Oracle Identity Management Components for Integrating with a Third-Party Directory

Third-Party Directory Integration Concepts and Considerations 16-7

■ What objects to synchronize, for example:
  – The portion of the DIT that you want to synchronize. You can synchronize the entire DIT or just a portion of it.
  – For each entry, the specific contents that you want to synchronize. You can synchronize the entire content of the entry or just a portion of it.
■ Where to synchronize. You have two options:
  – You can synchronize so that the relative position of each entry in the DIT is the same in the source and destination directories. This configuration, called one-to-one distinguished name mapping, is the most commonly used configuration. Because the source DN is the same as the destination DN, this configuration provides better performance than when the two DNs are different.
  – You can synchronize so that the relative position in the DIT of each entry in the destination directory is different from that in the source directory. In this configuration, Oracle Directory Integration Platform must rewrite the DN values of all entries being mapped, including the references to those DNs held in group entries (for example, member attribute values). This requires more intensive computation. If you synchronize in this way, you must use the dnconvert mapping rule as described in Supported Attribute Mapping Rules and Examples on page 6-10.

16.1.3.3 Example: Integration with a Single Third-Party Directory Domain

Figure 16–2 shows an example of one-to-one mapping between Oracle Internet Directory and a third-party directory.

Figure 16–2 Default DIT Structures in Oracle Internet Directory and a Third-Party Directory When Both Directory Hosts Are Under the Domain us.MyCompany.com

[Figure: two trees side by side. Oracle Internet Directory: [Root DSE] > dc=com > dc=MyCompany > dc=us > users > user_1, user_2, user_3 ... user_N. Third-Party Directory: us.MyCompany.com > users > user_1, user_2, user_3 ... user_N.]

See Also: The section Choose the Structure of the Directory Information Tree on page 16-16 for more information about planning the directory information tree

16-8 Oracle Fusion Middleware Administrators Guide for Oracle Directory Integration Platform

In the one-to-one mapping illustrated in Figure 16–2:
■ Both Oracle Internet Directory and the third-party directory hosts have the same topology.
■ Users are synchronized only from the third-party directory to Oracle Internet Directory. All users to be synchronized are stored in one container in the third-party directory, in this case users.us.MyCompany.com.
■ The same DIT structure is maintained in both the third-party directory and Oracle Internet Directory. All users appear in the same users subtree identified by the value cn=users,dc=us,dc=MyCompany,dc=com.

In the example shown in Figure 16–2, only the users subtree must be synchronized from the third-party directory to Oracle Internet Directory using one-to-one domain mappings.
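The two mapping options described under "Where to synchronize" and the one-to-one layout of Figure 16–2, as an added worked example that is not part of this guide and is not Oracle Directory Integration Platform code or its dnconvert rule: a small Python model of DN rebasing that contrasts one-to-one mapping (every DN unchanged, nothing to rewrite) with a remapped destination container, where the DN of every synchronized entry and every DN-valued reference in group entries has to be rewritten. The sample entries follow the us.MyCompany.com DIT of the figure; the cn=groups container, the escaped-comma RDN, the dc=emea entry and the flattened destination container dc=MyCompany,dc=com are assumptions made for the example.

```python
"""DN mapping between a source and a destination directory during synchronization.

Added example, not Oracle Directory Integration Platform code and not the dnconvert
rule itself. It contrasts one-to-one DN mapping (an entry keeps the same DN on both
sides) with a remapping under a different destination container, where the DN of
every synchronized entry and every DN-valued reference in group entries must be
rewritten. Sample entries are constructed to match the us.MyCompany.com DIT of
Figure 16-2; the cn=groups container and the dc=emea entry are assumptions.
"""
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]


def split_dn(dn: str) -> List[str]:
    """Split a string DN into RDNs, keeping backslash-escaped commas (RFC 4514)."""
    rdns: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # escape sequence: copy both characters
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    rdns.append("".join(buf).strip())
    return rdns


def _key(rdns: List[str]) -> List[str]:
    # Case-insensitive comparison, adequate for caseIgnoreMatch types such as cn and dc.
    return [r.lower() for r in rdns]


def is_under(dn: str, base: str) -> bool:
    """True if dn lies at or below base."""
    rdns, b = split_dn(dn), split_dn(base)
    return len(rdns) >= len(b) and _key(rdns[-len(b):]) == _key(b)


def map_dn(dn: str, src_base: str, dst_base: str) -> str:
    """Keep dn's position relative to src_base but hang it under dst_base.

    With src_base == dst_base this is one-to-one mapping and returns dn unchanged.
    """
    if not is_under(dn, src_base):
        raise ValueError(f"{dn} is outside the synchronized subtree {src_base}")
    relative = split_dn(dn)[:-len(split_dn(src_base))]
    return ",".join(relative + split_dn(dst_base))


def synchronize(source: Dict[str, Entry], src_base: str, dst_base: str,
                dn_valued: Tuple[str, ...] = ("member", "uniquemember")
                ) -> Tuple[Dict[str, Entry], int, List[str]]:
    """Return (destination entries, count of DN values rewritten, references left as-is).

    Only entries under src_base are synchronized (the "portion of the DIT" choice).
    DN-valued attribute values inside the subtree are rewritten; values pointing
    outside it cannot be remapped, so they are copied unchanged and reported for review.
    """
    dest: Dict[str, Entry] = {}
    rewritten = 0
    unmapped: List[str] = []
    for dn, attrs in source.items():
        if not is_under(dn, src_base):
            continue
        new_dn = map_dn(dn, src_base, dst_base)
        rewritten += int(new_dn != dn)
        new_attrs: Entry = {}
        for name, values in attrs.items():
            if name.lower() not in dn_valued:
                new_attrs[name] = list(values)
                continue
            mapped: List[str] = []
            for value in values:
                if is_under(value, src_base):
                    new_value = map_dn(value, src_base, dst_base)
                    rewritten += int(new_value != value)
                    mapped.append(new_value)
                else:
                    unmapped.append(f"{dn}: {name}={value}")
                    mapped.append(value)
            new_attrs[name] = mapped
        dest[new_dn] = new_attrs
    return dest, rewritten, unmapped


US = "dc=us,dc=MyCompany,dc=com"
SOURCE: Dict[str, Entry] = {                      # constructed sample entries
    f"cn=user_1,cn=users,{US}": {"objectClass": ["inetOrgPerson"], "cn": ["user_1"]},
    f"cn=user_2,cn=users,{US}": {"objectClass": ["inetOrgPerson"], "cn": ["user_2"]},
    f"cn=Doe\\, Jane,cn=users,{US}": {"objectClass": ["inetOrgPerson"], "cn": ["Doe, Jane"]},
    f"cn=admins,cn=groups,{US}": {
        "objectClass": ["groupOfNames"],
        "member": [f"cn=user_1,cn=users,{US}", f"cn=Doe\\, Jane,cn=users,{US}",
                   "cn=svc_1,cn=services,dc=emea,dc=MyCompany,dc=com"],  # outside US
    },
}

if __name__ == "__main__":
    for label, dst in (("one-to-one", US), ("remapped", "dc=MyCompany,dc=com")):
        dest, count, unmapped = synchronize(SOURCE, US, dst)
        print(f"{label}: {len(dest)} entries, {count} DN values rewritten, "
              f"{len(unmapped)} references outside the subtree")
        for new_dn in dest:
            print("  ", new_dn)
```

Running the one-to-one case rewrites nothing; the remapped case touches every entry DN plus each in-scope member value (six rewrites for four entries), which is the extra work the text refers to. In both cases the member value under dc=emea is left as it is and reported: a reference to an entry outside the synchronized portion of the DIT will dangle in the destination unless that subtree is also synchronized, so reviewing that list before enabling a profile is the check a practitioner wants.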

16.2 Planning Your Integration Environment

This section describes how to plan your integration environment. It contains these topics:
■ Preliminary Considerations for Integrating with a Third-Party Directory
■ Choose the Directory for the Central Enterprise Directory
■ Customizing the LDAP Schema
■ Choose Where to Store Passwords
■ Choose the Structure of the Directory Information Tree
■ Select the Attribute for the Login Name
■ Select the User Search Base
■ Select the Group Search Base
■ Decide How to Address Security Concerns
■ Administering Your Deployment with Oracle Access Manager

16.2.1 Preliminary Considerations for Integrating with a Third-Party Directory

If you are deploying Oracle Internet Directory in an enterprise that already has an LDAP directory server, then you must configure both directories to coexist in the same environment. The coexistence of directories requires one of two types of deployment:
■ Simple synchronization with Oracle Internet Directory to support Enterprise User Security. Use this approach if your environment supports enterprise users by using a database server.
■ Complete integration with the Oracle Fusion Middleware infrastructure. This enables all enterprise users to use the various components in the Oracle Fusion Middleware suite. Use this approach if your environment uses a third-party directory as the enterprise directory and deploys an Oracle Fusion Middleware suite of applications.

Note: In Figure 16–2, the two directories have the same topology, but be aware that this is for illustration purposes only. The two directories do not need to be in the same domain. Oracle Internet Directory can be anywhere in the network, provided it can connect to the third-party directory. In addition, although the synchronization in the example is one-way, from the third-party directory to Oracle Internet Directory, the synchronization can, alternatively, be bi-directional.

Because all Oracle Fusion Middleware components depend on the identity management realm, complete integration with the Oracle Fusion Middleware infrastructure requires you to make some decisions about the container for that realm. Once you have made these decisions, you can configure bootstrapping and synchronization between the directories.

16.2.2 Choose the Directory for the Central Enterprise Directory

This section explains how to choose which directory is to be the central enterprise directory. It contains these topics:
■ Oracle Internet Directory as the Central Enterprise Directory
■ Third-Party Directory as the Central Enterprise Directory

16.2.2.1 Oracle Internet Directory as the Central Enterprise Directory

If Oracle Internet Directory is the central directory, then, once the user, group, and realm objects are created, Oracle Internet Directory becomes the source of provisioning information for all Oracle components and third-party directories. The user and group objects for the entire enterprise are then provisioned in various Oracle components and third-party directories from Oracle Internet Directory. Table 16–1 describes the typical requirements in this deployment.

Table 16–1 Typical Requirements with Oracle Internet Directory as the Central Enterprise Directory

Requirement        Description
Initial startup    The syncProfileBootstrap command populates the third-party directory with users and groups stored in Oracle Internet Directory.