
17-4 Oracle Fusion Middleware Administrator's Guide for Oracle Directory Integration Platform

-conDirType       Connected directory type. Supported values are ActiveDirectory, EDirectory, iPlanet, OpenLDAP, ADAM, Tivoli, OID, and ExchangeServer2003.
-conDirUrl        URL where the connected directory is running. The format is host:port.
-conDirBindDN     Connected directory server bind DN. For example: administrator@idm2003.net, cn=orcladmin, or cn=Directory Manager.
-conDirContainer  The synchronization container. For example: ou=sales,dc=us,dc=com, OU=Groups,DC=imtest,DC=com, or CN=Users,DC=imtest,DC=com.
-ssl              Executes the command in SSL mode.
-keystorePath     The full path to the keystore.
-keystoreType     The type of the keystore identified by -keystorePath. For example: -keystoreType jks or -keystoreType PKCS12.
-enableProfiles   Specify true to enable the created profiles, false if not.
-help             Provides command usage help.

Note: You will be prompted for the connected directory bind DN password. You cannot provide the password as a command-line argument. Best security practice is to provide a password only in response to a prompt from the command. If you must execute expressSyncSetup from a script, you can redirect input from a file containing the connected directory bind DN password. Use file permissions to protect the file and delete it when it is no longer necessary. If you must provide more than one password to expressSyncSetup, put each on a separate line in the file, in the following order: connected directory bind DN password, then Oracle WebLogic Server login password.

Note: The Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed must be configured for SSL to execute this command in SSL mode. Refer to the "Configuring SSL" chapter in Oracle Fusion Middleware Securing Oracle WebLogic Server for more information.

17.2.3 Tasks and Examples for expressSyncSetup

expressSyncSetup -h myhost.mycompany.com -p 7005 -D login_ID -pf myProfile \
  -conDirType ACTIVEDIRECTORY -conDirUrl server.mycompany.com:5432 \
  -conDirBindDN administrator@idm2003.net -conDirContainer ou=sales,dc=us,dc=com \
  -enableProfiles false

expressSyncSetup -help
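The note on the -conDirBindDN password says that a scripted run must feed the password from a protected file rather than from the command line. The following is an added example, not code from the Oracle guide: build_express_sync_setup_argv assembles the argument vector from the syntax above (validating -conDirType against the supported list and -conDirUrl against the host:port format) and deliberately has no password parameter, and run_with_password_file writes the prompted-for passwords, one per line in prompt order, to a file created with mode 0600, hands it to the command on stdin, and deletes it when the command exits. expressSyncSetup itself is only named here; ECHO_STDIN is a stand-in that echoes its input so the example runs where the tool is not installed.

```python
"""Scripting expressSyncSetup without putting a password on the command line.
Added example, not part of the Oracle guide: expressSyncSetup is only named,
never executed; the argv builder and the password-file runner are this
example's own helpers."""
import os
import subprocess
import sys
import tempfile
from typing import Dict, List, Sequence

# Supported -conDirType values from the guide; the guide's own example passes
# ACTIVEDIRECTORY in upper case, so the check is case-insensitive.
CON_DIR_TYPES = {"activedirectory", "edirectory", "iplanet", "openldap",
                 "adam", "tivoli", "oid", "exchangeserver2003"}

# Stand-in for expressSyncSetup used by the demo: echoes whatever it reads on
# stdin, which lets us see exactly what the real command would have received.
ECHO_STDIN = [sys.executable, "-c", "import sys; sys.stdout.write(sys.stdin.read())"]


def build_express_sync_setup_argv(host: str, port: int, login_id: str, profile: str,
                                  con_dir_type: str, con_dir_url: str,
                                  con_dir_bind_dn: str, con_dir_container: str,
                                  enable_profiles: bool = False, ssl: bool = False,
                                  keystore_path: str = "", keystore_type: str = "jks") -> List[str]:
    """Return the expressSyncSetup argument vector. There is intentionally no
    password parameter: the command prompts for passwords on stdin."""
    if con_dir_type.lower() not in CON_DIR_TYPES:
        raise ValueError(f"unsupported -conDirType {con_dir_type!r}")
    dir_host, sep, dir_port = con_dir_url.partition(":")
    if not (dir_host and sep and dir_port.isdigit()):
        raise ValueError("-conDirUrl must have the form host:port")
    argv = ["expressSyncSetup", "-h", host, "-p", str(port), "-D", login_id,
            "-pf", profile, "-conDirType", con_dir_type, "-conDirUrl", con_dir_url,
            "-conDirBindDN", con_dir_bind_dn, "-conDirContainer", con_dir_container]
    if ssl:
        argv.append("-ssl")
    if keystore_path:
        argv += ["-keystorePath", keystore_path, "-keystoreType", keystore_type]
    argv += ["-enableProfiles", "true" if enable_profiles else "false"]
    return argv


def run_with_password_file(command: Sequence[str], passwords: Sequence[str],
                           timeout: int = 600) -> Dict[str, object]:
    """Run `command` with `passwords` supplied on stdin from a temporary 0600
    file: one password per line, in the order the command prompts for them
    (connected directory bind DN password first, then WebLogic login password)."""
    # mkstemp creates the file with mode 0600 and O_EXCL, so no other local user
    # can read it and nobody can pre-create the name; nothing ever enters argv
    # or the shell history.
    fd, path = tempfile.mkstemp(prefix="dip-pw-")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write("".join(p + "\n" for p in passwords))
        with open(path) as stdin:
            done = subprocess.run(list(command), stdin=stdin, capture_output=True,
                                  text=True, timeout=timeout)
    finally:
        # Remove the password file whether the command succeeded, failed or timed out.
        if os.path.exists(path):
            os.remove(path)
    return {"returncode": done.returncode, "stdout": done.stdout,
            "stderr": done.stderr, "password_file_removed": not os.path.exists(path)}


if __name__ == "__main__":
    print(" ".join(build_express_sync_setup_argv(
        "myhost.mycompany.com", 7005, "login_ID", "myProfile", "ACTIVEDIRECTORY",
        "server.mycompany.com:5432", "administrator@idm2003.net",
        "ou=sales,dc=us,dc=com")))
    # Constructed sample passwords; with the real tool, pass the argv built above.
    print(run_with_password_file(ECHO_STDIN, ["conDirBindPassword", "wlsPassword"]))
```

The file is created and removed inside one function so that the cleanup cannot be forgotten on an error path; if the host uses a shared /tmp, point tempfile at a private directory via TMPDIR.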

17.2.4 Understanding the expressSyncSetup Command

The expressSyncSetup command allows you to create two synchronization profiles, one for import and one for export, using predefined assumptions. If Oracle Directory Integration Platform is already running, then after enabling the profile you can immediately begin synchronizing users and groups between the containers in which users and groups are stored in the third-party directory and cn=users,default_realm and cn=groups,default_realm in Oracle Internet Directory.

To simplify the configuration, the expressSyncSetup command assumes the following:

■ Entries for users of the default realm in Oracle Internet Directory are located in the container cn=users,default_realm_DN.
■ Entries for groups of the default realm in Oracle Internet Directory are located in the container cn=groups,default_realm_DN.
■ The Oracle Directory Integration Platform master mapping rules files created during installation are located in ORACLE_HOME/ldap/odi/conf.
■ Master domain mapping rules are located in the ORACLE_HOME/ldap/odi/conf directory.
■ The logon credential is that of an Oracle Directory Integration Platform administrator with sufficient privileges to configure a profile, a realm, and access controls on the Users container in the Oracle directory server. Members of the Oracle Directory Integration Platform Administrators group, cn=dipadmingrp,cn=dipadmin,cn=directory integration platform,cn=products,cn=oraclecontext, have the necessary privileges.

Perform the following steps to run the expressSyncSetup command and verify that users and groups are synchronizing between cn=users,default_naming_context in the third-party directory and cn=users,default_realm in Oracle Internet Directory:

1. Run express configuration using "Syntax for expressSyncSetup" on page 17-3.

2. The expressSyncSetup command creates two profiles named profile_nameImport and profile_nameExport. By default, both profiles are disabled.
   Enable the profile_nameImport profile if you need to synchronize from a third-party directory to Oracle Internet Directory, and enable the profile_nameExport profile if you need to synchronize from Oracle Internet Directory to a third-party directory. Enable the profile by using the manageSyncProfiles command with the activate operation.

3. Start Oracle Directory Integration Platform.

4. Wait until the scheduling interval has elapsed and verify that synchronization has started by entering the following command. After executing the command, you will be prompted for the password of the privileged directory user.

   ORACLE_HOME/bin/ldapsearch -h OID_host -p OID_port \
     -D binddn -q \
     -b "orclodipagentname=import_profile,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory" \
     -s base "objectclass=*" orclodipsynchronizationstatus orclodiplastsuccessfulexecutiontime

   When synchronization is successfully started:

   ■ The value of the Synchronization Status attribute is Synchronization Successful.
   ■ The value of the Last Successful Execution Time attribute is the specific date and time of that execution. Note that this must be close to the current date and time.

   An example of a result indicating successful synchronization is:

   Synchronization successful
   20060515012615

5. After verifying that synchronization has started, examine the entries in Oracle Internet Directory and the third-party directory to confirm that users and groups are synchronizing between cn=users,default_naming_context in the third-party directory and cn=users,default_realm in Oracle Internet Directory.

Note: The default scheduling interval is 60 seconds (1 minute). You can use Oracle Enterprise Manager Fusion Middleware Control to change the default scheduling interval. See Chapter 7, "Managing Directory Synchronization Profiles", for information on using Oracle Enterprise Manager Fusion Middleware Control.
Note:
■ The date and time must be close to the current date and time.
■ When running the ldapsearch command, you need the dipadmin password, which, as established at installation, is the same as the orcladmin password.

Note: While customizing the synchronization profiles for your environment, you may need to add test users and groups to facilitate your deployment effort. Be sure to remove any test users and groups when you are finished customizing and testing your synchronization profiles.

CAUTION: In order to successfully customize your import and export synchronization profiles, do not enable SSL until you have finished with all other configuration tasks.
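Step 4 and the note above make two separate checks on the ldapsearch result: the status attribute must read Synchronization Successful, and the last successful execution time must be close to the current time, otherwise a status left over from an earlier run is mistaken for a live synchronization. The following is an added example, not part of the Oracle guide, that applies both checks to the command's output. It assumes the attr=value output format that Oracle's ldapsearch prints by default and also accepts the attr: value form produced with -L; the five-minute freshness window is this example's own choice, since the guide only says "close to the current date and time", and SAMPLE_OUTPUT is constructed here from the guide's example result.

```python
"""Check the verification ldapsearch from step 4: status must be
"Synchronization Successful" and orclodiplastsuccessfulexecutiontime must be
recent. Added example, not part of the Oracle guide."""
from datetime import datetime, timedelta
from typing import Dict, Optional

EXPECTED_STATUS = "synchronization successful"
TIME_FORMAT = "%Y%m%d%H%M%S"   # matches the guide's sample value 20060515012615

# Constructed sample of what the step-4 ldapsearch prints in attr=value form.
SAMPLE_OUTPUT = """\
orclodipagentname=myProfileImport,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory
orclodipsynchronizationstatus=Synchronization Successful
orclodiplastsuccessfulexecutiontime=20060515012615
"""


def parse_ldapsearch_output(text: str) -> Dict[str, str]:
    """Collect attribute/value pairs from ldapsearch output. Accepts attr=value
    (Oracle ldapsearch default, assumed) and attr: value (-L output). Attribute
    names are lower-cased; a repeated attribute keeps its last value."""
    attrs: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # Use ": " when it comes before any "=", so "dn: orclodipagentname=..."
        # is read as the dn attribute rather than split on the "=" inside the DN.
        if ": " in line and ("=" not in line or line.index(": ") < line.index("=")):
            name, value = line.split(": ", 1)
        elif "=" in line:
            name, value = line.split("=", 1)
        else:
            continue
        attrs[name.strip().lower()] = value.strip()
    return attrs


def check_sync_status(output: str, now: Optional[str] = None,
                      max_age: timedelta = timedelta(minutes=5)) -> Dict[str, object]:
    """Return {"ok": bool, "age_seconds": int or None, "reason": str}.
    `now` is a YYYYMMDDHHMMSS string (defaults to the current local time);
    `max_age` is an assumed freshness window, the guide gives no number."""
    attrs = parse_ldapsearch_output(output)
    status = attrs.get("orclodipsynchronizationstatus")
    last_run = attrs.get("orclodiplastsuccessfulexecutiontime")
    if status is None or last_run is None:
        return {"ok": False, "age_seconds": None,
                "reason": "status attributes absent: the profile has not run yet, "
                          "or the profile DN or bind DN in the search is wrong"}
    if status.lower() != EXPECTED_STATUS:
        return {"ok": False, "age_seconds": None, "reason": f"status is {status!r}"}
    try:
        ran_at = datetime.strptime(last_run, TIME_FORMAT)
    except ValueError:
        return {"ok": False, "age_seconds": None,
                "reason": f"unparseable execution time {last_run!r}"}
    current = datetime.strptime(now, TIME_FORMAT) if now else datetime.now()
    age = int((current - ran_at).total_seconds())
    # A large positive age means a stale run; a large negative age means the
    # directory host's clock and this host's clock disagree.
    if abs(age) > max_age.total_seconds():
        return {"ok": False, "age_seconds": age,
                "reason": f"last successful run is {age}s from now, outside the "
                          f"{int(max_age.total_seconds())}s window"}
    return {"ok": True, "age_seconds": age, "reason": "synchronization is running"}


if __name__ == "__main__":
    # Pin "now" to 45 seconds after the sample timestamp so the demo is repeatable.
    print(check_sync_status(SAMPLE_OUTPUT, now="20060515012700"))
    print(check_sync_status(SAMPLE_OUTPUT))   # against the real clock: stale
```

In practice the output of the step-4 command is piped into check_sync_status, and the check should be repeated after at least one scheduling interval (60 seconds by default) so that a profile that ran once and then stopped is not reported as healthy.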