
Integrating with IBM Tivoli Directory Server 21-3

21.3.2 Step 2: Configuring the Realm

Configure the realm by following the instructions in Configuring the Realm on page 17-7.

21.3.3 Step 3: Customizing the ACLs

Customize ACLs as described in Customizing Access Control Lists on page 17-8.

21.3.4 Step 4: Customizing Attribute Mappings

When integrating with IBM Tivoli Directory Server, the following attribute-level mapping is mandatory for all objects:

    targetdn: : :top:orclSourceObjectDN: :orclTDSObject:

Example 21–1 Attribute-Level Mapping for the User Object in IBM Tivoli Directory Server

    Cn:1: :person: cn: :person:
    sn: : :person: sn: :person:

Example 21–2 Attribute-Level Mapping for the Group Object in IBM Tivoli Directory Server

    Cn:1: :groupofname: cn:groupofuniquenames

In the preceding examples, Cn and sn from IBM Tivoli Directory Server are mapped to cn and sn in Oracle Internet Directory. If you specify any attribute other than the RDN attribute as a required attribute in the mapping file, changes to that attribute are not synchronized. This is due to a limitation in IBM Tivoli Directory Server: when tombstones are enabled, changes do not appear as deletions in the changelog. Customize the attribute mappings by following the instructions in Customizing Mapping Rules on page 17-9.

21.3.5 Step 5: Customizing the IBM Tivoli Directory Server Connector to Synchronize Deletions

If you want to synchronize deletions, you must ensure that tombstones are not enabled in IBM Tivoli Directory Server. To check whether tombstones are enabled, execute the following command:

    ldapsearch -h connected_directory_host -p connected_directory_port \
      -D binddn -q \
      -b "cn=Directory, cn=RDBM Backends, cn=IBM Directory, cn=Schemas, cn=Configuration" \
      -s base "objectclass=*" ibm-slapdTombstoneEnabled

This command returns information on all deleted entries.

Note: You will be prompted for the password.

21-4 Oracle Fusion Middleware Administrator's Guide for Oracle Directory Integration Platform
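As an added pre-synchronization check (example code, not from the Oracle guide), the following Python reads mapping rules in the layout of the Step 4 examples and the output of the Step 5 ldapsearch, and reports required attributes other than the RDN attribute (which the Step 4 caveat says will not synchronize) and whether tombstones are enabled. The eight-field rule layout, the default RDN attribute cn and the TRUE/FALSE form of the ibm-slapdTombstoneEnabled value are assumptions; the sample inputs are constructed.

```python
# Added pre-sync check (illustrative, not from the Oracle guide). Assumed rule layout,
# matching the Step 4 examples: srcattr:reqd:srctype:srcobjclass:dstattr:dsttype:dstobjclass:rule
import re

FIELDS = ("src", "reqd", "srctype", "srcoc", "dst", "dsttype", "dstoc", "rule")

def parse_rules(text):
    """Split mapping-rule lines into eight named fields, ignoring blanks and comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        fields += [""] * (len(FIELDS) - len(fields))   # pad short rules (group example)
        rules.append(dict(zip(FIELDS, fields)))
    return rules

def lint_rules(text, rdn_attr="cn"):
    """Findings: missing mandatory targetdn rule, and required attributes that are not the RDN."""
    rules = parse_rules(text)
    findings = []
    if not any(r["src"].lower() == "targetdn" and r["dst"].lower() == "orclsourceobjectdn"
               for r in rules):
        findings.append("missing mandatory targetdn -> orclSourceObjectDN rule")
    for r in rules:
        if r["reqd"] and r["src"].lower() != rdn_attr.lower():
            findings.append(f"required attribute {r['src']} is not the RDN attribute "
                            f"{rdn_attr}; its changes will not synchronize from TDS")
    return findings

def tombstones_enabled(ldapsearch_output):
    """Read ibm-slapdTombstoneEnabled from the Step 5 ldapsearch output (assumed TRUE/FALSE value)."""
    m = re.search(r"^ibm-slapdTombstoneEnabled:\s*(\S+)", ldapsearch_output, re.I | re.M)
    return m is not None and m.group(1).lower() == "true"

# Constructed samples (not captured from a real server). sn is deliberately marked
# required here, which the Step 4 caveat says will not synchronize.
SAMPLE_RULES = """\
targetdn: : :top:orclSourceObjectDN: :orclTDSObject:
Cn:1: :person: cn: :person:
sn:1: :person: sn: :person:
"""
SAMPLE_SEARCH = """\
cn=Directory, cn=RDBM Backends, cn=IBM Directory, cn=Schemas, cn=Configuration
ibm-slapdTombstoneEnabled: TRUE
"""
```

Run lint_rules on the real mapping file and tombstones_enabled on the real search output before enabling deletion synchronization.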

21.3.6 Step 6: Synchronizing Passwords

Oracle Internet Directory and IBM Tivoli Directory Server support the same set of password hashing techniques. To synchronize passwords between Oracle Internet Directory and IBM Tivoli Directory Server, ensure that SSL server authentication mode is configured for both directories and that the following mapping rule exists in the mapping file:

    Userpassword: : :person:userpassword: :person

21.3.7 Step 7: Synchronizing in SSL Mode

Configure IBM Tivoli Directory Server for synchronization in SSL mode by following the instructions in Configuring the Third-Party Directory Connector for Synchronization in SSL Mode on page 17-11.

21.3.8 Step 8: Configuring the IBM Tivoli Directory Server External Authentication Plug-in

Perform the following steps to configure an IBM Tivoli Directory Server external authentication plug-in:

1. Add the configuration entries for the external authentication plug-in for IBM Tivoli Directory Server to Oracle Internet Directory by performing the following steps:

   a. Copy the following entries into an LDIF file, for example, input.ldif:

      dn: cn=oidexplg_compare_tivoli,cn=plugin,cn=subconfigsubentry
      cn: oidexplg_compare_tivoli
      objectclass: orclPluginConfig
      objectclass: top
      orclpluginname: oidexplg
      orclplugintype: operational
      orclpluginkind: Java
      orclplugintiming: when
      orclpluginldapoperation: ldapcompare
      orclpluginsecuredflexfield;walletpwd: password
      orclpluginsecuredflexfield;walletpwd2: password
      orclpluginversion: 1.0.1
      orclpluginisreplace: 1
      orclpluginattributelist: userpassword
      orclpluginentryproperties: objectclass=orclTDSobjectobjectclass=orcluserv2
      orclpluginflexfield;host2: host.domain.com
      orclpluginflexfield;port2: 636
      orclpluginflexfield;isssl2: 1
      orclpluginflexfield;host: host.domain.com
      orclpluginflexfield;walletloc2: locationwallet
      orclpluginflexfield;port: 389
      orclpluginflexfield;walletloc: tmp
      orclpluginflexfield;isssl: 0
      orclpluginflexfield;isfailover: 0
      orclpluginclassreloadenabled: 0
      orclpluginenable: 0
      orclpluginsubscriberdnlist: cn=users,dc=us,dc=oracle,dc=com

      dn: cn=oidexplg_bind_tivoli,cn=plugin,cn=subconfigsubentry
      cn: oidexplg_bind_tivoli
      objectclass: orclPluginConfig
      objectclass: top
      orclpluginname: oidexplg
      orclplugintype: operational
      orclpluginkind: Java
      orclplugintiming: when
      orclpluginldapoperation: ldapbind
      orclpluginversion: 1.0.1
      orclpluginisreplace: 1
      orclpluginentryproperties: objectclass=orclTDSobjectobjectclass=orcluserv2
      orclpluginclassreloadenabled: 0
      orclpluginflexfield;walletloc2: locationwallet
      orclpluginflexfield;port: 389
      orclpluginflexfield;walletloc: tmp
      orclpluginflexfield;isssl: 0
      orclpluginflexfield;isfailover: 0
      orclpluginflexfield;host2: host.domain.com
      orclpluginflexfield;port2: 636
      orclpluginflexfield;isssl2: 1
      orclpluginflexfield;host: host.domain.com
      orclpluginenable: 0
      orclpluginsecuredflexfield;walletpwd: password
      orclpluginsecuredflexfield;walletpwd2: password
      orclpluginsubscriberdnlist: cn=users,dc=us,dc=oracle,dc=com

   b. Load the entries in the LDIF file into Oracle Internet Directory using a command similar to the following:

      ldapadd -h HOST -p PORT -D binddn -q -v -f input.ldif

      Note: You will be prompted for the password.

2. Use the instructions in Configuring External Authentication Plug-ins on page 17-14 to configure the plug-in.

Note: The wallet referred to in the configuration entries for the external authentication plug-in for IBM Tivoli Directory Server is an Oracle wallet. Accordingly, use Oracle wallet commands to add and remove certificates from the wallet. JKS commands are used only for the certificates that Oracle Directory Integration Platform uses.

See Also: IBM Tivoli Directory Server documentation for details about configuring tombstones.
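The following added Python check (example code, not from the Oracle guide) parses the plug-in LDIF above and reports template values that were never replaced, a port of 636 whose isssl flag is not 1, and an orclpluginenable other than the template's 0, so the file can be reviewed before ldapadd loads it. The placeholder list is taken from the template above, the abridged sample entry is constructed, and base64 ("::") LDIF values are not handled.

```python
# Added review check for the Step 8 plug-in LDIF (illustrative, not Oracle code).
# Base64 ("::") LDIF values are not handled; the template above uses none.
PLACEHOLDERS = {"password", "host.domain.com", "locationwallet", "tmp"}  # template values above

def parse_ldif(text):
    """Minimal LDIF parser: one {attribute: [values]} dict per entry, names lower-cased."""
    entries, cur, prev = [], {}, None
    for raw in text.splitlines() + [""]:              # trailing "" flushes the last entry
        if raw.startswith(" ") and prev:              # folded continuation line
            cur[prev][-1] += raw[1:]
        elif not raw.strip():                         # blank line ends an entry
            if cur:
                entries.append(cur)
            cur, prev = {}, None
        else:
            attr, _, val = raw.partition(":")
            prev = attr.strip().lower()
            cur.setdefault(prev, []).append(val.strip())
    return entries

def check_plugin_entry(entry):
    """Return findings for one orclPluginConfig entry."""
    first = lambda k: entry.get(k, [""])[0]
    name, findings = first("cn"), []
    for attr, values in entry.items():
        for v in values:
            if attr.startswith("orclplugin") and v in PLACEHOLDERS:
                findings.append(f"{name}: {attr} still holds template value {v!r}")
    for n in ("", "2"):                               # first and second server settings
        port, ssl = first(f"orclpluginflexfield;port{n}"), first(f"orclpluginflexfield;isssl{n}")
        if port == "636" and ssl != "1":
            findings.append(f"{name}: port{n} is 636 but isssl{n} is {ssl!r}")
    if first("orclpluginenable") != "0":
        findings.append(f"{name}: orclpluginenable is {first('orclpluginenable')!r}; template expects 0")
    return findings

def check_ldif(text):
    return [f for entry in parse_ldif(text) for f in check_plugin_entry(entry)]

# Constructed, abridged copy of the compare plug-in entry: host2 was edited, the wallet
# password and isssl2 were not.
SAMPLE_LDIF = """\
dn: cn=oidexplg_compare_tivoli,cn=plugin,cn=subconfigsubentry
cn: oidexplg_compare_tivoli
orclpluginsecuredflexfield;walletpwd: password
orclpluginflexfield;host2: tds.example.com
orclpluginflexfield;port2: 636
orclpluginflexfield;isssl2: 0
orclpluginenable: 0
"""
```

Point check_ldif at the real input.ldif and resolve every finding before running the ldapadd command in step b.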

21.3.9 Step 9: Performing Post-Configuration and Administrative Tasks

Read Chapter 23, Managing Integration with a Third-Party Directory, for information on post-configuration and ongoing administration tasks.

22 Integrating with Novell eDirectory or OpenLDAP

This chapter outlines the procedures for integrating Oracle Identity Management with Novell eDirectory or OpenLDAP in a production environment. It contains these topics:

■ Verifying Synchronization Requirements for Novell eDirectory or OpenLDAP
■ Configuring Basic Synchronization with Novell eDirectory or OpenLDAP
■ Configuring Advanced Integration with Novell eDirectory or OpenLDAP

22.1 Verifying Synchronization Requirements for Novell eDirectory or OpenLDAP

Before configuring basic or advanced synchronization with Novell eDirectory or OpenLDAP, ensure that your environment meets the necessary synchronization requirements by following the instructions in Verifying Synchronization Requirements on page 17-1.

Synchronization is supported between Oracle Fusion Middleware 11g Release 1 (11.1.1) or later and Novell eDirectory 8.6.2 or later or OpenLDAP 2.2.

Notes: This chapter assumes familiarity with the chapter on Oracle Internet Directory concepts and architecture in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory. It also assumes familiarity with the earlier chapters in this book, especially:

■ Chapter 1, Introduction to Oracle Identity Management Integration
■ Chapter 4, Managing the Oracle Directory Integration Platform
■ Chapter 5, Understanding the Oracle Directory Synchronization Service
■ Chapter 16, Third-Party Directory Integration Concepts and Considerations