17-8 Oracle Fusion Middleware Administrators Guide for Oracle Directory Integration Platform components still may be unable to access users and groups in Oracle Internet Directory. To illustrate how you might configure the user search base and group search base: In the example in Figure 16–2 on page 16-7, the value of usersearchbase should be set to cn=users,dc=us,dc=MyCompany,dc=com or one of its parents. Similarly, assuming there is a subtree named groups in the DIT, the multivalued groupsearchbase attribute should be set to both of the following: ■ cn=groups,dc=us,dc=MyCompany,dc=com or one of its parents ■ cn=users,dc=us,dc=MyCompany,dc=com To configure the user search base and group search base, use the Oracle Internet Directory Self-Service Console. 4. Set up the usercreatebase and groupcreatebase values in Oracle Internet Directory. These values indicate to the various Oracle components where users and groups can be created. They are set to default values during installation. To illustrate how to configure the user create base and group create base: In the example in Figure 16–2 on page 16-7, the value of usercreatebase should be set to cn=users,dc=us,dc=MyCompany,dc=com or one of its parents. Similarly, the groupcreatebase should be set to cn=groups,dc=us, dc=MyCompany,dc=com or one of its parents. To configure the user create base and group create base, use the Oracle Internet Directory Self-Service Console.

17.3.2 Customizing Access Control Lists

This section discusses how to customize ACLs for import profiles, export profiles, and for other Oracle components. It contains these topics: ■ Customizing ACLs for Import Profiles ■ Customizing ACLs for Export Profiles ■ ACLs for Other Oracle Components

17.3.2.1 Customizing ACLs for Import Profiles

The import profile is the identity used by the Oracle Directory Integration Platform to access Oracle Internet Directory. ACLs must enable the import profile to add, modify, and delete objects in either the users and groups containers or the subtree where entries are accessed. By default, import profiles are part of the Realm Administrators group cn=RealmAdministrators, cn=groups,cn=OracleContext,realm_ DN in the default realm. This group has privileges to perform all operations on any entry under the DN of the default realm. You should not need to customize the ACLs for import synchronization with the default realm that is installed with Oracle Internet Directory Release 11g Release 1 11.1.1. If you are upgrading from an earlier version of Oracle Internet Directory, or if the synchronization is with a nondefault Oracle Internet Directory realm, then be sure that the necessary privileges in the proper subtree or containers are granted to the import profiles handling the synchronization. See Also: The section about modifying configuration settings for an identity management realm in Oracle Fusion Middleware Guide to Delegated Administration for Oracle Identity Management Configuring Synchronization with a Third-Party Directory 17-9 For an ACL template in LDIF format, see the file ORACLE_ HOMEldapschemaoidoidRealmAdminACL.sbs. If you have not changed the ACLs on the default realm, then this template file can be applied directly after instantiating the substitution variables, replacing s_SubscriberDN with the default realm DN in Oracle Internet Directory and replacing s_OracleContextDN with cn=OracleContext,default_realm_DN respectively. For example, if realmacl.ldif is the instantiated file, then you can upload it by using the following ldapmodify command. After executing the command, you will be prompted for the password for privileged directory user. ORACLE_HOMEbinldapmodify -h OID host -p OID port -D binddn -q -v -f realmacl.ldif

17.3.2.2 Customizing ACLs for Export Profiles

To enable the Oracle Directory Integration Platform to access a third-party directory, you must create an identity in third-party directory. This identity is configured in each export profile.

17.3.2.3 ACLs for Other Oracle Components

Default ACLs enable you to create, modify, and delete users and groups, but only in the users and groups containers under the default realm. To synchronize objects in other containers, you must customize the ACLs. There are sample ACL files that you can use to customize ACLs for Oracle Components. These sample files are installed in the ORACLE_ HOMEldapschemaoid directory. They are: ■ oidUserAdminACL.sbs—Grants necessary rights to the subtree for Oracle components to manage and access users ■ oidGroupAdminACL.sbs—Grants necessary rights to the subtree for Oracle components to manage and access groups ■ oidUserAndGroupAdminACL.sbs—Grants the privileges for Oracle components to manage and access users and groups in the subtree. You can customize your ACL policy to grant privileges on a container-by-container basis with the required rights.

17.3.3 Customizing Mapping Rules

Mapping rules, an important part of the synchronization profile, determine the directory information to be synchronized and how it is to be transformed when synchronized. You can change mapping rules at run time to meet your requirements. Each sample synchronization profile includes default mapping rules. These rules contain a minimal set of default user and group attributes configured for out-of-the-box synchronization. See Also: The chapter about access controls in Oracle Fusion Middleware Administrators Guide for Oracle Internet Directory See Also: The chapter about access controls in Oracle Fusion Middleware Administrators Guide for Oracle Internet Directory for instructions on customizing ACLs 17-10 Oracle Fusion Middleware Administrators Guide for Oracle Directory Integration Platform Mapping rules govern the way data is transformed when a source directory and a destination directory are synchronized. Customize the default mapping rules found in the sample profiles when you need to do the following: ■ Change distinguished name mappings. The distinguished name mappings establish how the third-party directory DIT maps to the Oracle Internet Directory DIT. ■ Change the attributes that need to be synchronized. ■ Change the transformations mapping rules that occur during the synchronization. You can perform any mapping if the resulting data in the destination directory conforms to the schema in that directory. Once you have established a working synchronization between Oracle Internet Directory and a third-party directory, you can customize the attribute mapping rules for your synchronization profiles to meet the needs of your deployment. To customize the attribute mapping rules for your synchronization profiles: 1. Make a duplicate of the sample mapping rules file. The sample mapping rules files are stored in the ORACLE_HOMEldapodiconf directory with the extension of map.master for the various profiles. 2. Edit the sample mapping rules file to make the previously discussed modifications. You can find instructions for editing mapping rules in Configuring Mapping Rules on page 6-3. 3. After the changes are made, use the update operation of the manageSyncProfiles command to update the profile. For example, the following command updates a profile name myImportProfile with a properties file named myPropertiesFile: manageSyncProfiles update -profile profile_name -file myPropertiesFile

4. Wait until the scheduling interval has elapsed, and then check the synchronized

users and groups to ensure that the attribute mapping rules meet your requirements. Note: When a synchronization is underway, it relies on the mapping rules configured prior to any changes in the directory. To ensure consistent mapping, you may need to remove an already synchronized entry or perform a full synchronization. See Also: ■ The section Configuring Mapping Rules on page 6-3 for a full discussion of mapping rules ■ The section Supported Attribute Mapping Rules and Examples on page 6-10 for examples of how attribute values are transformed when synchronized from one directory to another ■ The file ORACLE_HOMEldapodiconfactiveimp.map.master for an example of import mapping rules See Also: The manageSyncProfiles section in the Oracle Directory Integration Platform tools chapter of the Oracle Identity Management User Reference