Overriding an Application Authentication Mechanism with Windows Native Authentication

16-28 Oracle Fusion Middleware Administrator's Guide for Oracle Directory Integration Platform

trust relationship with A. In this scenario, both B and C also trust each other. This is because, although they are not in a direct trust relationship with each other, they are in a direct trust relationship with A.

■ In a non-transitive trust relationship, the trust is bound by the two domains in the trust relationship; it does not flow to any other domains in the forest.

When a trust is established between a Windows 2000 domain in a particular forest and a Windows 2000 domain outside of that forest, security principals from the external domain can be granted access to resources in the forest. A security principal from an external domain is called a foreign security principal and is represented in Microsoft Active Directory as a foreign security principal object. These foreign security principals can become members of domain local groups, which can have members from domains outside of the forest.

Foreign security principals are used when there is a non-transitive trust between two domains in a Microsoft Active Directory environment. In a non-transitive trust relationship in a Microsoft Active Directory environment, when one domain recognizes a foreign security principal from the other domain, it represents that entity similar to a DN entry. In that entry, the RDN component is set to the SID of the original entry in the trusted domain. In the case of groups, the DNs of the foreign security principals are represented as member values, not as the DNs of the original entries in the trusted domain. This can create a problem when foreign security principals are synchronized with Oracle Internet Directory.
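The paragraph above explains why group membership can be a problem for synchronization: a member value that names a foreign security principal carries the SID of the original entry as its RDN, not the original DN. An administrator would want to find such member values before a synchronization run. The following script is an added example, not code from the guide or from Oracle Directory Integration Platform. It assumes the Active Directory convention that these entries sit under a CN=ForeignSecurityPrincipals container and that their RDN value is a SID in the usual S-1-... text form; the group entries it scans are constructed sample data.

```python
"""Find group member values that are foreign security principals (SID-based RDNs).

Added example, not part of the Oracle documentation. Assumptions: Active
Directory places foreign security principals under CN=ForeignSecurityPrincipals
and their RDN value is the SID of the original entry (S-1-<authority>-<subauths>).
The group data below is constructed, not exported from any directory.
"""
import re

# Textual Windows SID: S-1-<identifier authority>-<one or more sub-authorities>
SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")

# Constructed sample groups: group DN -> list of member DNs as stored in AD.
SAMPLE_GROUPS = {
    "CN=App Admins,OU=Groups,DC=example,DC=com": [
        "CN=Alice Smith,OU=Users,DC=example,DC=com",
        # Member from a non-transitively trusted domain: the RDN is the foreign SID,
        # not the DN of the original entry in the trusted domain.
        "CN=S-1-5-21-1111111111-2222222222-3333333333-1105,"
        "CN=ForeignSecurityPrincipals,DC=example,DC=com",
        "CN=Bob Jones,OU=Users,DC=example,DC=com",
    ],
    "CN=Readers,OU=Groups,DC=example,DC=com": [
        "CN=Carol White,OU=Users,DC=example,DC=com",
    ],
}


def split_dn(dn):
    """Split a DN into (attribute, value) RDN pairs, honouring backslash-escaped commas."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.strip().partition("=")
        rdns.append((attr.strip().lower(), value.replace("\\,", ",")))
    return rdns


def is_foreign_security_principal(dn):
    """True when the leading RDN value is a SID, i.e. the entry stands in for a
    security principal from another (trusted) domain rather than a local object."""
    rdns = split_dn(dn)
    if not rdns:
        return False
    attr, value = rdns[0]
    return attr == "cn" and bool(SID_RE.match(value))


def find_foreign_members(groups):
    """Return {group_dn: [foreign member DNs]} for every group whose member values
    would carry SID-based DNs into the target directory during synchronization."""
    report = {}
    for group_dn, members in groups.items():
        foreign = [m for m in members if is_foreign_security_principal(m)]
        if foreign:
            report[group_dn] = foreign
    return report


if __name__ == "__main__":
    for group_dn, foreign in find_foreign_members(SAMPLE_GROUPS).items():
        print(group_dn)
        for member in foreign:
            print("  foreign security principal member:", member)
```

In a real deployment the group entries would come from an LDAP search of the Active Directory domain rather than from the constructed dictionary; the detection logic is the same. The report tells the administrator which groups will synchronize with SID-valued member DNs so they can decide how those members should be mapped before the run.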
16.4 Oracle Directory Server Enterprise Edition (Sun Java System Directory Server) Integration Concepts

This section contains additional considerations for integrating Oracle Internet Directory with Oracle Directory Server Enterprise Edition (previously Sun Java System Directory Server). It contains these topics:

■ Synchronizing from Oracle Directory Server Enterprise Edition (Sun Java System Directory Server) to Oracle Directory Integration Platform

■ Oracle Internet Directory Schema Elements for Oracle Directory Server Enterprise Edition (Sun Java System Directory Server)

16.4.1 Synchronizing from Oracle Directory Server Enterprise Edition (Sun Java System Directory Server) to Oracle Directory Integration Platform

Oracle Directory Server Enterprise Edition (previously Sun Java System Directory Server) maintains a change log in which it stores incremental changes made to directory objects. Synchronization from Oracle Directory Server Enterprise Edition to Oracle Internet Directory makes use of this change log.

See Also: Chapter 20, "Integrating with Oracle Directory Server Enterprise Edition (Sun Java System Directory Server)"

Third-Party Directory Integration Concepts and Considerations 16-29

16.4.2 Oracle Internet Directory Schema Elements for Oracle Directory Server Enterprise Edition (Sun Java System Directory Server)

Oracle Internet Directory includes the orclSourceObjectDN attribute for users that are imported from Oracle Directory Server Enterprise Edition (previously Sun Java System Directory Server). The orclSourceObjectDN element represents the DN for the respective entry in Oracle Directory Server Enterprise Edition. This value is required to perform external authentication if different domains are mapped between both directories.

16.5 IBM Tivoli Directory Server Integration Concepts

This section contains additional considerations for integrating Oracle Internet Directory with IBM Tivoli Directory Server. It contains these topics:

■ Changes to Directory Objects in IBM Tivoli Directory Server

■ Oracle Internet Directory Schema Elements for IBM Tivoli Directory Server

16.5.1 Changes to Directory Objects in IBM Tivoli Directory Server

IBM Tivoli Directory Server maintains a change log where it stores incremental changes made to directory objects. Synchronization from IBM Tivoli Directory Server to Oracle Internet Directory makes use of this change log.

16.5.2 Oracle Internet Directory Schema Elements for IBM Tivoli Directory Server

Table 16–5 lists the schema elements in Oracle Internet Directory for users that are imported from IBM Tivoli Directory Server:

Table 16–5 Oracle Internet Directory Schema Elements for IBM Tivoli Directory Server

Schema Element       Description
orclSourceObjectDN   Represents the DN for the respective entry in Tivoli. This value is required to perform external authentication if different domains are mapped between both directories.

See Also:

■ "Synchronizing from Oracle Internet Directory to a Connected Directory" on page 5-3.

■ The Oracle Internet Directory server administration tools chapter of the Oracle Identity Management User Reference for instructions on how to start an Oracle Internet Directory server with change logging enabled.

■ Oracle Directory Server Enterprise Edition (previously Sun Java System Directory Server) documentation for instructions on how to configure change logging. If you plan to synchronize with either Sun Java System Directory Server versions 5.0 or later, or Oracle Directory Server Enterprise Edition, the retro change log plug-in must be enabled.

Note: Tombstone is supported in IBM Tivoli Directory Server version 6.2.
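Sections 16.4.1 and 16.5.1 both describe the same mechanism: the source directory (Oracle Directory Server Enterprise Edition or IBM Tivoli Directory Server) keeps a change log of incremental changes, and synchronization consumes that log. Sections 16.4.2 and 16.5.2 add that each imported user carries an orclSourceObjectDN holding the source DN, which external authentication needs when the two directories map different domains. The following model of that pattern is an added illustration, not Oracle Directory Integration Platform code: the record field names (changeNumber, targetDN, changeType) follow the common LDAP change-log convention, map_dn() is an assumed domain mapping, and the change-log records are constructed sample data.

```python
"""Incremental change-log consumer with a checkpoint and orclSourceObjectDN tracking.

Added illustration, not Oracle Directory Integration Platform code. Assumptions:
change-log records carry changeNumber, targetDN and changeType (the usual LDAP
change-log field names); map_dn() is an invented domain mapping; the records in
SAMPLE_CHANGELOG are constructed, not read from any directory.
"""

# Constructed sample change-log records, in the order the source wrote them.
SAMPLE_CHANGELOG = [
    {"changeNumber": 101, "targetDN": "uid=alice,ou=people,dc=src,dc=example",
     "changeType": "add", "attrs": {"cn": "Alice", "mail": "alice@example.com"}},
    {"changeNumber": 102, "targetDN": "uid=bob,ou=people,dc=src,dc=example",
     "changeType": "add", "attrs": {"cn": "Bob", "mail": "bob@example.com"}},
    {"changeNumber": 103, "targetDN": "uid=alice,ou=people,dc=src,dc=example",
     "changeType": "modify", "attrs": {"mail": "alice.smith@example.com"}},
    # Delete record: the source has to retain enough of the deleted entry (a
    # tombstone) for the synchronizer to learn which DN went away.
    {"changeNumber": 104, "targetDN": "uid=bob,ou=people,dc=src,dc=example",
     "changeType": "delete", "attrs": {}},
]


def map_dn(source_dn):
    """Assumed domain mapping: keep the RDN, re-parent it under the target container."""
    rdn = source_dn.split(",", 1)[0]
    return rdn + ",cn=users,dc=oid,dc=example"


def apply_changes(changelog, target, last_change_number):
    """Apply every record newer than last_change_number to target (dict: DN -> attrs).

    Returns (new_checkpoint, records_applied). Records are applied in change-number
    order so a modify or delete never runs ahead of the add it depends on, and the
    checkpoint lets the next run resume without replaying earlier records.
    """
    applied = 0
    for rec in sorted(changelog, key=lambda r: r["changeNumber"]):
        if rec["changeNumber"] <= last_change_number:
            continue  # already applied by an earlier run
        dn = map_dn(rec["targetDN"])
        change_type = rec["changeType"]
        if change_type == "add":
            entry = dict(rec["attrs"])
            entry["orclSourceObjectDN"] = rec["targetDN"]  # remember the source DN
            target[dn] = entry
        elif change_type == "modify":
            if dn in target:
                target[dn].update(rec["attrs"])
            # A modify for an entry that was never imported is skipped here; a real
            # synchronizer would log it and schedule a full import of that entry.
        elif change_type == "delete":
            target.pop(dn, None)
        else:
            raise ValueError("unknown changeType %r" % change_type)
        last_change_number = rec["changeNumber"]
        applied += 1
    return last_change_number, applied


def external_bind_dn(target, target_dn):
    """DN to present to the source directory when authenticating this user there;
    None if the entry is unknown or was not imported from a source directory."""
    entry = target.get(target_dn)
    if entry is None:
        return None
    return entry.get("orclSourceObjectDN")


if __name__ == "__main__":
    store, checkpoint = {}, 0
    checkpoint, count = apply_changes(SAMPLE_CHANGELOG, store, checkpoint)
    print("applied", count, "records; checkpoint now", checkpoint)
    for dn, attrs in store.items():
        print(dn, "->", attrs)
    # A second run with the saved checkpoint applies nothing.
    print("second run applied", apply_changes(SAMPLE_CHANGELOG, store, checkpoint)[1])
```

The checkpoint is what makes the synchronization incremental: the synchronizer persists the last change number it committed and asks the source only for records above it. Because the imported entry lives under a different parent than its source, external_bind_dn() returns the stored orclSourceObjectDN rather than the target DN, which is exactly the situation the table above describes.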