The user or group entry is modified in Oracle Internet Directory.

Oracle Fusion Middleware Administrator's Guide for Oracle Directory Integration Platform

This is a feasible solution as long as the naming attribute (RDN attribute) remains the same in both directories. However, if the naming attribute differs between the directories—as, for example, ou=people,o=iplanet.org:cn=users,dc=iplanet,dc=com:cn=,cn=users,dc=iplanet,dc=com—then the actual DNs for group memberships cannot be derived through the given set of mapping rules. In this case, DN mapping for uniquemember or other DN-type attributes is not currently feasible. If you want to synchronize group memberships, keep the naming attribute in the source and destination directories the same.
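The following added illustration (not Oracle Directory Integration Platform's own code) shows why a container-level mapping rule can rewrite DN-valued attributes such as uniquemember only while the naming attribute stays the same: the destination RDN is copied from the source DN, and when the destination uses a different naming attribute the new RDN value would have to be looked up rather than computed. The sample DNs and the rule bases are constructed from the example in the text.

```python
from typing import List, Optional, Tuple


def split_dn(dn: str) -> List[str]:
    """Split a DN into its RDN strings, tolerating stray spaces after commas."""
    return [part.strip() for part in dn.split(",")]


def map_member_dn(member_dn: str, src_base: str, dst_base: str,
                  dst_naming_attr: str) -> Optional[str]:
    """Rewrite member_dn from the source container to the destination container.

    Returns None when the target DN cannot be derived from the rule alone:
    the entry lies outside src_base, or the destination directory names its
    entries with a different attribute than the source RDN carries.
    """
    parts, src, dst = split_dn(member_dn), split_dn(src_base), split_dn(dst_base)
    # Case-insensitive suffix match on the source container.
    if len(parts) <= len(src):
        return None
    if [p.lower() for p in parts[-len(src):]] != [p.lower() for p in src]:
        return None
    rdns = parts[:-len(src)]
    leaf_attr = rdns[0].split("=", 1)[0].strip().lower()
    if leaf_attr != dst_naming_attr.lower():
        return None  # RDN value under the new naming attribute is unknown
    return ",".join(rdns + dst)


def map_group_members(members: List[str], src_base: str, dst_base: str,
                      dst_naming_attr: str) -> Tuple[List[str], List[str]]:
    """Map every member DN; return (mapped DNs, DNs left unresolved)."""
    mapped, unresolved = [], []
    for member in members:
        target = map_member_dn(member, src_base, dst_base, dst_naming_attr)
        (mapped if target else unresolved).append(target or member)
    return mapped, unresolved


# Constructed sample: a rule from the text's example plus three member DNs.
SRC_BASE = "ou=people,o=iplanet.org"
DST_BASE = "cn=users,dc=iplanet,dc=com"
MEMBERS = [
    "cn=jdoe,ou=people,o=iplanet.org",
    "cn=asmith,ou=people, o=iplanet.org",
    "cn=svc1,ou=services,o=iplanet.org",  # outside the mapped container
]

if __name__ == "__main__":
    print(map_group_members(MEMBERS, SRC_BASE, DST_BASE, "cn"))   # two mapped
    print(map_group_members(MEMBERS, SRC_BASE, DST_BASE, "uid"))  # none mapped
```

With the same naming attribute (cn) on both sides the two members under the mapped container are rewritten; switching the destination to uid leaves every member unresolved, which is the situation the text describes.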

16.2.6 Select the Attribute for the Login Name

The attribute for the login name contains the identity of the end user when logging in to any Oracle component. It is stored in Oracle Internet Directory as the value of the attribute orclcommonnicknameattribute, under the container cn=common,cn=products,cn=oracleContext,identity_management_realm. By default, the orclcommonnicknameattribute attribute has uid as its value. This means that the identity used to log in is stored in the uid attribute of the user entry. If the connected directory has a specific attribute for logging in, then that attribute must be mapped to the attribute named by orclcommonnicknameattribute in Oracle Internet Directory. This mapping must be one of the mapping rules in the mapping file for the connector that synchronizes with the third-party directory. For example, suppose that you are synchronizing Oracle Internet Directory with Microsoft Active Directory, and that, in the latter, the login identifier is contained in the userPrincipalName attribute of the user entry. You would synchronize the value of the userPrincipalName attribute to Oracle Internet Directory, storing it in the uid attribute, which is the value of the orclcommonnicknameattribute attribute. This mapping must be reflected in the mapping rules in the directory integration profile. You can also use any other attribute for the login identifier. For example, if you want to use employeeID for logins, then the mapping rules can be set accordingly. Doing this does not affect your configuration.

See Also: Configuring Mapping Rules on page 6-3 for instructions about how to specify a mapping rule

Note: The orclcommonnicknameattribute attribute is used extensively by Oracle Application Server Single Sign-On, so be sure to plan carefully how you intend to map the attribute to a third-party directory attribute. After you modify this attribute, you must refresh Oracle Application Server Single Sign-On for the change to take effect.

See Also: Oracle Fusion Middleware Guide to Delegated Administration for Oracle Identity Management for instructions about setting the attribute for login name

16.2.7 Select the User Search Base

The user search context is represented by a multivalued attribute that lists all the containers under which users exist. Depending on your deployment, either set the user search context value to cover the entire user population, or add the container to the user search context attribute by using the Oracle Internet Directory Self-Service Console.

See Also: Oracle Fusion Middleware Guide to Delegated Administration for Oracle Identity Management for instructions about setting the user search context

16.2.8 Select the Group Search Base

The group search context is represented by a multivalued attribute that lists all the containers under which groups exist. Depending on your deployment, either set the group search context value to cover all group entries, or add the container to the group search context attribute by using the Oracle Internet Directory Self-Service Console.

See Also: Oracle Fusion Middleware Guide to Delegated Administration for Oracle Identity Management for instructions about setting the group search context

16.2.9 Decide How to Address Security Concerns

There are three main security concerns you need to consider:

■ Access policies—The user and group search bases should be appropriately protected from access by any malicious users.

■ Synchronization—You can configure the Oracle Directory Integration Platform to use SSL when connecting to Oracle Internet Directory and third-party directories. If you do this, then all information exchanged among the directory servers is secure.

■ Password synchronization—Depending on the configuration, passwords can be synchronized. For example, when Oracle Internet Directory is the central enterprise directory, password changes can be communicated to the connected directory. If passwords are to be synchronized, then Oracle recommends that you configure communication between the directories in SSL server authentication mode.

16.2.10 Administering Your Deployment with Oracle Access Manager

To use Oracle Access Manager to administer an Oracle Internet Directory deployment that synchronizes with a third-party directory, you must ensure that synchronized users are visible with Oracle Access Manager.

See Also: Oracle Access Manager Identity and Common Administration Guide for information about how to administer users in Oracle Access Manager

16.3 Microsoft Active Directory Integration Concepts

This section contains additional considerations for integrating Oracle Internet Directory with Microsoft Active Directory. It contains these topics:

■ Synchronizing from Microsoft Active Directory to Oracle Internet Directory

■ Requirement for Using WebDAV Protocol

■ Windows Native Authentication

■ Oracle Internet Directory Schema Elements for Microsoft Active Directory