About Realms in Oracle Internet Directory

16-10 Oracle Fusion Middleware Administrators Guide for Oracle Directory Integration Platform

Table 16–1 Cont. Typical Requirements with Oracle Internet Directory as the Central Enterprise Directory

Requirement / Description

Description (continued): New users or groups in Oracle Internet Directory can be automatically provisioned by the Oracle Directory Integration Platform. This automatic provisioning requires that:
■ The Oracle directory server is running with the change log enabled
■ The change log is not purged
If these two conditions are not met, then you must dump the entries in Oracle Internet Directory to an LDIF file and upload the data to the third-party directory.
See Also: The chapter on garbage collection in Oracle Fusion Middleware Administrators Guide for Oracle Internet Directory for information about purging the change log.

Requirement: Synchronization
Description: User and group information is managed in Oracle Internet Directory. Changes to that information are synchronized with the third-party directory by Oracle Directory Integration Platform when an export profile has been configured. Synchronization from the third-party directory into Oracle Internet Directory can be achieved by configuring an import profile.

Requirement: Passwords and password verifiers
Description: Passwords are managed in Oracle Internet Directory by using Oracle tools such as the Oracle Internet Directory Self-Service Console. Password changes are synchronized with the third-party directory by the Oracle Directory Integration Platform. However, before Oracle Directory Integration Platform can synchronize the password changes, password synchronization must be configured in the mapping rules. Because the password is securely managed, the communication for synchronizing passwords to the third-party directory must be over SSL. Run the Oracle Directory Integration Platform in server authentication mode with the proper certificate from the third-party directory. Be sure that the third-party directory is also enabled for SSL. If the Oracle environment requires a password verifier, then the password verifier is automatically generated when a new user entry is created or when a password is modified.

Requirement: Oracle Application Server Single Sign-On
Description: Users log in to the Oracle environment by using the OracleAS Single Sign-On Server. When called upon by the OracleAS Single Sign-On Server to authenticate a user, the Oracle directory server uses credentials available locally. No external authentication is involved. Users must log in only once to access various components in the Oracle environment.

Figure 16–3 shows a typical deployment in which Oracle Internet Directory is the central enterprise directory.

Figure 16–3 Interaction Among Components with Oracle Internet Directory as the Central Enterprise Directory

As Figure 16–3 on page 16-11 shows, when Oracle Internet Directory is the central enterprise directory, typical provisioning of a user or group follows this process:

1. The user or group entry is created in Oracle Internet Directory by using the Oracle Internet Directory Self-Service Console or command-line tools.
2. At the next scheduled interval, that entry creation event is read by the third-party directory connector in Oracle Directory Integration Platform.
3. Following the mapping information in the integration profile, the user or group attributes in Oracle Internet Directory are appropriately mapped to the corresponding user or group attributes as required by the schema in the third-party directory.
4. The user and group entry is created in the third-party directory.

A user entry is modified in Oracle Internet Directory when:
■ A new attribute gets added to the entry.
■ The value of an existing attribute is modified.
■ An existing attribute is deleted.
When Oracle Internet Directory is the central enterprise directory, the sequence of events during modification of a user or group entry is as follows:

1. The entry is modified by using the Oracle Internet Directory Self-Service Console or Oracle Enterprise Manager Fusion Middleware Control.
2. At the next scheduled interval, that entry modification event is read by the third-party directory connector in Oracle Directory Integration Platform.
3. Following the mapping information in the integration profile, the attribute in Oracle Internet Directory is appropriately mapped to the corresponding attribute in the connected directory.
4. The user entry is modified in the third-party directory.
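The provisioning and modification sequences above (steps 1 through 4 of each), together with the change log and SSL conditions from Table 16–1, are illustrated by this added Python example. It is not Oracle Directory Integration Platform code: the change records, change numbers, attribute mapping and target schema names are constructed sample data, and the gap check and SSL check are how this illustration models the "change log not purged" and "passwords only over SSL" requirements.

```python
# Added illustration, not Oracle DIP code; all records and names are constructed.
FIRST_AVAILABLE_CHANGE = 101   # oldest change number still in the change log

# Export-profile-style attribute mapping to an assumed target schema;
# attributes without a mapping are not exported.
ATTR_MAP = {"cn": "cn", "sn": "surname", "mail": "emailAddress", "userpassword": "userPassword"}

# Constructed change records: (changenumber, changetype, target DN, changes).
CHANGELOG = [
    (101, "add", "cn=jdoe,cn=users,dc=example,dc=com",
     {"cn": ["jdoe"], "sn": ["Doe"], "mail": ["jdoe@example.com"], "userpassword": ["s3cret"]}),
    (102, "modify", "cn=jdoe,cn=users,dc=example,dc=com",
     {"add": {"telephonenumber": ["555-0100"]},      # new attribute added
      "replace": {"mail": ["john.doe@example.com"]},  # existing value modified
      "delete": ["sn"]}),                             # existing attribute deleted
]

class ChangeLogGap(Exception):
    """Needed records were purged: dump OID to LDIF and reload the target instead."""

def map_attrs(attrs, ssl):
    """Rename attributes to the target schema; never forward a password without SSL."""
    mapped = {}
    for name, values in attrs.items():
        target = ATTR_MAP.get(name.lower())
        if target is None:
            continue
        if name.lower() == "userpassword" and not ssl:
            raise ValueError("password synchronization requires SSL")
        mapped[target] = list(values)
    return mapped

def synchronize(last_processed, ssl=True):
    """Replay records newer than last_processed into target operations (steps 2 to 4)."""
    if last_processed + 1 < FIRST_AVAILABLE_CHANGE:
        raise ChangeLogGap("change log purged since change %d" % last_processed)
    ops = []
    for number, ctype, dn, changes in CHANGELOG:
        if number <= last_processed:
            continue
        if ctype == "add":
            ops.append(("add", dn, map_attrs(changes, ssl)))
        elif ctype == "modify":
            mods = {k: map_attrs(changes.get(k, {}), ssl) for k in ("add", "replace")}
            mods["delete"] = [ATTR_MAP[a.lower()] for a in changes.get("delete", [])
                              if a.lower() in ATTR_MAP]
            ops.append(("modify", dn, mods))
        last_processed = number
    return last_processed, ops
```

A connector that lost track of changes below FIRST_AVAILABLE_CHANGE cannot catch up from the change log, which is why the example refuses to continue rather than silently skipping the purged records.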

16.2.2.2 Third-Party Directory as the Central Enterprise Directory

If a third-party directory is the central enterprise directory, then, once the user, group, and realm objects are created, the third-party directory becomes the source of provisioning information for all Oracle components and other directories. In this case, Oracle Internet Directory is deployed to support Oracle components. To provide this