
Oracle Fusion Middleware Administrator's Guide for Oracle Directory Integration Platform

Table 16–7 (Cont.) Oracle Internet Directory Schema Elements for OpenLDAP

Schema Element              Description
orclsourceCreateTimestamp   Required. Represents the createtimestamp attribute of the respective entry in
                            OpenLDAP. This value is used in synchronization of deleted entries.
orclopenldapobject          Represents the OpenLDAP object.

See Also: Oracle Fusion Middleware User Reference for Oracle Identity Management for detailed information about the Oracle Internet Directory schema elements for OpenLDAP.

16.7 Limitations of Third-Party Integration in Oracle Directory Integration Platform 11g Release 1 (11.1.1)

Oracle Directory Integration Platform 11g Release 1 (11.1.1) does not support the synchronization of the schema and ACLs. You can use the schemasync tool to identify differences in schema, specifically attributes and object classes, between Oracle Internet Directory and connected directories. After identifying the differences, you can use the schemasync tool to synchronize the schema.

See Also: The Oracle Fusion Middleware User Reference for Oracle Identity Management for more information about the schemasync tool.

17 Configuring Synchronization with a Third-Party Directory

This chapter contains generic instructions for synchronizing Oracle Internet Directory with a third-party directory. It contains these topics:
■ Verifying Synchronization Requirements
■ Creating Import and Export Synchronization Profiles Using expressSyncSetup
■ Configuring Advanced Integration Options
■ Writing Custom Synchronization Connectors

Note: This chapter assumes that you are familiar with Chapter 16, "Third-Party Directory Integration Concepts and Considerations".

See Also: The following chapters for step-by-step instructions about configuring integration between Oracle Internet Directory and a specific third-party directory:
■ Chapter 18, "Integrating with Microsoft Active Directory"
■ Chapter 20, "Integrating with Oracle Directory Server Enterprise Edition (Sun Java System Directory Server)"
■ Chapter 21, "Integrating with IBM Tivoli Directory Server"
■ Chapter 22, "Integrating with Novell eDirectory or OpenLDAP"

17.1 Verifying Synchronization Requirements

To prepare for synchronization between Oracle Internet Directory and a third-party directory:

1. Verify that Oracle Internet Directory and your third-party directory are running.

2. Create a user account in the third-party directory with sufficient privileges to read and write the relevant entries in the containers that will be synchronized. If the directory supports tombstones, the account should also have sufficient privileges to read tombstone entries.

■ For Import Operations from a Third-Party Directory: Grant the user account read access privileges to the subtree root. The user account must be able to read all objects under the source container subtree root in the third-party directory that are to be synchronized with the Oracle Directory Integration Platform. To verify whether a third-party directory user account has the necessary privileges to all objects to be synchronized with Oracle Internet Directory, use the command-line ldapsearch utility to perform a subtree search, as follows:

   ORACLE_HOME/bin/ldapsearch -h directory_host -p directory_port \
     -b "DN of subtree" -s sub -D binddn "objectclass=*" -q

   Note: You will be prompted for the password for the privileged directory user.

   The results returned by the ldapsearch utility should include all objects of interest, including all attributes and values that will be synchronized.

■ For Export Operations to a Third-Party Directory: Grant the user account the following privileges to the subtree root that is the parent of all the containers to which the Oracle Directory Integration Platform will export users:
  – Write
  – Create all child objects
  – Delete all child objects

See Also: Your third-party directory documentation for information on how to grant privileges to user accounts.

You must also ensure that Oracle Internet Directory is running with change logging enabled, and that the change log purge duration is set to a minimum of seven days.

See Also:
■ The Oracle Internet Directory server administration tools chapter of the Oracle Identity Management User Reference for instructions on how to start an Oracle directory server with change logging enabled
■ The orclPurgeTargetAge section of the Oracle Identity Management User Reference for instructions on how to set the change log purge duration

17.2 Creating Import and Export Synchronization Profiles Using expressSyncSetup

The expressSyncSetup command, located in the ORACLE_HOME/bin directory, allows you to perform the initial migration of data between a connected directory and Oracle Internet Directory for a synchronization profile.
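As an added example (not code from the Oracle guide), a small Python check for the import-side privilege verification in 17.1: it parses the LDIF that ldapsearch prints and reports every expected entry the bind account could not read and every entry lacking an attribute the profile needs, such as createTimestamp, which feeds orclsourceCreateTimestamp for OpenLDAP. The sample output, the DNs and the attribute list are constructed for the demonstration.

```python
import base64

def parse_ldif(text: str) -> dict:
    """Parse ldapsearch LDIF output into {dn: {attr: [values]}} (folded lines, '::' base64)."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]            # RFC 2849 continuation line
        else:
            unfolded.append(raw)
    entries, dn, attrs = {}, None, {}
    for line in unfolded + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries[dn] = attrs
            dn, attrs = None, {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            value = (base64.b64decode(value[1:].strip()).decode()
                     if value.startswith(":") else value.strip())
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
    return entries

def check_import_visibility(ldif_text: str, expected_dns: list, required_attrs: list) -> tuple:
    """Return (expected DNs absent from the result, {dn: required attributes missing}).
    Absent DN: the bind account cannot read it; missing attribute: no read access to it."""
    seen = {d.lower(): a for d, a in parse_ldif(ldif_text).items()}
    missing_dns = [d for d in expected_dns if d.lower() not in seen]
    missing_attrs = {}
    for d in expected_dns:
        if d.lower() in seen:
            gaps = [a for a in required_attrs if a.lower() not in seen[d.lower()]]
            if gaps:
                missing_attrs[d] = gaps
    return missing_dns, missing_attrs

# Constructed sample ldapsearch output (not from a real directory): carol is not visible, bob lacks createTimestamp.
SAMPLE_LDIF = """\
dn: cn=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
createTimestamp: 20240102000000Z

dn: cn=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
cn:: Ym9i
"""
EXPECTED_DNS = ["cn=alice,ou=people,dc=example,dc=com", "cn=bob,ou=people,dc=example,dc=com",
                "cn=carol,ou=people,dc=example,dc=com"]
```

Run the real ldapsearch command from 17.1 with its output redirected to a file, then feed that file to check_import_visibility with the DNs and attributes your profile maps; an empty result means the account sees everything the profile needs.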