
17-2 Oracle Fusion Middleware Administrator's Guide for Oracle Directory Integration Platform

… necessary privileges to all objects to be synchronized with Oracle Internet Directory, use the command-line ldapsearch utility to perform a subtree search, as follows:

    ORACLE_HOME/bin/ldapsearch -h directory_host -p directory_port \
      -b "DN_of_subtree" -s sub -D binddn "objectclass=*" -q

Note: You will be prompted for the password for the privileged directory user.

The results returned by the ldapsearch utility should include all objects of interest, including all attributes and values that will be synchronized.

See Also: Your third-party directory documentation for information on how to grant privileges to user accounts.

■ For Export Operations to a Third-Party Directory: Grant the user account the following privileges on the subtree root that is the parent of all the containers to which Oracle Directory Integration Platform will export users:
  – Write
  – Create all child objects
  – Delete all child objects

You must also ensure that Oracle Internet Directory is running with change logging enabled, and that the change log purge duration is set to a minimum of seven days.

See Also:
■ The Oracle Internet Directory server administration tools chapter of the Oracle Identity Management User Reference for instructions on how to start an Oracle directory server with change logging enabled
■ The orclPurgeTargetAge section of the Oracle Identity Management User Reference for instructions on how to set the change log purge duration

17.2 Creating Import and Export Synchronization Profiles Using expressSyncSetup

The expressSyncSetup command, located in the ORACLE_HOME/bin directory, allows you to perform the initial migration of data between a connected directory and Oracle Internet Directory for a synchronization profile.

Configuring Synchronization with a Third-Party Directory 17-3

17.2.1 Syntax for expressSyncSetup

    expressSyncSetup -h HOST -p PORT -D wlsuser -pf PROFILE \
      -conDirType CONNECTED_DIRECTORY_TYPE -conDirURL CONNECTED_DIRECTORY_URL \
      -conDirBindDN CONNECTED_DIRECTORY_BIND_DN -conDircontainer SYNC_CONTAINER \
      [-ssl -keystorePath PATH_TO_KEYSTORE -keystoreType TYPE] \
      [-enableProfiles {true | false}] [-help]

17.2.2 Arguments for expressSyncSetup

-h | -host
    Oracle WebLogic Server host where Oracle Directory Integration Platform is deployed.

-p | -port
    Listening port of the Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed.

-D | -wlsuser
    Oracle WebLogic Server login ID.

-pf | -profile
    Profile name. Specify the name of the profile in ASCII characters only, as non-ASCII characters are not supported in the profile name.

Notes:
■ Best security practice is to provide a password only in response to a prompt from the command.
■ You must set the WLS_HOME and ORACLE_HOME environment variables before executing any of the Oracle Directory Integration Platform commands.
■ The Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed must be configured for SSL to execute this command in SSL mode. Refer to the Configuring SSL chapter in Oracle Fusion Middleware Securing Oracle WebLogic Server for more information.

Note: You will be prompted for the Oracle WebLogic Server login password. You cannot provide the password as a command-line argument. Best security practice is to provide a password only in response to a prompt from the command. If you must execute expressSyncSetup from a script, you can redirect input from a file containing the Oracle WebLogic Server login password. Use file permissions to protect the file and delete it when it is no longer necessary. If you must provide more than one password to expressSyncSetup, put each on a separate line in the file, in the following order: connected directory bind DN password, then Oracle WebLogic Server login password.
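The note above describes running expressSyncSetup from a script by redirecting its input from a password file, protecting that file with permissions, and deleting it afterwards. The following POSIX shell script is an added example of that pattern; it is not Oracle's code and not part of the original guide. It assumes ORACLE_HOME is set, that the two passwords arrive in the environment variables CONDIR_BIND_PASSWORD and WLS_PASSWORD (placeholder names chosen here), and that the expressSyncSetup arguments are filled in with the page's own placeholders. The password file is written in the order the note gives: connected directory bind DN password first, then the Oracle WebLogic Server login password.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): feed a prompt-only command
# such as expressSyncSetup from a temporary, owner-only password file, and
# remove that file whether or not the command succeeds.

# Write the two passwords, one per line, in the order expressSyncSetup reads
# them (connected directory bind DN password, then WebLogic login password).
# mktemp creates the file with mode 0600; chmod makes that explicit.
# Prints the path of the created file.
write_password_file() {
    pwfile=$(mktemp "${TMPDIR:-/tmp}/syncpw.XXXXXX") || return 1
    chmod 600 "$pwfile" || { rm -f "$pwfile"; return 1; }
    printf '%s\n%s\n' "$1" "$2" > "$pwfile" || { rm -f "$pwfile"; return 1; }
    echo "$pwfile"
}

# Run a command with standard input redirected from the password file, then
# delete the file regardless of the outcome and return the command's status.
# Usage: run_with_password_file FILE CMD [ARGS...]
run_with_password_file() {
    pwfile=$1
    shift
    if "$@" < "$pwfile"; then
        status=0
    else
        status=$?
    fi
    rm -f "$pwfile"
    return $status
}

# Stand-alone usage (placeholder argument values taken from the syntax above).
# Guarded so that sourcing this file only defines the functions.
if [ "${RUN_SYNC_SETUP:-0}" = "1" ]; then
    f=$(write_password_file "$CONDIR_BIND_PASSWORD" "$WLS_PASSWORD") || exit 1
    run_with_password_file "$f" "$ORACLE_HOME/bin/expressSyncSetup" \
        -h HOST -p PORT -D wlsuser -pf PROFILE \
        -conDirType CONNECTED_DIRECTORY_TYPE -conDirURL CONNECTED_DIRECTORY_URL \
        -conDirBindDN CONNECTED_DIRECTORY_BIND_DN -conDircontainer SYNC_CONTAINER
fi
```

The command runs inside an `if` so that a failing expressSyncSetup still reaches the `rm -f`, even when the script is executed under `set -e`. Passing the passwords through environment variables rather than command-line arguments keeps them out of the process listing, which is the same reason the guide refuses a password argument.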