
16-26 Oracle Fusion Middleware Administrator's Guide for Oracle Directory Integration Platform

■ Configuration Required for Importing from Microsoft Active Directory to Oracle Internet Directory
■ Configuration Required for Importing from Microsoft Active Directory Lightweight Directory Service to Oracle Internet Directory
■ Configuration Required for Exporting from Oracle Internet Directory to Microsoft Active Directory
■ Example: Integration with Multiple Third-Party Directory Domains

16.3.6.1 Configuration Required for Importing from Microsoft Active Directory to Oracle Internet Directory

Normally, importing requires configuring one import profile for each Microsoft Active Directory domain, regardless of whether you are using the DirSync approach or the USN-Changed approach. However, if you are using the USN-Changed approach, you can use the Global Catalog to import from an entire Microsoft Active Directory forest. You need to configure only a single import profile to use the Global Catalog, but keep in mind the following considerations:

■ Because the Global Catalog is read-only, you can use it only for importing data into Oracle Internet Directory.
■ The Global Catalog does not contain all attributes, although the set of attributes it holds can be configured in Microsoft Active Directory.
■ Because the Global Catalog is a point of authentication, you may incur additional overhead if synchronization is started from this point.

16.3.6.2 Configuration Required for Importing from Microsoft Active Directory Lightweight Directory Service to Oracle Internet Directory

Unlike synchronization from Microsoft Active Directory, synchronization from Microsoft Active Directory Lightweight Directory Service (AD LDS), previously known as Active Directory Application Mode (ADAM), to Oracle Internet Directory uses only the USN-Changed approach.

To import entries from Microsoft AD LDS to Oracle Internet Directory, you must configure an import profile that connects to Microsoft AD LDS with the respective port details.

16.3.6.3 Configuration Required for Exporting from Oracle Internet Directory to Microsoft Active Directory

To integrate with multiple-domain Microsoft Active Directory environments, Oracle Directory Integration Platform obtains configuration information from each Microsoft Active Directory domain. You must configure as many export profiles as there are Microsoft Active Directory domains.

16.3.6.4 Example: Integration with Multiple Third-Party Directory Domains

A deployment of a third-party directory with multiple domains can have either a single DIT or a combination of two or more DITs. Figure 16–7 shows how multiple domains in a third-party directory are mapped to a DIT in Oracle Internet Directory.

See Also: Microsoft Knowledge Base Article 256938, available from Microsoft Help and Support at http://support.microsoft.com, for information about Global Catalog attributes in the Microsoft Active Directory schema.

Figure 16–7 Example of a Mapping Between Oracle Internet Directory and Multiple Domains in Microsoft Active Directory

In Figure 16–7, the third-party directory environment has a parent and two children. The first child domain, a.us.MyCompany.com, maps to dc=a,dc=us,dc=MyCompany,dc=com in Oracle Internet Directory. The second child domain, b.us.MyCompany.com, maps to dc=b,dc=us,dc=MyCompany,dc=com in Oracle Internet Directory. The common domain component in the third-party directory environment, us.MyCompany.com, maps to the default identity management realm in Oracle Internet Directory, in this case dc=us,dc=MyCompany,dc=com.
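The following is an added example, not code from the Oracle guide or from Oracle Directory Integration Platform. It generalizes the mapping Figure 16–7 illustrates: each Active Directory DNS domain becomes a dc= subtree, the parent domain shared by all of them becomes the default identity management realm, and, because the guide requires one export profile per domain, the domain count doubles as the number of export profiles to configure. The function names (domain_to_dn, common_parent_domain, dn_in_realm, plan_mapping) are this example's own; the realm-containment check compares whole RDNs rather than string suffixes, and the label validation is an added safeguard so that a malformed domain name cannot introduce extra RDNs into the generated DN.

```python
# Added example, not from the Oracle guide: the domain-to-DN mapping that
# Figure 16-7 illustrates, generalized to any set of Active Directory domains,
# plus a realm-containment check done on RDN boundaries. Function names are
# this example's own, not Oracle Directory Integration Platform APIs.
from typing import Dict, List


def domain_to_dn(domain: str) -> str:
    """Map a DNS domain such as a.us.MyCompany.com to dc=a,dc=us,dc=MyCompany,dc=com.

    Each DNS label becomes one dc= RDN, in the same order, because both DNS
    names and DNs list the most specific component first. Labels are limited
    to letters, digits and hyphens so a value like "a,dc=other" cannot smuggle
    extra RDNs into the resulting DN.
    """
    labels = domain.strip().rstrip(".").split(".")
    if not labels or any(lbl == "" for lbl in labels):
        raise ValueError(f"malformed domain name: {domain!r}")
    for lbl in labels:
        if not all(ch.isalnum() or ch == "-" for ch in lbl):
            raise ValueError(f"invalid DNS label {lbl!r} in {domain!r}")
    return ",".join(f"dc={lbl}" for lbl in labels)


def common_parent_domain(domains: List[str]) -> str:
    """Return the longest parent domain shared by all domains (us.MyCompany.com in Figure 16-7).

    Labels are compared case-insensitively, as DNS does, while the spelling of
    the first domain is kept in the result.
    """
    if not domains:
        raise ValueError("no domains given")
    reversed_labels = [list(reversed(d.strip().rstrip(".").split("."))) for d in domains]
    shared: List[str] = []
    # Walk from the top-level label leftwards while every domain agrees.
    for pos in range(min(len(r) for r in reversed_labels)):
        column = [r[pos] for r in reversed_labels]
        if len({lbl.lower() for lbl in column}) != 1:
            break
        shared.append(column[0])
    if not shared:
        raise ValueError("domains share no common parent domain")
    return ".".join(reversed(shared))


def dn_in_realm(dn: str, realm_dn: str) -> bool:
    """True if dn equals realm_dn or lies beneath it in the DIT.

    The comparison is made on whole RDNs, so dc=xus,dc=MyCompany,dc=com is not
    treated as lying under dc=us,dc=MyCompany,dc=com, which a plain string
    endswith() check would wrongly accept.
    """
    dn_parts = [p.strip().lower() for p in dn.split(",")]
    realm_parts = [p.strip().lower() for p in realm_dn.split(",")]
    return len(dn_parts) >= len(realm_parts) and dn_parts[-len(realm_parts):] == realm_parts


def plan_mapping(domains: List[str]) -> Dict[str, object]:
    """Build a Figure 16-7 style mapping for a set of Active Directory domains.

    The common parent domain becomes the default identity management realm, and
    each domain maps to its own dc= subtree. The number of domains is also the
    number of export profiles required, since the guide calls for one export
    profile per Active Directory domain.
    """
    realm = common_parent_domain(domains)
    realm_dn = domain_to_dn(realm)
    mapping = {d: domain_to_dn(d) for d in domains}
    for d, dn in mapping.items():
        if not dn_in_realm(dn, realm_dn):
            raise ValueError(f"{d} maps to {dn}, which is outside realm {realm_dn}")
    return {
        "realm": realm,
        "realm_dn": realm_dn,
        "domains": mapping,
        "export_profiles": len(mapping),
    }


if __name__ == "__main__":
    # The two child domains from Figure 16-7.
    plan = plan_mapping(["a.us.MyCompany.com", "b.us.MyCompany.com"])
    print("default realm:", plan["realm_dn"])
    for domain, dn in plan["domains"].items():
        print(f"{domain} -> {dn}")
    print("export profiles required:", plan["export_profiles"])
```

Run with the two Figure 16–7 domains, the script reports dc=us,dc=MyCompany,dc=com as the default realm, one dc= subtree per child domain, and two export profiles. The RDN-boundary comparison in dn_in_realm matters when the mapping is used to decide which entries a profile may touch: a suffix check on the raw DN string would accept any domain whose last label merely ends in "us".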

16.3.7 Foreign Security Principals

A Microsoft Active Directory user or computer account represents a physical entity such as a computer or person. User accounts and computer accounts, as well as groups, are called security principals. Security principals are directory objects that are automatically assigned security identifiers. Objects with security identifiers can log on to the network and access domain resources. A user or computer account is used to:

■ Authenticate the identity of the user or computer
■ Authorize or deny access to domain resources
■ Administer other security principals
■ Audit actions performed using the user or computer account

For example, the user and computer accounts that are members of the Enterprise Administrators group are automatically granted permission to log on at all of the domain controllers in the forest. User and computer accounts are added, disabled, reset, and deleted by using Microsoft Active Directory Users and Computers.

In a trust relationship in Microsoft Active Directory, users in one domain are authenticated by a domain controller in another domain. The trust relationship can be transitive or nontransitive.

■ In a transitive trust relationship, the trust relationship extended to one domain is automatically extended to all other domains that trust that domain. For example, suppose you have three domains: A, B, and C, in which both B and C are in a direct