Understanding Windows Native Authentication

Third-Party Directory Integration Concepts and Considerations 16-27

Figure 16–7 Example of a Mapping Between Oracle Internet Directory and Multiple Domains in Microsoft Active Directory

In Figure 16–7, the third-party directory environment has a parent and two children. The first child domain, a.us.MyCompany.com, maps to dc=a,dc=us,dc=MyCompany,dc=com in Oracle Internet Directory. The second child domain, b.us.MyCompany.com, maps to dc=b,dc=us,dc=MyCompany,dc=com in Oracle Internet Directory. The common domain component in the third-party directory environment, us.MyCompany.com, maps to the default identity management realm in Oracle Internet Directory, in this case dc=us,dc=MyCompany,dc=com. Each DNS label of a domain name becomes one dc= component of the DN, most specific label first, so the naming context of every child domain lies beneath the realm DN.
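The domain-to-DN mapping in Figure 16–7 generalizes to any set of domains in a forest: the DN is the dc= form of the DNS labels, and the default realm is the dc= form of the longest suffix the domains share. The following Python is an added example, not Oracle Directory Integration Platform code; the domain names are those of the figure, the function names are illustrative, and the realm check is included so that a realm configured by hand can be validated against the domains it is supposed to cover.

```python
"""Map Active Directory DNS domain names to Oracle Internet Directory DNs and
derive the default identity management realm shared by several domains.

Added example (not Oracle DIP code); domain names follow Figure 16-7."""


def domain_to_dn(domain):
    """'a.us.MyCompany.com' -> 'dc=a,dc=us,dc=MyCompany,dc=com'.
    One dc= component per DNS label, most specific label first."""
    labels = [label for label in domain.strip(".").split(".") if label]
    if not labels:
        raise ValueError(f"not a domain name: {domain!r}")
    return ",".join(f"dc={label}" for label in labels)


def default_realm_dn(domains):
    """DN of the longest domain suffix common to all domains, the natural
    choice for the default realm.  Labels compare case-insensitively (as DNS
    names and dc= values do); the spelling of the first domain is kept."""
    if not domains:
        raise ValueError("no domains given")
    reversed_labels = [list(reversed(d.strip(".").split("."))) for d in domains]
    common = []
    for position in zip(*reversed_labels):          # walk from the TLD inwards
        if all(label.lower() == position[0].lower() for label in position):
            common.append(position[0])
        else:
            break
    if not common:
        raise ValueError("domains share no common suffix; no single realm covers them")
    return ",".join(f"dc={label}" for label in reversed(common))


def dn_within_realm(dn, realm_dn):
    """True when dn is the realm itself or lies beneath it (case-insensitive)."""
    dn, realm_dn = dn.lower(), realm_dn.lower()
    return dn == realm_dn or dn.endswith("," + realm_dn)


# Constructed forest mirroring Figure 16-7.
FOREST_DOMAINS = ["a.us.MyCompany.com", "b.us.MyCompany.com", "us.MyCompany.com"]


def mapping_table(domains=FOREST_DOMAINS, realm_dn=None):
    """Return (realm_dn, {domain: dn}).  If realm_dn is given (a realm chosen
    by the operator) every mapped DN is checked to lie within it, so a realm
    that does not cover the forest is caught before a profile is configured."""
    realm = realm_dn or default_realm_dn(domains)
    table = {}
    for domain in domains:
        dn = domain_to_dn(domain)
        if not dn_within_realm(dn, realm):
            raise ValueError(f"{dn} is outside the realm {realm}")
        table[domain] = dn
    return realm, table


if __name__ == "__main__":
    realm, table = mapping_table()
    print("realm:", realm)
    for domain, dn in table.items():
        print(f"{domain:24} -> {dn}")
```

Passing a hand-picked realm such as dc=emea,dc=MyCompany,dc=com to `mapping_table` raises, which is the failure you want at configuration time rather than after the first synchronization run has created entries outside the realm.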

[Figure 16–7 diagram: on the Oracle Internet Directory side, [Root DSE] > dc=com > dc=MyCompany > dc=us > dc=a and dc=b, each with a users container; on the Microsoft Active Directory side, us.MyCompany.com with child domains a.us.MyCompany.com and b.us.MyCompany.com, each with users]

16-28 Oracle Fusion Middleware Administrator's Guide for Oracle Directory Integration Platform

16.3.7 Foreign Security Principals

A Microsoft Active Directory user or computer account represents a physical entity such as a computer or person. User accounts and computer accounts, as well as groups, are called security principals. Security principals are directory objects that are automatically assigned security identifiers (SIDs) when they are created. Objects with security identifiers can log on to the network and access domain resources. A user or computer account is used to:

■ Authenticate the identity of the user or computer
■ Authorize or deny access to domain resources
■ Administer other security principals
■ Audit actions performed using the user or computer account

For example, the user and computer accounts that are members of the Enterprise Admins group are automatically granted permission to log on at all of the domain controllers in the forest. User and computer accounts are added, disabled, reset, and deleted by using Microsoft Active Directory Users and Computers.

In a trust relationship in Microsoft Active Directory, users in one domain (the trusted domain) can be granted access to resources in another domain (the trusting domain); the trusting domain relies on a domain controller in the user's own domain to authenticate the user. The trust relationship can be transitive or non-transitive.

■ In a transitive trust relationship, the trust extended to one domain is automatically extended to all other domains that trust that domain. For example, suppose you have three domains, A, B, and C, in which both B and C are in a direct trust relationship with A. In this scenario, B and C also trust each other. This is because, although they are not in a direct trust relationship with each other, they are each in a direct trust relationship with A.
■ In a non-transitive trust relationship, the trust is bound to the two domains in the trust relationship; it does not flow to any other domains in the forest.

When a trust is established between a Windows 2000 domain in a particular forest and a Windows 2000 domain outside of that forest, security principals from the external domain can be granted access to resources in the forest. A security principal from an external domain is called a foreign security principal and is represented in Microsoft Active Directory as a foreign security principal object. These foreign security principals can become members of domain local groups, which can have members from domains outside of the forest.

Foreign security principals are used when there is a non-transitive (external) trust between two domains in a Microsoft Active Directory environment. When one domain recognizes a foreign security principal from the other domain, it creates a placeholder entry for that entity in its own directory, in the ForeignSecurityPrincipals container of the trusting domain. The RDN of that placeholder entry is the SID of the original entry in the trusted domain. In the case of groups, the member values hold the DNs of these placeholder entries, not the DNs of the original entries in the trusted domain. This can create a problem when such groups are synchronized with Oracle Internet Directory: a member value names a SID-labelled object in the trusting domain rather than a user entry that Oracle Internet Directory has synchronized, so the membership cannot be mapped to a user unless the SID is first resolved back to its entry in the trusted domain.

16.4 Oracle Directory Server Enterprise Edition (Sun Java System Directory Server) Integration Concepts

This section contains additional considerations for integrating Oracle Internet Directory with Oracle Directory Server Enterprise Edition (previously Sun Java System Directory Server).
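For the trust and foreign security principal discussion in Section 16.3.7 above, the following Python is an added example, not Oracle or Microsoft code. It computes which domains a given domain trusts (a direct trust always counts, a multi-hop path counts only when every trust on it is transitive), classifies each member value of a group, and resolves a foreign security principal member through its SID only when the issuing domain is actually trusted, reporting everything it cannot map instead of passing a dangling DN on to Oracle Internet Directory. The trust topology, domain SIDs, member DNs and the SID-to-DN lookup table are constructed for the example; in practice the lookup is an LDAP search by objectSid in the trusted domain.

```python
"""Pre-check an Active Directory group for foreign security principals (FSPs)
before synchronizing it to Oracle Internet Directory.

Added example, not Oracle DIP or Microsoft code.  Trust topology, domain SIDs,
DNs and the SID-to-DN table are constructed; the table stands in for a lookup
in the trusted domain."""
import re
from collections import deque

# (trusting domain, trusted domain, transitive?).  Two-way transitive trusts
# inside the forest plus one non-transitive external trust from a.us to a partner.
TRUSTS = [
    ("us.MyCompany.com", "a.us.MyCompany.com", True),
    ("a.us.MyCompany.com", "us.MyCompany.com", True),
    ("us.MyCompany.com", "b.us.MyCompany.com", True),
    ("b.us.MyCompany.com", "us.MyCompany.com", True),
    ("a.us.MyCompany.com", "partner.example", False),
]


def trusted_domains(trusting, trusts=TRUSTS):
    """Domains whose principals `trusting` accepts.  A direct trust always
    counts; a multi-hop path counts only if every edge on it is transitive."""
    edges = {}
    for src, dst, transitive in trusts:
        edges.setdefault(src, []).append((dst, transitive))
    reachable, expanded = set(), set()
    queue = deque([(trusting, False)])   # (domain, must the next edge be transitive?)
    while queue:
        node, strict = queue.popleft()
        for dst, transitive in edges.get(node, []):
            if dst == trusting or (strict and not transitive):
                continue
            reachable.add(dst)
            if transitive and dst not in expanded:   # only transitive edges extend the path
                expanded.add(dst)
                queue.append((dst, True))
    return reachable


# Constructed domain SIDs (the S-1-5-21-x-y-z prefix shared by a domain's accounts).
DOMAIN_SIDS = {
    "S-1-5-21-2000000001-2000000002-2000000003": "partner.example",
    "S-1-5-21-3000000001-3000000002-3000000003": "untrusted.example",
}
# Constructed objectSid -> DN answers, standing in for a search in the trusted domain.
SID_TO_DN = {
    "S-1-5-21-2000000001-2000000002-2000000003-1201": "CN=Vendor Svc,CN=Users,DC=partner,DC=example",
}
DOMAIN_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_dn(dn):
    """Split a DN on unescaped commas into (rdn, parent)."""
    parts = [p.strip() for p in re.split(r"(?<!\\),", dn)]
    return parts[0], ",".join(parts[1:])


def classify_member(member_dn):
    """('fsp', sid) when the member DN points into the ForeignSecurityPrincipals
    container, whose RDN is the principal's SID; otherwise ('user', dn)."""
    rdn, parent = split_dn(member_dn)
    if parent.lower().startswith("cn=foreignsecurityprincipals,") and rdn.upper().startswith("CN=S-1-"):
        return "fsp", rdn[3:]
    return "user", member_dn


def resolve_group_members(group_domain, members, trusts=TRUSTS):
    """Replace FSP member values by the DN of the real entry in the trusted
    domain.  Returns {'members': [DNs to synchronize], 'skipped': {sid: reason}}
    so that nothing is dropped silently."""
    trusted = trusted_domains(group_domain, trusts)
    result = {"members": [], "skipped": {}}
    for dn in members:
        kind, value = classify_member(dn)
        if kind == "user":
            result["members"].append(value)
            continue
        match = DOMAIN_SID_RE.match(value)
        if not match:   # e.g. S-1-5-11 (Authenticated Users): no user entry behind it
            result["skipped"][value] = "well-known or non-domain SID"
            continue
        domain = DOMAIN_SIDS.get(match.group(1))
        if domain is None or domain not in trusted:   # stale FSP or removed trust
            result["skipped"][value] = f"issuing domain {domain or 'unknown'} is not trusted by {group_domain}"
            continue
        resolved = SID_TO_DN.get(value)
        if resolved is None:
            result["skipped"][value] = f"SID not found in {domain}"
            continue
        result["members"].append(resolved)
    return result


# Constructed domain local group in a.us.MyCompany.com.
SAMPLE_GROUP_MEMBERS = [
    "CN=Local User,CN=Users,DC=a,DC=us,DC=MyCompany,DC=com",
    "CN=S-1-5-21-2000000001-2000000002-2000000003-1201,CN=ForeignSecurityPrincipals,DC=a,DC=us,DC=MyCompany,DC=com",
    "CN=S-1-5-21-3000000001-3000000002-3000000003-1500,CN=ForeignSecurityPrincipals,DC=a,DC=us,DC=MyCompany,DC=com",
    "CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=a,DC=us,DC=MyCompany,DC=com",
]

if __name__ == "__main__":
    for key, value in resolve_group_members("a.us.MyCompany.com", SAMPLE_GROUP_MEMBERS).items():
        print(key, value)
```

The skipped list is the useful output: a well-known SID such as S-1-5-11 is expected and can be ignored, but an FSP whose issuing domain is no longer trusted is a stale placeholder left behind after a trust was removed, and a SID that the trusted domain cannot resolve points at a deleted account; neither should become a member value in Oracle Internet Directory.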
It contains these topics:

■ Synchronizing from Oracle Directory Server Enterprise Edition (Sun Java System Directory Server) to Oracle Directory Integration Platform
■ Oracle Internet Directory Schema Elements for Oracle Directory Server Enterprise Edition (Sun Java System Directory Server)

16.4.1 Synchronizing from Oracle Directory Server Enterprise Edition (Sun Java System Directory Server) to Oracle Directory Integration Platform

Oracle Directory Server Enterprise Edition (previously Sun Java System Directory Server) maintains a change log in which it stores incremental changes made to directory objects. Synchronization from Oracle Directory Server Enterprise Edition to Oracle Internet Directory makes use of this change log, so only the changes recorded since the last synchronization need to be read and applied.

See Also: Chapter 20, "Integrating with Oracle Directory Server Enterprise Edition (Sun Java System Directory Server)"
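The change-log-driven synchronization described above, as an added example that is not Oracle Directory Integration Platform code: the entries below are shaped like the retro change log that Oracle Directory Server Enterprise Edition exposes under cn=changelog (changeNumber, targetDn, changeType and an LDIF-style changes value), but the DNs, attribute values and change numbers are constructed. The target directory is an in-memory dict, and the checkpoint of the last applied change number is the assumption that makes a rerun idempotent; a real profile would persist that number.

```python
"""Apply DSEE change log entries to a target directory incrementally, resuming
from a checkpoint of the last applied change number.

Added example, not Oracle DIP code.  Entries mimic the retro change log under
cn=changelog; all DNs, values and numbers are constructed."""

# Constructed change log entries, as an LDAP search of cn=changelog would return them.
SAMPLE_CHANGELOG = [
    {"changeNumber": 101, "targetDn": "uid=jdoe,ou=People,dc=us,dc=MyCompany,dc=com",
     "changeType": "add",
     "changes": "objectClass: inetOrgPerson\nuid: jdoe\ncn: Jane Doe\nsn: Doe\n"},
    {"changeNumber": 102, "targetDn": "uid=jdoe,ou=People,dc=us,dc=MyCompany,dc=com",
     "changeType": "modify",
     "changes": "replace: mail\nmail: jdoe@MyCompany.com\n-\nadd: telephoneNumber\ntelephoneNumber: +1 555 0100\n-\n"},
    {"changeNumber": 103, "targetDn": "uid=old,ou=People,dc=us,dc=MyCompany,dc=com",
     "changeType": "delete", "changes": ""},
]


def parse_attr_lines(text):
    """Parse 'attr: value' lines (the changes value of an add) into attr -> [values]."""
    attrs = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def parse_modify(text):
    """Parse LDIF modify syntax ('replace: attr', values, '-') into (op, attr, values) tuples."""
    ops, op, attr, values = [], None, None, []
    for line in text.splitlines():
        if line == "-":
            ops.append((op, attr, values))
            op, attr, values = None, None, []
        elif op is None:
            op, _, attr = line.partition(":")
            attr = attr.strip()
        elif line.strip():
            name, _, value = line.partition(":")
            if name.strip().lower() != attr.lower():
                raise ValueError(f"value for {name.strip()!r} inside {op} {attr} block")
            values.append(value.strip())
    if op is not None:   # tolerate a missing trailing '-'
        ops.append((op, attr, values))
    return ops


def apply_change(entry, directory):
    """Apply one change log entry to `directory` (normalized DN -> attrs dict)."""
    dn = entry["targetDn"].lower()   # DN matching is case-insensitive; normalize the key
    ctype = entry["changeType"]
    if ctype == "add":
        if dn in directory:
            raise ValueError(f"add for existing entry {entry['targetDn']}")
        directory[dn] = parse_attr_lines(entry["changes"])
    elif ctype == "delete":
        directory.pop(dn, None)   # deleting an already-absent entry is harmless
    elif ctype == "modify":
        if dn not in directory:
            raise ValueError(f"modify for unknown entry {entry['targetDn']}")
        attrs = directory[dn]
        for op, attr, values in parse_modify(entry["changes"]):
            if op == "replace":
                attrs[attr] = list(values)
            elif op == "add":
                attrs.setdefault(attr, []).extend(values)
            elif op == "delete":
                if values:
                    attrs[attr] = [v for v in attrs.get(attr, []) if v not in values]
                else:
                    attrs.pop(attr, None)
            else:
                raise ValueError(f"unknown modify operation {op!r}")
    else:
        raise ValueError(f"unsupported changeType {ctype!r}")


def sync_from_changelog(entries, directory, last_applied):
    """Apply entries with changeNumber > last_applied in ascending order and
    return the new checkpoint.  Rerunning with that checkpoint applies nothing."""
    for entry in sorted(entries, key=lambda e: int(e["changeNumber"])):
        number = int(entry["changeNumber"])
        if number <= last_applied:
            continue
        apply_change(entry, directory)
        last_applied = number
    return last_applied


if __name__ == "__main__":
    target = {"uid=old,ou=people,dc=us,dc=mycompany,dc=com": {"uid": ["old"]}}
    checkpoint = sync_from_changelog(SAMPLE_CHANGELOG, target, last_applied=100)
    print("checkpoint:", checkpoint)
    for dn, attrs in target.items():
        print(dn, attrs)
```

Applying changes strictly in change-number order and advancing the checkpoint only after each one succeeds is what keeps an interrupted run safe: on restart the add of uid=jdoe is not replayed (it would fail as a duplicate), and the modify is never applied to an entry that does not exist yet.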