16-20 Oracle Fusion Middleware Administrators Guide for Oracle Directory Integration Platform ■ Integration with Multiple Microsoft Active Directory Domain Controllers ■ Synchronizing with a Multiple-Domain Microsoft Active Directory Environment ■ Foreign Security Principals

16.3.1 Synchronizing from Microsoft Active Directory to Oracle Internet Directory

To synchronize changes from Microsoft Active Directory to Oracle Internet Directory, Oracle Directory Integration Platform imports incremental changes made available by Microsoft Active Directory change tracking mechanisms. Oracle Directory Integration Platform supports the following two Microsoft Active Directory change tracking mechanisms: ■ The DirSync approach, which uses an LDAP control that is supported by Microsoft Active Directory ■ The USN-Changed approach, which uses an attribute of the entry In each approach, the directory from which changes are derived is queried at scheduled intervals by Microsoft Active Directory Connector. Each approach has advantages and disadvantages. Table 16–3 compares the two approaches. See Also: Chapter 18, Integrating with Microsoft Active Directory Table 16–3 Comparing the DirSync Approach to the USN-Changed Approach Considerations DirSync Approach USN-Changed Approach Change key Presents changes to the ObjectGUID, the unique identifier of the entry Presents changes to the distinguished name. The ObjectGUID is used to keep track of modifications of the DN. Error handling If synchronization stops as a result of an error condition, then, during the next cycle, all changes that are already applied are read and skipped. Does not require synchronization to be atomic. If synchronization stops, then the next synchronization cycle starts from the entry where the synchronization was interrupted. Information in the search results Changes consist of only the changed attributes and the new values. This can be quicker than the USN-Changed approach. All attributes of the changed entry are retrieved. The retrieved values are compared to the old values stored in Oracle Internet Directory and updated. This can be more time consuming than the DirSync approach. Changes to multivalued attributes Reflects incremental changes made to multivalued attributes as a complete replacement of the attribute value. Reflects incremental changes made to multivalued attributes as a complete replacement of the attribute value. How synchronization point is tracked When queried for changes in the directory, presents incremental changes based on a cookie value that identifies the state of the directory. The changes are queried in the directory based on the USNChanged attribute, which is a long integer, that is, 8 bytes. You can modify the value to adjust where to start the synchronization. Third-Party Directory Integration Concepts and Considerations 16-21

16.3.2 Requirement for Using WebDAV Protocol

If you are using the WebDAV protocol, you must configure your applications for SSL. Basic authentication is necessary because the only way for Oracle Internet Directory to authenticate the end user is to pass the plain text password to Active Directory for verification. When basic authentication is not present, digest authentication is used. But with digest authentication, Oracle Internet Directory does not have the plain text password to pass to Active Directory for verification, and therefore, end users cannot Required user privileges Requires the user to have the Replicate Changes privilege on the naming context of interest. This enables reading all objects and attributes in Microsoft Active Directory regardless of the access protections on them. See Also: The Microsoft Knowledge Base Article 303972 available at http:support.microsoft.com for instructions on how to assign privileges to Microsoft Active Directory users when using the DirSync approach. Apply to this context the instructions used for Microsoft Active Directory management agent in this article. Requires the Microsoft Active Directory user to have the privilege to read all required attributes to be synchronized to Oracle Internet Directory. See Also: Microsoft networking and directory documentation available in the Microsoft library at the following URL: http:msdn.microsoft.com for instructions about how to assign privileges to Microsoft Active Directory users when using the USN-Changed approach. Support of multiple domains Requires separate connections to different domain controllers to read changes made to the entries in different domains. Can obtain changes made to the multiple domains by connecting to the Global Catalog server. See Also: Synchronizing with a Multiple-Domain Microsoft Active Directory Environment on page 16-25 Synchronization from a replicated directory when switching to a different Microsoft Active Directory domain controller Synchronization can continue. The synchronization key is the same when connecting to a replicated environment. Requires: ■ Full synchronizing to a known point ■ Updating the USNChanged value ■ Starting synchronization with the failover directory See Also: Switching to a Different Microsoft Active Directory Domain Controller in the Same Domain on page 18-19 Synchronization scope Reads all changes in the directory, filters out changes to the required entries, and propagates to Oracle Internet Directory Enables synchronization of changes in any specific subtree Usability in an environment with multiple Microsoft Active Directory servers behind a load balancer - Either connect to a specific Microsoft Active Directory domain controller, or connect to a Global Catalog. Connect to Global Catalog if: ■ You are interested in import operations only ■ The Global Catalog contains all entries and attributes to be synchronized ■ Performance of the Global Catalog is acceptable See Also: Synchronizing from Oracle Internet Directory to a Connected Directory on page 5-3 Table 16–3 Cont. Comparing the DirSync Approach to the USN-Changed Approach Considerations DirSync Approach USN-Changed Approach