Advantages and Disadvantages of Storing the Password in One Directory

Third-Party Directory Integration Concepts and Considerations 16-19

the user search context attribute by using the Oracle Internet Directory Self-Service Console.

16.2.8 Select the Group Search Base

The group search context is represented by a multivalued attribute that lists all the containers under which groups exist. Depending on your deployment, either set the group search context value to cover all group entries, or add the container to the group search context attribute by using the Oracle Internet Directory Self-Service Console.

16.2.9 Decide How to Address Security Concerns

There are three main security concerns you need to consider:

■ Access policies—The user and group search bases should be appropriately protected from access by any malicious users.

■ Synchronization—You can configure the Oracle Directory Integration Platform to use SSL when connecting to Oracle Internet Directory and third-party directories. If you do this, then all information exchanged among the directory servers is secure.

■ Password synchronization—Depending on the configuration, passwords can be synchronized. For example, when Oracle Internet Directory is the central enterprise directory, password changes can be communicated to the connected directory. If passwords are to be synchronized, then Oracle recommends that you configure communication between the directories in SSL server authentication mode.

16.2.10 Administering Your Deployment with Oracle Access Manager

To use Oracle Access Manager to administer an Oracle Internet Directory deployment that synchronizes with a third-party directory, you must ensure that synchronized users are visible with Oracle Access Manager.

16.3 Microsoft Active Directory Integration Concepts

This section contains additional considerations for integrating Oracle Internet Directory with Microsoft Active Directory. It contains these topics:

■ Synchronizing from Microsoft Active Directory to Oracle Internet Directory

■ Requirement for Using WebDAV Protocol

■ Windows Native Authentication

■ Oracle Internet Directory Schema Elements for Microsoft Active Directory

■ Integration with Multiple Microsoft Active Directory Domain Controllers

■ Synchronizing with a Multiple-Domain Microsoft Active Directory Environment

■ Foreign Security Principals

See Also: Oracle Fusion Middleware Guide to Delegated Administration for Oracle Identity Management for instructions about setting the user search context

See Also: Oracle Fusion Middleware Guide to Delegated Administration for Oracle Identity Management for instructions about setting the group search context

See Also: Oracle Access Manager Identity and Common Administration Guide for information about how to administer users in Oracle Access Manager

16-20 Oracle Fusion Middleware Administrator's Guide for Oracle Directory Integration Platform

16.3.1 Synchronizing from Microsoft Active Directory to Oracle Internet Directory

To synchronize changes from Microsoft Active Directory to Oracle Internet Directory, Oracle Directory Integration Platform imports incremental changes made available by Microsoft Active Directory change tracking mechanisms. Oracle Directory Integration Platform supports the following two Microsoft Active Directory change tracking mechanisms:

■ The DirSync approach, which uses an LDAP control that is supported by Microsoft Active Directory

■ The USN-Changed approach, which uses an attribute of the entry

In each approach, the directory from which changes are derived is queried at scheduled intervals by Microsoft Active Directory Connector. Each approach has advantages and disadvantages. Table 16–3 compares the two approaches.

See Also: Chapter 18, Integrating with Microsoft Active Directory

Table 16–3 Comparing the DirSync Approach to the USN-Changed Approach

Change key
  DirSync approach: Presents changes to the ObjectGUID, the unique identifier of the entry.
  USN-Changed approach: Presents changes to the distinguished name. The ObjectGUID is used to keep track of modifications of the DN.

Error handling
  DirSync approach: If synchronization stops as a result of an error condition, then, during the next cycle, all changes that are already applied are read and skipped.
  USN-Changed approach: Does not require synchronization to be atomic. If synchronization stops, then the next synchronization cycle starts from the entry where the synchronization was interrupted.

Information in the search results
  DirSync approach: Changes consist of only the changed attributes and the new values. This can be quicker than the USN-Changed approach.
  USN-Changed approach: All attributes of the changed entry are retrieved. The retrieved values are compared to the old values stored in Oracle Internet Directory and updated. This can be more time consuming than the DirSync approach.

Changes to multivalued attributes
  DirSync approach: Reflects incremental changes made to multivalued attributes as a complete replacement of the attribute value.
  USN-Changed approach: Reflects incremental changes made to multivalued attributes as a complete replacement of the attribute value.

How synchronization point is tracked
  DirSync approach: When queried for changes in the directory, presents incremental changes based on a cookie value that identifies the state of the directory.
  USN-Changed approach: The changes are queried in the directory based on the USNChanged attribute, which is a long integer, that is, 8 bytes. You can modify the value to adjust where to start the synchronization.
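The following is an added example, not code from the Oracle Directory Integration Platform, that simulates the USN-Changed approach of Table 16–3 offline: entries above the last synchronized USN are retrieved with all their attributes, compared to the values held locally, multivalued attributes are replaced as a whole, and an interrupted cycle resumes at the entry where it stopped. The Active Directory entries and the local store are constructed sample data.

```python
# Constructed stand-in for Active Directory search results: DN -> (uSNChanged, attributes).
AD_ENTRIES = {
    "cn=alice,dc=example,dc=com": (1012, {"mail": ["alice@example.com"], "memberOf": ["cn=dev", "cn=ops"]}),
    "cn=bob,dc=example,dc=com": (1007, {"mail": ["bob@example.com"], "memberOf": ["cn=dev"]}),
    "cn=carol,dc=example,dc=com": (1020, {"mail": ["carol@example.com"], "memberOf": []}),
}


def search_changed(last_usn):
    """Emulate the query for entries whose uSNChanged is above the last
    synchronized value; all attributes of each changed entry are returned,
    in ascending uSNChanged order."""
    hits = [(usn, dn, attrs) for dn, (usn, attrs) in AD_ENTRIES.items() if usn > last_usn]
    return sorted(hits)


def diff_entry(old, new):
    """Compare retrieved values with the values already stored locally.
    A multivalued attribute that differs is replaced completely, not patched."""
    return {attr: vals for attr, vals in new.items() if old.get(attr) != vals}


def usn_changed_sync(oid_store, last_usn, fail_on=None):
    """Run one synchronization cycle and return (new_last_usn, applied_changes).

    'oid_store' stands in for the attribute values held in Oracle Internet
    Directory. 'fail_on' simulates an error while applying one entry: the
    cycle stops there and the returned USN still points at the previous
    entry, so the next cycle resumes at the interrupted entry."""
    applied = {}
    for usn, dn, attrs in search_changed(last_usn):
        if dn == fail_on:
            break
        changes = diff_entry(oid_store.get(dn, {}), attrs)
        if changes:
            oid_store.setdefault(dn, {}).update(changes)
            applied[dn] = changes
        last_usn = usn  # advance the high-water mark one entry at a time
    return last_usn, applied
```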