19-24 Oracle Fusion Middleware Administrators Guide for Oracle Directory Integration Platform
20 Integrating with Oracle Directory Server Enterprise Edition (Sun Java System Directory Server)

This chapter outlines the procedures for integrating Oracle Identity Management with Oracle Directory Server Enterprise Edition (previously known as Sun Java System Directory Server and, before that, SunONE/iPlanet). It contains these topics:
■ Verifying Synchronization Requirements for Oracle Directory Server Enterprise Edition
■ Configuring Basic Synchronization with Oracle Directory Server Enterprise Edition
■ Configuring Advanced Integration with Oracle Directory Server Enterprise Edition
Note: This chapter assumes familiarity with the chapter on Oracle Internet Directory concepts and architecture in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory. It also assumes familiarity with the earlier chapters in this book, especially:
■ Chapter 1, Introduction to Oracle Identity Management Integration
■ Chapter 4, Managing the Oracle Directory Integration Platform
■ Chapter 5, Understanding the Oracle Directory Synchronization Service
■ Chapter 16, Third-Party Directory Integration Concepts and Considerations
If you are configuring a demonstration of integration with Oracle Directory Server Enterprise Edition (Sun Java System Directory Server), then see the Oracle By Example series for Oracle Identity Management Release 11g Release 1 (11.1.1), available on Oracle Technology Network at http://www.oracle.com/technology

20.1 Verifying Synchronization Requirements for Oracle Directory Server Enterprise Edition
Before configuring basic or advanced synchronization with Oracle Directory Server Enterprise Edition (previously Sun Java System Directory Server), ensure that your environment meets the necessary synchronization requirements by following the instructions in Verifying Synchronization Requirements on page 17-1. Before synchronizing with Oracle Directory Server Enterprise Edition, you must also perform the following steps:
■ When creating a user account in Oracle Directory Server Enterprise Edition with sufficient privileges to perform import and export operations, be sure to assign sufficient permissions to read the tombstone entries
■ Enable change logging on Oracle Directory Server Enterprise Edition
■ Enable the Retro Change Log plug-in
20.2 Configuring Basic Synchronization with Oracle Directory Server Enterprise Edition
You use the expressSyncSetup command to quickly establish synchronization between Oracle Internet Directory and Oracle Directory Server Enterprise Edition (previously Sun Java System Directory Server). The expressSyncSetup command uses default settings to automatically perform all required configurations, and also creates two synchronization profiles, one for import and one for export. To use the expressSyncSetup command to synchronize with Oracle Directory Server Enterprise Edition, refer to Creating Import and Export Synchronization Profiles Using expressSyncSetup on page 17-2.
20.3 Configuring Advanced Integration with Oracle Directory Server Enterprise Edition
When you install Oracle Directory Integration Platform, sample import and export synchronization profiles are automatically created for each of the supported third-party directories. The sample synchronization profiles created for Oracle Directory Server Enterprise Edition (previously Sun Java System Directory Server) are:
■ iPlanetImport—The profile for importing changes from Oracle Directory Server Enterprise Edition to Oracle Internet Directory
■ iPlanetExport—The profile for exporting changes from Oracle Internet Directory to Oracle Directory Server Enterprise Edition
You can also use the expressSyncSetup command or Oracle Enterprise Manager Fusion Middleware Control to create additional synchronization profiles. The import and export synchronization profiles created during the install process or with the expressSyncSetup command are only intended as a starting point for you to use when deploying your integration of Oracle Internet Directory and Oracle Directory Server Enterprise Edition. Because the default synchronization profiles are created using predefined assumptions, you must further customize them for your environment by performing the following steps in the order listed:
■ Step 1: Planning Your Integration
■ Step 2: Configuring the Realm
■ Step 3: Customizing the ACLs
■ Step 4: Customizing Attribute Mappings
■ Step 5: Customizing the Oracle Directory Server Enterprise Edition (Sun Java System Directory Server) Connector to Synchronize Deletions
■ Step 6: Synchronizing Passwords
■ Step 7: Synchronizing in SSL Mode
■ Step 8: Configuring the Oracle Directory Server Enterprise Edition (Sun Java System Directory Server) External Authentication Plug-in
■ Step 9: Performing Post-Configuration and Administrative Tasks
20.3.1 Step 1: Planning Your Integration
Plan your integration by reading Chapter 16, Third-Party Directory Integration Concepts and Considerations, particularly Oracle Directory Server Enterprise Edition (Sun Java System Directory Server) Integration Concepts on page 16-28. Be sure to create a new profile by copying the existing Oracle Directory Server Enterprise Edition or Sun Java System Directory Server template profile by following the instructions in Creating Synchronization Profiles on page 7-1.
20.3.2 Step 2: Configuring the Realm
Configure the realm by following the instructions in Configuring the Realm on page 17-7.
20.3.3 Step 3: Customizing the ACLs
Customize ACLs as described in Customizing Access Control Lists on page 17-8.
20.3.4 Step 4: Customizing Attribute Mappings
When integrating with Oracle Directory Server Enterprise Edition, the following attribute-level mapping is mandatory for all objects:
    Targetdn:1: :person:orclsourceobjectdn: : orclSUNOneobject:
Example 20–1 Attribute-Level Mapping for the User Object in Oracle Directory Server Enterprise Edition (Sun Java System Directory Server)
    Cn:1: :person: cn: :person:
    sn:1: :person: sn: :person:
Example 20–2 Attribute-Level Mapping for the Group Object in Oracle Directory Server Enterprise Edition (Sun Java System Directory Server)
    Cn:1: :groupofname: cn:groupofuniquenames
In the preceding examples, Cn and sn from Oracle Directory Server Enterprise Edition are mapped to cn and sn in Oracle Internet Directory. Customize the attribute mappings by following the instructions in Customizing Mapping Rules on page 17-9.
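The rules above are written in the colon-separated attribute-rule format of a DIP mapping file, but the chapter only states which rules must exist, not how to confirm that a customized file still carries them. The following Python check is an added example, not code from the Oracle guide or from Oracle Directory Integration Platform: it reads the AttributeRules section of a mapping file built from the rules quoted in this step (plus the userpassword rule that Step 6 requires), reports a missing mandatory Targetdn rule, flags a userpassword rule when SSL server authentication has not been configured, and lists which source attributes are marked mandatory (the condition under which Step 5's tombstone check applies). The DomainRules/AttributeRules section headers, the positional meaning of the fields, and the sample file contents are assumptions made for this example.

```python
"""Pre-flight check for a DIP mapping file used by the iPlanetImport/iPlanetExport
profiles.  Added example, not part of the Oracle guide.

Assumptions (not stated on the page): section headers are DomainRules and
AttributeRules; within an attribute rule the colon-separated fields are positional,
with the source attribute at index 0, the required flag ('1') at index 1, the source
object class at index 3 and the destination attribute at index 4.  Every rule quoted
in this chapter fits that layout.
"""

# Constructed sample mapping file, assembled from the rules quoted in Step 4 and Step 6.
SAMPLE_MAPPING_FILE = """\
DomainRules
ou=people,dc=example,dc=com:cn=users,dc=example,dc=com:
AttributeRules
# Mandatory for every object synchronized from Oracle Directory Server EE
Targetdn:1: :person:orclsourceobjectdn: : orclSUNOneobject:
Cn:1: :person: cn: :person:
sn:1: :person: sn: :person:
Userpassword: : :person:userpassword: :person
Cn:1: :groupofname: cn:groupofuniquenames
"""

# (source attribute, destination attribute) pairs this chapter calls for, lower-cased.
MANDATORY_RULE = ("targetdn", "orclsourceobjectdn")
PASSWORD_RULE = ("userpassword", "userpassword")


def parse_attribute_rules(text):
    """Return the rules in the AttributeRules section as dicts with the fields the
    checks need.  Blank lines and '#' comments are skipped; a rule with fewer than
    five fields cannot be interpreted and raises ValueError."""
    rules = []
    in_attribute_rules = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword = line.lower()
        if keyword == "domainrules":
            in_attribute_rules = False
            continue
        if keyword == "attributerules":
            in_attribute_rules = True
            continue
        if not in_attribute_rules:
            continue  # domain rules are not examined by this check
        fields = [f.strip().lower() for f in line.split(":")]
        if len(fields) < 5:
            raise ValueError(f"line {lineno}: rule has too few fields: {line!r}")
        rules.append({
            "line": lineno,
            "src_attr": fields[0],
            "required": fields[1] == "1",
            "src_objectclass": fields[3],
            "dst_attr": fields[4],
        })
    return rules


def check_mapping(text, password_sync=False, ssl_server_auth=False):
    """Return a list of problems; an empty list means the file passes.

    password_sync:   the deployment intends to synchronize passwords (Step 6).
    ssl_server_auth: both directories are configured for SSL server authentication,
                     which Step 6 requires before userpassword may be mapped."""
    rules = parse_attribute_rules(text)
    pairs = {(r["src_attr"], r["dst_attr"]) for r in rules}
    problems = []
    if MANDATORY_RULE not in pairs:
        problems.append("missing mandatory rule Targetdn -> orclsourceobjectdn")
    has_password_rule = PASSWORD_RULE in pairs
    if password_sync and not has_password_rule:
        problems.append("password synchronization requested but no userpassword rule")
    if has_password_rule and not ssl_server_auth:
        problems.append("userpassword is mapped but SSL server authentication is not "
                        "configured; password values would cross the wire unprotected")
    return problems


def required_attributes(text):
    """Source attributes carrying the required flag.  If any are present and deletions
    are synchronized, the tombstone configuration in Step 5 must be verified."""
    return sorted({r["src_attr"] for r in parse_attribute_rules(text) if r["required"]})


if __name__ == "__main__":
    for problem in check_mapping(SAMPLE_MAPPING_FILE, password_sync=True):
        print("PROBLEM:", problem)
    print("mandatory source attributes:", required_attributes(SAMPLE_MAPPING_FILE))
```

Run against the sample with password_sync=True and the default ssl_server_auth=False, the check reports the unprotected userpassword mapping; with ssl_server_auth=True it passes. Dropping the Targetdn line produces the missing-mandatory-rule finding, which is the one to catch before the import profile first runs, since the orclsourceobjectdn attribute is what ties an Oracle Internet Directory entry back to its source entry.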
20.3.5 Step 5: Customizing the Oracle Directory Server Enterprise Edition (Sun Java System Directory Server) Connector to Synchronize Deletions
If you want to synchronize deletions, and the mapping rules have mandatory attributes, then be sure that the tombstone is configured correctly.
To verify that the tombstone is configured in Oracle Directory Server Enterprise Edition, execute the following command:
    ORACLE_HOME/bin/ldapsearch -h connected_directory_host \
      -p connected_directory_port -D connected_directory_account -q \
      -b source_domain -s sub "objectclass=nstombstone"
This returns information on all deleted entries. If it returns nothing even though entries have recently been deleted, check that the account given with -D has the permission to read tombstone entries called for in Section 20.1.
20.3.6 Step 6: Synchronizing Passwords
Oracle Internet Directory and Oracle Directory Server Enterprise Edition support the same set of password hashing techniques. To synchronize passwords between Oracle
Internet Directory and Oracle Directory Server Enterprise Edition, ensure that SSL server authentication mode is configured for both directories and that the following
mapping rule exists in the mapping file:
Userpassword: : :person:userpassword: :person
20.3.7 Step 7: Synchronizing in SSL Mode
Configure Oracle Directory Server Enterprise Edition for synchronization in SSL mode by following the instructions in Configuring the Third-Party Directory Connector for Synchronization in SSL Mode on page 17-11.
20.3.8 Step 8: Configuring the Oracle Directory Server Enterprise Edition (Sun Java System Directory Server) External Authentication Plug-in
Configure the Oracle Directory Server Enterprise Edition (Sun Java System Directory Server) external authentication plug-in by following the instructions in Configuring External Authentication Plug-ins on page 17-14.
20.3.9 Step 9: Performing Post-Configuration and Administrative Tasks
Read Chapter 23, Managing Integration with a Third-Party Directory, for information on post-configuration and ongoing administration tasks.
Note: The -q option in the Step 5 ldapsearch command causes you to be prompted for the password.
See Also: Oracle Directory Server Enterprise Edition or Sun Java System Directory Server documentation for details about configuring tombstones.
Note: Tombstones are automatically configured for Oracle Directory Server Enterprise Edition if replication is enabled.
21 Integrating with IBM Tivoli Directory Server

This chapter outlines the procedures for integrating Oracle Identity Management with IBM Tivoli Directory Server. It contains these topics:
■ Verifying Synchronization Requirements for IBM Tivoli Directory Server
■ Configuring Basic Synchronization with IBM Tivoli Directory Server
■ Configuring Advanced Integration with IBM Tivoli Directory Server
Note: This chapter assumes familiarity with the chapter on Oracle Internet Directory concepts and architecture in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory. It also assumes familiarity with the earlier chapters in this book, especially:
■ Chapter 1, Introduction to Oracle Identity Management Integration
■ Chapter 4, Managing the Oracle Directory Integration Platform
■ Chapter 5, Understanding the Oracle Directory Synchronization Service
■ Chapter 16, Third-Party Directory Integration Concepts and Considerations
If you are configuring a demonstration of integration with IBM Tivoli Directory Server, then see the Oracle By Example series for Oracle Identity Management Release 11g Release 1 (11.1.1), available on Oracle Technology Network at http://www.oracle.com/technology

21.1 Verifying Synchronization Requirements for IBM Tivoli Directory Server
Before configuring basic or advanced synchronization with IBM Tivoli Directory Server, ensure that your environment meets the necessary synchronization requirements by following the instructions in Verifying Synchronization Requirements on page 17-1. Before synchronizing with IBM Tivoli Directory Server, you must also perform the following steps:
■ When creating a user account in IBM Tivoli Directory Server with sufficient privileges to perform import and export operations, be sure to assign sufficient permissions to read the tombstone entries
■ Enable change logging on IBM Tivoli Directory Server
21.2 Configuring Basic Synchronization with IBM Tivoli Directory Server
You use the expressSyncSetup command to quickly establish synchronization between Oracle Internet Directory and IBM Tivoli Directory Server. The expressSyncSetup command uses default settings to automatically perform all required configurations, and also creates two synchronization profiles, one for import and one for export. To use the expressSyncSetup command to synchronize with IBM Tivoli Directory Server, refer to Creating Import and Export Synchronization Profiles Using expressSyncSetup on page 17-2.
21.3 Configuring Advanced Integration with IBM Tivoli Directory Server
When you install Oracle Directory Integration Platform, sample import and export synchronization profiles are automatically created for each of the supported third-party directories. The sample synchronization profiles created for IBM Tivoli Directory Server are:
■ TivoliImport—The profile for importing changes from IBM Tivoli Directory Server to Oracle Internet Directory
■ TivoliExport—The profile for exporting changes from Oracle Internet Directory to IBM Tivoli Directory Server
You can also use the expressSyncSetup command to create additional synchronization profiles. The import and export synchronization profiles created during the install process or with expressSyncSetup are only intended as a starting point for you to use when deploying your integration of Oracle Internet Directory and an IBM Tivoli Directory Server. Because the default synchronization profiles are created using predefined assumptions, you must further customize them for your environment by performing the following steps in the order listed:
■ Step 1: Planning Your Integration
■ Step 2: Configuring the Realm
■ Step 3: Customizing the ACLs
■ Step 4: Customizing Attribute Mappings
■ Step 5: Customizing the IBM Tivoli Directory Server Connector to Synchronize Deletions
■ Step 6: Synchronizing Passwords
■ Step 7: Synchronizing in SSL Mode
■ Step 8: Configuring the IBM Tivoli Directory Server External Authentication Plug-in
■ Step 9: Performing Post-Configuration and Administrative Tasks
21.3.1 Step 1: Planning Your Integration
Plan your integration by reading Chapter 16, Third-Party Directory Integration Concepts and Considerations, particularly IBM Tivoli Directory Server Integration Concepts on page 16-28. Be sure to create a new profile by copying the existing IBM Tivoli Directory Server template profile by following the instructions in Creating Synchronization Profiles on page 7-1.