
Active Directory OID 11g Synchronization Quick Start Guide [ID 1263918.1]

Modified: Aug 20, 2012 Type: REFERENCE Status: PUBLISHED Priority: 3

In this Document: Purpose, Scope, Details, References

Applies to:
Oracle Internet Directory - Version 11.1.1.1.0 to 11.1.1.4.0 [Release 11g] Information in this document applies to any platform.

Purpose
Detailed steps to implement synchronization between Microsoft Active Directory and OID 11g.

Scope
It is assumed that OID 11g has been successfully installed and is running, and that a Microsoft Active Directory is already running. If OID 11g has been successfully installed with the DIP component, DIP is listed in Enterprise Manager under Identity and Access. This procedure sets up the synchronization process with the proper mapping so that users created in Active Directory are added to the OID realm. Typical components in such an environment: FMW 11.1.1.3, OID 11.1.1.3, WLS 10.3.3, Forms 11.1.1.3.

Details
Step By Step Procedure To Setup Active Directory / OID Synchronization:
----------------------------------------------------------------------------

1. ON THE ACTIVE DIRECTORY
==========================

1.1. If you are doing an import sync, i.e. from Active Directory to OID, grant the user account that DIP binds with read access to the subtree root. The account must be able to read all objects under the source container (subtree root) in Active Directory that are to be synchronized with OID. Also grant it read access to the Deleted Objects container in AD, so that deletions in AD can be propagated to OID.

To verify that the third-party directory user account has the necessary privileges to all objects to be synchronized with OID, use the command-line ldapsearch utility to perform a subtree search, as follows:

$ORACLE_HOME/bin/ldapsearch -h <ADhost> -p <ADport> -D <bind dn> -w <password> -b <DN of subtree> -s sub "objectclass=*"

Example:

$ORACLE_HOME/bin/ldapsearch -h ADhost -p 389 -D "cn=Administrator,cn=users,dc=msad,dc=oracle,dc=com" -w welcome1 -b "cn=users,dc=msad,dc=oracle,dc=com" -s sub "objectclass=*"

Note: Microsoft Active Directory also allows an alternate syntax for credentials. For example:

$ORACLE_HOME/bin/ldapsearch -h ADhost -p port -D "Administrator@msad.oracle.com" -w welcome1 -b "cn=users,dc=msad,dc=oracle,dc=com" -s sub "objectclass=*"

The results returned by ldapsearch should include all objects of interest, including all attributes and values that will be synchronized. Note that the examples bind as Administrator, with the password on the command line (visible in shell history and in the process list), over plain LDAP on port 389, which sends a simple-bind password in clear text; for the sync account itself use a dedicated account holding only the rights described here, and prefer LDAPS where the AD side offers it.

If you are doing an export or bi-directional sync, you need an account with full READ/WRITE privileges on the container you are synchronizing.

11g DIP is supported only with the following Active Directory servers:
1. Active Directory 2003, 2008, 2008R1
2. ADAM - Version 1 with SP1 on Win2k3
Refer to the list of supported LDAP directory versions for 11g OID.

2. ON THE OID NODE
==================

If you are doing a one-to-one mapping of the entries in Active Directory and OID, prepare the OID DIT to match Active Directory by using Oracle Directory Services Manager (ODSM) to create the necessary containers.

Note: Any source and destination containers/domains listed under the profile's domain rules must exist before bootstrap or sync, because bootstrap cannot create them on the fly; it can only create additional domains/containers underneath the listed domain/container.

To manually create the AD-OID integration profile and set up the synchronization, perform the following steps.

2.1. Launch the FMW Enterprise Manager console and log in as the weblogic user.
2.2. Expand your domain and navigate to Identity and Access.
2.3. Select DIP.
2.4. From the DIP Server drop-down list select Administration, then Synchronization Profiles.
2.5. Using the navigation path, create a new DIP sync profile with a name of your choice; this note uses AD2OID as the integration profile name. In this window you are asked to enter the AD connection details. See Profile.gif in the Attachments section of this note for a screenshot of the profile creation. For the attribute "Use DIP-OID as Source or Destination", select Destination if you are doing an import (AD to OID) sync, or Source if you are doing an export (OID to AD) sync. For the connected directory type, select Active Directory (MS) from the drop-down list.
2.6. After providing the above details in the General tab, click Test Connection. If the values are correct you will see an information dialog saying "Test Passed. Connection Successful". If the AD values in the General tab are wrong, Test Connection returns an error dialog saying "Authentication Failure"; correct the values and obtain a successful connection before moving further.
2.7. Click OK to save the profile. Now select the AD2OID profile from the list of available profiles and click Edit.
Note: Do not enable the profile at this stage.

2.8. Select the Mapping tab and configure the mapping as follows.

Configure Domain Rules: click Create. In the Add Mapping Rule window, select the Source Container DN and the OID Container DN from the lookup windows provided and click OK. Validate (and re-validate) the mapping until there are no errors; warnings are acceptable.

NOTE: In OID version 11.1.1.2.0, because of internal Bug 9244954, the mapping validation initially fails with hard errors for the samaccountname attribute mapping. Apply the patch for Bug 9244954 and then re-validate the mapping rules. See Document 1062921.1 for detailed instructions on applying the patch for this bug. This bug is fixed in OID 11.1.1.3.0 and 11.1.1.4.0.

Skip Exclusion Rules.

Configure Attribute Rules.

Hint: Use the command line to validate the mapping rules, as it may show the problem mappings in more detail. Example:

manageSyncProfiles validateProfile -h ramesh-pc.idc.oracle.com -p 7005 -D weblogic -pf AD2OID

Be sure to click OK after editing the mapping rules to save the changes, so that the stored profile is what the command-line validation checks.

2.9. Bootstrap the users using the command-line tool:

syncProfileBootstrap -host ramesh-pc.idc.oracle.com -port 7005 -D weblogic -profile AD2OID -lp 5

Refer to Document 889262.1 for help with the command-line tools.

2.10. Verify that all the AD users were pulled into OID according to the mapping rules.
2.11. Enable the profile using either the FMW EM console or the command-line tool.
2.12. Verify the synchronization by creating or modifying an entry in the AD container specified in the domain rules of the mapping file.
2.13. Launch ODSM and check the entry in OID.

2.14. From the DIP Server drop-down list select Logs -> Configuration and set the highest level of debug, e.g., 32 (trace).
2.15. From the DIP Server drop-down list select Logs -> View Logs.
2.16. Examine the logs and confirm that the changes made in AD are synchronized to OID properly.

3. ALTERNATIVE METHOD
=====================

The expressSyncSetup command located in ORACLE_HOME/bin allows you to create profiles for standard LDAP directories by using the prepackaged templates based on the directory type.

Syntax:

expressSyncSetup -h hostName -p PORT -D wlsuser -pf profile -conDirType connectedDirectoryType -conDirUrl connected_directory_url -conDirBindDN connected_directory_bind_dn -conDirContainer syncContainer [-enableProfiles {true|false}] [-help]

Note: Set the WL_HOME and ORACLE_HOME environment variables before executing any of the Oracle Directory Integration Platform commands.

Example:

expressSyncSetup -h ramesh-pc -p 7005 -D weblogic -pf AD2OID -conDirType ACTIVEDIRECTORY -conDirUrl ADhost:389 -conDirBindDN Administrator@msad.oracle.com -conDirContainer cn=users,dc=msad,dc=oracle,dc=com -enableProfiles false

After the command completes successfully, you can see the created profile in the EM console: DIP -> DIP Server drop-down list -> Administration -> Synchronization Profiles. For more information on expressSyncSetup, see the section "Creating Import and Export Synchronization Profiles Using expressSyncSetup" in the Fusion Middleware Integration Guide for Oracle Identity Management 11g.

Follow the Oracle documentation link below for more information on synchronization and the available options:

Oracle Fusion Middleware Administrator's Guide for Oracle Directory Integration Platform 11g Release 1 (11.1.1), Part Number E10031-03, Chapter 18, "Integrating with Microsoft Active Directory"
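The script below is an added example; it is not part of Oracle note 1263918.1 and not Oracle's own tooling. It strings together the step 1 privilege check (an ldapsearch over the source container as the sync account, followed by a check that every user entry returned carries the attributes the mapping rules need) and the command-line path of section 3 and steps 2.8 to 2.11 (expressSyncSetup with the profile left disabled, validateProfile, syncProfileBootstrap, then activation). Host names, ports, DNs, the dedicated bind account, the profile name and the REQUIRED_ATTRS list are assumptions; the tool names and flags are the ones the note shows, plus ldapsearch -L for LDIF output and the manageSyncProfiles list and activate operations, which the note does not show. It does not verify read access to the Deleted Objects container: AD returns tombstones only to a search carrying the Show Deleted control, which the note's plain ldapsearch does not send, so confirm that permission on the AD side.

```shell
#!/bin/sh
# Added example, not from Oracle note 1263918.1. Pre-flight and setup wrapper
# for an AD -> OID import profile. The executables under $ORACLE_HOME/bin are
# the real OID/DIP tools the note uses; host names, ports, DNs, the bind
# account, the profile name and REQUIRED_ATTRS are assumptions for illustration.
set -eu

ORACLE_HOME="${ORACLE_HOME:-/u01/app/oracle/middleware/Oracle_IDM1}"  # assumed path
ADHOST="${ADHOST:-adhost.msad.oracle.com}"        # assumed
ADPORT="${ADPORT:-389}"                           # plain LDAP, as in the note
ADBIND="${ADBIND:-dipsync@msad.oracle.com}"       # assumed dedicated read-only sync account
ADBASE="${ADBASE:-cn=users,dc=msad,dc=oracle,dc=com}"
WLSHOST="${WLSHOST:-ramesh-pc.idc.oracle.com}"
WLSPORT="${WLSPORT:-7005}"
WLSUSER="${WLSUSER:-weblogic}"
PROFILE="${PROFILE:-AD2OID}"                      # base name handed to expressSyncSetup
# expressSyncSetup derives the created profile names from -pf; set this to the
# exact import profile name (manageSyncProfiles list / EM) if it differs.
IMPORT_PROFILE="${IMPORT_PROFILE:-$PROFILE}"
# Attributes the AD -> OID mapping rules consume for user entries (assumed
# list). If the sync account cannot read one of them, the problem surfaces
# later as a validation or bootstrap failure, so check it up front.
REQUIRED_ATTRS="objectguid samaccountname cn sn"

# count_entries FILE: number of LDIF entries in an ldapsearch -L output file.
count_entries() { grep -ci '^dn:' "$1" || true; }

# missing_attrs FILE OBJECTCLASS ATTR...: for every entry of OBJECTCLASS in
# the LDIF file, print "<dn> <attr>" for each ATTR that is absent.
# Exit 0 when nothing is missing, 1 otherwise. Attribute names are compared
# case-insensitively; "::" (base64) values such as objectGUID count as present.
missing_attrs() {
  f=$1; cls=$2; shift 2
  awk -v cls="$cls" -v want="$*" '
    BEGIN { n = split(want, req, " "); cls = tolower(cls); bad = 0 }
    function flush(   i, a) {
      if (dn != "" && iscls)
        for (i = 1; i <= n; i++) { a = req[i]; if (!(a in seen)) { print dn, a; bad = 1 } }
      split("", seen); dn = ""; iscls = 0
    }
    /^[Dd][Nn]:/ { flush(); dn = $0; sub(/^[Dd][Nn]: */, "", dn); next }
    /^[A-Za-z]/ {
      k = tolower(substr($0, 1, index($0, ":") - 1)); seen[k] = 1
      if (k == "objectclass") { v = $0; sub(/^[^:]*:+ */, "", v); if (tolower(v) == cls) iscls = 1 }
    }
    /^$/ { flush() }
    END { flush(); exit bad }
  ' "$f"
}

# ad_search BASE OUTFILE: subtree search as the sync account, LDIF output (-L).
# -w still exposes the password in the process list for the life of the
# search, the same exposure as the note's own command line.
ad_search() {
  "$ORACLE_HOME/bin/ldapsearch" -h "$ADHOST" -p "$ADPORT" -D "$ADBIND" -w "$ADPW" \
    -L -b "$1" -s sub "objectclass=*" > "$2"
}

# preflight: the note's step 1 check. The account must see every object under
# the source container together with the attributes that will be synced.
preflight() {
  out=$(mktemp)   # left in place on failure so the output can be inspected
  ad_search "$ADBASE" "$out"
  n=$(count_entries "$out")
  echo "subtree $ADBASE: $n entries readable as $ADBIND"
  [ "$n" -gt 0 ] || { echo "no entries returned: check the account's read rights"; return 1; }
  # shellcheck disable=SC2086  # REQUIRED_ATTRS is intentionally word-split
  if ! missing_attrs "$out" user $REQUIRED_ATTRS; then
    echo "user entries above lack attributes the mapping rules need"; return 1
  fi
  rm -f "$out"
}

# setup_profile: section 3 (expressSyncSetup, profile disabled) followed by the
# command-line validate / bootstrap / activate sequence of steps 2.8 to 2.11.
# expressSyncSetup and the DIP commands prompt for the WebLogic and AD passwords.
setup_profile() {
  bin="$ORACLE_HOME/bin"
  "$bin/expressSyncSetup" -h "$WLSHOST" -p "$WLSPORT" -D "$WLSUSER" -pf "$PROFILE" \
    -conDirType ACTIVEDIRECTORY -conDirUrl "$ADHOST:$ADPORT" \
    -conDirBindDN "$ADBIND" -conDirContainer "$ADBASE" -enableProfiles false
  "$bin/manageSyncProfiles" list -h "$WLSHOST" -p "$WLSPORT" -D "$WLSUSER"
  "$bin/manageSyncProfiles" validateProfile -h "$WLSHOST" -p "$WLSPORT" -D "$WLSUSER" -pf "$IMPORT_PROFILE"
  "$bin/syncProfileBootstrap" -host "$WLSHOST" -port "$WLSPORT" -D "$WLSUSER" -profile "$IMPORT_PROFILE" -lp 5
  "$bin/manageSyncProfiles" activate -h "$WLSHOST" -p "$WLSPORT" -D "$WLSUSER" -pf "$IMPORT_PROFILE"
}

# Only act when explicitly asked; sourcing the file just defines the functions.
if [ "${1:-}" = "--run" ]; then
  printf 'AD password for %s: ' "$ADBIND"; stty -echo; read -r ADPW; stty echo; echo
  preflight && setup_profile
fi
```

Run it as `sh ad2oid_setup.sh --run` on the OID node with ORACLE_HOME and WL_HOME set, after the OID containers named in the domain rules exist. The attribute check deliberately ignores entries of other object classes (the container entry itself, for example), so only objects the user mapping rules will touch are reported.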

References
BUG:9244954 - AD SYNC - ERROR IN MAPPING RULES IF AUXILIARY OBJECTCLASS HAS NO MANDATORY ATTRS
NOTE:1062921.1 - 11g DIP-85033: source attribute 'samaccountname' doesn't belong to object class 'user'
NOTE:261342.1 - Understanding DIP Mapping Files
NOTE:889262.1 - Quick Reference - 11g DIP Management Commands Usage and Syntax
