Integrate OID with AD Part I

OID (Oracle Internet Directory) is the LDAP (Lightweight Directory Access Protocol) server from Oracle, whereas AD (Active Directory) is the LDAP server from Microsoft. Almost all Oracle products (E-Business Suite 11i/R12, Portal, Application Server, Forms & Reports …) integrate with Active Directory via OID (an OAS component).

For more information on OID see:

http://becomeappsdba.blogspot.com/2007/02/oid-to-oidactive-directoryiplanet-other.html

Few things to note in Integration of OID with Active Directory
————————————————————————
1. Users can be created in AD and propagated to OID, or vice versa, or can be created in both and then synched.

2. Password for users

2.a) can be stored in AD and not in OID (you authenticate against AD) via the External Authentication Plug-in (created in OID)

2.b) can be stored at both places, AD & OID, and synched regularly

3. User synchronization between OID and AD (from the OID side, both import & export) is done via the DIP (Directory Integration & Provisioning) component of OID

4. Synchronization of users (to & from) between OID and AD is done by a predefined connector (shipped with OID, which you can modify/configure as per your need)

5. Synchronization between AD and OID via the above-mentioned connector can be one way (import only or export only) or two way (both import and export)

6. You can synch all or only particular attributes of the user entry, whichever you wish to configure (this is done via the mapping file; more on mapping files coming soon)

Configuration Highlights

1. Synchronization of users between OID & AD happens via a synchronization profile (including connection details, direction of synch, attributes, and source & target domain) created during installation of OID.

2. The three provisioning profiles created by default are:

ActiveImport : Importing changes from MS-AD to OID (DirSync approach for tracking changes in AD)

ActiveChgImp : Importing changes from MS-AD to OID (USNChanged approach for tracking changes in AD)

ActiveExport : Exporting changes from OID to MS-AD
(More on DirSync & USNChanged coming soon, with practical examples of which one to choose depending on requirement)

3. These provisioning profiles can be customized using dipassistant (dipassistantgui) or using LDAP commands (ldapadd or ldapmodify).
4. If you are synchronizing from AD to OID where AD is multi-domain and no global catalog is configured against the multi-domain AD, then you need one synchronization profile per AD domain; but if a global catalog is configured, you create only one provisioning profile against the GC (global catalog, not garbage collector). If synchronization is from OID to AD (with multiple domains), you need a provisioning profile for each domain irrespective of the global catalog (the GC does not play a role in synchronization for export from OID to AD).
5. Decide what information to synchronize and at what location in the directory information tree to synchronize it.
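The attribute-level mapping (point 6 above) and the choice of DIT location (point 5) can be illustrated with a small model of what an import profile does. This is an added example, not code from the post or from DIP, and it does not use DIP's own mapping-file syntax: the attribute map, the target container `cn=Users,dc=example,dc=com` and the sample AD entry are all constructed for illustration.

```python
# Added illustration: map AD user entries to OID inetOrgPerson entries under a
# chosen OID container. Models the effect of a DIP import mapping; the mapping
# below is constructed and is not DIP's mapping-file format.
from typing import Dict

# Constructed AD -> OID attribute mapping; unlisted AD attributes are not copied.
ATTRIBUTE_MAP = {
    "sAMAccountName": "uid",
    "givenName": "givenName",
    "sn": "sn",
    "cn": "cn",
    "mail": "mail",
}
PASSWORD_ATTR = "userPassword"


def map_entry(ad_entry: Dict[str, str], oid_container: str,
              sync_password: bool = False) -> Dict[str, str]:
    """Map one AD entry to an OID entry placed under oid_container.

    The password attribute is dropped unless sync_password is set, so a
    profile meant for option 2.a (passwords stay in AD, OID uses the external
    authentication plug-in) cannot copy password data into OID by accident.
    """
    if "sAMAccountName" not in ad_entry:
        raise ValueError("AD entry lacks sAMAccountName; cannot build the OID RDN")
    out = {"dn": f"uid={ad_entry['sAMAccountName']},{oid_container}",
           "objectClass": "inetOrgPerson"}
    for ad_attr, oid_attr in ATTRIBUTE_MAP.items():
        if ad_attr in ad_entry:
            out[oid_attr] = ad_entry[ad_attr]
    if sync_password and PASSWORD_ATTR in ad_entry:
        out[PASSWORD_ATTR] = ad_entry[PASSWORD_ATTR]
    return out


def to_ldif(entry: Dict[str, str]) -> str:
    """Render a mapped entry as LDIF, the form ldapadd takes for OID."""
    lines = [f"dn: {entry['dn']}"]
    lines += [f"{k}: {v}" for k, v in entry.items() if k != "dn"]
    return "\n".join(lines) + "\n"


# Constructed sample AD entry (not real data); memberOf is unmapped and dropped.
SAMPLE_AD_USER = {
    "sAMAccountName": "jdoe", "givenName": "Jane", "sn": "Doe", "cn": "Jane Doe",
    "mail": "jdoe@example.com", "userPassword": "{constructed-secret}",
    "memberOf": "CN=Staff,OU=Groups,DC=example,DC=com",
}

if __name__ == "__main__":
    print(to_ldif(map_entry(SAMPLE_AD_USER, "cn=Users,dc=example,dc=com")))
```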

More on integrating/synchronizing Oracle Internet Directory (OID) with Microsoft Active Directory (AD), with a demo setup, coming soon.

About the Author Atul Kumar

Oracle ACE, Author, Speaker and Founder of K21 Technologies & K21 Academy : Specialising in Design, Implement, and Trainings.



31 comments
RyanW says May 9, 2007

This can be a pretty daunting task at first (especially if you don’t have a good grasp of basic LDAP syntax) but it is extremely beneficial in certain environments. For instance, we use our institution’s AD for authentication but have our authorization rules set up on the OID and Oracle accounts for the end-users, giving them a “single sign-on” experience. Very much worth the effort.

Reply
Atul Kumar says May 10, 2007

Thanks for sharing your experience with readers. It’s true that it’s worth knowing LDAP syntax and basics.

Reply
Atul says October 1, 2007

Hi, I feel integrating OID with AD is not an easy task. It is mentioned that EAP (External Authentication Plugin) can be used for AD-OID sync but I have a few issues on this. In my environment I want to establish a single password concept for both thin client and thick client. EAP works well for thin client but does not support thick client. Hence it looks like password filter and server chaining are the few options to resolve the thick client issue. Could you please give me an idea whether EAP can be used for both thick and thin client? In my environment the password is in AD and nowhere else. If EAP can be used, then how can it be done?

Sisir,
EAP can be used in OID so that OID, on the user’s behalf, will do ldapbind and ldapcompare for the password in AD or a third-party directory server.

Do let me know what kind of thick clients (give me an example) you are trying to use with EAP.

Server chaining for Directory Server is available from OID 10.1.4 and not 10.1.2.

I’ll cover EAP in my coming post on this site.

Reply
bilal says August 6, 2008

Hi Atul,
Can you guide me on the configuration for OID and AD integration for our Portal?

Reply
amolchawathe says May 20, 2009

Hi,
I am having a portal with a numeric login.

For example : user( 010999)/pass

I would like to make the username alphanumeric
( amolchawathe/password)

Can you guide me on how this can be done, either through a change in OID or some kind of portal API?

Your inputs would be appreciated.

Thanks
Amol

Reply
Pravin says October 27, 2009

Hi Atul,

I want to understand what the use of integrating AD with OID could be without the use of SSO.

thanks

Pravin

Reply
cristiano says October 19, 2010

Hi,
does the installation of Oracle Password Filter (sync password from OID and AD) modify the AD schema or anything else in AD?

Thanks,
I don’t like to modify anything in AD.

Reply
Atul Kumar says October 20, 2010

@ cristiano,
Password Filter for AD should be installed on the AD server.

Check below link for steps

http://download.oracle.com/docs/cd/E14571_01/oid.1111/e10031/odip_adpasswordsync.htm#CHDEDIIA

Reply
cristiano says October 24, 2010

Only to know: I have seen that the password filter is a way to synchronize the Active Directory password into OID, but if you don’t want to store it in OID you can use the External Authentication Plugin (OID).

Reply
sagar says October 26, 2010

Hi Atul,
We are trying to integrate EDIR and OID 11g.
Will you please let me know if there is any other way to do it without DIP? Also, the requirement is that it should run once daily.

Thanks & look forward to your valuable reply.

Reply
sanjay says March 4, 2011

Authenticate Portal user using AD

Question is :
Would it be possible to authenticate with AD and, if the user does not exist in AD, then authenticate using OID?
We have more users in OID. Not all users have an AD userid/password but they do have an account in OID.

Is it possible to do ?

Reply
Atul Kumar says March 7, 2011

@ Sanjay,
Which application are you using to authenticate against AD?

Check in Active Directory if there is an option to authenticate against OID if the user is not available in AD.

Reply
Ameet says April 1, 2011

Hi,

We are using Oracle 10g Forms and Oracle 10g Forms and Reports Services and MS AD. How do I configure single password authentication for the operating system and the Forms application?
Can you please list down the steps?

Regards
Ameet

Reply
Atul Kumar says April 1, 2011

@ Ameet,
I am not sure if direct Kerberos authentication is possible in Forms/Reports 10g; however, to achieve 10g Forms/Reports with MS-AD for Windows native authentication (Zero Sign-On):

1. Integrate Forms with 10g SSO (Oracle AS SSO) using http://download.oracle.com/docs/cd/B14099_19/web.1012/b14032/sso.htm

2. You then integrate 10g SSO (Oracle AS SSO) with Active Directory for Kerberos using http://download.oracle.com/docs/cd/B14099_19/idmanage.1012/b14085/odip_actdir003.htm#sthref827

Reply
Ameet says April 1, 2011

Thanks Atul for your reply.

What is better for our environment? Please give us a suggestion.

We already have 4 Forms applications deployed. Should I install the complete Application Server (Infra & Apps), then deploy these four applications, and then proceed with AD sync?

Reply
Ameet says April 1, 2011

Is the DBMS_LDAP package helpful in sync? Can I perform this task with this package without SSO and OID?

Reply
Ameet says April 1, 2011

Dear Atul,

I am waiting for your reply .

Reply
Atul Kumar says April 1, 2011

@ Ameet, as far as I know dbms_ldap is used for accessing LDAP (OID/AD) data using PL/SQL or from the database.

I don’t think you can achieve SSO with dbms_ldap; you would eventually need Single Sign-On software.

Please consult Oracle Support (Forms & Reports Team)

Reply
Ameet says April 1, 2011

OK thanks. Can you send me all the parts of the bi-directional integration between OID and MS AD?

I need sequence of steps to configure sync …

Reply
Ameet says April 1, 2011

Thanks a lot

Reply
Fontin says December 22, 2011

Hello Amet,

You wrote :
– Users can be created in AD and propagated to OID => OK via import profile
– or vice versa => OK via export profile
– or can be created in both and then synched => that is what I want to do, but DIP returns LDAP error 65 and can’t synchronize users
How can I do it?

Thanks in advance
Fontin

Reply
Atul Kumar says December 23, 2011

@ Fontin,

Paste exact error from DIP.

Did you configure the DIP synchronisation profile using EM (assuming this is OID 11g)?

check this

http://docs.oracle.com/cd/E21764_01/oid.1111/e10031/odip_actdir.htm#CHDBBAII

Reply
Mario says June 13, 2012

Hi! First of all, congratulations on your blog!

I need some help about sync password from AD to OID.

I don’t know what software I will need…

Can you help me by sending a list of the necessary software?

I’m using 11g Middleware

Thank you a lot!

Reply
    Atul Kumar says June 13, 2012

    @Mario, do you really need to keep the password in two places? If I were you I would use the password plug-in feature of OID, where OID can contact AD for password validation.

    If you still want to sync the password then use DIP (Directory Integration Platform). Do let me know if you need more information or a documentation link.

    Reply
Mario says June 13, 2012

@Atul Kumar

Scenario:

1 server with AD 2008 R2 (isval.lab)
1 server with OID 11g (oidval.is)

Actually I can sync users from isval.lab to oidval.is, but the password is empty, so I need to sync the password from AD.

I know that I need an SSL connection between Windows Server and OID, and the password filter on 2008.

I have configured the SSL connection, and in Windows I trusted the connection by using ldapbindssl.exe and got Bind Successful.

But the passwords are not synchronized, and I don’t know what I’m doing wrong…

Reply
Atul Kumar says June 13, 2012

@ Mario,
Password sync should work using DIP. If this is not working then check the synchronization mapping and verify that the password attribute is also part of this AD-OID sync. Enable debug in the synchronization profile or raise a Service Request with Oracle Support.

Check

http://docs.oracle.com/cd/E23943_01/oid.1111/e10031/odip_actdir.htm#CHDIGDEH

and

http://docs.oracle.com/cd/E23943_01/oid.1111/e10031/odip_config_integration.htm#BABBFAAJ

and

http://docs.oracle.com/cd/E23943_01/oid.1111/e10031/odip_adpasswordsync.htm#CHDBIIJC

Reply
Mario says June 15, 2012

@Atul Kumar

Hi Atul!

I’ve reinstalled all, at this moment we have:

All software up and running.

And the SSL configuration was:

1. Create wallet with self-signed cert
2. Configure OID in SSL mode 2
3. Check SSL config with ODSM (created connection with SSL and it works fine)
4. Change password policies
5. Export certificate (oid.cer)
6. Import oid.cer into a new keystore
7. Configure DIP to work in SSL mode 2 (works fine)
8. Import oid.cer on Windows 2008 server
9. Create Windows 2008 server cert (self-signed too)
10. Import Windows cert into keystore
11. Test connectivity between DIP and W2K8 on port 636 of AD (works fine)
12. Create sync profile with SSL (test connection successful and sync users too)
13. Install password filter on W2K8
14. Change password on users already synced (password is not synced)
15. Edit sync map (user->userpassword – inetorgperson -> userpassword)
16. Reset password on AD user
17. DIP shows new successful change (but password is not synced)

What am I doing wrong?

Reply
srshukla3 says October 22, 2012

Hi Atul,

I have configured EAP in OID to authenticate from AD. I do not want to synch from AD. I checked that the ldap_bin_ad and ldap_compare_ad plugins are configured properly, but still the EAP is not working; it says invalid credential.

Can you please help me with where I can check if anything is wrong, or do I need to configure OID-AD sync (import/export) before EAP?

Regards
Santosh

Reply
Mike says January 19, 2019

Hello Atul,
Such a very useful article. Very interesting to read this. I would like to thank you for the efforts you had made for writing this awesome article.
-Mike Miller, Director, SSOgen.

Reply