DIP : Synchronization, Provisioning, Connectors, DSS in Oracle Directory Services (ODS) 11g

Oracle DIP


Directory Integration Platform (DIP): integrates LDAP-enabled applications (Portal, EBS) and LDAP directories (MS-AD, ADAM/MS-LDS, IBM Tivoli Directory Server) with Oracle Internet Directory (OID).

1. DIP provides two types of services: Synchronization and Provisioning

a) Synchronization: keeps a third-party directory server (MS-AD, MS-ADAM/MS-LDS, iPlanet, Tivoli DS) consistent with Oracle Internet Directory (OID). The Synchronization service uses a synchronization profile to sync the directories; the profile is managed with “manageSyncProfiles” or FMW Control (/em).

b) Provisioning: user and group information is updated from OID to LDAP-enabled applications (Portal, EBS, OCS). The Provisioning service uses a provisioning profile to synchronize data between OID and LDAP-enabled applications; the profile is managed with “oidprovtool”.


Connectors: the OID server connects to other directory stores (MS-AD, iPlanet, IBM Tivoli DS) using a connector. A connector is a prepackaged connectivity solution that exchanges data between the OID server and the connected directory server. Connectors use one of the following interfaces: LDAP, DB, tagged or LDIF.

  • If the third-party directory server supports one of the above interfaces (LDAP, DB, tagged or LDIF), it requires only an Integration Profile.
  • If the third-party directory server cannot use one of the above interfaces (LDAP, DB, tagged or LDIF), it requires an Integration Profile + an Agent.

Agent: a synchronization agent transforms data from one of the formats supported by DIP into one supported by the third-party directory server (e.g. HR).

Directory Integration Profile: this profile contains all the configuration information required to synchronize data between the OID server and other directories. There is at least one profile per directory per direction. A Directory Integration Profile contains the following information:
a) Direction of synchronization: export only, import only or both
b) Type of interface: LDAP, tagged, DB or LDIF
c) Mapping rules and formats: attribute mapping and conversion between attributes of OID and the third-party directory server (orclodipAttributeMappingRules)
d) Connection details of the third-party directory server: host, port, SSL/non-SSL, credentials

Directory Synchronization Service (DSS): DSS periodically checks the directory synchronization profiles and compares the last successful update time and change number with the contents of the change log. If there are any new changes to be synchronized, DSS initiates the synchronization process.
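
A simplified model of the DSS check described above, added here as an illustration (it is not Oracle's code and not part of the original post): SyncProfile, pending_changes, map_attributes, run_sync_cycle and the sample change log are hypothetical names and constructed data. It tracks only the change number (not the last update time), assumes that only attributes with a mapping rule are sent to the other directory, and advances the stored change number only after a change is applied, so a failed change is retried on the next cycle.

```python
from dataclasses import dataclass

# Constructed sample change log entries: (change number, operation, DN, attributes).
CHANGELOG = [
    (101, "add", "cn=alice,cn=users,dc=example,dc=com", {"cn": "alice"}),
    (102, "modify", "cn=bob,cn=users,dc=example,dc=com", {"telephonenumber": "555-0100"}),
    (103, "modify", "cn=alice,cn=users,dc=example,dc=com", {"userpassword": "constructed"}),
    (104, "delete", "cn=carol,cn=users,dc=example,dc=com", {}),
]

@dataclass
class SyncProfile:               # hypothetical stand-in for an integration profile
    name: str
    last_change_number: int      # last change number synchronized successfully
    attribute_map: dict          # source attribute -> target attribute (mapping rules)

def pending_changes(profile, changelog):
    """Change log entries newer than the profile's last successful change."""
    newer = [e for e in changelog if e[0] > profile.last_change_number]
    return sorted(newer, key=lambda e: e[0])

def map_attributes(profile, attrs):
    """Keep only attributes that have a mapping rule; everything else stays local."""
    return {profile.attribute_map[k]: v for k, v in attrs.items()
            if k in profile.attribute_map}

def run_sync_cycle(profile, changelog, apply_change):
    """One DSS-style pass. apply_change(op, dn, attrs) returns True on success."""
    applied = []
    for number, op, dn, attrs in pending_changes(profile, changelog):
        mapped = map_attributes(profile, attrs)
        if op == "modify" and not mapped:
            profile.last_change_number = number   # nothing to send, do not revisit
            continue
        if not apply_change(op, dn, mapped):
            break                                 # stop here; retried next cycle
        profile.last_change_number = number       # advance only after success
        applied.append(number)
    return applied

if __name__ == "__main__":
    demo = SyncProfile("demo-export", 101,
                       {"cn": "cn", "telephonenumber": "telephoneNumber"})
    # The constructed target rejects deletes, so change 104 stays pending.
    print(run_sync_cycle(demo, CHANGELOG, lambda op, dn, a: op != "delete"))
    print(demo.last_change_number)
```
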

Installation and Configuration of DIP

1. DIP can be configured with OID or as a stand-alone component on a different machine (OID is a prerequisite for DIP).

2. DIP is a J2EE application deployed on WebLogic Server (in 11g OID) or 10g Application Server (in 10g OID).

3. In 11g Identity Management, DIP is deployed on WebLogic, on managed server wls_ods1 by default. The DIP J2EE application consists of the EJB module dipejb.jar and the web module dipweb.war.

4. You can start the managed server on which DIP is deployed (wls_ods1) via the command line (startManagedXXXX), from the console (Node Manager must be running and the Machine should be set up in WebLogic) or via FMW Control (/em).

To start the wls_ods1 managed server, the Admin server must be running the first time it is started; after that, the Admin server can be down (or up) during wls_ods1 start/stop. More on starting and stopping WebLogic Server here

5. The default DIP web module URL is http://hostname:port/dipapp (where port is the port of managed server wls_ods1, 7005 by default).

6. Utilities related to DIP are in $ORACLE_HOME/bin: dipStatus, manageSyncProfiles

7. You can also use Fusion Middleware Control (/em) or WLST (WebLogic Scripting Tool) to manage DIP.

8. DIP-related information is stored in cn=odisrv, cn=Registered Instances, cn=Directory Integration Platform, cn=Products, cn=OracleContext

Note* You can use ldapsearch or ODSM to find the DIP registration information under this LDAP leaf. Oracle Directory Services Manager (ODSM) is another Java application for managing OID (the replacement for ODM, Oracle Directory Manager). More on ODSM here


About the Author Atul Kumar

Oracle ACE, Author, Speaker and Founder of K21 Technologies & K21 Academy : Specialising in Design, Implement, and Trainings.


23 comments
cristiano says October 20, 2010

Hi,
Where can I find the Provisioning console in OID 11g?
I have to create a user with the provisioning services of DIP.

Reply
Atul Kumar says October 20, 2010

@ cristiano,

You can access it from Fusion Middleware control i.e. /em on admin server (port 7001)

http://download.oracle.com/docs/cd/E14571_01/oid.1111/e10031/odip_provisioning.htm#BABJCADE

Reply
cristianoburgo says January 8, 2011

The DIP provisioning profile can be created only with oidprovtool?

Strange that I do not find any functionalities as for DIP Synchronization profile.

Reply
Atul Kumar says January 8, 2011

@ cristianoburgo

I am not clear about your query, but for more information on oidprovtool check

http://download.oracle.com/docs/cd/E14571_01/oid.1111/e10031/odip_config_apps_prov.htm

oidprovtool is under $ORACLE_HOME(for OID)/bin

Reply
Capitalist says January 18, 2011

Hi!
This guide is excellent on 11g,
however… I need a similar guideline on Oracle OID 10g DIP.

My issue is integration with eBusiness Suite R12 & Novell eDirectory.

This is verrry urgent

Reply
Atul Kumar says January 18, 2011

@ Capitalist,

For OID 10g integration with eBusiness Suite R12 use commands at eBusiness Side (txkrun.pl)

http://onlineappsdba.com/index.php/2008/08/20/apps-11ir1212i-registrationderegistration-with-oidsso-internals/

Also use
• 233436.1 - Installing Oracle Application Server 10g with Oracle E-Business Suite Release 11i

• 261914.1 - Integrating Oracle E-Business Suite Release 11i with Oracle Internet Directory and Oracle Application Server Single Sign-On

• 233436.1 - Oracle Application Server with Oracle E-Business Suite Release 11i Frequently Asked Questions

For OID 10g Integration with other LDAP servers like Novell eDirectory use link

http://download.oracle.com/docs/cd/B14099_19/idmanage.1012/b14085/odip_int_cons.htm#i130063

and

http://download.oracle.com/docs/cd/B14099_19/idmanage.1012/b14085/odip_int_cons009.htm

Reply
Tushar J says May 4, 2011

Hi Atul,

I am working on DIP 11g. Many times I have faced the issue that 2 components of DIP, i.e. MBeans and Quartz Scheduler, are down but DIP status is up and running.

So can you please tell why these components go down and how I can bring them up.

I restarted DIP as well as wls_server but these 2 components still remain in down state.

Please help
Waiting for your reply.
Thanks in Advance

Reply
Atul Kumar says May 4, 2011

@ Tushar J,
This could be because of a number of reasons; the main one which I faced was because of wrong configuration in the second managed server for DIP.

$DOMAIN_HOME/config/fmwconfig/servers/wls_ods[n]/applications/DIP_11.1.1.2.0/configuration/dip-config.xml (copy this file from first managed server)

To find the root cause, check the wls_ods2 log file at $DOMAIN_HOME/servers/wls_ods2/logs

Reply
Tushar J says May 5, 2011

Hi Atul,

Actually I was trying external authentication, for which I changed the server properties of OID. I checked the External SASL check box in the SASL tab in Server properties of OID and then applied the changes.
Later on I tried to uncheck the External SASL check box but it was not allowing me to save the changes after unchecking the box.
After that I found that the Quartz scheduler and MBeans components of DIP are down.
So later, even after restart of DIP, those components were down.

Thanks!!

Reply
berniej says August 26, 2011

I’d like to configure DIP provisioning profiles to provision users from OID to EBS instances using policies based on group membership. In this way I can control who gets provisioned to what from OID groups.

I already have my policies created but they provision all users by default.

The question is how to do this? I can find nothing in the DIP Admin guide that helps with this?

Many thanks,

Bernie

Reply
Atul Kumar says August 26, 2011

@ berniej,
Did you look at filter tab in provisioning profile in EM ?

Reply
berniej says August 26, 2011

Hi Atul,
The profile is a version 2.0 created using txkrun.pl and I see only General, Event Configuration and Advanced tabs when I edit the profile using DIP.

There are App to OID Subscriptions, OID to App subscriptions and App to OID mapping rules but nothing to allow me to map OID to App rules it seems?

Thanks,

Bernie

Reply
Atul Kumar says August 26, 2011

@ Bernie,

Use oidprovtool; as per 13.2.1, see if event_mapping_rule can be used, which has a filter

event_mapping_rules="OBJECT_TYPE:FILTER:DOMAIN"

http://download.oracle.com/docs/cd/E21764_01/oid.1111/e10031/odip_config_apps_prov.htm#CACIJGHC

Reply
berniej says August 27, 2011

Thanks Atul, I’ll give it a go and post back – I had read 13.2.2 and assumed that this only applied to INBOUND but maybe it means only REQUIRED for INBOUND….

event_mapping_rules="OBJECT_TYPE:FILTER:DOMAIN"

Required for create and modify operations on INBOUND events only. This rule maps the object type received from the application (using an optional filter condition) to a domain in Oracle Internet Directory. A provisioning profile can have multiple mapping rules defined.

Reply
berniej says August 30, 2011

Hi Atul,

Seems that event_mapping_rules are indeed only applied to inbound events. Seems that outbound doesn’t support filter based rules…. back to the drawing board!

Reply
gmhooper says June 18, 2012

I have 11g IDM 11.1.1.4 configured with OAM for EBS 12.1.3 SSO. I have 2-way sync. The only users I create in EBS are iRec users. I am trying to add them in OID to their own cn to separate them with internal users. I have tried to change DIP Server>Provisioning Profiles and change Application to OID Mapping Rules and set FND to cn=Applicants,cn=users,dc=domain,dc=com but users still show up under cn=users. Any suggestions on how to get the users created in EBS to map to cn=Applicants?

Reply
sunil sharma says May 23, 2013

Hi,
We have one system says hr system which take care of entering all the user information. Once it submit that information it goes to oid. Now we want that when we import all that user from oid to active directory it didn’t duplicate any user as well as depending on their role it should create groups dynamically in active directory. For e.g: If user belong to Trainee category or manager category it must create Trainee group & Manager group & respective person should go into that group. I don’t know whether my question is placed in right group or not. Any help will be appreciated.

Thanks,
Sonya Sharma

Reply
Juan says June 22, 2015

Hi Atul,

Is it possible to customise in some way the OID->EBSO provisioning profile? I’m trying to achieve linking from HRMS to FND_USERS. I’m using Oracle HR Agent Sync Profile to get data from HRMS DB to OID and it’s working. I’m mapping PersonID from HR DB to employeeNumber in OID, but the OID->EBSO provisioning profile is not sending employeeNumber from OID to emplee_Id in the FND_Users table. Is there a way to configure the provisioning profile to do this? Kindly advise

Regards
Juan

Reply
wyskur says September 30, 2015

I’m having a problem with DIP (possibly). I have provisioning setup and working, but my EBS instances are not successfully picking up subscriptions for new/existing users. Are you able to troubleshoot an issue like this?

Reply