How to configure OID AD integration (user/group synchronization) using DIP?

Directory Integration Platform (DIP) 11g is a Java application deployed on WebLogic Server. It is used for user and group synchronization between OID and other LDAP servers (Active Directory, IBM Directory Server, ...) and for provisioning between OID and applications (Portal, Collaboration Suite, ...).

  • For more information on DIP Synchronization and provisioning click here
  • To configure DIP & OID on different machine click here

In this post I am going to cover steps to integrate Oracle Internet Directory with Microsoft Active Directory using DIP.
Assumptions:

1. OID and DIP are already installed and configured (OID 11g LDAP port 3060, LDAPS port 3131; the wls_ods1 managed server, which hosts DIP and ODSM, listens on 7005; the WebLogic Admin Server listens on 7001).

2. Microsoft Active Directory is installed and listening on port 389 (non-SSL). Note that a simple bind on 389 sends the sync account's password to AD in clear text; for anything beyond a lab, connect to the LDAPS port (636) and enable SSL in the profile as described below.

You can use either the command line tool (expressSyncSetup) or the graphical user interface (Fusion Middleware Control, /em).

Integrate OID & AD (User/Group synchronization) via DIP using GUI

1. Log in to Fusion Middleware Control at http://server:weblogic_admin_port/em (the WebLogic Admin Server must be running).

2. From the left panel, expand Farm_[domain_name] -> Identity and Access -> DIP (11.1.1.X) (the wls_ods1 managed server on WebLogic must be running for this entry to be accessible).

3. From the DIP Server drop-down menu (on the right panel) -> Administration -> Synchronization Profiles.

4. Click on the Create button and enter:

Profile Name: name of this synchronization profile.
Direction of Synchronization: "Use DIP-OID as" Source (for OID to AD) or Destination (for AD to OID).
Type: Active Directory (MS). Select a different LDAP server type if you want to synchronize OID with another directory.
Host: hostname or IP of the machine where Active Directory is running.
Port: LDAP port of the AD server (389 for the non-SSL port assumed above; 636 if you connect over LDAPS).
SSL Settings: tick Enabled if you are using the SSL LDAP port (a JKS keystore and the CSF credential for it must be configured first; more on this coming soon).
User Name: the AD account (bind DN) that DIP connects as. Use a dedicated service account with read-only rights for an AD-to-OID profile; it only needs write access to AD when OID is the source.
Password: password of that AD account.

5. Click on Test Connection to check that DIP can connect to the Active Directory (AD) server.

6. Once the test is successful, click OK to save the synchronization profile.

Then click on:

  • Mapping (if you wish to configure mapping rules or an exclusion list at domain level or attribute level)
  • Filtering (if you wish to restrict synchronization with a search filter on the source or target LDAP server, OID or AD)
  • Advanced (to change the frequency of the synchronization schedule or the log level)

7. Click on Enable Profile to enable this profile.


Key points for OID-AD integration using DIP

1. The synchronization profile is executed every minute (configurable) by the Quartz scheduler, a component of DIP.

2. By default, AD to OID synchronization tracks changes with the uSNChanged attribute. uSN values are maintained per domain controller, so keep the profile pointed at one DC (not a load-balanced name that may resolve to different DCs); the last applied change number the profile records is meaningless against another DC. More information on uSNChanged and DirSync here.

3. To change a synchronization profile from uSNChanged to DirSync click here, or run the command below. The DirSync control is only permitted for accounts that hold the "Replicating Directory Changes" right on the domain, so the AD account in the profile needs that right before switching.

manageSyncProfiles update -h host -p port -D WLS_login_ID -pf Profile_Name
-params "odip.profile.configfile $ORACLE_HOME/ldap/odi/conf/activeimp.cfg.master"

4. If you are planning to configure Filtering in DIP, check Bug 9294314: SEARCHFILTER NOT WORKING ON 11.1.1.1.0 AND 11.1.1.2.

Workaround:
a. For synchronization, specify the filter in the format searchfilter="abc" (with double quotes).
b. For bootstrap, specify the filter in the format searchfilter=abc (without double quotes).

5. DIP's own logs are available at $DOMAIN_HOME/servers/wls_ods1/logs (where DOMAIN_HOME is the location of the WebLogic domain). The OID server side of a failed synchronization is logged at

$ORACLE_INSTANCE/diagnostics/logs/OID/oid1 (where ORACLE_INSTANCE is the OID instance directory).
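The following shell script is an added example; it is not code from the original post or from Oracle. It shows the checks a practitioner runs around the GUI steps above: the same bind that step 5 (Test Connection) performs, done with ldapsearch as the sync account; a read of the domain controller's highestCommittedUSN, which is the watermark that the uSNChanged-based import from key point 2 advances every cycle; the incremental query that import conceptually issues; and the searchfilter quoting workaround from key point 4. It assumes OID's ldapsearch in $ORACLE_HOME/bin (OpenLDAP's ldapsearch accepts the same -h/-p/-D/-w/-b/-s flags and works as a fallback); the host ad01.example.com, the service account DN and the DIP_PW variable in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post or from Oracle): pre-flight checks
# for the DIP "Test Connection" step and for the uSNChanged-based AD -> OID import.
# Assumption: OID's ldapsearch from $ORACLE_HOME/bin; OpenLDAP's ldapsearch
# accepts the same -h/-p/-D/-w/-b/-s flags, so the PATH copy works as a fallback.
LDAPSEARCH="${ORACLE_HOME:+$ORACLE_HOME/bin/}ldapsearch"

# Filter for enabled user accounts only. Bit 2 of userAccountControl is
# ACCOUNTDISABLE; 1.2.840.113556.1.4.803 is AD's bitwise-AND matching rule.
# Without the last clause, disabled AD accounts are imported into OID as well.
AD_USER_FILTER='(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

# Escape one attribute value for use inside an LDAP search filter (RFC 4515).
# Unescaped "*", "(", ")" or "\" in a value change the meaning of the filter.
# (A NUL byte cannot appear in a shell string, so it is not handled here.)
ldap_filter_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Build the searchfilter line for a profile, applying the Bug 9294314
# workaround from the post: quoted for synchronization, unquoted for bootstrap.
dip_searchfilter_line() {  # $1 = sync|bootstrap, $2 = LDAP filter
  case "$1" in
    sync)      printf 'searchfilter="%s"\n' "$2" ;;
    bootstrap) printf 'searchfilter=%s\n' "$2" ;;
    *)         echo "usage: dip_searchfilter_line sync|bootstrap FILTER" >&2; return 1 ;;
  esac
}

# Pull highestCommittedUSN out of an LDIF RootDSE response read from stdin.
parse_highest_usn() {
  awk -F': ' 'tolower($1) == "highestcommittedusn" { sub(/\r$/, "", $2); print $2; exit }'
}

# The incremental query the uSNChanged import conceptually issues each cycle:
# everything changed after the last applied USN, restricted to the profile filter.
usn_delta_filter() {  # $1 = last applied USN, $2 = profile filter
  printf '(&(uSNChanged>=%d)%s)' "$(( $1 + 1 ))" "$2"
}

# Equivalent of step 5 "Test Connection": bind as the sync account and read
# RootDSE. The account only needs read access for an AD -> OID profile.
# uSNs are per domain controller, so always query the DC the profile points at.
# Note: -w puts the password in the process list; prompt for it in production.
ad_rootdse_usn() {  # $1 host  $2 port  $3 bind DN  $4 password
  "$LDAPSEARCH" -h "$1" -p "$2" -D "$3" -w "$4" -b "" -s base '(objectclass=*)' highestCommittedUSN \
    | parse_highest_usn
}

# Dry run of what the next synchronization cycle would pick up from AD,
# given the USN the previous cycle finished at.
ad_changes_since() {  # $1 host  $2 port  $3 bind DN  $4 password  $5 search base  $6 last USN
  "$LDAPSEARCH" -h "$1" -p "$2" -D "$3" -w "$4" -b "$5" -s sub \
    "$(usn_delta_filter "$6" "$AD_USER_FILTER")" sAMAccountName uSNChanged
}

# Usage (placeholders; DIP_PW holds the sync account password):
#   BIND_DN="cn=svc-dip,ou=Service Accounts,dc=example,dc=com"
#   LAST_USN=$(ad_rootdse_usn ad01.example.com 389 "$BIND_DN" "$DIP_PW")   # record before a change
#   ad_changes_since ad01.example.com 389 "$BIND_DN" "$DIP_PW" "dc=example,dc=com" "$LAST_USN"
#   dip_searchfilter_line sync "$AD_USER_FILTER"        # line to paste into the sync profile
```

Run ad_rootdse_usn first with the exact account and port you entered in the profile: if it fails, Test Connection in step 5 will fail for the same reason, and the error from ldapsearch is usually more specific than the one shown in the console. Recording the USN, making a test change in AD and then running ad_changes_since shows whether the filter you plan to put in the profile actually selects the objects you expect before you enable the profile.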


About the Author: Masroof Ahmad
