  • We have moved; kindly check http://onlineAppsDBA.com in future
    Integrate OID with AD Part I
    Wednesday, May 09, 2007
    OID (Oracle Internet Directory) is Oracle's LDAP (Lightweight Directory Access Protocol) server, whereas AD (Active Directory) is Microsoft's LDAP server. Almost all Oracle products (E-Business Suite 11i/R12, Portal, Application Server, Forms & Reports ...) integrate with Active Directory via OID (an OAS component).


    A few things to note when integrating OID with Active Directory
    1. Users can be created in AD and propagated to OID or vice versa, or can be created in both and then synched.
    2. Passwords for users
    ---2.a) Can be stored in AD and not in OID (you can authenticate against AD) via the External Authentication Plug-in (created in OID)
    ---2.b) Can be stored in both places, AD & OID, and synched regularly
    3. User synchronization between OID and AD (from the OID side, both import & export) is done via the DIP (Directory Integration & Provisioning) component of OID
    4. Synchronization of users (to & from) between OID and AD is done by a predefined connector (shipped with OID, which you can modify/configure as per your need)
    5. Synchronization between AD and OID via the above-mentioned connector can be one way (import only or export only) or two way (both import and export)
    6. You can synch all attributes of a user entry, or only the particular attributes you choose to configure (this is done via a mapping file - more on mapping files coming soon..)

    Configuration Highlights
    1. Synchronization of users between OID & AD happens via a synchronization profile (including connect detail, direction of synch, attributes, and source & target domain) created during installation of OID.
    2. The three provisioning profiles created by default are
    ---ActiveImport : Importing changes from MS-AD to OID (DirSync approach for tracking changes in AD)
    ---ActiveChgImp : Importing changes from MS-AD to OID (USNChanged approach for tracking changes in AD)
    ---ActiveExport : Exporting changes from OID to MS-AD
    (More on DirSync & USNChanged coming soon with practical examples on which one to choose depending on requirement)
    3. These provisioning profiles can be customized using dipassistant (dipassistant -gui) or using LDAP commands (ldapadd or ldapmodify)
    4. If you are synchronizing from AD to OID where AD is multi-domain and a global catalog is not configured against the multi-domain AD, then you need one synchronization profile per AD domain; if a global catalog is configured, you create only one provisioning profile against the GC (global catalog, not garbage collector). If synchronization is from OID to AD (with multiple domains), you need a provisioning profile for each domain irrespective of the global catalog (the GC doesn't play a role in synch for export from OID to AD)
    5. Decide what information to synchronize and at what location in the directory information tree to synchronize it.
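
The ActiveChgImp profile above tracks AD changes with USNChanged. The following added example (not from the original post or from Oracle's connector) sketches how such polling works: the importer keeps a high-water mark and asks for entries whose uSNChanged is above it. `DomainController` is a constructed in-memory stand-in, not a real LDAP client. It also shows why the importer must keep talking to the same domain controller: uSNChanged values are local to each DC.

```python
class DomainController:
    """Constructed stand-in for one AD domain controller (no network I/O)."""
    def __init__(self):
        self.usn = 0
        self.entries = {}                      # dn -> uSNChanged on this DC

    def write(self, dn):
        self.usn += 1                          # each write takes the next local USN
        self.entries[dn] = self.usn

    def highest_committed_usn(self):
        return self.usn                        # AD exposes this on the rootDSE

    def search_changed_since(self, low):
        # Stand-in for an LDAP search with filter (uSNChanged>=low)
        hits = [(usn, dn) for dn, usn in self.entries.items() if usn >= low]
        return [dn for _, dn in sorted(hits)]


def poll(dc, last_usn):
    """One import cycle: returns (changed DNs, new high-water mark)."""
    high = dc.highest_committed_usn()          # read first so concurrent writes
    changed = dc.search_changed_since(last_usn + 1)   # are picked up next cycle
    return changed, high


def demo():
    dc1, dc2 = DomainController(), DomainController()
    dc1.write("cn=alice")
    dc1.write("cn=bob")
    first, mark = poll(dc1, 0)                 # initial import sees both entries
    dc1.write("cn=alice")                      # alice modified later
    second, mark = poll(dc1, mark)             # only the delta comes back
    dc2.write("cn=carol")                      # USN 1 on a different DC
    wrong_dc, _ = poll(dc2, mark)              # dc1's mark is meaningless on dc2
    return first, second, mark, wrong_dc


if __name__ == "__main__":
    print(demo())
```

The last call returns no changes even though `cn=carol` is new, which is the failure to expect if a USNChanged-based profile is pointed at a different domain controller without resetting its last-applied change number.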

    More on Integrating/synchronizing Oracle Internet Directory (OID) to Microsoft Active Directory (AD) with demo setup coming soon ....

    posted by Atul Kumar @ 10:08 PM  
    • At 4:50 AM, Blogger RyanW said…

      This can be a pretty daunting task at first (especially if you don't have a good grasp of basic LDAP syntax) but it is extremely beneficial in certain environments. For instance, we use our institution's AD for authentication but have our authorization rules set up on the OID and Oracle accounts for the end-users, giving them a "single sign-on" experience. Very much worth the effort.

    • At 5:35 AM, Blogger Atul Kumar said…

      Thanks for sharing your experience with readers. It's true that it's worth knowing LDAP syntax and basics.

    • At 4:03 PM, Anonymous Sisir said…

      Hi, I feel integrating OID with AD is not an easy task. It is mentioned EAP (External Authentication plugin) can be used for AD-OID sync but I have a few issues on this. In my environment I want to establish a single password concept for both thin client and thick client. EAP works well for thin client but does not support thick client. Hence it looks like password filter and server chaining are a few options to resolve the thick client issue. Could you please give me an idea whether EAP can be used for both thick and thin client? In my environment the password is in AD and nowhere else. If EAP can be used, then how can it be done?

    • At 6:51 PM, Blogger Atul Kumar said…

      We are migrating to so In future I'll respond on on Line Apps DBA

      I have posted your comment at this site and answer as well

      so stay tuned for EAP on that site

    • At 12:12 PM, Blogger Sputmayer said…

      Hi Sisir,
      I have a small query,
      We have AD as an authenticating server and OID as an authorization server with synchronization happening between them. The current scenario is that a user gets logged into a Java Swing application that runs on client PCs with SSO and is authenticated against AD of that domain controller. This Swing app needs to connect to a few Web Services that we are trying to secure using OWSM, but OWSM does not provide any Kerberos token authentication with AD in its current version. Therefore, I am thinking of creating a custom policy step in Java that will do the Kerberos token authentication with AD and deploy that step in OWSM using their SDK. This token authentication will actually return me the user credentials, which I then use to call the OID for authorization, i.e. to check if the credentials are valid to call the operations defined in WS. Is there a way I can directly call OID with the credentials, which btw the Swing app can also provide me, and configure OID to pass the credentials to AD, so that OID actually gives the authentication, and if authentication is successful then OID executes the authorization step or else throws an error or exception etc.? I hope I am making some sense. Just to let you know, my knowledge of OID and AD is not that great but I am willing to spend more time if the scenario I have explained can be implemented.
      Thanks for that buddy, Appreciate your efforts.

    • At 5:27 AM, Blogger Balu said…

      Hi Atul,

      Have you tried configuring Windows Native Authentication with OID? I have tried to, but the Metalink analyst has confirmed the KDC is not issuing the tickets.

      Since they don't have support, they are asking me to contact Microsoft.

      In case you have done this setup, can you please tell me what prerequisites are to be taken care of on Windows 2003 Server SP1?



    • At 4:04 PM, Blogger Pascal said…

      Hi Atul,
      I have done the AD to OID Synchronization with an OID Version 10.1.2, which works fine.

      The problem is that in AD there are some thousands of groups that we don't need in OID (the performance gets very bad). I would like the synchronization to only synchronize 15 named Groups. The Oracle Documentation is not very detailed on the search filter. Could you give me a hint on the syntax of the search filter to manage this task?

      Thank you very much and regards
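
The comment above asks how to restrict synchronization to a short list of named groups. As an added example (not part of the thread, and not Oracle's connector code), this builds an LDAP search filter that allow-lists groups by cn, escapes the names per RFC 4515, and checks the result against constructed entries. The group names, the decision to keep non-computer user objects, and the sample entries are assumptions; where the filter is set in a DIP profile is not shown on this page.

```python
# Added example: group names and entries below are constructed.
ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape(value):
    """RFC 4515 escaping, so a name cannot alter the filter's structure."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)

def eq(attr, value):
    return ("eq", attr, value)

def sync_filter(group_names):
    """Allow-listed groups, plus user objects that are not computer accounts
    (the user clause is an assumption about what else should sync)."""
    groups = ("and", [eq("objectClass", "group"),
                      ("or", [eq("cn", n) for n in group_names])])
    users = ("and", [eq("objectClass", "user"),
                     ("not", eq("objectClass", "computer"))])
    return ("or", [groups, users])

def render(node):
    """Serialize the filter tree to LDAP string form."""
    op = node[0]
    if op == "eq":
        return "(%s=%s)" % (node[1], escape(node[2]))
    if op == "not":
        return "(!%s)" % render(node[1])
    return "(%s%s)" % ("&" if op == "and" else "|",
                       "".join(render(n) for n in node[1]))

def matches(node, entry):
    """Evaluate the tree against an entry {lowercase_attr: [values]}."""
    op = node[0]
    if op == "eq":
        values = entry.get(node[1].lower(), [])
        return node[2].lower() in [v.lower() for v in values]
    if op == "not":
        return not matches(node[1], entry)
    results = [matches(n, entry) for n in node[1]]
    return all(results) if op == "and" else any(results)

ALLOWED = ["EBS_Users", "Finance (EMEA)"]            # constructed names
FILTER = sync_filter(ALLOWED)
ENTRIES = {                                          # constructed entries
    "wanted group": {"objectclass": ["top", "group"], "cn": ["Finance (EMEA)"]},
    "other group": {"objectclass": ["top", "group"], "cn": ["Printers-3rd-Floor"]},
    "person": {"objectclass": ["top", "person", "user"], "cn": ["jdoe"]},
    "computer": {"objectclass": ["top", "user", "computer"], "cn": ["PC042$"]},
}
SELECTED = sorted(k for k, e in ENTRIES.items() if matches(FILTER, e))
```

AD computer accounts also carry the `user` object class, which is why the user clause excludes `computer` explicitly.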


    Copyright © 2006 All rights reserved Presented by Atul Kumar