Become Oracle Apps DBA: Integrate OID with AD Part I

OID (Oracle Internet Directory) is LDAP (Lightweight Directory Access Protocol) Server from Oracle where as AD (Active Directory) is LDAP server from Microsoft. Almost all oracle products (E-Business Suite 11i/R12, Portal, Application Server, Forms & Reports ... ) integration with Active Directory is done via OID (OAS component).

For more information on OID click here .

http://becomeappsdba.blogspot.com/2007/02/oid-to-oidactive-directoryiplanet-other.html

Few things to note in Integration of OID with Active Directory
------------------------------------------------------------------------
1. Users can be created in AD and propagated to OID or Vice Versa or can
be created in both and then synched.

2. Password for users

----2.a) can be stored in AD and not OID(You can authenticate against AD) via External Authentication Plug-in (created in OID)

---2.b) Can be stored at both places AD & OID and synhced regularly

3. User synchronization between OID and AD (from OID side, both import & export) is done via DIP (Directory Integration & Provisioning ) component of OID

4. Synchronization of user (to & from) between OID and AD is done by predefined connector (shipped with OIDwhich you can modify/configure as per your need)

5. Synchronization between AD-OID via above mentioned connector can be one way (import only or export only) or two way (both import and export)

6. You can synch all or particular attributes of user entry which you wish to configure (this is done via mapping file- More on mapping files coming soon..)

Configuration Highlights

--------------------------------------

1. Synchronization of users between OID & AD happens via synchronization profile (including connect detail, direction of synch, attribute and source & target domain) created during installation of OID.

2. Three provisioning profile created by default are

---ActiveImport : Importing Changes from MS-AD to OID (DirSyn approach for tracking changes in AD)

---ActiveChgImp : Importing Changes from MS-AD to OID (USNChanged approach for tracking changes in AD )

---ActiveExport : Exporting changes from OID to MS-AD
(More on DirSyn & USNChanged coming soon with practical examples on which one to choose depending on requirement)

3. These provisioning profiles can be customized using dipassitant
(dipassistant -gui) or using LDAP commands (ldapadd or ldapmodify)
4. If you are synchronizing from AD to OID where AD is multi-domain and global catalog is not configured againt Multi domain AD, then you need
one synchronization profile per domain for AD but if global catalogue is
configured you create only one provisioning profile against GC (global
catalog and not garbage collector); If synchronization is from OID to AD
(with multiple domain) you need provisioning profile for each domain
irrespective of global catalog (GC doesn't play a role in synch for
Export from OID to AD)
5. Decide on what information to synchronize and at what location in
directory information tree to synchronize.

More on Integrating/synchronizing Oracle Internet Directory (OID) to Microsoft Active Directory (AD) with demo setup coming soon ....

Labels: integration, oid

We have moved to
http://onlineAppsDBA.com
kindly check onLineAppsDBA.com in future

del.icio.us ¦

Digg This ¦ My Yahoo!

My Yahoo ¦ Reddit

Reddit ¦ add to BlinkList

BlinkList ¦ Furl It

Furl It ¦

Email This ¦ Leave Your Comments

posted by Atul Kumar @ 10:08 PM

7 Comments:

At 4:50 AM, Unknown said…

This can be a pretty daunting task at first (especially if you don't have a good grasp of basic LDAP syntax) but it is extremely beneficial in certain environments. For instance, we use our institution's AD for authentication but have our authorization rules set up on the OID and Oracle accounts for the end-users, giving the ma "single sign-on" experience. Very much worth the effort.
At 5:35 AM, Atul Kumar said…

Thanks for sharing your experience with readers. Its true that its worth knowing LDAP syntax and basics.
At 4:03 PM, Anonymous said…

Hi I feel integrating OID with AD is not a easy task.It is mentioned EAP (External Authentication plugin) can be used for AD-OID sync but I have few issues on this. In my environment I want to establish a single password concept for both thin client and thick client. EAP works good for thin client but does not support thick client. Hence it looks like password filter and server chaining are few options to resolve thick cient issue. Could you please give me an idea whether EAP can be used for both thick and thin client. In my environment the password is in AD and no where. IF EAP can be used then How it can be done?
At 6:51 PM, Atul Kumar said…

Sisir,
We are migrating to http://onLineAppsDBA.com so In future I'll respond on on Line Apps DBA

I have posted your comment at this site and answer as well
http://onlineappsdba.com/index.php/2007/05/09/integrate-oid-with-ad-part-i/

so stay tuned for EAP on that site
At 12:12 PM, Sputmayer said…

Hi Sisir,
I have a small query,
We have AD as an Authenticating server and OID as an Authorization server with synchronization happening between them. The current scenario is that a user gets logged into a Java swing application that runs on client PCs with SSO and authenticated against AD of that Domain controller, This Swing app needs to connect to a few Web Services that we are trying to secure using OWSM but OWSM does not provide any Kerberos token authentication with AD in its current version. Therefore, I am thinking of creating a custom policy step in Java that will do the kerberos token authentication with AD and deploy that step in OWSM using their SDK. This token authentication will actually return me the user credentials which I then use to call the OID for authorization i.e to check if the credentials are valid to call the operations defined in WS. Is there a way if I can directly call OID with the credentials which btw the swing app can also provide me. And configure OID to pass the credentials to AD and then OID actually gives the Authentication and if authentication is succesful then OID executes the authorization step or else throws an error or exception etc. I hope I am making some sense. Just to let you know my knowledge of OID and AD is not that great but I am willing to spend more time if the scenario I have explained can be implemented.
Thanks for that buddy, Appreciate your efforts.
Sandy
At 5:27 AM, Unknown said…

Hi Atul,

Have you tried configuring Windows Native Authentication with OID. Since i have tried to , but metalink analyst has confirmed the KDC is not issuing the tickets.

Sine they dont have support , they are asking me to contact microsoft .

Incase if you had done this setup , can you please tell me what are the pre-requesites on windows 2003 Server Sp1 to be taken .

Regards

Bala
At 4:04 PM, Unknown said…

Hi Atul,
I have done the AD to OID Synchronization with an OID Version 10.1.2, which works fine.

The problem is that in AD there are some thousands of groups that we don't need in OID (the performance gets very bad). I would like the synchronization to only synchronize 15 named Groups. The Oracle Documentation is not very detailed on the search filter. Could you give me a hint on the syntax of the search filter to manage this task?

Thank you very much and regards

Pascal