Title
Configure OID 10g Connector to bi-directionally synchronize with Sun Directory Server 5.2

Date
2005-10-20

Summary
This document describes how to configure OID 10g Connector to bi-directionally synchronize with Sun Directory Server. Inserting, updating, or deleting entries on one LDAP server should automatically be synchronized to the other.

Please note the following:
  • Failover testing did not perform satisfactorily in this configuration.
  • The steps have been configured and tested against a single-node installation.

Assumptions
Please note the following assumptions in this note:
  • References to <sunserver>, <oidserver>, <password_dm>, and <password_oid> refer to the Sun Directory Server hostname, OID hostname, Sun Directory Server password, and OID password respectively.
  • The Sun Directory Server port number is 389 while the Oracle Internet Directory Server port number is 3060.
  • The source-of-truth in this configuration is OID.
  • The DN on OID is ou=People,o=thisisahmed.com,cn=subscribers.
  • The DN on Sun Directory Server is dc=target,dc=local,dc=com.

Details
1. Sun Directory Server configuration

a. Log on to the Sun Directory Server console.

b. Enable changelogging on Sun Directory Server:

To verify whether changelogging is enabled, run the ldapsearch command below to obtain the last change number on Iplanet:
ldapsearch -p 389 -h <sunserver> -D "cn=Directory Manager" -w "<password_dm>" -b "" -s base "objectclass=*" lastchangenumber

If you do not get a value, then changelogging may not be enabled. To enable changelogging on Iplanet 5.1, perform the following (this must be repeated on all LDAP servers):
    i. Run the Directory Console by running the startconsole command.

    ii. Log in using cn=Directory Manager, <password_dm>, and http://<hostname>:390.

    iii. Navigate to Server Group -> Directory Server -> Open (button) -> Configuration (tab) -> Plugins -> Retro Change Log Plugin.

    iv. Click on Enable plug-in and click on the Save button.

    v. Restart the Sun Directory Server by running the commands:
    stop-slapd
    start-slapd
    

    vi. Rerun the ldapsearch command to verify the last change number:
    ldapsearch -p 389 -h <sunserver> -D "cn=Directory Manager" -w "<password_dm>" -b "" -s base "objectclass=*" lastchangenumber
    
2. Sun Directory Server verification

a. Log on to the OID server.

b. Confirm connectivity from the OID server(s) to the Sun Directory Server's load-balanced URL:
ldapbind -p 389 -h <sunserver> -D "cn=Directory Manager" -w "<password_dm>"

c. Determine naming contexts on Directory Server:
ldapsearch -p 389 -h <sunserver> -D "cn=Directory Manager" -w "<password_dm>" -b "" -s base "objectclass=*" namingcontexts

d. Verify that you can read the container of the directory entries you wish to sync:
ldapsearch -p 389 -h <sunserver> -D "cn=Directory Manager" -w "<password_dm>" -b "dc=target,dc=local,dc=com" -s base "objectclass=*"

3. OID verification

a. Log on to the OID server.

b. Identify the default identity management realm in OID:
ldapsearch -p 3060 -h <oidserver> -D "cn=orcladmin" -w "<password_oid>" -b "cn=common,cn=products,cn=oraclecontext" -s base "objectclass=*" orcldefaultsubscriber

c. Identify the user and group search contexts in OID (Why? Where is this used?):
ldapsearch -p 3060 -h <oidserver> -D "cn=orcladmin" -w "<password_oid>" -b "ou=People,o=thisisahmed.com,cn=subscribers,cn=common,cn=products,cn=oraclecontext" -s base "objectclass=*" | grep orclcommonusersearchbase

4. OID configuration

a. Confirm the default identity realm, and change if necessary:
    i. Navigate to Entry Management -> cn=OracleContext -> cn=Products -> cn=Common.

    ii. If not set, or set to a different value, set the orcldefaultsubscriber attribute to o=thisisahmed.com,cn=subscribers.
b. Create the two mapping files below and place them in $ORACLE_HOME/ldap/odi/conf:

    sunDMexport.map.master (for exports):

    DomainRules
    ou=People,o=thisisahmed.com,cn=subscribers:dc=target,dc=local,dc=com
    AttributeRules
    uid:1: :person: uid: :inetOrgperson
    sn: : :person:sn: :person
    cn: : :person:cn: :person
    givenname: :inetOrgPerson: givenname: :inetOrgPerson
    userpassword: : :person: userpassword: :person

    sunDMimport.map.master (for imports):

    DomainRules
    dc=target,dc=local,dc=com:ou=People,o=thisisahmed.com,cn=subscribers
    AttributeRules
    uid:1: :person: uid: :inetOrgperson
    sn: : :person:sn: :person
    cn: : :person:cn: :person
    givenname: :inetOrgPerson: givenname: :inetOrgPerson
    userpassword: : :person: userpassword: :person
    uid: : :person: orclisVisible: :orclUserV2:"True"
c. Run basic mapping:
$ORACLE_HOME/ldap/odi/admin/iplanetconfig.sh -oidport 3060

When prompted, answer the questions using the answers provided below:
    Enter OID superuser DN: cn=orcladmin
    Enter OID superuser password: <password_oid>
    #########################################################
    Configuring IPlanet Directory connection details
    #########################################################
    Enter IPlanet Directory connection URL (host:port): <sunserver>:389
    Enter IPlanet Directory privileged user DN to be used for synchronization: cn=Directory Manager
    Enter IPlanet Directory privileged user password: <password_dm>
    #########################################################
    Configuring domain-level mapping rules
    #########################################################
    Enter the DN of the domain in IPlanet Directory to be synchronized: dc=target,dc=local,dc=com
    Enter the DN of the domain in OID where users need to be synchronized: ou=People,o=thisisahmed.com,cn=subscribers
d. Obtain the last change number on OID:
ldapsearch -p 3060 -h <oidserver> -D "cn=orcladmin" -w "<password_oid>" -b "" -s base "objectclass=*" lastchangenumber

e. Run ldapUploadAgentFile.sh to update the mapping information to the profile:
$ORACLE_HOME/ldap/odi/admin/ldapUploadAgentFile.sh -name IplanetExport -config 1 -LDAPhost <oidserver> -LDAPport 3060 -binddn "cn=orcladmin" -bindpass "<password_oid>" -attrtype "MAP" -filename "$ORACLE_HOME/ldap/odi/conf/sunDMexport.map.master"
$ORACLE_HOME/ldap/odi/admin/ldapUploadAgentFile.sh -name IplanetImport -config 1 -LDAPhost <oidserver> -LDAPport 3060 -binddn "cn=orcladmin" -bindpass "<password_oid>" -attrtype "MAP" -filename "$ORACLE_HOME/ldap/odi/conf/sunDMimport.map.master"

5. OID initial import

a. Enable the Import profile (IplanetImport):
    i. Navigate to Server Management -> Integration Services -> Configset 1 -> IplanetImport.

    ii. Update the PROFILE STATUS and set to Enable.

    iii. Update the CONNECTED DIRECTORY ACCOUNT and PASSWORD to cn=Directory Manager and <password_dm>.

    iv. Update the CONNECTED DIRECTORY URL to <sunserver>:389.

    v. Update the OID MATCHING FILTER to orclobjectguid.
b. Bootstrap existing users from Iplanet to OID:
dipassistant bootstrap -port 3060 -profile IplanetImport -dn cn=orcladmin -passwd <password_oid>

c. In OID Admin:
    i. Navigate to IplanetImport profile -> REFRESH button -> IplanetImport profile -> STATUS (tab).

    ii. Check the LAST APPLIED CHANGE NUMBER; it should be the same as the value set by the bootstrap process.
6. OID initial export

a. Enable the Export profile (IplanetExport):
    i. Navigate to Server Management -> Integration Services -> Configset 1 -> IplanetExport.

    ii. Update the PROFILE STATUS and set to Enable.

    iii. Update the CONNECTED DIRECTORY ACCOUNT and PASSWORD to cn=Directory Manager and <password_dm>.

    iv. Update the CONNECTED DIRECTORY URL to <sunserver>:389.

    v. Update the OID MATCHING FILTER to orclobjectguid.

    vi. Update the OID LAST APPLIED CHANGE NUMBER with the value from the Import change number.

    vii. Update the CONNECTED DIRECTORY MATCHING FILTER to prevent unnecessary round trip syncs if using both imp/exp:
    modifiersname != orclodipagentname=iplanetimport,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory
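The matching filter in step vii is what keeps the two profiles from echoing each other's writes. As an added example (not part of this note and not Oracle's code), the Python below models that check: it parses the filter in the single-clause form the note uses, evaluates it against constructed OID changelog records the way an LDAP DN comparison would (case-insensitive, RDN whitespace ignored), and combines it with the LAST APPLIED CHANGE NUMBER from step vi to list which changes the export profile would pick up next. The changelog records, their attribute names and the select_changes/matches_filter helpers are the example's own assumptions; real changelog entries carry more attributes than shown.

```python
"""Loop-prevention check for a bi-directional DIP setup (added example).

Models the CONNECTED DIRECTORY MATCHING FILTER from step vii above:
    modifiersname != orclodipagentname=iplanetimport,cn=subscriber profile,
                     cn=changelog subscriber,cn=oracle internet directory
A change that the import profile itself wrote into OID (recorded with the
import agent as modifiersname) must not be exported back to Sun Directory
Server, or the same edit ping-pongs between the two profiles. This is not
Oracle's code; the changelog records are constructed and carry only the
attributes the check needs.
"""
import re

IMPORT_AGENT_DN = ("orclodipagentname=iplanetimport,cn=subscriber profile,"
                   "cn=changelog subscriber,cn=oracle internet directory")
MATCHING_FILTER = f"modifiersname != {IMPORT_AGENT_DN}"

# Constructed OID changelog records; 102 was written by the import agent.
CHANGELOG = [
    {"changenumber": 101, "changetype": "add",
     "targetdn": "uid=jdoe,ou=People,o=thisisahmed.com,cn=subscribers",
     "modifiersname": "cn=orcladmin"},
    {"changenumber": 102, "changetype": "add",
     "targetdn": "uid=asmith,ou=People,o=thisisahmed.com,cn=subscribers",
     "modifiersname": IMPORT_AGENT_DN.upper()},   # case differs on purpose
    {"changenumber": 103, "changetype": "modify",
     "targetdn": "uid=jdoe,ou=People,o=thisisahmed.com,cn=subscribers",
     "modifiersname": "uid=jdoe,ou=People,o=thisisahmed.com,cn=subscribers"},
    {"changenumber": 104, "changetype": "delete",
     "targetdn": "uid=bob,ou=People,o=thisisahmed.com,cn=subscribers"},
]


def normalize_dn(dn):
    """Compare DNs the way LDAP does: case-insensitive, whitespace around RDNs ignored."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_filter(text):
    """Parse the single-clause 'attr != value' / 'attr = value' form used in the note."""
    m = re.fullmatch(r"\s*(\w+)\s*(!=|=)\s*(.*?)\s*", text)
    if not m:
        raise ValueError(f"unsupported filter: {text!r}")
    attr, op, value = m.groups()
    return attr.lower(), op, value


def matches_filter(record, flt):
    """True when the record passes the filter, i.e. should be synchronized."""
    attr, op, value = flt
    actual = record.get(attr)
    if actual is None:
        # No modifiersname recorded: it cannot be an echo of the agent's own write.
        return op == "!="
    same = normalize_dn(actual) == normalize_dn(value)
    return (not same) if op == "!=" else same


def select_changes(changelog, last_applied, filter_text):
    """Change numbers the export profile would process next: newer than
    LAST APPLIED CHANGE NUMBER and not written by the import agent."""
    flt = parse_filter(filter_text)
    return [rec["changenumber"]
            for rec in sorted(changelog, key=lambda r: r["changenumber"])
            if rec["changenumber"] > last_applied and matches_filter(rec, flt)]


if __name__ == "__main__":
    print(select_changes(CHANGELOG, last_applied=101, filter_text=MATCHING_FILTER))
```

With the last applied change number at 101, only 103 and 104 are exported; 102 is dropped because its modifiersname is the import agent, even though the DN case differs. If the filter were left empty, 102 would be exported to Sun, imported back to OID as a new change, and exported again.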
    
b. Update the last change number for synchronization (Is this step needed?):
dipassistant mp -profile IplanetExport -updlcn -p 3060

c. Register (re-register) the DIP:
odisrvreg -D cn=orcladmin -w <password_oid> -h <oidserver> -p 3060

d. Start the Directory Integration server (debug flags set for troubleshooting):
oidctl server=odisrv instance=1 configset=1 stop
oidctl server=odisrv instance=1 configset=1 flags="debug=63 port=3060" start

e. Add a record on each side (Sun Directory Server and OID) and confirm it is synchronized to the other.

7. Other information

Download DIPTESTER from OTN for configuration/testing/debugging:
    http://otn.oracle.com/sample_code/products/oid/index.html
    http://eclinux.us.oracle.com/diptester.tar
Other tasks worth noting:
  • Disable password expiry
  • Enable similar hashing techniques
  • Configure Access Control Lists (see 42-9 Task 2)

Applicable Versions
Oracle Internet Directory 10g (10.1.2)
Sun Java Enterprise System (JES) Directory Server 5.2
Ahmed Aboulnaga