Integrate OID with AD Part I

    Posted by "" in "integration, oid" on 2007-05-09

    OID (Oracle Internet Directory) is the LDAP (Lightweight Directory Access Protocol) server from Oracle, whereas AD (Active Directory) is the LDAP server from Microsoft. For almost all Oracle products (E-Business Suite 11i/R12, Portal, Application Server, Forms & Reports ...) integration with Active Directory is done via OID (an OAS component).

    For more information on OID see: http://becomeappsdba.blogspot.com/2007/02/oid-to-oidactive-directoryiplanet-other.html

    Few things to note in the integration of OID with Active Directory
    ————————————————————————
    1. Users can be created in AD and propagated to OID, or vice versa, or can be created in both and then synched.

    2. Passwords for users:

    2.a) can be stored in AD and not in OID (you authenticate against AD) via an External Authentication Plug-in created in OID, or

    2.b) can be stored in both places, AD and OID, and synched regularly.

    3. User synchronization between OID and AD (from the OID side, both import and export) is done via the DIP (Directory Integration & Provisioning) component of OID.

    4. Synchronization of users (to and from) between OID and AD is done by a predefined connector (shipped with OID) which you can modify/configure as per your need.

    5. Synchronization between AD and OID via the above-mentioned connector can be one way (import only or export only) or two way (both import and export).

    6. You can synch all or only particular attributes of a user entry, whichever you wish to configure (this is done via a mapping file; more on mapping files coming soon).
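    The difference between options 2.a and 2.b above is where the credential lives and who verifies it. The following is an added example, not code from the original post or from Oracle: it simulates the decision an External Authentication Plug-in makes, with both directories replaced by constructed in-memory stand-ins (the `adDN` attribute that links an OID entry to its AD entry is an assumed name used only for illustration; a real plug-in performs an LDAP bind or compare against AD). It also shows the one check a delegating authenticator must not skip: an LDAP simple bind with a name and an empty password is an "unauthenticated" bind (RFC 4513) that servers may accept as anonymous rather than reject, so an empty password must be refused before anything is delegated.

```python
"""Simulated External Authentication Plug-in (EAP) decision for an OID user.

Added example, not code from the original post or from Oracle. Both
directories are constructed in-memory stand-ins; a real plug-in performs an
LDAP bind (or compare) against AD on the user's behalf.
"""
import hashlib
import hmac


def _digest(password: str) -> str:
    """Stand-in for whatever verifier the directory stores; never plain text."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed AD stand-in: DN -> credential verifier. AD is authoritative for
# jdoe's password; OID never holds it (option 2.a in the post).
AD_ACCOUNTS = {
    "cn=jdoe,cn=Users,dc=example,dc=com": _digest("Winter2007!"),
}

# Constructed OID stand-in keyed by uid. 'adDN' is an assumed attribute name
# recording the linked AD entry; it is not an Oracle attribute.
OID_ENTRIES = {
    "jdoe": {"cn": "John Doe", "adDN": "cn=jdoe,cn=Users,dc=example,dc=com"},
    # Local-only account: password kept in OID (option 2.b style), no AD link.
    "svc_report": {"cn": "Report Service", "userPassword": _digest("Rep0rt-Only")},
}


def ad_bind(dn: str, password: str) -> bool:
    """Stand-in for an LDAP simple bind to AD.

    A simple bind with a DN and an empty password is an *unauthenticated*
    bind (RFC 4513); a server may treat it as anonymous and report success,
    so it is refused here rather than forwarded.
    """
    stored = AD_ACCOUNTS.get(dn)
    if stored is None or password == "":
        return False
    return hmac.compare_digest(stored, _digest(password))


def oid_authenticate(uid: str, password: str) -> bool:
    """Authenticate a uid the way an EAP-enabled OID would decide it.

    - Empty passwords are rejected before any delegation.
    - If the entry carries its own userPassword, compare locally (2.b).
    - Otherwise, if the entry is linked to AD, let AD decide via bind (2.a).
    - Anything else (unknown user, unlinked entry with no password) fails.
    """
    if not password:
        return False
    entry = OID_ENTRIES.get(uid)
    if entry is None:
        return False
    local = entry.get("userPassword")
    if local is not None:
        return hmac.compare_digest(local, _digest(password))
    ad_dn = entry.get("adDN")
    if ad_dn is None:
        return False
    return ad_bind(ad_dn, password)


if __name__ == "__main__":
    for uid, pw in [("jdoe", "Winter2007!"), ("jdoe", "wrong"), ("jdoe", ""),
                    ("svc_report", "Rep0rt-Only"), ("nobody", "x")]:
        verdict = "accepted" if oid_authenticate(uid, pw) else "rejected"
        print(f"{uid!r:14} -> {verdict}")
```

    Note that with option 2.a the OID entry for `jdoe` carries no `userPassword` at all, so a compromise of the OID store yields no credential material for that user; the trade-off is that OID becomes dependent on AD being reachable at bind time.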

    Configuration Highlights

    1. Synchronization of users between OID and AD happens via a synchronization profile (including connection details, direction of synch, attributes, and source and target domain) created during installation of OID.

    2. Three provisioning profiles created by default are:

    ActiveImport : importing changes from MS-AD to OID (DirSync approach for tracking changes in AD)

    ActiveChgImp : importing changes from MS-AD to OID (USNChanged approach for tracking changes in AD)

    ActiveExport : exporting changes from OID to MS-AD
    (More on DirSync and USNChanged coming soon, with practical examples of which one to choose depending on the requirement.)

    3. These provisioning profiles can be customized using dipassistant (dipassistant -gui) or using LDAP commands (ldapadd or ldapmodify).

    4. If you are synchronizing from AD to OID where AD is multi-domain and a global catalog is not configured against the multi-domain AD, then you need one synchronization profile per AD domain; but if a global catalog is configured you create only one provisioning profile against the GC (global catalog, not garbage collector). If synchronization is from OID to AD (with multiple domains) you need a provisioning profile for each domain irrespective of the global catalog (the GC doesn't play a role in synch for export from OID to AD).

    5. Decide what information to synchronize and at what location in the directory information tree to synchronize it.
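    The ActiveChgImp profile above tracks AD changes by USN. The following added example (not code from the original post and not Oracle's DIP connector) simulates that import direction with constructed in-memory stand-ins for AD and OID: AD objects carry `uSNChanged`, the per-domain-controller counter that AD increments on every modification, and the importer keeps a watermark of the highest USN it has applied so that each cycle only touches what changed since the last one. The attribute mapping is an assumed one chosen for illustration; it deliberately has no `userPassword` entry, because AD does not expose password hashes over LDAP, which is why the password filter or an External Authentication Plug-in is needed on top of DIP.

```python
"""Simulated USNChanged-style incremental import from AD into OID.

Added example, not code from the original post or from Oracle's DIP
connector. AD and OID are constructed in-memory stand-ins; the attribute
mapping is an assumed one chosen for illustration.
"""
from typing import Dict, List, Tuple

# Assumed mapping (AD attribute -> OID attribute). userPassword is absent on
# purpose: AD never returns password hashes over LDAP, so passwords need a
# separate mechanism (password filter on AD, or EAP in OID).
ATTRIBUTE_MAP = {"sAMAccountName": "uid", "cn": "cn", "mail": "mail"}

# Constructed AD snapshots. Every AD object carries uSNChanged, a counter
# (per domain controller) that increases on each modification of the object.
AD_SNAPSHOT_1: List[Dict] = [
    {"sAMAccountName": "jdoe", "cn": "John Doe", "mail": "jdoe@example.com", "uSNChanged": 1001},
    {"sAMAccountName": "asmith", "cn": "Ann Smith", "mail": "asmith@example.com", "uSNChanged": 1002},
    {"sAMAccountName": "bwong", "cn": "Ben Wong", "uSNChanged": 1003},
]
# Later snapshot: jdoe's mail changed, bwong was deleted (tombstone), asmith untouched.
AD_SNAPSHOT_2: List[Dict] = [
    {"sAMAccountName": "jdoe", "cn": "John Doe", "mail": "john.doe@example.com", "uSNChanged": 1010},
    {"sAMAccountName": "asmith", "cn": "Ann Smith", "mail": "asmith@example.com", "uSNChanged": 1002},
    {"sAMAccountName": "bwong", "isDeleted": True, "uSNChanged": 1011},
]


def changes_since(ad_objects: List[Dict], watermark: int) -> List[Dict]:
    """Objects modified after the watermark, oldest change first."""
    return sorted((o for o in ad_objects if o["uSNChanged"] > watermark),
                  key=lambda o: o["uSNChanged"])


def map_entry(ad_obj: Dict) -> Dict:
    """Project an AD object onto the OID attributes named in ATTRIBUTE_MAP."""
    return {dst: ad_obj[src] for src, dst in ATTRIBUTE_MAP.items() if src in ad_obj}


def run_import(oid: Dict[str, Dict], ad_objects: List[Dict], watermark: int) -> Tuple[int, int]:
    """Apply one import cycle to the OID stand-in.

    Returns (new_watermark, number_of_changes_applied). The watermark only
    advances after an entry has been applied, so a failure mid-cycle would
    leave the unapplied changes to be picked up on the next run.
    """
    applied = 0
    for obj in changes_since(ad_objects, watermark):
        key = obj["sAMAccountName"]
        if obj.get("isDeleted"):
            oid.pop(key, None)          # tombstone: remove the OID entry
        else:
            oid[key] = map_entry(obj)   # create or overwrite from AD (AD wins)
        watermark = max(watermark, obj["uSNChanged"])
        applied += 1
    return watermark, applied


if __name__ == "__main__":
    oid_store: Dict[str, Dict] = {}
    wm, n = run_import(oid_store, AD_SNAPSHOT_1, 0)
    print(f"cycle 1: applied {n}, watermark {wm}, entries {sorted(oid_store)}")
    wm, n = run_import(oid_store, AD_SNAPSHOT_2, wm)
    print(f"cycle 2: applied {n}, watermark {wm}, entries {sorted(oid_store)}")
    wm, n = run_import(oid_store, AD_SNAPSHOT_2, wm)
    print(f"cycle 3: applied {n}, watermark {wm} (nothing new)")
```

    The third cycle applies nothing because the watermark already equals the highest USN seen; that idempotence is what makes a scheduled import safe to re-run. Against a multi-domain AD without a global catalog, point 4 above implies one such watermark per domain profile, since USNs are not comparable across domain controllers.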

    More on integrating/synchronizing Oracle Internet Directory (OID) with Microsoft Active Directory (AD), with a demo setup, coming soon.

    30 Responses to “Integrate OID with AD Part I”

    1. RyanW says:

      This can be a pretty daunting task at first (especially if you don't have a good grasp of basic LDAP syntax) but it is extremely beneficial in certain environments. For instance, we use our institution's AD for authentication but have our authorization rules set up on the OID and Oracle accounts for the end-users, giving them a "single sign-on" experience. Very much worth the effort.

    2. Atul Kumar says:

      Thanks for sharing your experience with readers. It's true that it's worth knowing LDAP syntax and basics.

    3. Atul says:

      Hi, I feel integrating OID with AD is not an easy task. It is mentioned that EAP (External Authentication Plugin) can be used for AD-OID sync but I have a few issues on this. In my environment I want to establish a single password concept for both thin client and thick client. EAP works well for thin client but does not support thick client. Hence it looks like password filter and server chaining are a few options to resolve the thick client issue. Could you please give me an idea whether EAP can be used for both thick and thin client? In my environment the password is in AD and nowhere else. If EAP can be used then how can it be done?

      Sisir,
      EAP can be used in OID so that OID, on the user's behalf, will do ldapbind and ldapcompare for the password in AD or a third-party directory server.

      Do let me know what kind of thick clients (give me an example) you are trying to use for EAP.

      Server chaining for Directory Server is available from OID 10.1.4 and not 10.1.2.

      I'll cover EAP in my coming post on this site.

    4. bilal says:

      Hi Atul,
      Can you guide me on the configuration for OID and AD integration for our Portal?

    5. amolchawathe says:

      Hi,
      I have a portal with a numeric login.

      For example : user( 010999)/pass

      I would like to make the username alphanumeric
      ( amolchawathe/password)

      Can you guide me on how it can be done, either through a change in OID or some kind of portal API?

      Your inputs would be appreciated.

      Thanks
      Amol

    6. Pravin says:

      Hi Atul,

      Want to understand what could be the use of integrating AD with OID without the use of SSO?

      thanks

      Pravin

    7. cristiano says:

      Hi,
      does the installation of Oracle Password Filter (sync password between OID and AD) modify the AD schema or anything else in AD?

      Thanks,
      I don't like to modify anything in AD.

    8. Atul Kumar says:

      @ cristiano,
      The Password Filter for AD should be installed on the AD server.

      Check the link below for the steps:

      http://download.oracle.com/docs/cd/E14571_01/oid.1111/e10031/odip_adpasswordsync.htm#CHDEDIIA

    9. cristiano says:

      Only to know: I have seen that the password filter is a manner to synchronize the Active Directory password into OID, but if you don't want to store it in OID you can use the External Authentication Plugin (OID).

    10. sagar says:

      Hi Atul,
      We are trying to integrate EDIR and OID 11g.
      Will you please let me know if there is any other way to do it without DIP? Also the requirement is that it should run once daily.

      Thanks & look forward to your valuable reply.

    11. sanjay says:

      Authenticate Portal user using AD

      Question is :
      Would it be possible to authenticate with AD and, if the user does not exist in AD, then authenticate using OID?
      We have more users in OID. Not all users have an AD userid/password but they do have an account in OID.

      Is it possible to do?

    12. Atul Kumar says:

      @ Sanjay,
      Which application are you using to authenticate against AD?

      Check in Active Directory if there is an option to authenticate against OID if the user is not available in AD.

    13. Ameet says:

      Hi,

      We are using Oracle 10g Forms and Oracle 10g Forms and Reports Services and MS AD. How do I configure single password authentication for the operating system and the Forms application?
      Can you please list down the steps?

      Regards
      Ameet

    14. Atul Kumar says:

      @ Ameet,
      I am not sure if directory Kerberos authentication is possible in Forms/Reports 10g; however, to achieve 10g Forms/Reports with MS-AD for Windows native authentication (zero sign-on):

      1. Integrate Forms with 10g SSO (Oracle ASSSO) using http://download.oracle.com/docs/cd/B14099_19/web.1012/b14032/sso.htm

      2. You then integrate 10g SSO (Oracle ASSSO) with Active Directory for Kerberos using http://download.oracle.com/docs/cd/B14099_19/idmanage.1012/b14085/odip_actdir003.htm#sthref827

    15. Ameet says:

      Thanks Atul for your reply.

      What is better for our environment? Please give us a suggestion.

      We already have 4 Forms applications deployed. Should I install the complete Application Server (Infra & Apps), then deploy these four applications and then proceed with the AD sync?

    16. Ameet says:

      Is the DBMS_LDAP package helpful in sync? Can I perform this task with this package without SSO and OID?

    17. Ameet says:

      Dear Atul,

      I am waiting for your reply.

    18. Atul Kumar says:

      @ Ameet, as far as I know dbms_ldap is used for accessing LDAP (OID/AD) data using PL/SQL or from the database.

      I don't think you can achieve SSO with dbms_ldap; you would eventually need Single Sign-On software.

      Please consult Oracle Support (Forms & Reports Team)

    19. Ameet says:

      OK thanks. Can you send me all the parts of the bi-directional integration between OID and MS AD?

      I need the sequence of steps to configure sync.

    20. Ameet says:

      thanks a lot

    21. Fontin says:

      Hello Amet,

      You wrote:
      – Users can be created in AD and propagated to OID => OK via import profile
      – or vice versa => OK via export profile
      – or can be created in both and then synched => that is what I want to do, but DIP returns LDAP error 65 and can't synchronize users
      How can I do it?

      Thanks in advance
      Fontin

    22. Atul Kumar says:

      @ Fontin,

      Paste exact error from DIP.

      Did you configure the DIP synchronisation profile using EM (assuming this is OID 11g)?

      Check this:

      http://docs.oracle.com/cd/E21764_01/oid.1111/e10031/odip_actdir.htm#CHDBBAII

    23. Mario says:

      Hi! First of all, congratulations on your blog!

      I need some help with syncing passwords from AD to OID.

      I don't know what software I will need...

      Can you help me by sending a list of the necessary software?

      I’m using 11g Middleware

      Thank you a lot!

      • Atul Kumar says:

        @Mario, do you really need to keep the password at two places? If I were you I would use the password plug-in feature of OID, where OID can contact AD for password validation.

        If you still want to sync passwords then use DIP (Directory Integration Platform). Do let me know if you need more information or a documentation link.

    24. Mario says:

      @Atul Kumar

      Scenario:

      1 server with AD 2008 R2 (isval.lab)
      1 server with OID 11g (oidval.is)

      Actually I can sync users from isval.lab to oidval.is but the password is empty, so I need to sync the password from AD.

      I know that I need an SSL connection between Windows Server and OID, and the password filter on 2008.

      I have configured the SSL connection and in Windows I trusted the connection by using ldapbindssl.exe and got "Bind Successful".

      But the passwords are not synchronized, and I don't know what I'm doing wrong...

    25. Atul Kumar says:

      @ Mario,
      Password sync should work using DIP. If this is not working then check the synchronization mapping and verify that the password attribute is also part of this AD-OID sync. Enable debug in the synchronization profile or raise a Service Request with Oracle Support.

      Check:

      http://docs.oracle.com/cd/E23943_01/oid.1111/e10031/odip_actdir.htm#CHDIGDEH

      and

      http://docs.oracle.com/cd/E23943_01/oid.1111/e10031/odip_config_integration.htm#BABBFAAJ

      and

      http://docs.oracle.com/cd/E23943_01/oid.1111/e10031/odip_adpasswordsync.htm#CHDBIIJC

    26. Mario says:

      @Atul Kumar

      Hi Atul!

      I've reinstalled everything; at this moment we have:

      All software up and running.

      And the SSL configuration was:

      1. Create wallet with self-signed cert
      2. Configure OID in SSL mode 2
      3. Check SSL config with ODSM (created connection with SSL and it works fine)
      4. Change password policies
      5. Export certificate (oid.cer)
      6. Import oid.cer into a new keystore
      7. Configure DIP to work in SSL mode 2 (works fine)
      8. Import oid.cer on Windows 2008 server
      9. Create Windows 2008 server cert (self-signed too)
      10. Import Windows cert into keystore
      11. Test connectivity between DIP and W2K8 on port 636 of AD (works fine)
      12. Create sync profile with SSL (test connection successful and syncs users too)
      13. Install password filter on W2K8
      14. Change password on users already synced (password is not synced)
      15. Edit sync map (user->userpassword – inetorgperson -> userpassword)
      16. Reset password on AD user
      17. DIP shows new successful change (but password is not synced)

      What am I doing wrong?

    27. srshukla3 says:

      Hi Atul,

      I have configured EAP in OID to authenticate from AD. I do not want to sync from AD. I checked that the ldap_bin_ad and ldap_compare_ad plugins are configured properly but still the EAP is not working; it says invalid credentials.

      Can you please help me with where I can check if anything is wrong, or do I need to configure OID-AD sync (import/export) before EAP?

      Regards
      Santosh
