How to configure OID-AD integration (user/group synchronization) using DIP?

Directory Integration Platform (DIP) 11g is a Java application deployed on WebLogic Server. It is used for user and group synchronization between OID and other LDAP servers (Active Directory, IBM Directory Server, etc.) and for provisioning between OID and applications (Portal, Collaboration Suite, etc.).

  • For more information on DIP synchronization and provisioning, click here
  • To configure DIP and OID on different machines, click here

In this post I am going to cover the steps to integrate Oracle Internet Directory (OID) with Microsoft Active Directory (AD) using DIP.

Assumptions:

1. OID and DIP are already installed and configured (OID 11g LDAP port 3060, LDAPS port 3131; the wls_ods1 managed server hosting DIP and ODSM is running on port 7005; the WebLogic Admin Server is running on port 7001).

2. Microsoft Active Directory is installed and listening on port 389 (non-SSL). Note that on 389 the bind credentials and the synchronized attributes cross the network in clear text, and AD only accepts password writes over an encrypted connection, so for anything beyond a lab use the LDAPS port (636 by default) together with the SSL settings described below.

You can use either the command-line tool (expressSyncSetup) or the graphical user interface (Fusion Middleware Control, /em).


Integrate OID and AD (user/group synchronization) via DIP using the GUI

1. Log in to Enterprise Manager Fusion Middleware Control at http://server:weblogic_admin_port/em (the WebLogic Admin Server must be running).

2. From the left panel, expand Farm_[domain_name] -> Identity and Access -> DIP (11.1.1.X). (The wls_ods1 managed server must be running to access this.)

3. From the DIP Server drop-down menu (on the right panel), select Administration -> Synchronization Profiles.

4. Click the Create button and enter:

Profile Name: name of this synchronization profile.
Direction of Synchronization (Use DIP-OID as): Source for OID-to-AD synchronization, Destination for AD-to-OID synchronization.
Type: Active Directory (MS). Select a different type if you want to synchronize OID with another kind of LDAP server.
Host: hostname or IP of the machine where Active Directory is running.
Port: LDAP port of the AD server (389 for the non-SSL port assumed above, or 636 for LDAPS).
SSL Settings: check Enabled if you are connecting to the LDAPS port. Before this works, the certificate chain of the AD server must be imported into the Java keystore (JKS) used by DIP, and that keystore must be registered with the credential store (CSF).
User Name: DN of the AD account that DIP binds as. It needs read access to the synchronized containers for AD-to-OID profiles (plus the Replicating Directory Changes right if the profile uses DirSync) and write access to the target container for OID-to-AD profiles. Use a dedicated, least-privileged account rather than a domain administrator.
Password: password of that AD account.

5. Click Test Connection to check that DIP can connect to the Active Directory server.

6. Once the test is successful, click OK to save the synchronization profile.

Then click on

  • Mapping (if you wish to configure mapping rules or an exclusion list at domain level or attribute level)
  • Filtering (if you wish to restrict synchronization with a search filter applied at the source or target LDAP server, OID or AD)
  • Advanced (to change the synchronization schedule frequency or the log level)

7. Click Enable Profile to enable this profile.


Key points for OID-AD integration using DIP

1. A synchronization profile is executed every minute by default (configurable) via the Quartz scheduler, which is a DIP component.

2. By default, AD-to-OID synchronization tracks changes with the uSNChanged attribute. More information on uSNChanged and DirSync here.

3. To switch a synchronization profile from uSNChanged to DirSync, click here, or point the profile at the DirSync configuration file:

   manageSyncProfiles update -h host -p port -D WLS_login_ID -pf Profile_Name -params "odip.profile.configfile $ORACLE_HOME/ldap/odi/conf/activeimp.cfg.master"

4. If you are planning to configure Filtering in DIP, check Bug 9294314: SEARCHFILTER NOT WORKING ON 11.1.1.1.0 AND 11.1.1.2.

Workaround:
a. For synchronization, use the filter in the format searchfilter="abc" (with double quotes).
b. For bootstrap, use the filter in the format searchfilter=abc (without double quotes).

5. DIP logs are available at $DOMAIN_HOME/servers/wls_ods1/logs (where DOMAIN_HOME is the location of the WebLogic domain), and the OID server logs at $ORACLE_INSTANCE/diagnostics/logs/OID/oid1 (where ORACLE_INSTANCE is the OID instance directory).
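The Filtering and Mapping options of a profile, and key points 2 and 4 above, are easier to reason about with a small model of what an AD-to-OID import does on each scheduler tick. The following Python script is an added example written for this page; it is not DIP code and does not use DIP's mapping-file syntax. It replaces the LDAP searches with a constructed in-memory snapshot of AD objects (the AD_SNAPSHOT list, the example.com names and the cn=Users,dc=example,dc=com OID base are all made up), tracks changes with a uSNChanged watermark, maps the userAccountControl disabled bit to orclisenabled, and contrasts that with a source searchfilter that excludes disabled accounts. Two points it makes that the text does not: a uSNChanged query only sees deletions if the search also returns tombstones from the Deleted Objects container (AD needs the LDAP_SERVER_SHOW_DELETED control for that), and filtering disabled users out at the source means a later disable in AD never reaches OID, so mapping the status attribute is the safer way to get "active users only".

```python
# Added illustration of the AD -> OID sync logic behind a uSNChanged profile.
# This is NOT DIP code: a constructed in-memory snapshot of Active Directory
# objects stands in for LDAP search results, and the mapping/filter functions
# model what a profile's mapping rules and searchfilter do.
from copy import deepcopy

ACCOUNTDISABLE = 0x2                      # userAccountControl bit: account disabled
BIT_AND_RULE = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND (AD extensible match)

# Constructed sample data: what a search against AD might return.
# 514 = NORMAL_ACCOUNT (512) | ACCOUNTDISABLE (2).
AD_SNAPSHOT = [
    {"dn": "CN=alice,OU=Users,DC=example,DC=com", "sAMAccountName": "alice",
     "mail": "alice@example.com", "userAccountControl": 512, "uSNChanged": 1001},
    {"dn": "CN=bob,OU=Users,DC=example,DC=com", "sAMAccountName": "bob",
     "mail": "bob@example.com", "userAccountControl": 514, "uSNChanged": 1002},
    {"dn": "CN=carol,OU=Users,DC=example,DC=com", "sAMAccountName": "carol",
     "mail": "carol@example.com", "userAccountControl": 512, "uSNChanged": 1005},
    # Tombstone of a deleted user. AD returns these only when the search carries
    # the LDAP_SERVER_SHOW_DELETED control (1.2.840.113556.1.4.417); a plain
    # uSNChanged query never sees the delete.
    {"dn": "CN=dave\\0ADEL:0f0f0f0f-0000-0000-0000-000000000001,"
           "CN=Deleted Objects,DC=example,DC=com",
     "sAMAccountName": "dave", "isDeleted": True, "uSNChanged": 1007},
]


def active_users_filter() -> str:
    """Source-side searchfilter that keeps only enabled user accounts."""
    return f"(&(objectClass=user)(!(userAccountControl:{BIT_AND_RULE}:=2)))"


def is_enabled(uac: int) -> bool:
    """Same test the filter above performs server-side."""
    return not (uac & ACCOUNTDISABLE)


def changed_since(snapshot, last_usn, show_deleted):
    """Model of the incremental query (uSNChanged > watermark), ordered by USN."""
    rows = [e for e in snapshot if e["uSNChanged"] > last_usn
            and (show_deleted or not e.get("isDeleted"))]
    return sorted(rows, key=lambda e: e["uSNChanged"])


def map_to_oid(entry, oid_base="cn=Users,dc=example,dc=com"):
    """Attribute mapping in the spirit of a DIP mapping rule (simplified)."""
    uid = entry["sAMAccountName"]
    return {
        "dn": f"cn={uid},{oid_base}",
        "objectclass": ["inetOrgPerson", "orclUserV2"],
        "uid": uid, "cn": uid, "sn": uid,   # sn is mandatory on inetOrgPerson
        "mail": entry.get("mail"),
        # Status mapping: AD disabled bit -> OID orclisenabled value.
        "orclisenabled": "ENABLED" if is_enabled(entry["userAccountControl"]) else "DISABLED",
    }


def sync_pass(snapshot, oid_store, last_usn, only_active=False, show_deleted=True):
    """One scheduler tick of an AD -> OID profile; returns the new USN watermark."""
    new_usn = last_usn
    for entry in changed_since(snapshot, last_usn, show_deleted):
        new_usn = max(new_usn, entry["uSNChanged"])
        uid = entry["sAMAccountName"]
        if entry.get("isDeleted"):
            oid_store.pop(uid, None)      # the delete reaches OID only via the tombstone
            continue
        if only_active and not is_enabled(entry["userAccountControl"]):
            continue                      # the searchfilter hides this entry from DIP
        oid_store[uid] = map_to_oid(entry)
    return new_usn


def disable_in_ad(snapshot, uid, usn):
    """Constructed follow-up change: an admin disables `uid`, AD bumps its uSNChanged."""
    snap = deepcopy(snapshot)
    for e in snap:
        if e["sAMAccountName"] == uid and not e.get("isDeleted"):
            e["userAccountControl"] |= ACCOUNTDISABLE
            e["uSNChanged"] = usn
    return snap


if __name__ == "__main__":
    mapped, filtered = {}, {}
    usn_a = sync_pass(AD_SNAPSHOT, mapped, 0)                    # status mapped
    usn_b = sync_pass(AD_SNAPSHOT, filtered, 0, only_active=True)  # disabled filtered out
    later = disable_in_ad(AD_SNAPSHOT, "alice", 1010)
    sync_pass(later, mapped, usn_a)
    sync_pass(later, filtered, usn_b, only_active=True)
    print("mapping profile  :", {u: v["orclisenabled"] for u, v in mapped.items()})
    print("filtering profile:", {u: v["orclisenabled"] for u, v in filtered.items()})
```

Running it shows the difference between the two approaches on the same change history: in the mapping profile alice ends up DISABLED after the second pass, while the filtering profile still shows alice as ENABLED because the disable event was filtered out before DIP ever saw it. The same logic applies to the bug 9294314 workaround: whichever quoting form you need, the filter belongs in the searchfilter of the profile, and status should be carried by a mapping rule rather than by excluding entries.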

 


About the author: Atul Kumar

Oracle ACE, author, speaker and founder of K21 Technologies & K21 Academy, specialising in design, implementation and training.


16 comments
csk says August 20, 2011

Hi Atul,

One of our clients wants to upgrade their custom application from Oracle Forms and Reports 10g (9.0.4) to Oracle Fusion Middleware (FMW) 11g and from Oracle 9i Database to Oracle Database 11gR2.
They want to implement Oracle FMW Single Sign-On integrated with MS Active Directory.

Can we implement this solution with only Oracle FMW 11g, without any additional software like OID, EUS, OVD, etc.?

Thanks
CSK.

Reply
Atul Kumar says August 25, 2011

@csk,
For Forms-type FMW 11g applications, OID is mandatory for SSO (OVD & EUS are not required).

Other FMW applications (WebCenter, OBIEE) can be configured with SSO using AD directly (without OID).

OVD & EUS are not mandatory for any FMW application.

Oracle Access Manager (OAM) is the recommended SSO in Fusion Middleware.

Reply
csk says August 27, 2011

Thanks Atul.

Reply
Harinadh says June 28, 2012

Dear Atul,
Is there any process to achieve Oracle Single Sign-On with an application running on Apache 2.2 and Tomcat 6 using OID (without using OHS)?

Thanks & Regards,
Hariandh.

Reply
lou73 says July 25, 2012

Hi,
if AD(1) is trusted on another AD(2), is DIP able to sync all the users of AD(1) + AD(2)?

thx
Lou

Reply
Mamta says August 29, 2012

Our present configuration is EBS 11.5.10.2 with SSO/OID 9.0.4.3.

We need to upgrade OID to the latest version 10.1.4.0.1 (which is certified with 11.5.10.2), integrated with MS-LDAP and EBS 11.5.10.2.

Please guide us on the high-level steps. I have logged an SR, but they say to go through the below document, which looks a little confusing.

http://docs.oracle.com/cd/B28196_01/getstart.htm

Appreciate your valuable inputs.

Thanks,
MR

Reply
sunil sharma says May 23, 2013

Hi,
We have one system, say an HR system, which takes care of entering all the user information. Once it submits that information, it goes to OID. Now we want that when we import all those users from OID to Active Directory it doesn't duplicate any user, and, depending on their role, it should create groups dynamically in Active Directory. For e.g.: if a user belongs to the Trainee category or Manager category, it must create a Trainee group & a Manager group & the respective person should go into that group. I don't know whether my question is placed in the right group or not. Any help will be appreciated.

Thanks,
Sonya Sharma

Reply
Luis Felipe says August 2, 2013

Hi. Thanks for the tutorial. I created a DIP profile to synchronize with AD. But in OID only four users are available. The other hundred users do not synchronize, and the DIP logs show errors:

DIP-10007: error in mapping mechanism WSBD_AD
DIP-10008: error in executing the thread Agent: WSBD_AD
DIP-10219: error in mapping mechanism WSBD_AD

Please help me

Reply
Somnath says June 6, 2014

HI Atul,

I was wondering about the below line you mentioned:
"Direction of Synchronization – Use DIP-OID as? Source (for OID to AD) or Destination (AD to OID)". This sounds more logical, but the below link says just the opposite.
http://docs.oracle.com/cd/E21764_01/oid.1111/e10031/odip_adm_sync.htm#i115567
I am new to OID and DIP, so I am a bit confused; can you please confirm which is correct.

Thanks,
Som

Reply
Somnath says June 9, 2014

Hi Atul,

Did you get a chance to check my post? Please reply. I am actually stuck, as I don't have any environment to test this thing.

Thanks in Advance.

Regards,
Som.

Reply
alirazaidi says August 12, 2014

hi,
This is a nice blog. I am learning so much from this.

I have configured AD-to-OID sync by following this post, but I am not able to get AD group information for the users in OID.

Can you please explain how I can get group information for the users from AD to OID.

Regards,
ali raza
alirazaidi@hotmail.com

Reply
Gopal says November 15, 2014

We are using Oracle Apps R12.1.3 and Microsoft Active Directory on Windows 2008 R2.

We have the following requirement:

(1) From Oracle Apps to Active Directory.

- Employee master information needs to be interfaced to Active Directory at a regular interval, and Active Directory should be updated accordingly.

(2) From Active Directory to the Oracle system.

- Whenever a new email address for an employee is created in Active Directory, the information needs to flow to Oracle HRMS.

Please let us know the method to achieve this with minimal latest Oracle software.

Regards
gopal

Reply
vic says March 2, 2015

How do password hashes in AD get deciphered by OID when configuring EBS integration with AD, without WNA, using DIP as you have illustrated above? How does OID know what hashing algorithm is being used in AD?

Reply
Anil says October 5, 2015

OU=Programming,OU=Data Center,OU=DEPARTMENT,OU=MOH,DC=moh,DC=gov,DC=kw

Reply
AD says July 21, 2016

Is there any way we can map AD account status (userAccountControl) to the orclisenabled attribute in OID?

Reply
Enio says September 27, 2017

Hi,
Is it possible to create a mapping to sync only active users from AD?
If yes, how can I do that?
Thank you,
Enio

Reply