35
Synchronization with Third-Party Metadirectory Solutions

Oracle Internet Directory uses change logs to enable synchronization with supported third party metadirectory solutions. This chapter describes how change log information is generated and how supporting solutions use that information. It tells you how to enable the directory integration agents of third-party metadirectory solutions so that they can synchronize with Oracle Internet Directory.

This chapter contains these topics:

About Change Logs

Oracle Internet Directory records each change as an entry in the change log container. A directory integration agent for the third-party directory retrieves changes from the change log container and applies them to the third-party directory. To retrieve these changes, the agent must subscribe to the Oracle Internet Directory change logs.

Each entry in the change log store has a change number. The agent keeps track of the number of the last change it applied, and it retrieves from Oracle Internet Directory only those changes with numbers greater than the last change it applied. For example, if the last change an agent retrieved had a number of 250, then subsequent changes it retrieves would have numbers greater than 250.

From the standpoint of the Oracle Directory Integration platform, the agent for the third-party metadirectory solution is an external agent--that is, the Oracle directory integration server does not provide mapping or scheduling services for it.

Note:

If an agent is not subscribed to the Oracle Internet Directory change logs, and the first change it retrieves is more than one number higher than the last change it last applied, then some of the changes in the Oracle Internet Directory change log have been purged. In this case, the agent must read the entire Oracle Internet Directory to synchronize its copy with that in Oracle Internet Directory.

See Also:

"About Connectors and Directory Integration Profiles" for a conceptual discussion of directory integration agents, including external agents

Enabling External Agents to Synchronize with Oracle Internet Directory

To enable external agents to retrieve changes from Oracle Internet Directory, perform the tasks described in this section.

Task 1: Perform Initial Bootstrapping

To bootstrap a directory to synchronize data between a local directory and Oracle Internet Directory, do the following:

Find the number of the last change recorded in Oracle Internet Directory. This number is contained in the DSE root attribute, lastChangeNumber.

To find the number of the last change recorded in Oracle Internet Directory, use ldapsearch. Enter the following command:
```
ldapsearch -h host_name -p port_number -s base -b "" 'objectclass=*' 
lastchangenumber
```
If the change log does not contain change entries because they have been purged, then the last change number retrieved is 0 (zero).
Use ldifwrite to export data from Oracle Internet Directory into an LDIF file.

Convert the LDIF file to a format suitable to the client directory, then load it into the client directory.

Note:

Initial bootstrapping is not required with a new installation of Oracle Internet Directory. In this case, the current change number of the newly installed Oracle Internet Directory is 0 (zero).

See Also:

"ldifwrite Syntax" for instructions on using ldifwrite

Task 2: Create a Change Subscription Object in Oracle Internet Directory for the External Agent

To enable an external agent to synchronize with Oracle Internet Directory, you must create a change subscription object for it in Oracle Internet Directory. This gives the agent access to change log objects stored in Oracle Internet Directory.

About the Change Subscription Object

The change subscription object is an entry located under the following container in Oracle Internet Directory:

cn=Subscriber Profile,cn=ChangeLog Subscriber,cn=Oracle Internet Directory

This change subscription object provides a unique credential for an external agent to bind with Oracle Internet Directory and to retrieve changes from it. You associate the change subscription object with the auxiliary object class orclChangeSubscriber. This object class has several attributes, of which the following are mandatory:

userPassword

Password to be used by the directory when accessing the change log object in Oracle Internet Directory
orclLastAppliedChangeNumber

Number of the change applied during the last synchronization. This attribute allows the directory to retrieve only the changes in Oracle Internet Directory it has not already applied.
orclSubscriberDisable

Flag indicating whether the subscription of the external agent is enabled or disabled. A value of 1 indicates that it is disabled, and a value of 0 indicates that it is enabled.

Creating a Change Subscription Object

To create a change subscription object, use ldapadd. The following example uses an input file, named add.ldif, to create and enable a change subscription object, named my_change_subscription_object, under the container
cn=Subscriber Profile,cn=ChangeLog Subscriber,cn=Oracle Internet Directory. The orclLastAppliedChangeNumber is the current change number in the directory before initial bootstrapping--in this example, 250.

Edit file add.ldif:

dn: cn=my_change_subscription_object,cn=Subscriber Profile,cn=ChangeLog 
Subscriber,cn=Oracle Internet Directory
userpassword: my_password
orclLastAppliedChangeNumber: 250
orclSubscriberDisable: 0
objectclass: orclChangeSubscriber
objectclass: top

Add the entry:
```
ldapadd -h my_host -p 389 -f add.ldif
```
See Also:
"Disabling and Deleting Change Subscription Objects" for instructions on temporarily disabling change subscription objects or deleting them altogether

Task 3: Grant External Agents Access to the Oracle Internet Directory Change Log Object Container

Once you have created a change subscription object, you must grant it read access to the cn=changeLog entry in Oracle Internet Directory. You do this by adding it to the following group entry: cn=odipgroup,cn=odi,cn=Oracle Internet Directory.

The following example uses a file, named add_to_group.ldif, to add the entry created in the previous examples, namely, my_change_subscription_object, to this group entry cn=odipgroup,cn=odi,cn=Oracle Internet Directory.

Edit the file add_to_group.ldif

dn: cn=odipgroup,cn=odi,cn=Oracle Internet Directory
changetype: modify
add: uniqueMember
uniqueMember: cn=my_change_subscription_object,cn=Subscriber Profile,

                cn=ChangeLog Subscriber,cn=Oracle Internet Directory

Modify the entry:

ldapmodify -h my_ldap_host -p 389 -v -f add_to_group.ldif

The Synchronization Process

This section contains these topics:

How a Connected Directory Retrieves Changes the First Time from Oracle Internet Directory

In this example, a connected directory with a change subscription object named my_change_subscription_object acquires changes from Oracle Internet Directory.

ldapsearch -h my_host -p 389 -b "cn=changeLog" -s one  

(&(objectclass=changeLogEntry)  

(changeNumber >= orclLastAppliedChangeNumber ) 

( ! (modifiersname =cn=my_change_subscription_object,cn=Subscriber Profile,

     cn=ChangeLog Subscriber,cn=Oracle Internet Directory ) ) )

When the directory is retrieving changes for the first time, the value for orclLastAppliedChangeNumber is the number you set in "Task 2: Create a Change Subscription Object in Oracle Internet Directory for the External Agent".

The argument (!(modifiersname=client_bind_dn)) in the filter ensures that Oracle Internet Directory does not return changes made by the connected directory itself.

How a Connected Directory Updates the orclLastAppliedChangeNumber Attribute in Oracle Internet Directory

After retrieving changes from Oracle Internet Directory, the connected directory updates the orclLastAppliedChangeNumber attribute in its change subscription object in Oracle Internet Directory. This allows Oracle Internet Directory to purge changes that connected directories have already applied. It also enables the connected directory to retrieve only the most recent changes, ignoring those it has already applied.

This example uses an input file, mod.ldif, in which the connected directory has a change subscription object named my_change_subscription_object, and the last applied change number is 121. The connected directory updates orclLastAppliedChangeNumber in its change subscription object in Oracle Internet Directory as follows:

Edit mod.ldif:

dn: cn=my_change_subscription_object,cn=Subscriber Profile,

    cn=ChangeLog Subscriber,cn=Oracle Internet Directory
changetype:modify
replace: orclLastAppliedChangeNumber
orclLastAppliedChangeNumber: 121

Use ldapmodify to load the edited mod.ldif file:
```
ldapmodify -h host -p port -f mod.ldif
```

See Also:

"Change Log Purging" for information about purging changes according to change numbers

Disabling and Deleting Change Subscription Objects

You can temporarily disable an existing change subscription object, or delete it altogether. This section contains these topics:

Disabling a Change Subscription Object

If a change subscription object already exists for an agent, but you want to disable it temporarily, then set the orclSubscriberDisable attribute to 1. The following example uses an input file, mod.ldif, to disable a change subscription object.

Edit file mod.ldif:

dn: cn=my_change_subscription_object,cn=Subscriber Profile,

    cn=ChangeLog Subscriber,cn=Oracle Internet Directory
changetype: modify
replace: orclSubscriberDisable
orclSubscriberDisable: 1