Oracle Internet Directory Administrator's Guide Release 9.0.2 Part Number A95192-01
This chapter introduces the Oracle Directory Integration platform: its components, structure, and administration tools.
This chapter contains these topics:
The Oracle Directory Integration platform enables an enterprise to integrate its applications and other directories with Oracle Internet Directory. This platform provides all the interfaces and infrastructure necessary to keep the data in Oracle Internet Directory consistent with the data in enterprise applications and connected directories.
For example, an enterprise might want employee records in its Oracle Human Resources database to be synchronized with Oracle Internet Directory. In addition, the enterprise may deploy certain LDAP-enabled applications (such as Oracle9iAS Portal) that need to be notified whenever changes are applied to Oracle Internet Directory. This service is called provisioning, and the Oracle Directory Integration platform provides such applications with the necessary notifications.
Based on the nature of the integration, the Oracle Directory Integration platform provides two distinct services: the Oracle Directory Synchronization Service, which keeps Oracle Internet Directory and its connected directories consistent with each other, and the Oracle Directory Provisioning Integration Service, which notifies applications of changes they have subscribed to.
These services are described and illustrated in later sections.
Using Oracle Internet Directory as the central repository for diverse LDAP-enabled applications and connected directories can greatly reduce the time and resources spent on administration. Realizing these benefits, however, requires the two services described above, which ensure that the connected entities reliably receive (and provide) the necessary information. The following scenarios, two for synchronization and two for provisioning, illustrate how these needs arise and how they are met:
Figure 28-1 shows the structure of the Oracle Directory Integration platform:
The sections that follow describe each component and its relation to the rest of the Oracle Directory Integration platform.
Provisioning notifies applications of changes to user or group entries or attributes that the application needs to track. Synchronization deals with directories rather than applications, ensuring the consistency of entries and attributes that reside in both Oracle Internet Directory and other connected directories.
This section contains these topics:
Provisioning is the service you need when you are designing or installing an application that
The goal of provisioning is to ensure that the application is notified of changes to user or group information. Such changes can affect whether the application allows a user access to its processes and which resources can be used.
A provisioning integration profile must be created during the application's installation. The Provisioning Subscription tool enables you to specify the necessary information and then creates that profile.
You choose synchronization to coordinate changes among Oracle Internet Directory and connected directories. The goal of synchronization is to share and make consistent any change to directory information, including data elements other than a user's name, group memberships, or privileges. For all directories to both use and provide only the latest data, every directory must be informed of each such change made in any connected directory.
Whenever you decide to connect a directory to Oracle Internet Directory, a synchronization profile must then be created for that specific directory. It specifies the format and content of the notifications exchanged between Oracle Internet Directory and the directory to be connected.
Provisioning and synchronization have important operational differences: critical actions must be taken at different times, different levels of maintenance effort are required, communication is one-way in one case and two-way in the other, and the types of data handled differ. Table 28-1 summarizes these primary distinctions.
In the Oracle Directory Integration platform environment, connected directories are those whose contents are synchronized with Oracle Internet Directory through the Oracle Directory Synchronization Service.
Oracle Internet Directory is the central directory for all information, with which all other directories are synchronized. This synchronization can be bidirectional: changes in Oracle Internet Directory can be exported to connected directories, and changes in connected directories can be imported into Oracle Internet Directory. However, some connected directories (such as Oracle Human Resources) only supply changes to Oracle Internet Directory and do not receive changes from it. Individual attributes can be selected for synchronization or ignored by the synchronization service. For example, employee badge numbers appear in Oracle Human Resources but have no relevance to Oracle Internet Directory, its connected directories, or its client applications, so they are not synchronized. The employee ID number, on the other hand, is relevant to those systems and is synchronized by the service.
The central mechanism triggering all such synchronization activities is the Change Log. Every change to any connected directory, including Oracle Internet Directory, is reflected by one or more entries in the Change Log. The Directory Synchronization Service checks the Change Log periodically, taking action whenever a change corresponds to one or more Synchronization Profiles. The service then supplies the appropriate change to all other connected directories whose individual Profiles correspond to the logged change.
Such directories could include, for example, relational databases, Oracle Human Resources, Microsoft Exchange, or Lotus Notes. Synchronization through Oracle Directory Integration connectors ensures that Oracle Internet Directory remains up-to-date with all information that Oracle Internet Directory clients need it to have.
The provisioning integration service requires a Provisioning Profile for each application that is to be notified of changes in user or group information. Each Provisioning Profile uniquely identifies the application and organization to which it applies, and specifies the users, groups, and operations about which the application must be notified. The Profile must be created when the application is installed, using the Subscription Tool described in Appendix A, "Syntax for LDIF and Command-Line Tools".
When changes are made in Oracle Internet Directory that match an application's Provisioning Profile, the Provisioning Integration Service sends the relevant data to that application, such as Oracle9iAS Portal.
The term "legacy application" means one already operational before this Service was installed, and therefore one that has not subscribed in the usual way, during installation. To enable such an application to receive provisioning information by means of the provisioning integration service, a Provisioning Agent must be developed in addition to the Provisioning Profile. The agent must be specifically designed and built to translate the relevant data taken from Oracle Internet Directory into the exact format required by the legacy application.
Figure 28-3 illustrates these interactions, including the special case of a provisioning agent used for a legacy application.
See Also:
Chapter 36, "The Oracle Directory Provisioning Integration Service" for more details about the Oracle Provisioning Integration Service
The Oracle Directory Integration Server is the multithreaded server process consisting of the two services described above: the Oracle Directory Synchronization Service and the Oracle Provisioning Integration Service.
The Oracle Directory Integration Server performs the following functions for the Oracle Directory Synchronization Service:
For the provisioning integration service, the Oracle Directory Integration Server performs the following functions:
The directory integration toolkit allows third-party vendors and developers to integrate their solutions with the Oracle Directory Integration platform environment. Such vendors include providers of metadirectories and provisioning solutions. The toolkit also allows application vendors whose products are based on or use Oracle technology to integrate provisioning of their users and groups with Oracle Internet Directory.
The toolkit describes the following interfaces, tools, and procedures:
This section contains these topics:
Oracle Directory Manager, a Java-based graphical user interface tool, enables you to administer the Oracle Directory Integration platform. Specifically, it enables you to:
OID Control and OID Monitor enable you to start, stop, and monitor the Oracle directory integration server.
In Oracle Internet Directory, you can use OID Control and OID Monitor to control the directory integration server in the ORACLE_HOME where either the Oracle directory server or the Oracle directory integration server is installed. If the Oracle Internet Directory installation is client-only, then the OID Control utility and OID Monitor are not installed, and you must start the Oracle directory integration server manually. In this configuration you can still use Oracle Directory Manager to learn the status of the Oracle directory integration server.
Oracle Enterprise Manager can be used to monitor the status of various integration profiles. This integrated, comprehensive systems management platform combines a graphical console, agents, common services, and tools to aid you in scheduling, monitoring, and administering your heterogeneous environment.
For more details, please refer to the Oracle Enterprise Manager Concepts Guide, the Oracle Enterprise Manager Administrator's Guide, or the Oracle Enterprise Manager online help.
This section describes a deployment in which the Oracle Directory Integration platform is used for integrating various applications in the enterprise. This enterprise has the following components:
The enterprise has the following functional requirements:
Figure 28-4 illustrates the various components and their relationships to each other:
Figure 28-4 illustrates the following factors:
The sections that follow describe the flow of information during user creation, modification, and deletion, thereby illustrating the various capabilities of the Oracle Directory Integration platform.
Based on the requirements specified by the deployment, all users are created in Oracle Human Resources. It is the responsibility of the Oracle Directory Integration platform to propagate new user records to all other repositories in the enterprise. Figure 28-5 illustrates the various interactions that help the Oracle Directory Integration platform complete this task:
Figure 28-5 shows the creation of a new user in Oracle Human Resources, which causes an entry for that user to be created in Oracle Internet Directory and the iPlanet directory servers. It also shows the process of provisioning the user to access Oracle9iAS Portal and Oracle Internet File System deployed in the enterprise. User creation and provisioning happen in the following manner:
Note that the Oracle Directory Integration platform does not directly notify Oracle9iAS Portal or Oracle Internet File System about new users. This is because not all users created in Oracle Human Resources need access to all services. In this case, the deployment must explicitly provision the users to use these services, as in steps 5 & 6.
Based on the requirements of the deployment, any modification to user properties must be communicated to all components interested in such changes. Figure 28-6 illustrates the actions the Oracle Directory Integration platform takes to meet this requirement.
Figure 28-6 shows the process by which Oracle Directory Integration platform communicates the modification of user properties to all systems in the enterprise. The process contains the following sequence of events:
In this example, the enterprise requires that a user who is deleted or terminated in Oracle Human Resources be automatically denied access to all enterprise resources that rely on the directory service. Figure 28-7 shows the flow of events during the deletion of users:
As Figure 28-7 shows, the process by which Oracle Directory Integration platform communicates the deletion of users to all systems in the enterprise contains the following sequence of events:
Once all of the steps indicated above are completed, a deleted user in Oracle Human Resources can no longer access any corporate services like Oracle9iAS Portal or Oracle Internet File System.
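The following model, added here as an example and not code from Oracle's documentation or product, puts together the change-log dispatch and attribute selection described for connected directories, the Provisioning Profile matching described for the provisioning integration service, and the user creation, modification and deletion flows of this deployment. It plays a constructed change log through constructed synchronization and provisioning profiles and returns the messages that would go to each connected directory and application. The directory names, attribute names, DNs, profile fields, the `origin` bookkeeping used to avoid echoing a change back to where it came from, and the rule that a deletion is reported to every subscribed application (a deleted entry carries no group membership to filter on) are all assumptions of this model; the real Oracle change-log layout, profile syntax and connector interfaces differ.

```python
"""Model of change-log driven synchronization and provisioning (added example,
not Oracle code). All directory names, attributes, DNs and profiles are
constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class ChangeLogEntry:
    change_number: int
    source: str                 # directory that recorded the change ("oid" or a connected one)
    target_dn: str
    change_type: str            # "add", "modify" or "delete"
    attrs: dict = field(default_factory=dict)   # attributes carried by the change
    origin: str = ""            # connected directory a change first came from; "" = OID itself


@dataclass
class SyncProfile:
    directory: str
    direction: str              # "import" (into OID only), "export" (from OID only) or "both"
    attr_map: dict              # connected-directory attribute -> OID attribute


@dataclass
class ProvisioningProfile:
    application: str
    operations: set             # change types the application subscribed to
    groups: set                 # DNs of the groups whose members the application cares about


def import_change(entry, profile):
    """Translate a connected directory's change into an OID change, keeping only the
    attributes the profile maps; anything else (a badge number, say) is ignored."""
    if profile.direction not in ("import", "both"):
        return None
    mapped = {profile.attr_map[k]: v for k, v in entry.attrs.items() if k in profile.attr_map}
    return ChangeLogEntry(entry.change_number, "oid", entry.target_dn,
                          entry.change_type, mapped, origin=entry.source)


def export_changes(oid_entry, sync_profiles):
    """Fan an OID change out to every connected directory whose profile accepts exports,
    never back to the directory the change originated from."""
    targets = []
    for p in sync_profiles:
        if p.direction not in ("export", "both") or p.directory == oid_entry.origin:
            continue
        reverse = {v: k for k, v in p.attr_map.items()}
        attrs = {reverse[k]: v for k, v in oid_entry.attrs.items() if k in reverse}
        if not attrs and oid_entry.change_type != "delete":
            continue            # nothing this directory tracks was changed
        targets.append((p.directory, oid_entry.change_type, oid_entry.target_dn, attrs))
    return targets


def provision(oid_entry, prov_profiles):
    """Notify each application whose profile matches the operation and (for adds and
    modifies) the entry's group membership. Assumption of this model: a delete carries
    no attributes, so every application subscribed to deletes is told."""
    notices = []
    for p in prov_profiles:
        if oid_entry.change_type not in p.operations:
            continue
        member_of = set(oid_entry.attrs.get("memberOf", []))
        if oid_entry.change_type != "delete" and not (member_of & p.groups):
            continue
        notices.append((p.application, oid_entry.change_type, oid_entry.target_dn))
    return notices


def process_change_log(entries, sync_profiles, prov_profiles):
    """One polling pass over the change log: each logged change becomes zero or more
    outbound synchronization messages and zero or more provisioning notices."""
    by_dir = {p.directory: p for p in sync_profiles}
    sync_out, prov_out = [], []
    for e in entries:
        if e.source == "oid":
            oid_e = e
        else:
            profile = by_dir.get(e.source)
            oid_e = import_change(e, profile) if profile else None
            if oid_e is None:
                continue        # not a connected directory, or a one-way export target
            sync_out.append(("oid", oid_e.change_type, oid_e.target_dn, oid_e.attrs))
        sync_out.extend(export_changes(oid_e, sync_profiles))
        prov_out.extend(provision(oid_e, prov_profiles))
    return sync_out, prov_out


# Constructed deployment: Oracle HR feeds OID one way, iPlanet syncs both ways,
# two applications subscribe to modify/delete (new users are provisioned explicitly).
SYNC_PROFILES = [
    SyncProfile("oracle_hr", "import",
                {"employee_number": "employeeNumber", "full_name": "cn", "email": "mail"}),
    SyncProfile("iplanet", "both",
                {"employeeNumber": "employeeNumber", "cn": "cn", "mail": "mail"}),
]
PROV_PROFILES = [
    ProvisioningProfile("Oracle9iAS Portal", {"modify", "delete"},
                        {"cn=portal_users,dc=example,dc=com"}),
    ProvisioningProfile("Oracle Internet File System", {"modify", "delete"},
                        {"cn=ifs_users,dc=example,dc=com"}),
]
USER_DN = "cn=jdoe,dc=example,dc=com"
CHANGE_LOG = [                  # constructed: create in HR, grant Portal in OID, delete in HR
    ChangeLogEntry(1, "oracle_hr", USER_DN, "add",
                   {"employee_number": "1001", "full_name": "Jane Doe",
                    "email": "jdoe@example.com", "badge_number": "B-4471"}),
    ChangeLogEntry(2, "oid", USER_DN, "modify",
                   {"memberOf": ["cn=portal_users,dc=example,dc=com"]}),
    ChangeLogEntry(3, "oracle_hr", USER_DN, "delete"),
]

if __name__ == "__main__":
    for msg in process_change_log(CHANGE_LOG, SYNC_PROFILES, PROV_PROFILES):
        print(msg)
```

Running the constructed log shows the behaviour the text describes: the HR add reaches OID and iPlanet without the badge number and without any provisioning notice, the group change made in OID notifies only Oracle9iAS Portal and is not exported (iPlanet tracks none of the changed attributes), and the HR delete is pushed to OID and iPlanet and reported to both applications, which is what closes the user's access.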
Copyright © 1999, 2002 Oracle Corporation. All Rights Reserved.