28
Oracle Directory Integration Platform Concepts and Components

This chapter introduces the Oracle Directory Integration platform: its components, structure, and administration tools.

This chapter contains these topics:

What Is the Oracle Directory Integration Platform?

The Oracle Directory Integration platform enables an enterprise to integrate its applications and other directories with Oracle Internet Directory. This platform provides all the interfaces and infrastructure necessary to keep the data in Oracle Internet Directory consistent with the data in enterprise applications and connected directories.

For example, an enterprise might want employee records in its Oracle Human Resources database to be synchronized with Oracle Internet Directory. In addition, the enterprise may deploy certain LDAP-enabled applications (such as Oracle9iAS Portal) that need to be notified whenever changes are applied to Oracle Internet Directory. This service is called provisioning, and the Oracle Directory Integration platform provides such applications with the necessary notifications.

Based on the nature of integration, the Oracle Directory Integration platform provides two distinct services:

The synchronization integration service, which keeps connected directories consistent with the central Oracle Internet Directory
The provisioning integration service, which sends notifications to target applications periodically to reflect changes made to a user's status or information

These services are described and illustrated in later sections.

Why is the Oracle Directory Integration Platform Needed?

Using Oracle Internet Directory as the central repository for diverse LDAP-enabled applications and connected directories can greatly reduce your time and resource costs for administration. To realize these benefits, however, requires the services described above, which ensure that these connected entities reliably receive (and provide) the necessary information. The following scenarios, two for synchronization and two for provisioning, illustrate how these needs may arise and be met:

Synchronization: An enterprise may wish to deploy LDAP-enabled applications from Oracle in the presence of a third-party LDAP directory. But Oracle applications are only certified to run against Oracle Internet Directory. The deployment will thus need to synchronize data between Oracle Internet Directory and the third-party directory.
Synchronization: An enterprise may wish to deploy a metadirectory solution that integrates several repositories in the enterprise with Oracle Internet Directory, thus requiring synchronization.
Provisioning: An enterprise may wish to deploy certain LDAP-enabled Oracle components such as Oracle9iAS Portal, Oracle Internet File System, and Oracle9iAS Wireless. The user/group provisioning for these components is integrated with Oracle Internet Directory, requiring they be notified of user or group changes in that repository.
Provisioning: An enterprise may be developing and deploying custom relational applications that need to be notified of changes to user/group entries in the central Oracle Internet Directory. This need is met by the provisioning integration service of the Oracle Directory Integration platform.

Structure of the Oracle Directory Integration Platform

Figure 28-1 shows the structure of the Oracle Directory Integration platform:

Figure 28-1 Oracle Directory Integration Platform Structure

Text description of 271simpler.gif follows

Text description of the illustration 271simpler.gif

The sections that follow describe each component and its relation to the rest of the Oracle Directory Integration platform.

Provisioning versus Synchronization

Provisioning notifies applications of changes to user or group entries or attributes that the application needs to track. Synchronization deals with directories rather than applications, ensuring the consistency of entries and attributes that reside in both Oracle Internet Directory and other connected directories.

This section contains these topics:

Provisioning

Provisioning is the service you need when you are designing or installing an application that

Does not maintain a directory
Is LDAP-enabled
Can and should allow only authorized users to access its resources

The goal of provisioning is to ensure that the application is notified of changes to user or group information. Such changes can affect whether the application allows a user access to its processes and which resources can be used.

A provisioning integration profile must be created during the application's installation. The Provisioning Subscription tool enables you to specify the necessary information and then creates that profile.

Synchronization

You choose synchronization to coordinate changes among Oracle Internet Directory and connected directories. The goal of synchronization is to share and make consistent any change to directory information, including data elements other than a user's name, group memberships, or privileges. For all directories to both use and provide only the latest data, every directory must be informed of each such change made in any connected directory.

Whenever you decide to connect a directory to Oracle Internet Directory, a synchronization profile must then be created for that specific directory. It specifies the format and content of the notifications exchanged between Oracle Internet Directory and the directory to be connected.

How Provisioning and Synchronization Differ

Provisioning and synchronization have important operational differences. Critical actions must be taken at different times. Different maintenance effort levels are required. Communication differs in being one-way or two-way, and the types of data to be handled are different. Table 28-1 provides a brief tabular format for these primary distinctions.

Table 28-1 Provisioning Integration and Directory Synchronization Distinctions

Service	Provisioning Integration	Directory Synchronization
The time for action	Application design time. Provisioning Integration is targeted towards application designers who are developing LDAP-enabled applications.	Application deployment time. Directory synchronization is targeted towards connected directories that need to be synchronized with Oracle Internet Directory.
Maintenance effort	Minimal: need only register the application end-point during install	High: need to set up the mapping rules and the agents
Communication direction	One way, from Oracle Internet Directory to provisioned applications	Two-way: from Oracle Internet Directory to connected directories and/or vice versa
Type of data	Restricted to provisioned Users and Groups	Any data in a directory
Example	Oracle9iAS Portal	Oracle Human Resources

Directory Synchronization Service

In the Oracle Directory Integration platform environment, connected directories are those whose contents are synchronized with Oracle Internet Directory through the Oracle Directory Synchronization Service.

Oracle Internet Directory is the central directory for all information, with which all other directories are synchronized. This synchronization can be bidirectional: changes in Oracle Internet Directory can be exported to connected directories, and changes in connected directories can be imported into Oracle Internet Directory. However, some connected directories (such as Oracle Human Resources) do not receive changes from Oracle Internet Directory, though they supply changes to Oracle Internet Directory. Selective attributes can be targeted (or ignored) by the synchronization service. For example, employee badge numbers appear in Oracle Human Resources but have no relevance to Oracle Internet Directory or its connected directories or client applications. On the other hand, employee id number does have relevance or utility, and does get synchronized by the service.

Figure 28-2 Interactions of the Directory Synchronization Service

Text description of 272syncb.gif follows

Text description of the illustration 272syncb.gif

The central mechanism triggering all such synchronization activities is the Change Log. Every change to any connected directory, including Oracle Internet Directory, is reflected by one or more entries in the Change Log. The Directory Synchronization Service checks the Change Log periodically, taking action whenever a change corresponds to one or more Synchronization Profiles. The service then supplies the appropriate change to all other connected directories whose individual Profiles correspond to the logged change.

Such directories could include, for example, relational databases, Oracle Human Resources, Microsoft Exchange, or Lotus Notes. Synchronization through Oracle Directory Integration connectors ensures that Oracle Internet Directory remains up-to-date with all information that Oracle Internet Directory clients need it to have.

Provisioning Integration Service

The provisioning integration service requires a Provisioning Profile for each application that is to be notified of changes in user or group information. Each Provisioning Profile uniquely identifies the application and organization to which it applies, and specifies the users, groups, and operations requiring the application to be notified. The Profile must be created when the application is installed, using the Subscription Tool described in Chapter A, "Syntax for LDIF and Command-Line Tools".

When changes are made in Oracle Internet Directory that match an application's Provisioning Profile, the Provisioning Integration Service sends the relevant data to that application, such as Oracle9iAS Portal.

The term "legacy application" means one already operational before this Service was installed, and therefore one that has not subscribed in the usual way, during installation. To enable such an application to receive provisioning information by means of the provisioning integration service, a Provisioning Agent must be developed in addition to the Provisioning Profile. The agent must be specifically designed and built to translate the relevant data taken from Oracle Internet Directory into the exact format required by the legacy application.

Figure 28-3 illustrates these interactions, including the special case of a provisioning agent used for a legacy application.

Figure 28-3 Interactions of the Provisioning Integration Service

Text description of 273provg.gif follows

Text description of the illustration 273provg.gif

See Also:

Chapter 36, "The Oracle Directory Provisioning Integration Service" for more details about the Oracle Provisioning Integration Service

Oracle Directory Integration Server

The Oracle Directory Integration Server is the multithreaded server process consisting of the two services described above: the Oracle Directory Synchronization Service and the Oracle Provisioning Integration Service.

The Oracle Directory Integration Server performs the following functions for the Oracle Directory Synchronization Service:

Scheduling--Processing a Synchronization Profile based on a predefined schedule
Mapping--Executing rules for converting data between connected directories and Oracle Internet Directory
Data propagation--Sending data to connected directories using a connector
Error handling

For the provisioning integration service, the Oracle Directory Integration Server performs the following functions:

Scheduling--Processing a Provisioning Profile based on a predefined schedule
Event Notification--Notifying an application of a relevant change to the user or group data stored in Oracle Internet Directory
Error handling

See Also:
Chapter 30, "Oracle Directory Integration Server Administration"

Directory Integration Toolkit

The directory integration toolkit allows third party vendors and developers to integrate their solutions with the Oracle Directory Integration platform environment. Such vendors can include providers of metadirectories and provisioning solutions. The toolkit also allows application vendors whose products are based on or use the Oracle technology to integrate provisioning of their users and groups with Oracle Internet Directory.

The toolkit describes the following interfaces, tools, and procedures:

Interfaces for accessing changes in Oracle Internet Directory by clients:
- IETF standard change log interface
- Oracle proprietary change log interface
Interfaces to register or modify directory integration connectors in Oracle Internet Directory, for scheduling or data mapping, using either:
- Oracle Directory Manager, or
- Command-line tools to add and modify data by using an LDIF file configuration
Tools and procedures for bootstrapping connected directories into the Oracle Directory Integration platform environment. These enable you to:
- Bulk import data from LDIF files
- Bulk export Oracle Internet Directory data into LDIF files
Interfaces to subscribe to user/group Provisioning Events (changes) in Oracle Internet Directory
Interfaces to consume events being sent by the provisioning integration service

Administration and Monitoring Tools

This section contains these topics:

Oracle Directory Manager

Oracle Directory Manager, a Java-based graphical user interface tool, enables you to administer the Oracle Directory Integration platform. Specifically, it enables you to:

Create, modify, and delete directory integration profiles
Check the status of directory integration profiles
Check the status of all the Oracle directory integration server instances

See Also:
Chapter 4, "Directory Administration Tools"

OID Control and OID Monitor

OID Control and OID Monitor enable you to start, stop, and monitor the Oracle directory integration server.

In Oracle Internet Directory, you can use OID Control and OID Monitor to control the directory integration server in the ORACLE_HOME where either the Oracle directory server or the Oracle directory integration server are installed. If Oracle Internet Directory installation is client-only, then the OID Control utility and OID Monitor are not installed. In this case, start the Oracle directory integration server manually. In this configuration you can still use Oracle Directory Manager to learn the status of the Oracle directory integration server.

See Also:

Oracle Enterprise Manager

Oracle Enterprise Manager can be used to monitor the status of various integration profiles. This integrated, comprehensive systems management platform combines a graphical console, agents, common services, and tools to aid you in scheduling, monitoring, and administering your heterogeneous environment.

For more details, please refer to the Oracle Enterprise Manager Concepts Guide, the Oracle Enterprise Manager Administrator's Guide, or the Oracle Enterprise Manager online help.

Sample Deployment of the Directory Integration Platform

This section describes a deployment in which the Oracle Directory Integration platform is used for integrating various applications in the enterprise. This enterprise has the following components:

Oracle Human Resources system, in which all employees and contractors are managed.
An existing iPlanet Directory Server, which is being used by certain applications.
An installation of Oracle9iAS Portal, which is used as the intranet portal for all employees.
An installation of Oracle Internet File System Release 9.0.2, which is used as a document repository for all corporate documents.

The enterprise has the following functional requirements:

A single source of truth for all employee records. The deployment would like all employees and contractors to be created in Oracle Human Resources. Once created, the deployment would like all applications in the enterprise to share this information through Oracle Internet Directory.
When a user gets created in Oracle Human Resources, all applications in the enterprise including single sign-on services should be able to honor the employee.
When changes to user properties are made, all applications that are interested in such changes should be notified.
When a user gets terminated in Oracle Human Resources, the deployment would like all access rights of the user to be revoked.

Overall Deployment

Figure 28-4 illustrates the various components and their relationships to each other:

Figure 28-4 Example of Oracle Directory Integration Platform in Deployment

Text description of dip_example_fig_01.gif follows

Text description of the illustration dip_example_fig_01.gif

Figure 28-4 illustrates the following factors:

Oracle Internet Directory is used as the centralized user repository for all enterprise applications.
Oracle Human Resources is the source of truth for all user related information. It is being synchronized with Oracle Internet Directory using the Directory synchronization service of the Oracle Directory Integration platform.
iPlanet Directory Server, which is already deployed in the enterprise is now being synchronized with Oracle Internet Directory using the directory synchronization service of the Oracle Directory Integration platform.
Oracle9iAS Portal is being notified of changes in Oracle Internet Directory by using the Provisioning Integration Service of the Oracle Directory Integration platform.
Oracle Internet File System is also being notified of changes in Oracle Internet Directory using the Provisioning Integration Service of the Oracle Directory Integration platform.

The sections that follow describe the flow of information during user creation, modification, and deletion, thereby illustrating the various capabilities of the Oracle Directory Integration platform.

User Creation and Provisioning

Based on the requirements specified by the deployment, all users are created in Oracle Human Resources. It is the responsibility of the Oracle Directory Integration platform to propagate new user records to all other repositories in the enterprise. Figure 28-5 illustrates the various interactions that help the Oracle Directory Integration platform complete this task:

Figure 28-5 User Creation and Provisioning

Text description of dip_example_fig_02.gif follows

Text description of the illustration dip_example_fig_02.gif

Figure 28-5 shows the creation of a new user in Oracle Human Resources, which causes an entry for that user to be created in Oracle Internet Directory and the iPlanet directory servers. It also shows the process of provisioning the user to access Oracle9iAS Portal and Oracle Internet File System deployed in the enterprise. User creation and provisioning happen in the following manner:

First the Oracle Human Resources administrator of the company creates the user in the Oracle Human Resources database.
The synchronization integration service of the Oracle Directory Integration platform detects the new user creation.
The synchronization integration service then creates the entry for the user in Oracle Internet Directory.
The synchronization integration service also creates an entry in the iPlanet directory.
Since the user entry is available in Oracle Internet Directory, the Oracle9iAS Portal administrator can now provision the user to use the services of Oracle9iAS Portal. During this task, the Oracle9iAS Portal software automatically fetches the user details from Oracle Internet Directory.
The Oracle Internet File System administrator also provisions the user to use Oracle Internet File System services by using a similar process.

Note that the Oracle Directory Integration platform does not directly notify Oracle9iAS Portal or Oracle Internet File System about new users. This is because not all users created in Oracle Human Resources need access to all services. In this case, the deployment must explicitly provision the users to use these services, as in steps 5 & 6.

Modification of User Properties

Based on the requirements of the deployment, any modification to user properties must be communicated to all components interested in such changes. Figure 28-6 illustrates the actions the Oracle Directory Integration platform takes to meet this requirement.

Figure 28-6 Modification of User Properties

Text description of dip_example_fig_03.gif follows

Text description of the illustration dip_example_fig_03.gif

Figure 28-6 shows the process by which Oracle Directory Integration platform communicates the modification of user properties to all systems in the enterprise. The process contains the following sequence of events:

The user is first modified in the Oracle Human Resources.
The Oracle Directory Integration platform gets these changes through the synchronization integration service.
The Oracle Directory Integration platform then makes the corresponding user modification in Oracle Internet Directory.
The synchronization integration service of the Oracle Directory Integration platform also modifies the user in the iPlanet Directory Server.
The provisioning integration service of the Oracle Directory Integration platform notifies Oracle9iAS Portal about the change in user properties.
The provisioning integration service of the Oracle Directory Integration platform also notifies Oracle Internet File System about the same change in user properties.

Deletion of Users

In this example, the enterprise requires that a user being deleted or terminated in Oracle Human Resources should be automatically be denied access to all enterprise resources that are based on the directory service. The following figure shows the flow of events during the deletion of users:

Figure 28-7 Deletion of Users from the Corporate Human Resources

Text description of dip_example_fig_04.gif follows

Text description of the illustration dip_example_fig_04.gif

As Figure 28-7 shows, the process by which Oracle Directory Integration platform communicates the deletion of users to all systems in the enterprise contains the following sequence of events:

The user is first deleted in the Oracle Human Resources.
The Oracle Directory Integration platform gets these changes through the synchronization integration service.
The Oracle Directory Integration platform then makes the corresponding user deletion in Oracle Internet Directory.
The synchronization integration service of the Oracle Directory Integration platform also deletes the users in the iPlanet Directory Server.
The provisioning integration service of the Oracle Directory Integration platform notifies Oracle9iAS Portal about the deletion of the user.
The provisioning integration service of the Oracle Directory Integration platform also notifies Oracle Internet File System about the deletion of the user.

Once all of the steps indicated above are completed, a deleted user in Oracle Human Resources can no longer access any corporate services like Oracle9iAS Portal or Oracle Internet File System.

28Oracle Directory Integration Platform Concepts and Components