34
Synchronization with iPlanet Directory Server

This chapter explains how you can synchronize between Oracle Internet Directory and an iPlanet Directory Server by using the iPlanet Connector in the Directory Integration Platform.

This chapter contains these topics:

• About the iPlanet Connector for Synchronizing between the Oracle Internet Directory Server and iPlanet Directory Server

• Configuring the Oracle Internet Directory Integration Solution for the iPlanet Directory Server

• Synchronizing Between Oracle Internet Directory and iPlanet Directory Server

• Troubleshooting

• Limitations in This Release

About the iPlanet Connector for Synchronizing between the Oracle Internet Directory Server and iPlanet Directory Server

The iPlanet Connector in the Directory Integration Platform enables you to:

• Import data into Oracle Internet Directory from an iPlanet Directory Server

• Export data from Oracle Internet Directory into an iPlanet Directory Server

You must configure a separate profile for each operation.

Synchronization is supported for iPlanet Directory Server release 4.13 and 5.0.

Configuring the Oracle Internet Directory Integration Solution for the iPlanet Directory Server

This section explains the tasks to configure the iPlanet Connector in the Directory Integration Platform. It contains these topics:

• Task 1: Prepare Both Directories for Synchronization

• Task 2: Configure the Integration Profile for the Oracle Internet Directory Integration Solution for the iPlanet Directory Server

• Task 3: Configure Mapping Rules

• Task 4: Configure Access Control

• Task 5: Configure the Password Protection

Task 1: Prepare Both Directories for Synchronization

1. Before synchronizing the two directories, ensure that the subscribed domains have equivalent user data in both directories. If the data is not equivalent, then migrate the most recent data to the other directory.

   See Also: Appendix F, "Migrating Data from Other LDAP-Compliant Directories" for instructions on migrating data iPlanet Directory Server documentation for instructions on migrating data to iPlanet Directory Server

2. At the end of migration, be sure that the change logging option for the Oracle directory server is set to the default, namely, TRUE. If it is set to FALSE, then shut down the Oracle Internet Directory server and start with the changelog-enabled by using the OID Control Utility.

   See Also: a"Starting and Stopping an Oracle Directory Server Instance" for a description of the OID Control Utility

   Similarly, verify that change logging is enabled in iPlanet Directory Server.

3. If the changelog is already enabled, note down the value of the lastChangeNumber attribute in Oracle Internet Directory and in the iPlanet Directory Server by using the following command for each directory:

   ldapsearch  -D SuperUserDn  -w SuperUserPass -b "" -s base "objectclass=*" 
   lastchangenumber
   
   

   In the next task, you use the value of the lastChangeNumber attribute in both directories to configure the following attributes in the integration profile:

   • orclLastAppliedChangeNumber--to export from Oracle Internet Directory to iPlanet Directory Server

   • orclodipConDirLastAppliedChgNum--to import from iPlanet Directory Server to Oracle Internet Directory

Task 2: Configure the Integration Profile for the Oracle Internet Directory Integration Solution for the iPlanet Directory Server

Integration profile templates for synchronizing with the iPlanet Directory Server are created in the Oracle Internet Directory Server as a part of the installation process. Deployment-specific parameters in the profile must be set before enabling synchronization.

Do this by using Oracle Directory Manager.

See Also: "Registration of Connectors into Oracle Directory Integration Platform" for the required steps and a general description of each attribute you must set Table 34-1 for a list and descriptions of the attribute information specific to the iPlanet Directory Server integration profile

Table 34-1 Attributes in the iPlanet Directory Server Integration Profile (Import/Export)

Attribute	Description
General Information
Profile Name (orclodipAgentName)	The default value for the import profile is iPlanetImport. The default value for the export profile is iPlanetExport. This attribute is mandatory.
Profile Status (orclodipAgentControl)	You must set this value to ENABLE.
Profile Password (orclodipProfilePassword)	The default value is welcome. Note: For security reasons, change this password.
Synchronization Mode (orclodipSynchronizationMode)	Direction of synchronization between Oracle Internet Directory and the iPlanet Connector in the Directory Integration Platform. IMPORT indicates importing changes from iPlanet Directory Server to Oracle Internet Directory. EXPORT indicates exporting changes from Oracle Internet Directory to iPlanet Directory Server. This is already configured in the respective integration profiles.
Scheduling Interval (orclodipSchedulingInterval)	The default is 600 seconds. You can modify this to a different scheduling interval as per your requirement.
Maximum Number of Retries (orclodipSyncRetryCount)	Maximum number of times the Oracle directory integration server tries to run the iPlanet Connector in the Directory Integration Platform in the event of a failure. The default is 5.
Execution Information
Execution Command (orclodipAgentExeCommad)	This field must be empty.
Connected Directory Account (orclodipConDirAccessAccount)	Valid user account on iPlanet Directory Server that the iPlanet Connector in the Directory Integration Platform uses to access iPlanet Directory Server. If the changes are to be imported from iPlanet Directory Server to Oracle Internet Directory, then this user account should have read privilege in the iPlanet change log container. If the changes in Oracle Internet Directory are to be exported to iPlanet Directory Server, then the user must have add/modify privileges to the synchronization domain. Note: Create a user account in iPlanet exclusively for the iPlanet connector for synchronizing.
Connected Directory Account Password (orclodipConDirAccessPassword)	Password for the user account specified earlier for accessing iPlanet Directory Server.
Additional Config Info (orclodipAgentConfigInfo)	For the iPlanet Connector in the Directory Integration Platform, this attribute stores the iPlanet connector details to use its LDAP interface to synchronize with the iPlanet Directory Server. This information is already loaded in the integration profiles. Upload the file by using the ldapUploadAgentFile.sh tool. Do this for both import and export agents.
Interface Type (orclodipInterfaceType)	This attribute is set to LDAP.
Mapping Information
Attribute Mapping Rules (orclodipAttributeMappingRules)	Store the mapping rules in a file by using the ldapUpLoadAgentFile.sh tool. See Also: "Task 3: Configure Mapping Rules" for a detailed description of the entries in the mapping file
Connected Directory Matching Filter (orclodipConDirMatchingFilter)	This attribute specifies the filter to apply to the iPlanet Directory Changelog. It is used in the import profile. The filter must be set in the import profile when both the import (iPlanetImport) and export (iPlanetExport) integration profiles are enabled, as follows: Modifiersname != <connected directory account> This prevents the same change from being exchanged between the two directories indefinitely.
OID Matching Filter	This attribute specifies the filter to apply to the Oracle Internet Directory Changelog container. It is used in the export profile. It must be set in the export profile when both the import (iPlanetImport) and export (iPlanetExport) integration profiles are enabled, as follows: Modifiersname != orclodipagentname=iPlanetImport, cn=subscriber profile,cn= changelog subscriber,cn=oracle internet directory This prevents the same change from being exchanged between the two directories indefinitely.
Status Information
Synchronization Status (orclodipSynchronizationStatus)	Initially, this attribute has the value Yet to be executed. It is a read-only attribute.
Synchronization Errors (orclodipSynchronizationErrors)	Error messages, shown if the previous execution of the synchronization failed. This parameter is updated by the Oracle directory integration server. It is a read-only attribute.
Connected Directory Last Applied Change Number (orclodipConDirLastAppliedChgNum)	The default value is 0. Set this to the lastchangenumber value described in "Task 1: Prepare Both Directories for Synchronization".
OID Last Applied Change Number (orclLastAppliedChangeNumber)	The default value is 0. Set this to the lastchangenumber value described in "Task 1: Prepare Both Directories for Synchronization".
Last Execution Time (orclodipLastExecutionTime)	This attribute must be set to the next execution time - the scheduling interval
Last Successful Execution Time (orclodipLastSuccessfulExecution Time)	This attribute is a status attribute set to the last time the integration profile was executed successfully by the Directory Integration Server.

Task 3: Configure Mapping Rules

You can customize the attributes of the entries to be synchronized between iPlanet Directory Server and Oracle Internet Directory. You can also determine how to store the attribute values in the directories by using mapping rules.

A sample mapping file is provided in $ORACLE_HOME/ldap/odi/conf/iPlanet.map.master

This file must be loaded with the ldapUploadAgentFile.sh tool.

Note: To run shell script tools on the Windows operating system, you need one of the following UNIX emulation utilities: Cygwin 1.0. Visit: http://sources.redhat.com/cygwin/ MKS Toolkit 5.1 or 6.0. Visit: http://www.datafocus.com/products/

See Also: "Mapping Rules and Formats" for more details

Task 4: Configure Access Control

Set up appropriate ACLs allowing read, add, or modify access rights on the subscribed domains.

During import operations:

1. You would privilege the user orclodipagentname=iPlanetImport,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory in Oracle Internet Directory to update the subscribed domain in Oracle Internet Directory.

2. The user specified by the Connected Directory Account attribute in the integration profile must have read access to the changelog container in the iPlanet Directory Server.

   For example, assuming that no ACLs are applied to the domain of interest, that is, the Synchronization domain in OID, the following LDIF sample can be used.

   ACL in OID:
   

   dn: <Synchronization domain in OID>
   changetype: modify
   replace: orclaci
   orclaci: access to entry by 
   "orclodipagentname=iPlanetImport,cn=subscriber profile,cn=changelog 
   subscriber,cn=oracle internet directory" (browse,add,delete)
   orclaci: access to attr=(*) by 
   "orclodipagentname=iPlanetImport,cn=subscriber profile,cn=changelog 
   subscriber,cn=oracle internet directory" (read,search,write,compare)"
   
   

During export operations, the user specified by the Connected Directory Account attribute in the integration profile must have read access to the changelog contained in the iPlanet Directory Server.

Task 5: Configure the Password Protection

To enable synchronization of any protected password attributes--for example, userPassword--configure the password hashing algorithm to be the same on both directories.

To set the hashing algorithm for the password in Oracle Internet Directory, use this command:

ldapmodify  -D SuperUserDn  -w SuperUserPass  << EOF
dn:
changetype: modify
replace: orclcryptoscheme
orclcryptoscheme: your_hashing_algorithm

See Also: "Protection of User Passwords for Directory Authentication" for a list of the hashing algorithms that Oracle Internet Directory supports for password protection iPlanet Directory Server documentation for instructions on how to set the appropriate hashing algorithm for passwords in iPlanet Directory Server

Synchronizing Between Oracle Internet Directory and iPlanet Directory Server

This section contains these topics:

• Preparing for Synchronization

• The Synchronization Process

Preparing for Synchronization

To prepare for successful synchronization between Oracle Internet Directory and iPlanet Directory Server, verify the following:

• The Oracle directory integration server and iPlanet Directory Server are installed and running

• The configuration details are correct, as described in "Configuring the Oracle Internet Directory Integration Solution for the iPlanet Directory Server"

• The Oracle directory integration server on this host is registered to Oracle Internet Directory and running

The Synchronization Process

The synchronization process performs the following:

1. In an import operation, the iPlanet Connector in the Directory Integration Platform extracts all the changes from the source directory, namely, iPlanet Directory Server, based on the value specified in the orclodipConDirLastAppliedChgNum attribute, and applies them to Oracle Internet Directory. Similarly, in an export operation, the iPlanet Connector in the Directory Integration Platform extracts all the changes from Oracle Internet Directory, based on the orclodipLastChangeNumber, and applies it to iPlanet Directory Server.

2. Once all the changes are read and applied, the appropriate attribute--either orclodipConDirLastAppliedChgNum or orclodipLastAppliedChangeNumber--is updated.

3. After the execution completion, the Oracle directory integration server updates the execution status attributes.

Troubleshooting

The Oracle directory integration server stores error messages in the appropriate file, as described in Table 30-5.

Limitations in This Release

Oracle Internet Directory Release 9.0.2 does not support the synchronization of the schema and ACLs. If you are changing ACLs or the schema, then you must apply the changes manually.

A tool for schema synchronization, namely, SchemaSync, is available in Oracle Internet Directory Release 9.0.2.

See Also: "SchemaSync Syntax" for information about the SchemaSync tool