34
Synchronization with iPlanet Directory Server

This chapter explains how to synchronize between Oracle Internet Directory and an iPlanet Directory Server by using the iPlanet Connector in the Oracle Directory Integration Platform.

This chapter contains these topics:

• About the iPlanet Connector
• Configuring the iPlanet Connector
• Synchronizing Between Oracle Internet Directory and iPlanet Directory Server
• Troubleshooting
• Limitations in This Release

About the iPlanet Connector

The iPlanet Connector enables you to:

• Import data into Oracle Internet Directory from an iPlanet Directory Server
• Export data from Oracle Internet Directory into an iPlanet Directory Server

You must configure a separate profile for each operation.

Synchronization is supported for iPlanet Directory Server release 4.13 and 5.0.

Configuring the iPlanet Connector

This section explains the tasks to configure the iPlanet Connector. It contains these topics:

• Task 1: Prepare Both Directories for Synchronization
• Task 2: Configure the Integration Profile for the iPlanet Connector
• Task 3: Configure Mapping Rules
• Task 4: Configure Access Control
• Task 5: Configure the Password Protection

Task 1: Prepare Both Directories for Synchronization

1. Before synchronizing the two directories, ensure that the subscribed domains have equivalent user data in both directories. If the data is not equivalent, then migrate the most recent data to the other directory.

   See Also: Appendix E, "Migrating Data from Other Directories" for instructions on migrating data iPlanet Directory Server documentation for instructions on migrating data to iPlanet Directory Server

2. At the end of migration, be sure that the change logging option for the Oracle directory server is set to the default, namely, TRUE. If it is set to FALSE, then shut down the Oracle Internet Directory server and start with the change log enabled by using the OID Control Utility.

   See Also: "Starting and Stopping an Oracle Directory Server Instance" for a description of the OID Control Utility

Similarly, verify that change logging is enabled in iPlanet Directory Server.

• If the change log is already enabled, note down the value of the lastChangeNumber attribute in Oracle Internet Directory and in the iPlanet Directory Server by using the following command for each directory:

  ldapsearch  -D SuperUserDn  -w SuperUserPass -b "" -s base "objectclass=*" 
  lastchangenumber
  
  

  In the next task, you use the value of the lastChangeNumber attribute in both directories to configure the following attributes in the integration profile:

  • orclLastAppliedChangeNumber--to export from Oracle Internet Directory to iPlanet Directory Server
  • orclodipConDirLastAppliedChgNum--to import from iPlanet Directory Server to Oracle Internet Directory

  Task 2: Configure the Integration Profile for the iPlanet Connector

  Integration profile templates for synchronizing with the iPlanet Directory Server are created in the Oracle Internet Directory Server as a part of the installation process. Set deployment-specific parameters in the profile before enabling synchronization. Do this by using Oracle Directory Manager.

  See Also: "Registration of Connectors into Oracle Directory Integration Platform" for the required steps and a general description of each attribute you must set Table 34-1 for a list and descriptions of the attribute information specific to the iPlanet Directory Server integration profile

  Table 34-1  Attributes in the iPlanet Directory Server Integration Profile (Import/Export)

  Attribute	Description
  General Information
  Profile Name (orclodipAgentName)	The default value for the import profile is iPlanetImport. The default value for the export profile is iPlanetExport. This attribute is mandatory.
  Profile Status (orclodipAgentControl)	You must set this value to ENABLE.
  Profile Password (orclodipProfilePassword)	The default value is welcome. Note: For security reasons, change this password.
  Synchronization Mode (orclodipSynchronizationMode)	Direction of synchronization between Oracle Internet Directory and the iPlanet Connector. IMPORT indicates importing changes from iPlanet Directory Server to Oracle Internet Directory. EXPORT indicates exporting changes from Oracle Internet Directory to iPlanet Directory Server. This is already configured in the respective integration profiles.
  Scheduling Interval (orclodipSchedulingInterval)	The default is 600 seconds. You can modify this to a different scheduling interval accordning to your requirement.
  Maximum Number of Retries (orclodipSyncRetryCount)	Maximum number of times Oracle directory integration server tries to run the iPlanet Connector in the event of a failure. The default is 5.
  Execution Information
  Execution Command (orclodipAgentExeCommad)	This field must be empty.
  Connected Directory Account (orclodipConDirAccessAccount)	Valid user account on iPlanet Directory Server that the iPlanet Connector uses to access iPlanet Directory Server. If the changes are to be imported from iPlanet Directory Server to Oracle Internet Directory, then this user account should have read privilege in the iPlanet change log container. If the changes in Oracle Internet Directory are to be exported to iPlanet Directory Server, then the user must have add/modify privileges to the synchronization domain. Note: Create a user account in iPlanet exclusively for the iPlanet connector for synchronizing.
  Connected Directory Account Password (orclodipConDirAccessPassword)	Password for the user account specified earlier for accessing iPlanet Directory Server.
  Additional Config Info (orclodipAgentConfigInfo)	For the iPlanet Connector, this attribute stores the iPlanet connector details to use its LDAP interface to synchronize with the iPlanet Directory Server. This information is already loaded in the integration profiles. Upload the file by using the ldapuploadagentfile.sh tool. Do this for both import and export agents.
  Interface Type (orclodipInterfaceType)	This attribute is set to LDAP.
  Mapping Information
  Attribute Mapping Rules (orclodipAttributeMappingRules)	Store the mapping rules in a file by using the ldapuploadagentfile.sh tool. See Also: "Task 3: Configure Mapping Rules" for a detailed description of the entries in the mapping file
  Connected Directory Matching Filter (orclodipConDirMatchingFilter)	This attribute specifies the filter to apply to the iPlanet Directory Changelog. It is used in the import profile. The filter must be set in the import profile when both the import (iPlanetImport) and export (iPlanetExport) integration profiles are enabled, as follows: Modifiersname != <connected directory account> This prevents the same change from being exchanged between the two directories indefinitely.
  OID Matching Filter	This attribute specifies the filter to apply to the Oracle Internet Directory Changelog container. It is used in the export profile. It must be set in the export profile when both the import (iPlanetImport) and export (iPlanetExport) integration profiles are enabled, as follows: Modifiersname != orclodipagentname=iPlanetImport, cn=subscriber profile,cn= changelog subscriber,cn=oracle internet directory This prevents the same change from being exchanged between the two directories indefinitely.
  Status Information
  Synchronization Status (orclodipSynchronizationStatus)	Initially, this attribute has the value Yet to be executed. It is a read-only attribute.
  Synchronization Errors (orclodipSynchronizationErrors)	Error messages, shown if the previous execution of the synchronization failed. This parameter is updated by Oracle directory integration server. It is a read-only attribute.
  Connected Directory Last Applied Change Number (orclodipConDirLastAppliedChgNum)	The default value is 0. Set this to the lastchangenumber value described in "Task 1: Prepare Both Directories for Synchronization".
  OID Last Applied Change Number (orclLastAppliedChangeNumber)	The default value is 0. Set this to the lastchangenumber value described in "Task 1: Prepare Both Directories for Synchronization".
  Last Execution Time (orclodipLastExecutionTime)	This attribute must be set to the next execution time - the scheduling interval
  Last Successful Execution Time (orclodipLastSuccessfulExecution Time)	This attribute is a status attribute set to the last time the integration profile was executed successfully by the Directory Integration Server.

  Task 3: Configure Mapping Rules

  You can customize the attributes of the entries to be synchronized between iPlanet Directory Server and Oracle Internet Directory. You can also determine how to store the attribute values in the directories by using mapping rules.

  A sample mapping file, which you can customize to meet your requirements, is provided in $ORACLE_HOME/ldap/odi/conf/iPlanet.map.master

  This file must be loaded with the ldapuploadagentfile.sh tool.

  Note: To run shell script tools on the Windows operating system, you need one of the following UNIX emulation utilities: Cygwin 1.0. Visit: http://sources.redhat.com/cygwin/ MKS Toolkit 5.1 or 6.0. Visit: http://www.datafocus.com/products/

  See Also: "Mapping Rules and Formats" for more details "The oidmuplf.sh Tool" for instructions on how to use the ldapuploadagentfile.sh tool

  Task 4: Configure Access Control

  Set up appropriate ACLs allowing read, add, or modify access rights on the subscribed domains.

  During import operations:

  1. You would privilege the user orclodipagentname=iPlanetImport,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory in Oracle Internet Directory to update the subscribed domain in Oracle Internet Directory.
  2. The user specified by the Connected Directory Account attribute in the integration profile must have read access to the changelog container in the iPlanet Directory Server.

     For example, assuming that no ACLs are applied to the domain of interest, that is, the Synchronization domain in OID, the following LDIF sample can be used.

     ACL in OID:
     

     dn: <Synchronization domain in OID>
     changetype: modify
     replace: orclaci
     orclaci: access to entry by 
     "orclodipagentname=iPlanetImport,cn=subscriber profile,cn=changelog 
     subscriber,cn=oracle internet directory" (browse,add,delete)
     orclaci: access to attr=(*) by 
     "orclodipagentname=iPlanetImport,cn=subscriber profile,cn=changelog 
     subscriber,cn=oracle internet directory" (read,search,write,compare)"
     
     

  During export operations, the user specified by the Connected Directory Account attribute in the integration profile must have read access to the changelog contained in the iPlanet Directory Server.

  See Also: iPlanet Server documentation to apply ACLs on the iPlanet changelog container and the iPlanet subscribed domain

  
  
  

  Task 5: Configure the Password Protection

  To enable synchronization of any protected password attributes--for example, userPassword--configure the password hashing algorithm to be the same on both directories.

  To set the hashing algorithm for the password in Oracle Internet Directory, use this command:

  ldapmodify  -D SuperUserDn  -w SuperUserPass  << EOF
  dn:
  changetype: modify
  replace: orclcryptoscheme
  orclcryptoscheme: your_hashing_algorithm
  
  

  See Also: "Protection of User Passwords for Directory Authentication" for a list of the hashing algorithms that Oracle Internet Directory supports for password protection iPlanet Directory Server documentation for instructions on how to set the appropriate hashing algorithm for passwords in iPlanet Directory Server

  Synchronizing Between Oracle Internet Directory and iPlanet Directory Server

  This section contains these topics:

  • Preparing for Synchronization
  • The Synchronization Process

  Preparing for Synchronization

  To prepare for successful synchronization between Oracle Internet Directory and iPlanet Directory Server, verify the following:

  • The Oracle directory integration server and iPlanet Directory Server are installed and running
  • The configuration details are correct, as described in "Configuring the iPlanet Connector"
  • The Oracle directory integration server on this host is registered to Oracle Internet Directory and running

  The Synchronization Process

  The synchronization process performs the following:

  1. In an import operation, the iPlanet Connector extracts all the changes from the source directory, namely, iPlanet Directory Server, based on the value specified in the orclodipConDirLastAppliedChgNum attribute, and applies them to Oracle Internet Directory. Similarly, in an export operation, the iPlanet Connector extracts all the changes from Oracle Internet Directory, based on the orclodipLastChangeNumber, and applies it to iPlanet Directory Server.
  2. Once all the changes are read and applied, the appropriate attribute--either orclodipConDirLastAppliedChgNum or orclodipLastAppliedChangeNumber--is updated.
  3. After the execution completion, Oracle directory integration server updates the execution status attributes.

  Troubleshooting

  The Oracle directory integration server stores error messages in the appropriate file, as described in Table 30-5.

  Limitations in This Release

  Oracle Internet Directory Release 9.2 does not support the synchronization of the schema and ACLs. If you are changing ACLs or the schema, then you must apply the changes manually.

  A tool for schema synchronization, namely, SchemaSync, is available in Oracle Internet Directory Release 9.2.

  See Also: "The schemasync Tool" for information about the SchemaSync tool

  Oracle Internet Directory Release 9.2 supports SSl authentication between the Oracle directory integration server and Oracle Internet Directory, but not between Oracle Internet Directory and iPlanet Directory Server

  See Also: Chapter 30, "Oracle Directory Integration Server Administration" for instructions about setting SSL parameters for secure communication between Oracle directory integration server and Oracle Internet Directory