Wednesday, September 9, 2015

AD to OID Synchronization of Users

In this post,we shall see synchronization of users from Active Directory(AD) to Oracle Internet Directory(OID)

1. Pre-Procedure Info:

1.1 ) OID 11g and Microsoft Active Directory servers, both must be installed and already running.

1.2)  Export below env variable as per your environment

export ORACLE_INSTANCE=/u02/app/middlewareidm/asinst_1
export WLS_HOME=/u02/app/middlewareidm/user_projects/domains/base_domain
export ORACLE_HOME=/u02/app/middlewareidm/Oracle_IDM3
export ORACLE_SID=DBName

2. Verification Process:

Go to $ORACLE_HOME/bin and execute below command to test whether OID is able to communicate with AD server
2.1) Verify that your OID server will let you communicate with the Active Directory Server.

$ldapbind -h <AdHostname> -p <AdPort> -D    "cn=administrator,cn=users,dc=support,dc=local" -w "manager1"
bind successful

2.2) Run the ldapsearch to obtain the last change number on Active Directory.

$ ldapsearch -h <AdHostname> -p <AdPort> -D -w "password" -b "" -s base "objectclass=*" highestCommittedUSN

2.3) Verify that you can read the 'container' of directory entries that you wish to synchronize from AD.

$ ldapsearch -h <AdHostname> -p <AdPort>-D "CN=Administrator,CN=Users,DC=Support,DC=local" -w "password" -b "CN=Users,DC=Support,DC=local" -s base "objectclass=*" 

2.4) Verify that you can read an entry within the 'container' of directory entries that  you wish to synchronize from AD:

 $ldapsearch -h <AdHostname> -p <AdPort> -D "CN=Administrator,CN=Users,DC=Support,DC=local" -w "password" -b "CN=test1,CN=Users,DC=Support,DC=local" -s base "objectclass=*"

3. Steps to synchronize users from AD->OID

To manually create the AD OID integration profile and setup the synchronization perform the below steps.

3.1) Login to FMW Enterprise Manager console with weblogic user. 

3.2) Expand "Domain_Name" ->" Identity and Access "-> "DIP("

3.3) From the DIP Server drop down list select Administration , then Synchronization Profiles

3.4) Using the navigation path, create a new DIP Sync profile and add below details:

Profile name : ADTOOID
Use DIP-OID :  Destination

Note : You need to select the option Destination if you are using import (AD to OID) sync or select Source option if you are using Export (OID to AD) sync.
Source Details :Active Directory (MS)
Host: AD Hostname (Server where AD is installed)
Port : Ad Port Number
SSL Setting : As per business requirements
Username:AD username
Password: *******

3.5) After Providing the above mentioned details in the general tab click on Test Connection Tab, If the provided values are correct you'll see the message saying that "Test Passed.Connection Successful" If the values provided for AD are wrong in the General tab , when you click on the Test Connection, you will get an Error dialogue saying Authentication Failure ,Make sure that you provide the correct values and get connection Successful to move Further

3.6) Click on OK to Save the profile.

Note: Do not enable the profile at this stage.

3.7) Now select the ADTOOID profile and click on Edit.

3.8) Now select the Mapping tab and configure mapping like below Configure Domain Rules Click on Create option, You'll get a Add Mapping Rule Window , in that Select the Source Container DN and OID container DN from the lookup windows provided and click on OK.

Source Container DN is at AD - From where users have to be migrated.(cn=users,dc=testing,dc=oracle,dc=com)
DIP-OID container DN is at OID - Location where user needs to be moved from AD

3.9) Validate / re-Validate mapping until you have no errors, warnings are OK.
Hint: Use command line to validate mapping rules as it may show the problem mappings in more detail.
manageSyncProfiles validateProfile -h <OIDHostName> -p <OIDPort> -D weblogic -pf ADTOOID

3.10) Skip Exclusion Rules and click OK.

3.11) Bootstrap the users using the command line tool.(command used to migrate users)
$ cd /u02/app/middlewareidm/wlserver_10.3/server/bin/
$ . ./
$ cd  /u02/app/middlewareidm/Oracle_IDM3/bin
$ ./syncProfileBootstrap -h <OIDHostname> -port <OIDPort> -D weblogic -profile ADTOOID -lp 5
Your environment has been set.
[Weblogic user password]
Connection parameters initialized.
Connecting at 172.XX.X.X:YYYY, with userid "weblogic"..
Connected successfully.

The bootstrap operation completed, the operation results are:
entries read in bootstrap operation: 1007
entries filtered in bootstrap operation: 0
entries ignored in bootstrap operation: 0
entries processed in bootstrap operation: 1006
entries failed in bootstrap operaton: 1

3.12) Verify that all the AD users were pulled into OID according to mapping rules set in step 3.8

3.13) Enable the profile using either FMW EM Console or via the command line tool.
Expand "Domain_Name" ->" Identity and Access "-> "DIP("->Administration->Synchronization profiles->ADTOOID->Click Edit


3.14) Now verify the synchronization by either creating or modifying an entry (user ) in the AD container specified in the domain rules of the mapping file.

3.15) Launch ODSM console and check the entry in OID is reflected or not (Check Modified On filed)

3.16) From the DIP Server drop down list select Logs -> Logs Configuration and set to highest level of debug..e.g., 32 trace.

3.17) From the DIP Server drop down list select Logs -> View logs Messages

3.18) Examine the logs and find if the changes at AD are synchronized to  OID properly.

4. Known Issue/Bug

Boot Strap Process for OID / 2008 AD Sync is Only Pulling In 249 Entries.
Active Directory 2008 R2
Doc ID 1267121.1

Quick Reference - 11g DIP Management Commands Usage and Syntax (Doc ID 889262.1)

No comments:

Post a Comment

Other Posts