Synchronizing eDirectory with Oracle Internet Directory using Identity Manager
This article is a guide for setting up a basic sync between eDirectory and Oracle Internet Directory using Novell Identity Manager and the LDAP driver that can be used for learning and experimenting.
The first part goes through the installation of OID on a Windows Server 2003 SP2 machine.
This article assumes that you already know how to install eDirectory/iManager/Identity Manager/Remote Loader.
Installing Oracle Internet Directory
The installation is pretty straightforward and includes a lot of “Next” clicking.
Download the OID components from the Oracle site and decompress them.
You should get two folders:
From the as_windows_x86_oim_oif_101401_disk1 directory run setup.exe
Specify the source and destination directories and click Next.
I choose my E: disk as it had plenty of free space.
If you want to know more about the installation process I recommend you read the OID documentation.
Select Oracle Application Server Infrastructure 10g and click Next.
Select Identity Management and Metadata Repository and click Next.
Confirm Pre-Installation Requirements on the next screen and click Next.
On the next screen select that you want to install Oracle Internet Directory and click Next.
Ignore the other components that are selected in this screenshot, they are selected by mistake.
Select automatic and click Next.
On the next screen we have to specify the new LDAP namespace, as this is a lab install we’ll go with the suggested namespace and click Next.
On the next screen just click Next:
Enter a password on the next screen and click Next:
Remember your password.
On the next screen enter some more information and click Next:
Remember your password and instance name.
Click Install on the summary screen:
During the installation you will be asked to point out the path to the as_windows_x86_oim_oif_101401_disk2 folder.
When the installation is complete take a copy of the information in the Please remember window and click Exit:
Use the following URL to access the Oracle Enterprise Manager 10g Application Server Control Console:
Change the “idm36.idm360.lab” part to your domain name.
ias_admin / the password you entered before
Use the following URL to access the Oracle HTTP Server and the Welcome Page:
Installation of Oracle Application Server Infrastructure is Complete. Please note that any URLs created in this install may not be functional immediately.
Testing the installation
Open a web browser and surf to the URL of Oracle Enterprise Manager 10g Application Server Control Console; you should have it in the Please remember text that you took a copy of.
In my case it was: http://idm36.idm360.lab:18100
Logon as ias_admin and use the password you specified.
You will see your Oracle application instances.
Click on the instance name and then on the LDAP namespace name:
It will tell you what ports it is using, in my case I’m using 13060 as the clear text LDAP port number for the default instance:
Connect with the OID Manager application
Click on the Start menu button –> All Programs –> Oracle Application Server Infrastructure – oracleas1 –> Integrated Management Tools –> Oracle Directory Manager
You need to set up a new connection profile. Enter the IP and LDAP port of your OID instance:
Logon as the following user:
Ignore the “cn=orcladmin,cn=Users…” DN in the screenshot, only enter cn=orcladmin
The password is the same as for the ias_admin user.
We’ll be using the Directory Manager later to configure a new SSL enabled instance.
Enabling SSL with Oracle Internet Directory
We want to securely transfer data to and from OID, to do that we need to enable SSL.
Go to Start –> Programs –> Oracle – oracleas1 –> Integrated Management Tools –> Wallet Manager
From the menu click Wallet –> New
Enter a password.
Remember your password.
Right click Certificate:[Empty] –> Add Certificate Request
Enter the information, choose ”Key Size: 2048” and click OK –> OK.
Right click Certificate:[Requested] –> Export Certificate Request
Save the file as OID.CSR
Using iManager to issue a certificate
Logon to iManager
Roles and Tasks –> Novell Certificate Server –> Issue Certificate
Specify the OID.CSR file.
Key type: SSL or TLS Enable extended key usage: Yes Extended key type: Server
Click Next –> Next –> Next
Save to: File in Base64 format
After finishing click the View Objects button in iManager –> Browse
Click on the down arrow next to Security and then on your trees CA object.
Click Modify Object –> Certificates –> select Self Signed Certificate –> Export
Do not export the Private Key.
Export format: BASE64
Save the file.
Back in the Oracle Wallet Manager click Operations –> Import Trusted Certificate
Import the B64 file containing the self signed certificate from your CA. (The last one we saved from iManager)
Your CA name should appear at the bottom of the Trusted Certificates list in the Wallet Manager.
Click Operations –> Import User Certificate
Import the B64 file that was signed by your CA when you ran the Issue Certificate wizard in iManager.
Certificate should now read [Ready].
Click on Wallet –> Save
Click on Wallet –> Auto Login so the bottom of the window reads Autologin enabled.
Start the Oracle Directory Manager if it’s not already running and login as cn=orcladmin.
Under Server Management –> Directory Server –> Right click Configuration Set1 –> Create like
Create a new configuration set named Configuration Set2.
Max. Number of DB Connections: 10
SASL Cipher Choice: des, 3des, rc4-56
Number of Child Processes: 1
Non SSL Port: 1389
Click your new configuration set and select the SSL Settings tab.
In the SSL Wallet URL enter the path to the wallet directory, in my case:
file:C:\Documents and Settings\Administrator.DC-1\ORACLE\WALLETS
SSL Authentication: SSL Server Authentication
SSL Enable: SSL only
SSL Port: 1636
Configure the OracleServiceORCL to run as the user who created the ”wallet”.
Go to: Start –> Control Panel –> Administrative Tools –> Services
Open the OracleServiceORCL service and click on the Log On tab.
Click ”This account” and select the user that created the wallet, in my case it was the Administrator user in the domain, also type in the password and click OK. Restart the service.
Now that we have created a new SSL enabled instance we need to start it.
Open a command prompt (Start –> Run –> cmd –> OK) and type the following command to start a new instance:
oidctl connect=orcl server=oidldapd instance=2 configset=2 start
If you need to stop the instance you can type:
oidctl connect=orcl server=oidldapd instance=2 configset=2 stop
You can now use the Oracle Enterprise Manager tool to see the status of your instance by surfing to the address, something like this: http://idm36.idm360.lab:18100
Use a tool such as Apache Directory Studio or ”ldapsearch” to connect to the new instance using SSL and see if it works.
Using your LDAP browser or Directory Manager, locate the entry cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext,dc=idm360,dc=lab in your DIT and check the cn=default entry below it; it should have the attribute orclpwdencryptionenable set to 1 to allow for two-way password synchronization.
If you can’t connect check the logs in Oracle Enterprise Manager that may guide you to the error and maybe a solution.
Setting up the Novell Identity Manager LDAP driver to connect to Oracle Internet Directory.
We’ll start by installing the Remote Loader on our Windows server that is running OID. (This is not necessary depending on your configuration, but we’ll do it to make it more complicated ;-))
Start the Identity Manager Remote Loader Console from the desktop and click Add.
Enter the following information:
Description: OID LDAP
Driver: com.novell.nds.dirxml.driver.ldap.LDAPDriverShim
Config File: C:\Novell\RemoteLoader\OIDLDAP-Config.txt
IP Address: All
Connection Port – Metadirectory Server: 8090
Command Port – Local host communication only: 8000
Remote Loader Password: Remote
Driver Object Password: Driver
Use an SSL Connection: Select the path to the trusted root file in B64 format that you exported using iManager.
Trace Level: 3
Establish a Remote Loader service for this driver instance: Yes
Start the remote loader instance after creating it.
Now when that’s done I’m going to add the LDAP driver to my driver set using iManager.
I’m sure you are confident with the steps for setting up a new driver set and adding a driver so I’ll just list the configuration parameters I used (Change the parameters according to your own needs).
Driver name: OID LDAP
Placement Type: Flat
eDirectory Container: Choose one that fits your organization
LDAP Container: ou=Users2,dc=idm360,dc=lab
LDAP Server: 192.168.0.101:1636
LDAP Authentication DN: cn=orcladmin
Use SSL: Yes
Configure Data Flow: Bi-Directional
Driver is Local/Remote: Remote
Remote Host Name and Port: 192.168.0.101:8090
Driver Password: Driver
Remote Password: Remote
Keystore Path: C:\Novell\RemoteLoader\oidcacerts.jks
Use SSL Mutual Authentication: No
Polling Interval in Seconds: 20
Publication Method: Changelog
Entries to Process on Startup: Previously unprocessed
When creating the driver I specified which keystore I wanted to use, now I must create it.
As we still have the exported trusted root certificate we’ll use it to create the keystore.
Open a command prompt and type in the following command:
keytool -import -alias meta -keystore oidcacerts.jks -file orgcacert.b64
You need to specify a password and accept the certificate. When it’s done move it to the directory you specified in the driver configuration.
As we have configured the Remote Loader for SSL we need to alter the driver configuration so it connects using SSL to the Remote Loader, remember that this is not the same as the SSL connection between the driver shim and OID. This is from the Vault server to the server running the Remote Loader which in turn runs the driver shim which connects to OID also using SSL…
In iManager click the driver status button in the upper right corner and then on Edit properties.
Find the Remote loader connection parameters and change the string from hostname=192.168.0.101 port=8090 to
hostname=192.168.0.101 port=8090 kmo="SSL CertificateIP"
and click OK.
The kmo parameter tells it to use the specified certificate to connect to the Remote Loader.
You can also change the trace level under “Misc” to “3”.
Log on to iMonitor on the server running the IDM engine and under the Trace Configuration select Clear All, and then DirXML, DirXML Driver and Trace On, Update, Trace Live.
In my case the URL was https://192.168.0.101:8030
Start the driver and watch the trace in the remote loader and in iMonitor for signs of problems, if everything is set up correctly there shouldn’t be any…
Try to create/modify/delete users in eDirectory and OID to see that the synchronization works as it should. You will notice that you only have one-way password synchronization, from eDirectory to OID and not from OID to eDirectory. This is what you have to do to get two way password synchronization. This information comes from the Cool Solutions article “Using Bi-directional Password Synchronization with Oracle Internet Directory” by Uwe Krause. The original article can be found here:
After you have made sure that the orclpwdencryptionenable attribute is set to “1” as described in this document add these two rules below to your input transformation policy.
On modify of a password in OID they check that the attribute orclrevpwd contains a password and set it in eDirectory. Same thing with an add. You might want to modify your password GCVs, for example I set mine “publish-password-to-dp” (Publish passwords to Distribution Password) to “true”.
You can find out more about OID passwords in the official documentation here:
(16 Directory Storage of Password Verifiers)
<rule>
  <description>Set password in IDV on modify of authpassword</description>
  <conditions>
    <and>
      <if-operation op="equal">modify</if-operation>
      <if-class-name op="equal">inetOrgPerson</if-class-name>
      <if-xpath op="true">contains(modify-attr/@attr-name, 'authpassword')</if-xpath>
      <if-src-attr mode="regex" name="orclrevpwd" op="equal">.+</if-src-attr>
    </and>
  </conditions>
  <actions>
    <do-set-dest-password>
      <arg-string>
        <token-src-attr name="orclrevpwd"/>
      </arg-string>
    </do-set-dest-password>
  </actions>
</rule>
<rule>
  <description>Add password on add</description>
  <conditions>
    <and>
      <if-operation op="equal">add</if-operation>
      <if-class-name op="equal">inetOrgPerson</if-class-name>
      <if-src-attr mode="regex" name="orclrevpwd" op="equal">.+</if-src-attr>
    </and>
  </conditions>
  <actions>
    <do-set-dest-password>
      <arg-string>
        <token-src-attr name="orclrevpwd"/>
      </arg-string>
    </do-set-dest-password>
  </actions>
</rule>
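To see what the two rules above actually decide, here is an added Python simulation (not part of the original article, nor Identity Manager code) that applies their conditions to constructed XDS add and modify events. The DNs, passwords and the OID_STATE dictionary that stands in for the engine's source query on a modify are all assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed XDS documents standing in for what the LDAP driver shim publishes
# from the OID changelog (not captured from a real driver).
MODIFY_XDS = """<nds><input>
 <modify class-name="inetOrgPerson" src-dn="cn=jdoe,ou=Users2,dc=idm360,dc=lab">
  <modify-attr attr-name="authpassword;orclcommonpwd">
   <add-value><value>{SASL/MD5}constructed-verifier</value></add-value>
  </modify-attr>
 </modify>
 <modify class-name="inetOrgPerson" src-dn="cn=asmith,ou=Users2,dc=idm360,dc=lab">
  <modify-attr attr-name="sn"><add-value><value>Smith</value></add-value></modify-attr>
 </modify>
</input></nds>"""
ADD_XDS = """<nds><input>
 <add class-name="inetOrgPerson" src-dn="cn=bnew,ou=Users2,dc=idm360,dc=lab">
  <add-attr attr-name="orclrevpwd"><value>N3w-user-pw</value></add-attr>
 </add>
 <add class-name="inetOrgPerson" src-dn="cn=nopw,ou=Users2,dc=idm360,dc=lab">
  <add-attr attr-name="sn"><value>NoPassword</value></add-attr>
 </add>
</input></nds>"""
# Stand-in (assumed) for the query the engine sends to OID when if-src-attr is
# evaluated on a modify: the reversible password is not inside the modify event.
OID_STATE = {"cn=jdoe,ou=Users2,dc=idm360,dc=lab": {"orclrevpwd": ["S3cret-jdoe"]},
             "cn=asmith,ou=Users2,dc=idm360,dc=lab": {"orclrevpwd": ["S3cret-asmith"]}}

def src_attr(op, name, oid_state):
    """Values of a source attribute: add-attr on an add, source query on a modify."""
    if op.tag == "add":
        return [v.text or "" for v in op.findall(f"add-attr[@attr-name='{name}']/value")]
    return oid_state.get(op.get("src-dn"), {}).get(name, [])

def password_to_set(op, oid_state):
    """Return the password the two rules would push into eDirectory, else None."""
    if op.get("class-name") != "inetOrgPerson":
        return None
    if op.tag == "modify":
        # XPath 1.0 contains() on a node-set only inspects the first modify-attr.
        first = op.find("modify-attr")
        if first is None or "authpassword" not in first.get("attr-name", ""):
            return None
    elif op.tag != "add":
        return None
    values = [v for v in src_attr(op, "orclrevpwd", oid_state) if re.fullmatch(".+", v)]
    return values[0] if values else None

def process(xds, oid_state=OID_STATE):
    return {op.get("src-dn"): password_to_set(op, oid_state) for op in ET.fromstring(xds).find("input")}
```

Note that the modify rule fires only when the first modify-attr in the event names authpassword; a modify that changes another attribute first is skipped even if the password also changed.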
Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.