Identify the steps required to configure the DIP for directory synchronization. At the time of this writing the GUI Oracle ships with 11g is a piece of shit and doesn't work correctly. It flags things as invalid when in fact they are valid, so I highly recommend you avoid the GUI and use the command line to set up integration between OID and Active Directory (or any directory for that matter).
Part I: Directory setup
Before working through this document, be sure you have followed Oracle note 1203271.1 and have correctly provisioned service accounts in both OID and AD with the appropriate permissions. I would recommend creating a new account and giving that user "administrative" permissions, since it needs to touch about every part of the directory.
Part II: Modify DIP configuration files
The first step in configuring the DIP process is to be sure that A) the DIP properties file is correct and B) the directory mapping file is correct. This post will not focus on how these files should be configured; if you wish to learn more, review Oracle note 859177.1.
Part III: Configure keystore
In order to use SSL with the DIP process we must first configure the example.jks keystore to contain the public certificates used by both AD and OID.
Create an empty keystore (keytool has no "create empty keystore" option, so generate a throwaway key and delete it):
keytool -genkey -alias foo -keystore example.jks
keytool -delete -alias foo -keystore example.jks
Next import the various public keys used by OID for SSL:
keytool -import -trustcacerts -alias "example" -file public-key.cer -keystore example.jks -storepass <password>
Next register the keystore with WebLogic from the same server where OID is installed:
manageDIPServerConfig set -attr keystorelocation -val /app/infra/certs/example.jks -h localhost -p 7005 -wlsuser weblogic
Set the keystore password within WebLogic:
$ORACLE_HOME/common/bin/wlst.sh
connect ('weblogic', '<password>', 't3://localhost:7001')
createCred(map="dip", key="jksKey", user="jksuser", password="<password>")
At this point the keystore setup should be complete. We will want to test the profile connection within EM once the profile is registered (since that is the only thing in EM that appears to work correctly).
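As an added example (not code from the original post), the shell function below performs the keystore steps above non-interactively and verifies that every imported certificate actually landed in the store; the certificate directory, keystore path, alias naming (file name without .cer) and return codes are assumptions.

```shell
#!/bin/sh
# Added example: build the DIP truststore from a directory of public certs.
# Assumes keytool is on PATH. Paths and alias naming are illustrative only.

# build_truststore CERT_DIR KEYSTORE STOREPASS
# Returns 0 on success, 1 on import/verify failure, 2 if keytool is missing.
build_truststore() {
  cert_dir=$1; ks=$2; storepass=$3
  command -v keytool >/dev/null 2>&1 || { echo "keytool not found" >&2; return 2; }
  # keytool has no "create empty keystore" verb: as in the post, create a
  # throwaway key pair and delete it. -dname makes this non-interactive so a
  # script does not hang at the DN prompts that plain -genkey produces.
  rm -f "$ks"
  keytool -genkeypair -alias throwaway -keyalg RSA -keysize 2048 \
    -dname "CN=throwaway" -storetype JKS -keystore "$ks" \
    -storepass "$storepass" -keypass "$storepass" -validity 1 >/dev/null 2>&1 || return 1
  keytool -delete -alias throwaway -keystore "$ks" -storepass "$storepass" \
    >/dev/null 2>&1 || return 1
  # Import each public cert as a trusted entry; alias = file name without .cer.
  count=0
  for cer in "$cert_dir"/*.cer; do
    [ -f "$cer" ] || continue
    alias=$(basename "$cer" .cer)
    keytool -importcert -noprompt -trustcacerts -alias "$alias" -file "$cer" \
      -keystore "$ks" -storepass "$storepass" >/dev/null 2>&1 || return 1
    # Confirm the entry is really present before pointing DIP at this store.
    keytool -list -alias "$alias" -keystore "$ks" -storepass "$storepass" \
      >/dev/null 2>&1 || return 1
    count=$((count + 1))
  done
  # An empty store would make every SSL handshake fail later; refuse it now.
  [ "$count" -gt 0 ] || return 1
  return 0
}

# count_trusted_entries KEYSTORE STOREPASS -> number of trustedCertEntry rows
count_trusted_entries() {
  keytool -list -keystore "$1" -storepass "$2" 2>/dev/null | grep -c trustedCertEntry
}

# Example invocation (assumed paths; the password comes from the environment):
# build_truststore /app/infra/certs/public /app/infra/certs/example.jks "$STOREPASS"
```

Run it with the same keystore path you later pass to manageDIPServerConfig, so the store WebLogic is told about is the one you just verified.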
Part IV: Create DIP Profile & Mapping in OID
Once you have the configuration files as desired, the next step is to load both the ExampleExport.profile and ExampleExport.map configurations into OID. This can be accomplished by executing the following command:
manageSyncProfiles register -h localhost -p 7005 -D weblogic -f /app/infra/wl-home/Oracle_IDM/ldap/odi/conf/EXAMPLE/ExampleExport.profile
followed by a validation check:
manageSyncProfiles validateProfile -h localhost -p 7005 -D weblogic -pf ExampleProfile
At this point the profile is registered in OID and can be accessed through EM (it may show it as invalid when it is not). By default the profile is NOT enabled. When you are at a point where you feel comfortable enabling it (i.e. ready to move to the new target directory), enable the profile with the following command:
manageSyncProfiles activate -h localhost -p 7005 -D weblogic -pf ExampleProfile -fa true
However, prior to doing that, please be sure you have bootstrapped the directory before enabling the profile.
Part V: Bootstrap Directory
syncProfileBootstrap -host 10.98.0.9 -port 7005 -D weblogic -profile ActiveImport_Groexample -lp 5
At this point you should also enable the profile.