Thursday, August 28, 2008

Oracle 10g SSO Integration with E-Biz - Implementation-2

Now we are going to modify the import connector profile so that we can import users from AD to OID.
1. Create the “mapping rules” listed here and save them to a file named “”
DomainRules
OU=OU_MYUSERS,DC=corp,DC=mygrp,DC=com:cn=adusers,cn=users,dc=corp,dc=mygrp,dc=com:
AttributeRules
# attribute rule common to all objects
objectguid: :binary: :orclobjectguid:string: :bin2b64(objectguid)
ObjectSID: :binary: :orclObjectSID:string: :bin2b64(ObjectSID)
distinguishedName: : : :orclSourceObjectDN: :orclADObject
# attribute rule for mapping windows organizationalunit
ou: : :organizationalunit:ou: : organizationalunit
# attribute rule for mapping directory containers
cn: : :container: cn: :orclContainer
# attribute rule for mapping directory domains
dc: : :domain: dc: :domain
# attribute rule for mapping windows LOGIN id
# ('|' means: use the first attribute that has a value)
sAMAccountName,userPrincipalName: : :user:orclSAMAccountName: :orclADUser:sAMAccountName|trunc(userPrincipalName,'@')
# attribute rule for mapping Active Directory LOGIN id
userPrincipalName: : :user:orclUserPrincipalName: :orclADUser:userPrincipalName
# Map the userprincipalname to the nickname attr by default
samAccountName,userPrincipalName: : :user:uid: :inetorgperson:sAMAccountName|trunc(userPrincipalName,'@')
# Assign the userprincipalname to Kerberos principalname
# userPrincipalName: : :user:krbPrincipalName: :orcluserv2:trunc(userPrincipalName,'@')+'@'+toupper(truncl(userPrincipalName,
samAccountName: : :user:krbPrincipalName: :orcluserv2:samAccountName+'@'+'DOMAINNAME.COM'
# This rule is mapped as SAMAccountName is a mandatory attr on AD
# and sn is mandatory on OID. sn is not mandatory on Active Directory
sn,SAMAccountName: : :person:sn: : person:sn|SAMAccountName
# attributes to map to cn - normally this is the given name
cn: : :person:cn: :person:
# attribute rule for mapping entry and to create orclUserV2
# There should be a mapping rule with orcluserv2 objectclass
# without which the PORTAL may not function properly
givenName: : :user:displayName: :inetorgperson:
employeeID: : :user:employeeNumber: :inetOrgPerson:
physicalDeliveryOfficeName: : :user:physicalDeliveryOfficeName: :organizationalPerson:
title: : :user:title: :organizationalPerson:
mobile: : :organizationalperson:mobile: :inetorgperson:
telephonenumber: : :organizationalperson:telephonenumber: :inetorgperson:
facsimileTelephoneNumber: : :organizationalperson:facsimileTelephoneNumber: :inetorgperson:
l: : :user:l: :organizationalperson:
# mail needs to be assigned a valid value for default settings in DAS
userPrincipalName: : :user:mail: :inetorgperson:
cn: : :group:cn: :groupofuniquenames:
# displayname needs to be assigned a valid value for default settings on DAS
SAMAccountName: : :group:displayName: :orclgroup:
# Description needs to be assigned a valid value for default settings on DAS
Description: : :group:Description: :groupOfUniqueNames:
member: : :group:uniquemember: :groupofUniqueNames:
managedby: : :group:owner: :orclprivilegegroup:
sAMAccountName: : :group:orclSAMAccountName: :orclADGroup:
2. Create the “Import Profile Configuration” listed here and save it to a file named “ActiveChgImp.cfg”
Package: gsi
Reader: ActiveChgReader
SkipErrorToSyncNextChange: true
SearchDeltaSize: 500
3. Replace the “-h” OID host and “-p” port in the command below and execute it (the filter is an LDAP OR of organizational units and user objects, with computer accounts excluded):

$ORACLE_HOME/bin/dipassistant modifyprofile \
-h \
-p 389 \
-D cn=orcladmin \
-w \
-profile ActiveChgImp \
odip.profile.condiraccount="ADUSERname" \
odip.profile.condirpassword= \
odip.profile.condirurl="activedirectoryhostname:389" \
odip.profile.configfile="ActiveChgImp.cfg" \
odip.profile.condirfilter="(|(objectclass=organizationalunit)(&(objectclass=user)(!(objectclass=computer))))"
4. On the IDM host where OID component is installed, replace the “-h” OID host and “-p” port in the command below and execute:

$ORACLE_HOME/bin/dipassistant bootstrap \
-h \
-p \
-D "cn=orcladmin" \
-w \
-profile ActiveChgImp

Check the bootstrap log file located in the $ORACLE_HOME/ldap/odi/log directory for errors. If there are no errors, voila, you are done importing all users into OID.
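Before running the bootstrap it is worth previewing what the attribute rules from step 1 will actually write into OID for a given AD user, since the import covers every user under the mapped OU. The following Python script is an added example, not code from this post or from Oracle's DIP: it evaluates a subset of those rules against a constructed AD entry, implementing the mapping operators the rules use (`|` first non-null, `+` concatenation, `trunc(attr,'c')`, `bin2b64(attr)`). A rule whose expression yields nothing is simply dropped, so a rule pasted without its `|` operator would silently leave the user without a uid.

```python
import base64
import re
# Constructed AD entry (not from the post); sn omitted on purpose: AD allows that, OID's person class does not.
AD_ENTRY = {"objectguid": bytes(range(16)), "samaccountname": "jdoe",
            "userprincipalname": "jdoe@corp.mygrp.com"}

# Subset of the post's attribute rules, with the '|' (first non-null) operator intact.
RULES = """
objectguid: :binary: :orclobjectguid:string: :bin2b64(objectguid)
samAccountName,userPrincipalName: : :user:uid: :inetorgperson:sAMAccountName|trunc(userPrincipalName,'@')
samAccountName: : :user:krbPrincipalName: :orcluserv2:samAccountName+'@'+'DOMAINNAME.COM'
sn,SAMAccountName: : :person:sn: : person:sn|SAMAccountName
userPrincipalName: : :user:mail: :inetorgperson:
"""

def eval_expr(expr, entry):
    """Evaluate attr, 'literal', a|b, a+b, trunc(attr,'c') or bin2b64(attr); None = no value."""
    expr = expr.strip()
    if "|" in expr:                          # first alternative that yields a value wins
        vals = (eval_expr(a, entry) for a in expr.split("|"))
        return next((v for v in vals if v is not None), None)
    if "+" in expr:                          # concatenation; a missing operand voids the result
        parts = [eval_expr(p, entry) for p in expr.split("+")]
        return None if None in parts else "".join(parts)
    if expr[:1] == "'" and expr[-1:] == "'":
        return expr[1:-1]
    if m := re.fullmatch(r"trunc\((\w+),'(.)'\)", expr):   # keep text before first 'c'
        v = entry.get(m[1].lower())
        return None if v is None else v.split(m[2], 1)[0]
    if m := re.fullmatch(r"bin2b64\((\w+)\)", expr):       # binary GUID/SID -> base64 text
        v = entry.get(m[1].lower())
        return None if v is None else base64.b64encode(v).decode("ascii")
    return entry.get(expr.lower())           # plain attribute reference, case-insensitive

def apply_rules(rules_text, entry):
    """OID attributes an AD entry gets. Rule layout:
    srcAttr:reqSeq:srcType:srcObjClass:dstAttr:dstType:dstObjClass:expression"""
    out = {}
    for line in rules_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 8:
            raise ValueError(f"malformed rule: {line}")
        src, dst, rule = fields[0], fields[4], fields[7]
        value = eval_expr(rule or src, entry)  # empty expression = copy the source attribute
        if value is not None:
            out[dst] = value
    return out
```

Running `apply_rules(RULES, AD_ENTRY)` shows sn falling back to the sAMAccountName and the GUID arriving as base64 text, which is what you should expect to see on the imported OID entries.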

Watch out for my next post on modifying the ActiveChgImp profile, as it has some new steps in IDM version

Happy Troubleshooting !!!
