Oracle Internet Directory Integration with Microsoft Active Directory

May 30, 2009 at 9:39 am | In Advanced Implementation of EBS | 14 Comments

Dear Readers,
In this post I will explain in detail how to integrate Oracle Internet Directory (OID) with Microsoft Active Directory (AD).
Pre-requisites
1. Install Oracle Identity Management Suite 10.1.4.0.1. Choose the Infrastructure and Metadata Repository option, and select SSO, ODISRV and all the other components except Certificate Authority and HA.
2. Install Windows 2003 Server and configure Microsoft Active Directory on that server.
3. Place both servers on the same network.

Step I.
Log in to the OID server and invoke dipassistant (the Oracle Directory Integration and Provisioning admin console) as follows:

$ dipassistant -gui

Log in as dipadmin; the password is the same as that of the orcladmin super user which you gave during the installation of OID.

In the dipadmin console, in the left pane under System Objects, choose Active Directory beneath the ConfigurationSet1 icon; the right pane then shows the Express Configuration Wizard.

Enter the Active Directory server information and, under credentials, enter the super user account as administrator@. Give any reasonable connector name; if you press then the import and export profile names are prefixed with the connector name. Tick the Configure Access Control Policies check box if you want to enforce ACLs, then press OK to save this information, which starts the actual integration.

Screenshot: Express Configuration Wizard in dipadmin, configuring Active Directory

On successful integration, dipadmin displays a success message as shown below.

Screenshot: success screen, OID to AD

Step II. Enable bidirectional synchronization in dipadmin for OID to AD
To achieve bidirectional synchronization, in the dipadmin console choose the configured configset1 in the left pane (System Objects); the right pane shows the configured adImport and adExport profiles (since I gave the connector name as ad). Choose each connector profile, edit it and enable it, for both export and import. If you enable both, synchronization of users is bidirectional, i.e. from OID to AD and from AD to OID. You can also note the bootstrap status (which has not started yet). Screenshots for editing the connector profiles are given below.

Screenshot: enable the AD Import connector profile

Screenshot: enable the AD Export connector profile

Step III.
The initial migration of users from Microsoft Active Directory to Oracle Internet Directory is called the “bootstrap” process. To do the bootstrap, execute the command as shown below.

Screenshot: migrating initial users from AD to OID (bootstrap command)

Confirm that the bootstrap is successful by choosing the adImport profile (connector) in configset1, editing it in the right pane and checking its status, which shows that the bootstrap succeeded, as shown below.

Screenshot: check that the bootstrap (migration of users from AD to OID) is successful

Step IV.
Now the initial import of users from AD to OID is complete. To start synchronization of users created in either AD or OID, start the ODI server (odisrv) with configuration set 1 (the one we configured with dipadmin), using the following command.

Screenshot: start odisrv with configset1 to synchronize users both ways

You can verify that synchronization has started by editing the profiles and checking their status, or by checking the odisrv logs in $ORACLE_HOME/ldap/logs; the .trc and .aud files for these connectors are in $ORACLE_HOME/ldap/odi/logs.

Step V.
The final step in the configuration process is to deploy the Active Directory External Authentication Plug-in, which validates the user-supplied password against AD during a user login sequence (the LDAP bind). The following steps involve running a Unix shell script:

$ cd $ORACLE_HOME/ldap/admin
$ sh oidspadi.sh

A series of messages and prompts is displayed as the script executes. Sample prompt responses:
Please enter Active Directory host name: ad.vectorconsulting.co.uk
Do you want to use SSL to connect to Active Directory? (y/n) n
Please enter Active Directory port number [389]: 389
Please enter DB connect string: iasdb
Please enter ODS password: oracleadmin1
Please enter confirmed ODS password: admin01
Please enter OID host name: sso.vectorconsulting.co.uk
Please enter OID port number [389]: 13061
Please enter orcladmin password: oracleadmin01
Please enter confirmed orcladmin password: oracleadmin01
Please enter the subscriber common user search base [orclcommonusersearchbase]: cn=Users,dc=vectorconsulting,dc=co,dc=uk
Please enter the Plug-in Request Group DN:
Please enter the exception entry property [(!(objectclass=orcladuser))]:
Do you want to setup the backup Active Directory for failover? (y/n) n

Upon successful completion of the plug-in deployment, return to the Oracle Directory Manager console and navigate to the Plug-In Management fork. Make sure that the Plug-in Enable property is set for both adwhencompare and adwhenbind.
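Because oidspadi.sh asks for every value interactively and a mistyped answer is only noticed once the plug-in is half-registered, the following pre-flight check is a useful habit. It is an added example written for this page, not part of the post and not an Oracle tool. It validates the sample responses above (constructed here as a dictionary): each password must match its confirmation, ports must be valid, the subscriber search base must sit under the dc= DN derived from the AD host's domain, and the exception-entry filter must be well formed. The derivation of the domain DN assumes the first DNS label of the AD host is the host name and the rest is the domain; the SSL finding reflects that the plug-in forwards the user's password to AD in the bind.

```python
"""Pre-flight check of the answers given to the oidspadi.sh prompts.

Added example for this page; not part of the blog post and not Oracle's
own tooling. It inspects the answers before the script is run.
"""
import re

# Constructed from the sample prompt responses in the post. Note that the
# ODS password and its confirmation differ there, which the check flags.
SAMPLE_RESPONSES = {
    "ad_host": "ad.vectorconsulting.co.uk",
    "ad_ssl": "n",
    "ad_port": "389",
    "db_connect": "iasdb",
    "ods_password": "oracleadmin1",
    "ods_password_confirm": "admin01",
    "oid_host": "sso.vectorconsulting.co.uk",
    "oid_port": "13061",
    "orcladmin_password": "oracleadmin01",
    "orcladmin_password_confirm": "oracleadmin01",
    "user_search_base": "cn=Users,dc=vectorconsulting,dc=co,dc=uk",
    "exception_filter": "(!(objectclass=orcladuser))",
}


def domain_to_dn(ad_host):
    """Map the AD server's DNS name to the domain's dc= DN.

    Assumption: the first label is the host name and the remaining labels
    are the AD domain, e.g. ad.vectorconsulting.co.uk -> vectorconsulting.co.uk.
    """
    labels = ad_host.lower().strip(".").split(".")[1:]
    if not labels:
        raise ValueError("host name has no domain part: %r" % ad_host)
    return ",".join("dc=" + label for label in labels)


def parse_dn(dn):
    """Split a DN into lower-cased (attribute, value) pairs; backslash-escaped commas stay in the value."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError("malformed RDN %r in %r" % (rdn, dn))
        pairs.append((attr.strip().lower(), value.strip().lower().replace("\\,", ",")))
    return pairs


def dn_ends_with(dn, suffix):
    """True when `dn` equals `suffix` or sits somewhere below it."""
    d, s = parse_dn(dn), parse_dn(suffix)
    return len(d) >= len(s) and d[len(d) - len(s):] == s


def filter_is_balanced(ldap_filter):
    """Cheap syntax check for the exception-entry filter: balanced parentheses, starts with '('."""
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0 and ldap_filter.startswith("(")


def check_responses(r):
    """Return a list of findings; an empty list means the answers are consistent."""
    findings = []
    for name in ("ods", "orcladmin"):
        if r[name + "_password"] != r[name + "_password_confirm"]:
            findings.append("%s password and its confirmation differ" % name)
    for name in ("ad_port", "oid_port"):
        if not r[name].isdigit() or not 1 <= int(r[name]) <= 65535:
            findings.append("%s is not a valid TCP port: %r" % (name, r[name]))
    if r["ad_ssl"].lower() == "n":
        findings.append("SSL to AD is off; the plug-in will send user passwords to AD in the clear on each bind")
    try:
        domain_dn = domain_to_dn(r["ad_host"])
        if not dn_ends_with(r["user_search_base"], domain_dn):
            findings.append("search base %r is not under the AD domain %s" % (r["user_search_base"], domain_dn))
    except ValueError as exc:
        findings.append(str(exc))
    if not filter_is_balanced(r["exception_filter"]):
        findings.append("exception-entry filter has unbalanced parentheses")
    return findings


if __name__ == "__main__":
    for finding in check_responses(SAMPLE_RESPONSES):
        print("WARNING:", finding)
```

Run against the sample answers it reports two findings: the ODS password mismatch (oracleadmin1 vs admin01), which would make the script abort, and the unencrypted AD connection.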
Testing
At this point, OID has been populated with an initial set of users and groups via bootstrap migration from Active Directory, and Oracle Directory Integration and Provisioning has been configured to use the Active Directory connector to keep this information synchronized. The Oracle directory server has been directed to authenticate users migrated from Active Directory using the Oracle-supplied Active Directory External Authentication Plug-in. It should now be possible to log in to Oracle SSO, or any integrated application such as E-Business Suite, as one of the migrated Active Directory users with the corresponding AD password.

Note: The username must be of the form name@

Step VI. Open Oracle Directory Manager and verify that users have been imported from Active Directory by navigating to the default domain and cn=Users, where the Active Directory users can be found, as shown below.

Screenshot: verify Active Directory users are imported into OID

Now go to the Windows Active Directory server and verify that the OID users have been migrated there, as shown below.

Screenshot: Active Directory manage users screen

Verify that the orcladmin user (or whichever users exist in OID) is populated in AD.

Screenshot: orcladmin user populated in AD

Step VII. Create a new user in AD and verify that the user is synchronized to OID.

For example, I created a user “vivek rajendran” in the Active Directory domain and verified that it synchronized to OID.

Screenshot: create a new user in Active Directory

Screenshot: verify that the user created in AD is synchronized to OID

Step VIII.

The next step is to create a test user in OID using the oiddas self-service web console. The screenshots are as follows.

Screenshot: creating a new user in the oiddas self-service web console

Screenshot: choosing a group in oiddas while creating the user

Screenshot: user created successfully in the oiddas web console

Final step.

Verify that the user created in OID is reflected in AD.

Screenshot: user created in OID reflected in AD

Trace and audit files for the connector (screenshot shown below):

Screenshot: trace and audit files for the connector, OID to AD (both ways)

If you have any issues with the synchronization, review the .aud and .trc files above and also the odisrv log files, as shown below ($ORACLE_HOME/ldap/odi/log).

Screenshot: ODISRV logs

I hope you have all understood the integration of OID with AD. If you have integrated other applications such as Oracle E-Business Suite, and bidirectional provisioning is enabled there, then any user you create in E-Business Suite will automatically be enabled in Windows Active Directory and will be able to log in as a Windows desktop user.

Your comments and questions are welcome.
– Vivek Rajendran

14 Comments

  1. Hi,
    I got an INVALID_CREDENTIALS error in the dipadmin console. I can ping the AD server from the OID server and vice versa. Please help.

  2. Hi,
    What is the Windows equivalent of the oidspadi.sh script?
    Thanks.

  3. Hi,
    I hope the domain in AD that you are trying to integrate into OID is not existing in OID. Log in to OID Manager (front end) and if you expand Entry Management you should find the dc= entry for the new domain.
    If it's not there you will land up with this problem. You can add that new domain blank entry in OID using OID Manager.
    – Vivek

  4. I set up SSO and have it authenticate my credentials via AD instead of OID. Right now I have to enter my username on Oracle Portal in the form username@domain.

    I prefer to just enter the username and ignore the @domain part. Can I do that? If so, which components do I need to configure?

    Thanks
    Andy

  5. Hi Vivek,

    We have configured Oracle E-Business 11i with Oracle SSO 10g. We are able to log onto the application using “Zero Sign-on”, that is using the Kerberos ticket through Internet Explorer. However we are getting an issue when trying to go through the Oracle Single Sign-On OracleAS 10g Login page or E-Business Suite 11i AppsLocalLogin page. We are getting the error “Login failed. Please verify your login information or contact the system administrator”. This feature works fine for about one hour after we restart the applications. After this period it does not work until we restart the server again.

    Grateful if you could provide some help,

    Kind regards,
    Selven

    • Hi Selven,
      Check out the Metalink note:
      Troubleshooting SSO Windows Native Authentication (WNA)
      Doc ID: 283268.1
      Thanks
      – Vivek

  6. Hi

    Can we integrate Oracle DB 10g R2 with Active Directory?
    DB is on Linux and 2003 AD.

    If it is possible then … can you give me the process.

  7. Hi

    Can we integrate Oracle DB 10g R2 with Active Directory?
    DB is on Linux and 2003 AD.

    If it is possible then … can you give me the process.

    Thanks
    kosala

  8. Hi,
    I hope it should not be an issue, but check that all the required components are installed (Oracle Identity Management components).
    – Vivek

  9. Hi,
    I got the following error (in French) at the last step of oidspadi (registering plug-ins):

    Registering Plug-ins …

    ajout de l'entrée cn=adwhencompare,cn=plugin,cn=subconfigsubentry
    ldap_add: Violation de classe d'objet
    ldap_add : info. supplémentaire : dn introuvable dans la liste des attributs obligatoires ou facultatifs.

    Means something like:

    add entry cn=adwhencompare,cn=plugin,cn=subconfigsubentry
    ldap_add: Object class violation
    ldap_add : additional info : dn not found in mandatory/optional attributes list

    Please help.

  10. Hi,
    It appears that the domain exists in AD but not in OID. Add a blank object entry in OID Manager (front end) for the new domain in OID (in Entry Management, dc=newdomain), then run oidspadi.sh.
    – Vivek
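The fix given in this answer and in comment 3 is to create the missing dc= container for the AD domain in OID before the plug-in is registered. The following added example (written for this page, not part of the post or the comment thread) builds that LDIF from the domain name, from the top-level label downwards so that every parent exists before its child, and skips containers that are already present. It assumes the standard `domain` object class with a `dc` attribute for each container; the constructed sample input is the domain used in the post, with the two upper containers assumed to exist already.

```python
"""Build the LDIF for the 'blank' domain container chain to add in OID.

Added example for this page; not part of the blog post or Oracle's tooling.
Assumes each container is an entry of object class 'domain' (standard LDAP
schema) named by its dc attribute.
"""


def domain_chain(domain):
    """All container DNs for a DNS domain, parents first.

    vectorconsulting.co.uk -> ['dc=uk', 'dc=co,dc=uk', 'dc=vectorconsulting,dc=co,dc=uk']
    """
    labels = [label for label in domain.lower().strip(".").split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return [",".join("dc=" + label for label in labels[i:])
            for i in range(len(labels) - 1, -1, -1)]


def domain_ldif(domain, existing=()):
    """LDIF text adding every container in the chain not listed in `existing`.

    `existing` holds the DNs already present in OID (compared case-insensitively);
    in practice these come from an ldapsearch of the directory, here they are
    supplied by the caller.
    """
    present = {dn.lower() for dn in existing}
    entries = []
    for dn in domain_chain(domain):
        if dn in present:
            continue
        dc_value = dn.split(",", 1)[0][len("dc="):]
        entries.append(
            "dn: %s\nobjectclass: top\nobjectclass: domain\ndc: %s\n" % (dn, dc_value)
        )
    return "\n".join(entries)


if __name__ == "__main__":
    # Constructed input: the AD domain from the post, with dc=uk and
    # dc=co,dc=uk assumed to exist in OID already, so only the domain
    # container itself is emitted.
    print(domain_ldif("vectorconsulting.co.uk", existing=["dc=uk", "dc=co,dc=uk"]))
```

The output is loaded with the ldapadd shipped in $ORACLE_HOME/bin, bound as cn=orcladmin against the OID port; the connection and bind options are those of the Oracle ldapadd and are not shown here. Which containers are already present should be checked with an ldapsearch of the naming context rather than guessed, since ldapadd refuses an entry whose parent is missing.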
