Oracle Internet Directory Administrator's Guide Release 9.2 Part Number A96574-01
This chapter discusses synchronization, which uses the first of the two types of integration profiles--namely, the directory synchronization profile. This profile provides the configuration information necessary to make Oracle Internet Directory and connected directories consistent.
This chapter discusses the synchronization profiles and connectors that link Oracle Internet Directory and connected directories. It contains these topics:
See Also:
"Oracle Directory Provisioning Integration Service" for a discussion of the second type of integration profile, called a provisioning integration profile, which identifies the data and methods for notifying an application of changes in user or group data.
This section contains these topics:
In the Oracle Directory Integration Platform, a connector represents a prepackaged connectivity solution between Oracle Internet Directory and a connected directory. Minimally, it consists of a connector profile, called a directory integration profile. This profile contains all the configuration information required to synchronize Oracle Internet Directory and a connected directory.
If the connected directory can use one of the interfaces supported by the Oracle Directory Integration Platform for exchanging data, then a connector requires only a directory integration profile for synchronization to occur. One example is the iPlanet connector provided with Oracle Internet Directory. Because Oracle Internet Directory and iPlanet Directory can synchronize by using the LDAP interface, the iPlanet connector consists simply of a pre-packaged directory integration profile.
If a connected directory cannot use one of the interfaces supported by the Oracle Directory Integration Platform, then, in addition to the directory integration profile, it requires an agent. The agent transforms the data from one of the formats supported by the Oracle Directory Integration Platform into one supported by the connected directory. An example is the Oracle Human Resources connector. It has both a prepackaged integration profile and an Oracle Human Resources agent. The agent uses the tagged file format supported by the Oracle Directory Integration Platform to communicate with Oracle Internet Directory, and it uses SQL (through an OCI interface) to communicate with the Oracle Human Resources system.
Synchronization can occur from a connected directory to Oracle Internet Directory, from Oracle Internet Directory to a connected directory, or both.
A numbered entry is stored in the change log container for each change to Oracle Internet Directory. Each time the Oracle Directory Synchronization Service processes a synchronization profile, it:
The appropriate entries or attributes are then updated in that connected directory. (If it does not use PL/SQL, LDAP, tagged, or LDIF formats directly, then the connector identified in its profile is invoked.) The last log number successfully used is then stored in the profile.
Oracle Internet Directory periodically purges the change log after all profiles have used what they need, and identifies where subsequent synchronization should begin.
When a connected directory uses PL/SQL, LDAP, tagged, or LDIF formats directly, changes to its entries or attributes are automatically synchronized by the Oracle Directory Synchronization Service. Otherwise, the connector identified in its synchronization profile must write the changes to an export file in tagged or LDIF format. The Oracle Directory Synchronization Service then uses this file of connected directory data to update Oracle Internet Directory.
Some connected directories cannot receive data by using any of the interfaces supported by Oracle Internet Directory. The profiles for this type of directory contain an attribute identifying a separate program for synchronization. This program, called an agent, translates between the connected directory's specialized format and a tagged or LDIF file containing the synchronization data. The Oracle Directory Synchronization Service invokes the agent identified in the profile to perform the synchronization.
When exporting data from Oracle Internet Directory for import into this type of connected directory, the Oracle Directory Synchronization Service creates the necessary file in the tagged or LDIF format. The agent then reads that file, translates it into the correct format for the receiving connected directory, and stores the data in that directory.
When exporting data from this type of connected directory for import into Oracle Internet Directory, the agent creates the necessary tagged or LDIF format file. The Oracle Directory Synchronization Service then uses this file data to update the Oracle Internet Directory.
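The change-log bookkeeping described above, as an added example (not code from the Oracle Directory Integration Platform): each export profile tracks its own last applied change number, a failed delivery leaves that number unchanged so the same change is retried on the next pass, and the purge point is the lowest number that every profile has consumed. The class and function names are assumptions for illustration; only the attribute names mirror Table 28-1.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample change log: numbered entries as they would sit in the
# change log container (change number, target DN, modified attributes).
CHANGE_LOG: List[Tuple[int, str, Dict[str, str]]] = [
    (101, "uid=asmith,dc=metaagt,dc=com", {"mail": "asmith@example.com"}),
    (102, "uid=bjones,dc=metaagt,dc=com", {"telephonenumber": "555-0102"}),
    (103, "uid=asmith,dc=metaagt,dc=com", {"title": "Engineer"}),
]

@dataclass
class ExportProfile:
    """Teaching model of an export-direction synchronization profile. Field names
    follow Table 28-1; the class itself is an assumption, not a real ODI type."""
    name: str
    enabled: bool = True                      # ProfileStatus
    last_applied_chg_num: int = 0             # OIDLastAppliedChangeNumber
    failures: int = 0                         # consecutive failures on the current change
    max_retries: int = 10                     # Number of Retries default from Table 28-1
    applied: List[int] = field(default_factory=list)

def process_profile(profile: ExportProfile, change_log, deliver: Callable) -> int:
    """One scheduling-interval pass. Changes newer than the profile's last applied
    number are delivered in order; the number advances only after a successful
    delivery, so a failed change is retried on the next pass rather than skipped."""
    if not profile.enabled:
        return profile.last_applied_chg_num
    for num, dn, mods in change_log:
        if num <= profile.last_applied_chg_num:
            continue                          # already synchronized on an earlier pass
        try:
            deliver(dn, mods)
        except Exception:
            profile.failures += 1             # resume from this same change next time
            break
        profile.failures = 0
        profile.applied.append(num)
        profile.last_applied_chg_num = num
    return profile.last_applied_chg_num

def next_retry_minutes(profile: ExportProfile) -> Optional[int]:
    """Retry schedule from Table 28-1: the n-th retry runs n minutes after the n-th
    failure; past max_retries the profile gives up until an administrator intervenes."""
    if profile.failures == 0 or profile.failures > profile.max_retries:
        return None
    return profile.failures

def purge_watermark(profiles: List[ExportProfile]) -> int:
    """Highest change number that every profile has consumed; entries at or below it
    are safe to purge. Assumption: every registered profile counts, so one profile
    that is disabled or stuck in retries pins the watermark and the log keeps growing."""
    return min(p.last_applied_chg_num for p in profiles)
```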
A directory integration profile for synchronization is called a directory synchronization profile. It contains all the configuration information required for synchronization including:
One part of the configuration information has to do with the direction of the synchronization. Some connected directories only receive data from Oracle Internet Directory, others only supply data to it, and some do both. A separate profile is used for each direction--that is, one profile for information coming into Oracle Internet Directory, and another for information going from Oracle Internet Directory to the connected directories.
Another part of the configuration information has to do with the type of interface to be used. Some connected directories can receive data in any of the interfaces built into the Oracle Directory Integration Platform. These interfaces now include PL/SQL, LDAP, tagged, and LDIF. For these connected directories, the Oracle Directory Synchronization Service performs the synchronization itself, directly, using the information stored in the profile.
The directory synchronization profile also stores such information as the name and type of an agent, how and when to invoke it, and the mapping information required for synchronizing entries and attributes.
Changes requiring synchronization can occur in Oracle Internet Directory or in a connected directory. The Oracle Directory Synchronization Service periodically checks each profile, comparing its last successful update time and change number against the contents of the change log. When as-yet-unsynchronized changes are found, the Oracle Directory Synchronization Service initiates synchronization. Import and export operations for Oracle Internet Directory are handled directly by the Oracle directory integration server. If synchronization with a particular connected directory requires an agent, then that need is specified in the profile and the agent is automatically invoked.
Before deploying a connector, you register it in Oracle Internet Directory. This registration involves creating a directory synchronization profile, which is stored as an entry in the directory. To create it, you can use either Oracle Directory Manager or command-line tools, as described in subsequent sections of this chapter.
Most of the information needed to synchronize the data with the connected directory--such as account name, password, host name, port number--is stored in the synchronization profile. However, if the connector execution requires any additional information, it can be stored in the orclOdipAgentConfigInfo attribute of the synchronization profile entry.
See Also:
"Additional Connector Configuration Information" for information about the orclOdipAgentConfigInfo attribute.
Attributes in a synchronization profile entry belong to the object class orclodiProfile. The only exception is the orcllastappliedchangenumber attribute, which belongs to the object class orclchangesubscriber.
The Object Identifier prefix 2.16.840.1.113894.7 is assigned to platform-related classes and attributes. Table 28-1 lists all the attributes in the Oracle Directory Integration Platform profile.
Attribute | Description
---|---
General Information |
ProfileName (orclOdipAgentName) | Name of the integration profile.
ProfileStatus (orclOdipAgentControl) | Indicator whether the profile is enabled or disabled.
Profile Password (orclOdipProfilePassword) | The password used by the profile to bind to Oracle Internet Directory. For import operations, changes are applied with the profile name as the identity.
SynchronizationMode (orclOdipSynchronizationMode) | Either of the following:
SchedulingInterval (orclOdipSchedulingInterval) | The interval at which the connector synchronizes.
Number of Retries (orclodipSyncRetryCount) | Maximum number of times the agent or synchronization is attempted in case of failure. By default, the Oracle directory integration server tries the synchronization a maximum of 10 times. The first retry takes place 1 minute after the first failure, the second retry happens 2 minutes after the second failure and, subsequently, the n-th retry takes place n minutes after the n-th failure.
ProfileVersion (orclVersion) | Identifier indicating the integration profile version. It has a value of 1.0. If this field has a value other than 1.0, the profile is not processed.
Execution Information |
AgentExecutionCommand (orclodipAgentExeCommand) | Connector executable name and argument list used by the directory integration server. It can be passed as a command-line argument when the connector is invoked. See Also: Chapter 33, "Synchronization with Oracle Human Resources" for typical usage of passing it on the command line.
ConnectedDirectory Account (orclOdipConDirAccessAccount) | Valid user account in the connected directory to be used by the connector for synchronization. For the iPlanet synchronization connector, it is a valid bind DN in the iPlanet directory. For the Oracle Human Resources agent (HRAgent), it is a valid user identifier in the Oracle Human Resources database. For other connectors, it can be passed as a command-line argument when the connector is invoked. See Also: Chapter 33, "Synchronization with Oracle Human Resources" for typical usage of passing it on the command line.
ConnectedDirectory AccountPassword | Password to be used by the user identifier specified in the
Connected Directory URL | Connect details required to connect to the connected directory. In the case of iPlanet synchronization, this parameter refers to the host name and port number as
Interface Type (orclodipDataInterfaceType) | The data format or protocol used in synchronization. Supported values are:
Additional Config Info (orclOdipAgentConfigInfo) | Any additional configuration information that needs to be passed to the connector. When the connector is scheduled for execution, the value of the attribute is stored in the file,
Mapping Information |
Attribute Mapping Rules (orclOdipAttributeMappingRules) | Mapping rules for converting data from a connected directory to Oracle Internet Directory. This information is stored as a binary attribute.
ConnectedDirectoryMatchingFilter (orclOdipConDirMatchingFilter) | Attribute to select changes to Oracle Internet Directory that are to be applied to the connected directory.
OIDMatchingFilter (orclOdipOIDMatchingFilter) | Attribute to select changes to the connected directory that are to be applied to Oracle Internet Directory.
Status Information |
LastExecutionTime (orclOdipLastExecutionTime) | Time when synchronization was last carried out. Its format is dd-mon-yyyy hh:mm:ss, where hh is the hour in 24-hour format.
LastSuccessfulExecutionTime (orclOdipLastSuccessfulExecutionTime) | Time of the last successful synchronization, in the format dd-mon-yyyy hh:mm:ss, where hh is the hour in 24-hour format.
Synchronization Status ( | Synchronization status of the last execution: success or failure.
SynchronizationError (orclodipSynchronizationErrors) | Reason for failure if the last execution failed.
Con Dir Last Applied Change Num ( | For import operations, the last change from the connected directory that was applied to Oracle Internet Directory.
OIDLastAppliedChangeNumber (orclOdipLastAppliedChgNum) | For export operations, the last change from Oracle Internet Directory that was applied to the connected directory.
The various synchronization profile entries in the directory are created under the container cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory. For example, a connector called OracleHRAgent is stored in the directory as orclodipagentname=OracleHRAgent,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory.
Although the synchronization profile stores most of the information a connector needs to synchronize Oracle Internet Directory with connected directories, some connectors need more, because some operations require additional configuration information at runtime.
You can store such additional connector configuration information wherever and however you want. However, the Oracle Directory Integration Platform enables you to store it in the synchronization profile as an attribute called orclODIPAgentConfigInfo. Its use is optional--that is, if a connector does not require such information, then the corresponding attribute in the synchronization profile is simply left empty. If such information would be useful, you can load it into this attribute by using the script named oidmuplf.sh. The type and format of the data stored in the additional configuration information attribute are determined by each executable's needs.
This configuration information can pertain to the connector, the connected directory, or both. Oracle Internet Directory and the Oracle directory integration server do not read or modify this information. When the connector is invoked, the Oracle directory integration server simply provides it with the contents of this attribute as a temporary file.
Note: To run shell script tools on the Windows operating system, you need one of the following UNIX emulation utilities:
See Also:
"Location and Naming of Files" for the names of these files.
In a directory synchronization environment, a typical set of entries from one domain can be moved to another domain. Similarly, a set of attributes can be mapped onto another set of attributes.
Mapping rules are the entities that govern the conversion of attributes between a connected directory and Oracle Internet Directory. Each connector stores a set of these rules in the orclodipAttributeMappingRules attribute of its synchronization profile. The Oracle directory integration server uses these rules to map attributes as needed when exporting from the directory and interpreting data imported from a connected directory or file. When the Oracle directory integration server imports changes into Oracle Internet Directory, it converts the connected directory's change record into an LDAP change record following the mapping rules. Similarly, during export, the connector translates Oracle Internet Directory changes to the format understood by the connected directory.
The mapping rules attribute provides a means of specifying domain-level mapping and attribute-level mapping. Its value has the file format described in this section.
Mapping rules are organized in a fixed tabular format, and you must follow that format carefully. Each set of mapping rules appears between a line containing only the word DomainRules and a line containing only the characters ###. The fields within each rule are delimited by a colon (:).

```
DomainRules
srcDomainName1: [dstDomainName1]: [DomainMappingRule1]
srcDomainName2: [dstDomainName2]: [DomainMappingRule2]
AttributeRules
srcAttrName1:[ReqAttrSeq]:[SrcAttrType]:[SrcObjectClass]:[dstAttrName1]:[DstAttrType]:[DstObjectClass]:[AttrMappingRule1]
srcAttrName2:[ReqAttrSeq]:[SrcAttrType]:[SrcObjectClass]:[dstAttrName2]:[DstAttrType]:[DstObjectClass]:[AttrMappingRule2]
###
```

where each srcAttrName1 and srcAttrName2 rule is written as a single, unfolded long line.
The domain rule specifications appear after a line containing only the keyword DomainRules. Each domain rule is represented with the components, separated by colons, that are described in Table 28-2.
The attribute rule specifications appear after a line containing only the keyword AttributeRules. Each attribute rule is represented with the components, separated by colons, that are described in Table 28-3. The attribute rule specifications end with a line containing only the characters ###.
In a newly created synchronization profile, mapping rules are empty. To enter mapping rules, edit a file that strictly follows the correct format.
Here is an example of a mapping file for importing from the Oracle Human Resources database tables by using the tagged-file interface. This example file is supplied during installation, at $ORACLE_HOME/ldap/odi/conf/oraclehragent.map.master.
```
DomainRules
NONLDAP:dc=metaagt,dc=com:uid=%,dc=metaagt,dc=com
AttributeRules
firstname: : : :cn: :person
email : : : :cn: :person: trunc(email,'@')
email : : : :uid: :person:trunc(email,'@')
firstname,lastname: : : :cn: :person: firstname+","+lastname
lastname,firstname: : : :cn: :person: lastname+","+firstname
firstname,lastname: : : :sn: :person: lastname | firstname
EmployeeNumber: : : :employeenumber: :inetOrgperson
EMail: : : :mail: :inetOrgperson
TelephoneNumber1: : : :telephonenumber: :person
TelephoneNumber2: : : :telephonenumber: :person
TelephoneNumber3: : : :telephonenumber: :person
Address1: : : :postaladdress: :person
state: : : :st: :locality
street1: : : :street: :locality
zip: : : :postalcode: :locality
town_or_city: : : :l: :locality
Title: : : :title: :organizationalperson
#Sex: : : :sex: :person
###
```
As described earlier, the mapping file consists of keywords and a set of domain and attribute mapping rule entries. The mapping file in this example contains the domain rule NONLDAP:dc=metaagt,dc=com:uid=%,dc=metaagt,dc=com. This rule implies that the source domain is NonLDAP--that is, there is no source domain.
The destination domain (dc=metaagt,dc=com) implies that all the directory entries this profile deals with are in the domain dc=metaagt,dc=com.
The DomainMappingRule (uid=%,dc=metaagt,dc=com) implies that data from the source refers to the directory entry whose DN is constructed using this rule. In this case, uid must be one of the destination attributes and must always have a non-null value. If the data for an entry to be synchronized has a null value for it, the mapping engine treats the entry as invalid and proceeds to the next entry. To identify the entry correctly in the directory, uid must also be a single-valued attribute.
In some cases, the RDN of the DN needs to be constructed by using the name of a multivalued attribute. For example, to construct an entry with the DN cn=%,l=%,dc=metaagt,dc=com, where cn is a multivalued attribute, the DomainMappingRule can be of the form rdn,l=%,dc=metaagt,dc=com, where rdn is one of the destination attributes having a non-null value. A typical mapping file supporting this could have the following form:
```
DomainRules
NONLDAP:dc=metaagt,dc=com:rdn,l=%,dc=metaagt,dc=com
AttributeRules
firstname: : : :cn: :person
email : : : :cn: :person: trunc(email,'@')
email : : : :rdn: :person: 'cn='+trunc(email,'@')
firstname,lastname: : : :cn: :person: firstname+","+lastname
lastname,firstname: : : :cn: :person: lastname+","+firstname
firstname,lastname: : : :sn: :person: lastname | firstname
EmployeeNumber: : : :employeenumber: :inetOrgperson
EMail: : : :mail: :inetOrgperson
TelephoneNumber1: : : :telephonenumber: :person
TelephoneNumber2: : : :telephonenumber: :person
TelephoneNumber3: : : :telephonenumber: :person
Address1: : : :postaladdress: :person
Address1: : : :postaladdress: :person
Address1: : : :postaladdress: :person
state: : : :st: :locality
street1: : : :street: :locality
zip: : : :postalcode: :locality
town_or_city: : : :l: :locality
Title: : : :title: :organizationalperson
#Sex: : : :sex: :person
###
```
In the attribute mapping rule firstname: : : :cn: :person, the fields have these meanings:
- SrcAttrName: firstname (name of the original attribute)
- ReqAttrSeq: empty (if the attribute is not found, mapping can still continue)
- SrcAttrType: empty (not required)
- SrcObjectClass: empty (not required)
- DstAttrName: cn (name of the attribute as it appears in Oracle Internet Directory)
- DstAttrType: empty (not required)
- DstObjectClass: person (object class to which the attribute belongs; mandatory when using an import with the tagged-file interface)
Similarly, the rule email: : : :cn: :person: trunc(email,'@') applies the mapping rule of truncating email at the '@' character and storing the remaining part as cn.
You can customize mapping rules by adding new ones, modifying the existing ones, or deleting the existing ones by modifying the file. If the mapping rules are not available in a file, the attribute value can be downloaded to a file by using ldapsearch as described in "ldapsearch Syntax". The entry to be searched for is orclodipagentname=ProfileName,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory, for the attribute orclodipattributemappingrules.
Mapping rules are flexible: they can include both one-to-many and many-to-one mappings.
One attribute in a connected directory can map to many attributes in Oracle Internet Directory. For example, suppose an attribute in the connected directory is Address:123 Main Street/MyTown, MyState 12345. You can map this attribute in Oracle Internet Directory to both the LDAP attribute homeAddress and the LDAP attribute postalAddress.
Multiple attributes in a connected directory can map to one attribute in Oracle Internet Directory. For example, suppose that the Oracle Human Resources directory represents Anne Smith by using two attributes: firstname=Anne and lastname=Smith. You can map these two attributes to one attribute in Oracle Internet Directory: cn=Anne Smith.
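A parser and mapper for this file format, as an added example (not Oracle's own code): it reads a constructed subset of the oraclehragent rules, applies the attribute rules to a source record (the many-to-one cn and sn rules and the multi-valued telephonenumber case included), builds the DN from the domain mapping rule in both the uid=% and the rdn forms, and skips the entry when the DN attribute is null or multi-valued, as required above. The semantics of '|', '+' and trunc are my reading of the page's examples, not documented behaviour, and all function names are assumptions.

```python
import re

# Constructed mapping file; the rules are a subset of this page's oraclehragent example.
MAPPING_FILE = """DomainRules
NONLDAP:dc=metaagt,dc=com:uid=%,dc=metaagt,dc=com
AttributeRules
email : : : :uid: :person:trunc(email,'@')
firstname,lastname: : : :cn: :person: firstname+","+lastname
firstname,lastname: : : :sn: :person: lastname | firstname
TelephoneNumber1: : : :telephonenumber: :person
TelephoneNumber2: : : :telephonenumber: :person
#Sex: : : :sex: :person
###
"""

def parse_mapping_rules(text):
    """Return (domain_rules, attribute_rules); '#' lines are comments, '###' ends the set."""
    domain, attrs, section = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "###":
            break
        if not line or line.startswith("#"):
            continue
        if line in ("DomainRules", "AttributeRules"):
            section = line
            continue
        f = [x.strip() for x in line.split(":")]     # colon-delimited fields
        if section == "DomainRules":
            domain.append({"src": f[0], "dst": f[1], "rule": f[2]})
        elif section == "AttributeRules":
            f += [""] * (8 - len(f))                  # AttrMappingRule is optional
            attrs.append({"src": f[0].split(","), "dst": f[4],
                          "dst_oc": f[6], "rule": f[7]})
    return domain, attrs

# Tokens of an AttrMappingRule: trunc(attr,'c'), a quoted literal, or an attribute name.
_TOKEN = re.compile(r"""trunc\((\w+),'(.)'\)|'([^']*)'|"([^"]*)"|(\w+)""")

def eval_rule(expr, record):
    """Assumed semantics: '|' takes the first alternative that yields a value,
    '+' concatenates, trunc(a,'c') keeps the part of a before the first c."""
    for alt in expr.split("|"):
        parts = []
        for m in _TOKEN.finditer(alt):
            tattr, tchar, sq, dq, name = m.groups()
            if tattr:
                parts.append(record.get(tattr, "").split(tchar)[0])
            elif sq is not None or dq is not None:
                parts.append(sq if sq is not None else dq)
            else:
                parts.append(record.get(name, ""))
        value = "".join(parts)
        if value:
            return value
    return ""

def map_record(rules, record):
    """Apply the attribute rules to one record and build the DN from the domain rule.
    Returns (dn, attrs), or None when a DN attribute is null or has several values."""
    domain, attr_rules = rules
    attrs = {}
    for r in attr_rules:
        value = eval_rule(r["rule"], record) if r["rule"] else record.get(r["src"][0], "")
        if value and value not in attrs.setdefault(r["dst"], []):
            attrs[r["dst"]].append(value)          # a multi-valued dst collects every rule
    dn = []
    for comp in domain[0]["rule"].split(","):
        if comp.endswith("=%"):                   # attr=% : substitute the attribute value
            values = attrs.get(comp[:-2], [])
        elif "=" not in comp:                     # bare name: the attribute holds the RDN
            values = attrs.get(comp, [])
        else:
            dn.append(comp)
            continue
        if len(values) != 1:                      # null or ambiguous: skip this entry
            return None
        dn.append(comp[:-1] + values[0] if comp.endswith("=%") else values[0])
    return ",".join(dn), attrs
```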
See Also:
"Default Oracle Human Resources Connector Mapping Rules" for an example of mapping rules.
You can customize mapping rules by adding new ones, modifying existing ones, or deleting some from the mapping rule set specified in the orclodipAttributeMappingRules attribute. In general, to perform any of these operations, you identify the file containing the mapping rules, or store the value of the attribute to a file by using an ldapsearch command as described in "ldapsearch Syntax".
OrclodipAttributeMappingRules is a single-valued attribute in the directory and it must follow a fixed format. You cannot edit the mapping rules in Oracle Directory Manager. Instead, mapping rules are stored in a file that you upload to the directory as the value of the attribute. To upload the mapping file, use the utility oidmuplf.sh. Once you have created and uploaded the mapping file, you can maintain a copy of it in the $ORACLE_HOME/ldap/odi/conf directory, and upload it again after any future update.
To add a new entry to the mapping rules file, edit this file and add a record to it. To do this:
After you identify an entry to be modified in the mapping rules file, generate the mapping rule element for the desired conversion of attribute values. Then use the oidmuplf.sh tool to load the attribute mapping rule file into the synchronization profile.
After you identify an entry to be deleted in the mapping rules file, you can either delete the entry from the file or comment it out by putting a hash mark (#) in front of it. Then use the oidmuplf.sh tool to load the attribute mapping rule file into the synchronization profile.
Note: To run shell script tools on the Windows operating system, you need one of the following UNIX emulation utilities:
Table 28-4 tells you where to find the various files and what names to use:
For example, the datafile name of the Oracle Human Resources agent is oraclehrprofile.dat.
This section contains these topics:
This section tells you how to register and deregister a profile by using Oracle Directory Manager.
Oracle Directory Manager enables you to register a profile in one of two ways:
To register a profile:
Field | Description
---|---
Mapping Rules | This field displays the mapping rules for converting data between a connected directory and Oracle Internet Directory. There is no default. Note: You cannot edit the mapping rules file by using Oracle Directory Manager. You edit the mapping rules in a file manually and then upload it to the profile by using the provided script,
OIDMatchingRule | Specify the attribute that uniquely identifies records in Oracle Internet Directory. This attribute is used as a key to synchronize Oracle Internet Directory and the connected directory. This field is optional.
ConnectedDirectorymatchingRule | Specify the attribute that uniquely identifies an entry in the connected directory.
To delete a connector:
This section tells you how to register and deregister profiles. It contains these topics:
You can create a synchronization profile by using the command-line tool oidmcrep.sh. This tool is in the directory $ORACLE_HOME/ldap/admin/.
You can deregister a synchronization profile by using the command-line tool oidmdelp.sh. This tool is in the directory $ORACLE_HOME/ldap/admin/.
Note: To run shell script tools on the Windows operating system, you need one of the following UNIX emulation utilities:
Copyright © 1999, 2002 Oracle Corporation. All Rights Reserved.