Integrating Oracle Portal and Microsoft Active Directory - PowerPoint PPT presentation
Slides: 44
Provided by: CraigR9
Learn more at: http://www.nyoug.org

Transcript and Presenter's Notes

1
Integrating Oracle Portal and Microsoft Active Directory
Larry Meets Bill
Presented By Craig Warman - Computer Resource Team, Inc. (USA)
2
Paper Section 1
Overview of What's Ahead
Oracle Portal 10g utilizes Oracle Internet Directory (OID) as its repository for user identity management. Many organizations, however, have standardized on Microsoft Active Directory (AD) to manage user credentials.
3
Paper Section 1
Overview of What's Ahead
This presentation describes how Oracle Directory Integration and Provisioning can be utilized to enable synchronization between OID and AD, including:
- Establishment of Synchronization Profiles
- When to modify mapping files
- Synchronization startup and "bootstrapping"
- Deployment of the Oracle-supplied Active Directory External Authentication Plug-in
- Windows Native Authentication for zero sign-on capability (brief discussion)
4
Paper Section 2
Three-Tier Deployment
5
Paper Section 2
Three-Tier Deployment
Client Tier
Application Server Tier
Database Tier: Customer Database Instance(s)
Infrastructure Providing Centralized Services
This collection of application server installations, infrastructures, and customer databases is called an Application Server Enterprise.
6
Paper Section 2
The Infrastructure Server
A type of 9iAS installation that provides centralized:
- Security and management services
- Configuration information
- Data repositories
It must be installed into its own Oracle Home. In many production installations it resides on its own physical server.
7
Paper Section 2
The Infrastructure Server
Enables users to access multiple accounts and applications with a single username and password.
8
Paper Section 2
The Infrastructure Server
Single Sign-On stores and manages its information using calls to OID.
9
Paper Section 2
The Infrastructure Server
Applications that directly delegate authentication to the SSO server are known as Partner Applications: Oracle Portal, Forms, Reports, Discoverer.
Uses browser-based cookies to help manage user sessions.
10
Paper Section 2
The Infrastructure Server
A Lightweight Directory Access Protocol (LDAP) compliant directory service.
Provides centralized storage of information about users, groups, applications, and resources.
11
Paper Section 2
The Infrastructure Server
Provides OID's information storage.
12
Paper Section 2
The Infrastructure Server
Oracle 9iAS Single Sign-On
Oracle Directory Integration Platform: enables synchronization between OID and various third-party directories such as Netegrity, iPlanet, Microsoft Active Directory, and others.
Oracle Internet Directory
Metadata Repository
13
The Directory Integration and Provisioning (DIP) Tool
Paper Section 3
Enables synchronization between OID and other LDAP repositories. Includes a connector specifically for one-way or two-way synchronization with Microsoft Active Directory.
Important Note: This connector cannot extract passwords from the AD repository, so the Oracle-supplied Active Directory External Authentication Plug-in must be utilized in order to validate user-supplied passwords behind the scenes during a user login sequence.
14
Active Directory Account For Synchronization
Paper Section 4
An Active Directory account capable of reading user and group profiles must be established for use by OID DIP during the synchronization process. We'll create and use an account called OIDTEST@crtinc.com with Welcome1 as the password for this purpose.
Additionally, the account must have List Contents and Read Properties permission on the cn=Deleted Objects container so that it can synchronize user deletions back to OID. This may be accomplished by granting the account Domain Administrative privileges, by making it a member of the Domain Administrators group, or by granting it Replicate Directory Changes permission; the last of these confers far fewer rights than Domain Administrator membership.
15
Synchronization Profile Creation
Paper Section 5
Invoke the Oracle Directory Integration and Provisioning Server Administrator console:
- On Windows: accessed through the Windows Start menu, under Programs > Oracle Infrastructure (home) > Integrated Management Tools > Oracle Directory Integration and Provisioning Server Administration.
- On Unix: dipassistant -gui
Login using the orcladmin account. The Oracle Directory Integration and Provisioning Server Administrator console window will appear.
Detailed information about this tool appears in Chapter 3 of the Oracle Identity Management Integration Guide, which is available online at http://download-east.oracle.com/docs/cd/B14099_04/manage.1012/b14085/diptools.htm
16
Synchronization Profile Creation
Paper Section 5
Select Active Directory Configuration in the System Objects list on the left-hand side of the window. An Express Configuration form will appear on the right-hand side of the window. Here's how to fill in the fields.
Click the Apply button once entries are complete. A confirmation dialogue should then appear.
Note that any Connector Name may be supplied (the value New is shown in this example); the Import Profile Name and Export Profile Name values are then generated based on that name.
17
Synchronization Profile Creation
Paper Section 5
Select Configuration Set 1 in the System Objects list on the left-hand side of the window. Next, select the Import version of the newly-created profile on the right-hand side of the window, and click the Edit button.
18
Synchronization Profile Creation
Paper Section 5
A tabbed window will appear for the currently-selected profile. The following changes should be made:
- Be sure to change the Profile Status to ENABLE.
- The Scheduling Interval and Maximum Number of Retries values may be adjusted to determine the synchronization frequency and maximum number of retry errors before failure, respectively.
19
Synchronization Profile Creation
Paper Section 5
- The Active Directory account and password may be modified using the Connected Directory Account and Connected Directory Account Password fields.
20
Synchronization Profile Creation
Paper Section 5
21
Synchronization Profile Creation
Paper Section 5
- Check this field periodically to ensure that synchronizations are succeeding.
- Click the OK button to save any changes.
- The Bootstrap Status will be set to BOOTSTRAP SUCCESSFUL after completing the instructions in this presentation.
22
Profile Mapping (optional)
Paper Section 6
If the Active Directory structure used by the organization is non-standard or complex (such as one that spans multiple domains or employs an unusual group hierarchy) then the mapping may need modification. The Domain Rules in the .map file define the mapping characteristics between AD and OID. Each rule defines one mapping. A basic configuration will need only one rule, but if the mapping is complex then multiple rules may be defined.
Detailed information about mapping files can be obtained from Metalink note 261342.1, available online at http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=261342.1
23
Profile Mapping (optional)
Paper Section 6
The Oracle Directory Integration and Provisioning Server Administrator generates these files. They are located in the ldap\odi\conf directory of the current Oracle Home, and are named such that they match the profile to which they correspond.
24
Profile Mapping (optional)
Paper Section 6
If the mapping files change then dipassistant must be invoked from the command line, making certain to have first set the ORACLE_HOME environment variable:
dipassistant modifyprofile -port 13061 -profile NewImport -D "cn=orcladmin" -w admin01 odip.profile.mapfile=NewImport.map
Substitute as highlighted.
The following message should be displayed:
Profile successfully modified.
25
Bootstrap Execution
Paper Section 7
An initial migration of data from AD to OID (called a "bootstrap") is made by invoking dipassistant from the command line, making certain to have first set the ORACLE_HOME environment variable:
dipassistant bootstrap -port 13061 -profile NewImport -D "cn=orcladmin" -w admin01
Substitute as highlighted.
26
Bootstrap Execution
Paper Section 7
Messages similar to the following should be displayed:
-----------------------------------------------
Bootstrapping in progress.....
Bootstrapping completed.
entries read ..................... 125
entries filtered ................. 0
entries ignored .................. 0
successfully processed entries ... 125
failures ......................... 0
Please see the log file for more information.
-----------------------------------------------
Updating the profile's last change number .....
Done.
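As an added example (not part of the original presentation), a small Python check that parses a dipassistant bootstrap summary like the one above and flags what a practitioner would want to catch before trusting the migration: non-zero failures, counters that do not add up, or a run that never reported completion. The sample text and the assumed relationship read = processed + filtered + ignored + failures are modelled on the slide, not taken from Oracle documentation.

```python
import re

# Constructed sample of dipassistant bootstrap output, modelled on the message
# block shown on the slide; the counter values (125 read, 0 failures) are the slide's own.
SAMPLE_OUTPUT = """\
-----------------------------------------------
Bootstrapping in progress.....
Bootstrapping completed.
entries read ..................... 125
entries filtered ................. 0
entries ignored .................. 0
successfully processed entries ... 125
failures ......................... 0
Please see the log file for more information.
-----------------------------------------------
Updating the profile's last change number .....
Done.
"""

# Each counter line is "<label> ... <number>"; the dot padding varies in width.
COUNTERS = {
    "read": r"^entries read\s*\.*\s*(\d+)",
    "filtered": r"^entries filtered\s*\.*\s*(\d+)",
    "ignored": r"^entries ignored\s*\.*\s*(\d+)",
    "processed": r"^successfully processed entries\s*\.*\s*(\d+)",
    "failures": r"^failures\s*\.*\s*(\d+)",
}


def parse_bootstrap_summary(text):
    """Return the five counters as ints; raise ValueError if one is missing."""
    counts = {}
    for name, pattern in COUNTERS.items():
        m = re.search(pattern, text, re.IGNORECASE | re.MULTILINE)
        if m is None:
            raise ValueError(f"counter '{name}' not found in bootstrap output")
        counts[name] = int(m.group(1))
    return counts


def bootstrap_problems(text):
    """List the reasons a bootstrap run should not be trusted; an empty list means clean."""
    problems = []
    if "Bootstrapping completed." not in text:
        problems.append("bootstrap did not report completion")
    if "last change number" not in text or "Done." not in text:
        problems.append("profile last change number was not updated")
    try:
        c = parse_bootstrap_summary(text)
    except ValueError as err:
        problems.append(str(err))
        return problems
    if c["failures"] > 0:
        problems.append(f"{c['failures']} entries failed; inspect the DIP log file")
    # Assumption: every entry read is either processed, filtered, ignored or failed.
    if c["processed"] + c["filtered"] + c["ignored"] + c["failures"] != c["read"]:
        problems.append("counters do not add up to entries read")
    if c["processed"] == 0:
        problems.append("no entries processed; check the connected directory account and mapping")
    return problems


if __name__ == "__main__":
    print(bootstrap_problems(SAMPLE_OUTPUT) or "bootstrap looks clean")
```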
27
Bootstrap Execution
Paper Section 7
Upon completion of the bootstrap process, return to the Oracle Directory Integration and Provisioning Server Administrator console and click the Refresh button. Select and Edit the current profile, then check the Status tab to see that the bootstrap success was recorded.
Refresh button
Check here for bootstrap success
28
Bootstrap Execution
Paper Section 7
Invoke the Oracle Directory Manager console to examine the migrated user and group entries:
- On Windows: accessed through the Windows Start menu, under Programs > Oracle Infrastructure (home) > Integrated Management Tools > Oracle Directory Manager.
- On Unix: oidadmin
Login using the orcladmin account. Migrated user and group entries appear under the Entry Management fork, typically starting with dc=com and working backwards through the domain name string.
29
Synchronization Startup
Paper Section 8
The directory integration and provisioning server is started by executing the following from the command line, making certain to have first set the ORACLE_HOME environment variable:
oidctl connect=iasdb server=odisrv instance=2 configset=1 flags="port=13061" start
30
Synchronization Startup
Paper Section 8
In the oidctl command above, substitute the SQL*Net connect string to the infrastructure's metadata repository (Oracle database) for the connect= value.
31
Synchronization Startup
Paper Section 8
Note that the values in the oidctl command above may need substitution depending on your particular configuration.
32
Synchronization Startup
Paper Section 8
This process will be maintained by the Oracle Process Monitor (OPMN) from this point forward, so it should not require manual startup/shutdown beyond this initial deployment.
Refresh button
Check here for synchronization success
33
Profile Configuration Changes (optional)
Paper Section 9
Profile configuration changes may be needed whenever a long period of time elapses after the most recent successful synchronization.
The Oracle Directory Integration and Provisioning Server Administrator console generates the configuration file. This file is located in the ldap\odi\conf directory of the current Oracle Home, and is named such that it matches the profile to which it corresponds.
Detailed information about how and when to modify this file can be obtained from Metalink note 312691.1, available online at http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=261342.1
34
Profile Configuration Changes (optional)
Paper Section 9
If the configuration file changes then dipassistant must be invoked from the command line, making certain to have first set the ORACLE_HOME environment variable:
dipassistant modifyprofile -port 13061 -profile NewImport -D "cn=orcladmin" -w admin01 odip.profile.configfile=NewImport.cfg
Substitute as highlighted.
The following message should be displayed:
Profile successfully modified.
35
Active Directory External Authentication Plug-In
Paper Section 10
This plug-in validates user-supplied passwords with AD "behind the scenes" during a user login sequence. Important: these steps involve execution of Unix shell scripts. When installation takes place on a Windows platform, it will be necessary to obtain an emulation utility such as Cygwin.
Detailed information about this process appears in Chapter 16 of the Oracle Identity Management Integration Guide, which is available online at http://download-east.oracle.com/docs/cd/B14099_04/manage.1012/b14085/odip_actdir.htm#CHDIEJEF
Execute the oidspadi.sh script from within the Unix emulation utility, making certain to have first set the ORACLE_HOME environment variable.
36
Active Directory External Authentication Plug-In
Paper Section 10
export ORACLE_HOME="d:\oracle\infsrv"
cd $ORACLE_HOME/ldap/admin
sh oidspadi.sh
------------------------------------------
OID Active Directory Plug-in Configuration
------------------------------------------
Please make sure Database and OID are up and running.
Please enter Active Directory host name: shuttle.crtinc.com
Do you want to use SSL to connect to Active Directory? (y/n): n
Please enter Active Directory port number [389]: 389
Do you want to setup the backup Active Directory for failover? (y/n): n
Please enter DB connect string: iasdb
Please enter ODS password: admin01
Please enter confirmed ODS password: admin01
Please enter orcladmin password: admin01
Please enter confirmed orcladmin password: admin01
Please enter the subscriber common user search base: cn=Users,dc=crtinc,dc=com
Please enter the Plug-in Request Group DN:
Please enter the exception entry property: (!(objectclass=orcladuser))
Procedure created. No errors.
Procedure created. No errors.
No errors.
No errors.
Registering Plug-ins ...
adding new entry cn=adwhencompare,cn=plugin,cn=subconfigsubentry
adding new entry cn=adwhenbind,cn=plugin,cn=subconfigsubentry
------------------------------------------------------
Done.
------------------------------------------------------
Substitute as highlighted.
The exception entry property tells the connector to avoid authenticating users defined by Oracle (e.g. if they didn't get migrated from Active Directory then don't try to authenticate them there). Without this it won't be possible for users such as portal or orcladmin to log in!
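The exception entry property is the answer in this dialogue most likely to lock administrators out, so here is an added example (not Oracle's plug-in code and not from the presentation) that models the routing decision it controls: a minimal evaluator for the LDAP filter syntax used on the slide, and a function reporting whether a given OID entry would be authenticated against its locally stored password or against Active Directory. The sample entries, and the assumption that migrated users carry the orcladuser object class, are constructed for illustration.

```python
# Model of how the exception entry property steers the Active Directory external
# authentication plug-in (an illustration, not Oracle's implementation): entries
# that match the exception filter keep being authenticated against the password
# stored in OID; every other entry is bound against Active Directory.
# Supported filter subset: (attr=value), (attr=*), (!F), (&F1F2...), (|F1F2...).

EXCEPTION_FILTER = "(!(objectclass=orcladuser))"  # the value entered on the slide


def _split_children(body):
    """Split the inside of (&...) or (|...) into its top-level (...) items."""
    items, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                items.append(body[start:i + 1])
    if depth != 0:
        raise ValueError(f"unbalanced parentheses in filter: {body!r}")
    return items


def match(entry, flt):
    """Evaluate an LDAP search filter against an entry (dict: lowercase attr -> list of values)."""
    if len(flt) < 3 or not (flt.startswith("(") and flt.endswith(")")):
        raise ValueError(f"malformed filter: {flt!r}")
    body = flt[1:-1]
    if body[0] == "!":
        return not match(entry, body[1:])
    if body[0] == "&":
        return all(match(entry, child) for child in _split_children(body[1:]))
    if body[0] == "|":
        return any(match(entry, child) for child in _split_children(body[1:]))
    attr, sep, value = body.partition("=")
    if not sep:
        raise ValueError(f"unsupported filter item: {flt!r}")
    values = [v.lower() for v in entry.get(attr.lower(), [])]
    if value == "*":                   # presence test
        return bool(values)
    return value.lower() in values     # equality, compared case-insensitively in this model


def auth_source(entry, exception_filter=EXCEPTION_FILTER):
    """'oid' if the entry is excepted (local password check), otherwise 'ad'."""
    return "oid" if match(entry, exception_filter) else "ad"


# Constructed sample entries: an Oracle-defined administrator, and a user migrated
# from AD (assumed to carry the orcladuser object class added by the import mapping).
ORCLADMIN = {"cn": ["orcladmin"], "objectclass": ["top", "person", "orcluser"]}
MIGRATED = {"cn": ["jsmith"], "objectclass": ["top", "person", "orcluser", "orcladuser"]}

if __name__ == "__main__":
    for name, entry in (("orcladmin", ORCLADMIN), ("jsmith", MIGRATED)):
        print(name, "->", auth_source(entry))
    # With an exception filter that matches nothing, orcladmin would be sent to AD.
    print("orcladmin, no usable exception ->", auth_source(ORCLADMIN, "(objectclass=nomatch)"))
```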
37
Active Directory External Authentication Plug-In
Paper Section 10
Upon completion of the plug-in deployment process, return to the Oracle Directory Manager console and navigate to the Plug-In Management fork. Make sure that the Plug-in Enable property is set for both adwhencompare and adwhenbind.
Be sure the Plug-In Enable property is set here and here.
38
Testing
Paper Section 11
At this point OID has been populated with an initial set of users and groups via bootstrap migration from Active Directory.
The Oracle Directory Integration and Provisioning tool has been configured such that it will use the Active Directory Connector to keep this information synchronized. The Oracle Directory Server has been directed to authenticate users migrated from Active Directory using the Oracle-supplied Active Directory External Authentication Plug-in.
39
Testing
Paper Section 11
It should now be possible to log in to Oracle Portal using one of the migrated Active Directory users. Do this by entering the following URL into a browser: http://machine name:port/pls/portal
40
Testing
Paper Section 11
Log in with one of the migrated Active Directory user accounts, using its current AD password. Note that the username should be of the form name@ad_domain.com.
Substitute as highlighted.
41
Windows Native Authentication (WNA)
Paper Section 12
This feature allows users to authenticate with their desktop credentials when using Internet Explorer (only). It passes a Kerberos session ticket through the browser to the Oracle SSO server as a background operation. The login process is automatic, and is thus sometimes called "Zero Authentication".
Step-by-step setup instructions are provided in the Windows Native Authentication OBE document, which is available online at http://www.oracle.com/technology/obe/obe_as_10g/im/wna/wna.htm
The Active Directory / OID synchronization and External Authentication configuration steps outlined in this presentation satisfy the prerequisites for setting up WNA.
42
Paper Section 12
Summary
This presentation described how Oracle Directory Integration and Provisioning can be utilized to enable synchronization between OID and AD, including:
- Establishment of Synchronization Profiles
- When to modify mapping files
- Synchronization startup and "bootstrapping"
- Deployment of the Oracle-supplied Active Directory External Authentication Plug-in
- Windows Native Authentication for zero sign-on capability (brief discussion)
43
Integrating Oracle Portal and Microsoft Active Directory
Presented By Craig Warman - Computer Resource Team, Inc. (USA)