Thursday, May 22, 2008

How to migrate data from AD to OID




PURPOSE
=======
To show how data can be migrated from Windows Active Directory (AD) to an Oracle Identity Management (OID) server.

SCOPE & APPLICATION
===================
This note is for Oracle Apps administrators and developers.


Create an AD Import Synchronization Profile
The AD Import Synchronization profile maintains configuration information such as the AD host, the AD port, and the mapping of AD user and group entries to OID entries,

Mapping File Preparation
Directory synchronization requires identifying and mapping user containers from AD to OID. The mapping file specifies the rules for generating OID entries from AD entries, and the specification for generating each OID user entry attribute value from one or more AD attributes.
Cell's AD directory information tree contains a user container for each business unit. It is necessary to identify all user containers in AD that map to the user container in OID.
A mapping rule specification contains a "Domain Rules" section and an "Attribute Rules" section. The domain rules specify the user container mapping. The attribute rules specify the user entry attribute mapping: either a straight copy or a composite value generated from several AD attribute values.
The Domain Rule mapping specification used for the development environment is, for example:
OU=Pilot Users,OU=Pilot,OU=Business Units,DC=Celldev,DC=dev,DC=bce,DC=ca : cn=Users,dc=Cellnet,dc=Cell,dc=ca : cn=%,cn=Users,dc=Cellnet,dc=Cell,dc=ca
The above rule specifies that the AD container OU=Pilot Users maps to the OID user container cn=Users; the third field is the DN pattern for each generated OID entry, where "%" is replaced by the mapped RDN value.
AD attribute               | OID attribute(s)                        | Additional information
---------------------------|-----------------------------------------|---------------------------------------------
ObjectGUID                 | OrclADUser : OrclobjectGUID             | Indexed
ObjectSID                  | OrclADUser : OrclobjectSID              |
OrganizationalUnit : ou    | OrganizationalUnit : ou                 |
User : SAMAccountName      | OrclContainer : cn                      |
Domain : dc                | Domain : dc                             |
User : userPrincipalName   | OrclADUser : orclUserPrincipalName      |
                           | InetOrgPerson : orclUserPrincipalName   |
                           | OrclUserV2 : krbPrincipalName           | Optional in OID. Mandatory for WNA.
                           |                                         | If empty, use "SAMAccountName" concatenated with the string "@Cell.corp.bce.la".
User : SAMAccountName      | OrclADUser : OrclSAMAccountName         |
                           | Person : sn                             | Indexed, Mandatory.
                           |                                         | If empty, use the AD "userPrincipalName" value truncated after the "@" character.
Person : givenName         | OrclUserV2 : displayName                |
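The following is an added, stand-alone dry run of the mapping rules above (the domain rule and the two attribute fallbacks); it is not DIP's own code and not part of the original note. It re-implements the rules in Python over constructed AD entries so that a mapping file can be checked for entries that would be filtered out, land in no domain rule, or fail a mandatory attribute before the profile is bootstrapped. The sample DNs, GUIDs and SIDs are constructed, and treating sAMAccountName as the RDN value that fills "%" is an assumption taken from the table's cn mapping.

```python
"""Dry run of the AD -> OID mapping rules (illustration, not DIP code)."""

# Domain rule from the mapping file: (AD container, OID container, OID DN pattern).
DOMAIN_RULES = [
    ("OU=Pilot Users,OU=Pilot,OU=Business Units,DC=Celldev,DC=dev,DC=bce,DC=ca",
     "cn=Users,dc=Cellnet,dc=Cell,dc=ca",
     "cn=%,cn=Users,dc=Cellnet,dc=Cell,dc=ca"),
]
# Realm suffix appended to sAMAccountName when userPrincipalName is empty (from the table).
KRB_SUFFIX = "@Cell.corp.bce.la"


def in_scope(entry):
    """Mirror the profile filter (&(objectclass=user)(!(objectclass=computer)))."""
    classes = {c.lower() for c in entry.get("objectClass", [])}
    return "user" in classes and "computer" not in classes


def parent_dn(dn):
    """Container part of a DN: everything after the first RDN."""
    return dn.split(",", 1)[1]


def find_rule(ad_dn):
    """Match the entry's container against the domain rules (DNs compare case-insensitively)."""
    container = parent_dn(ad_dn).lower()
    for rule in DOMAIN_RULES:
        if rule[0].lower() == container:
            return rule
    return None


def map_entry(ad):
    """Return (oid_entry, problems); oid_entry is None if the entry is skipped or invalid."""
    if not in_scope(ad):
        return None, ["skipped: not a user object, or a computer account"]
    rule = find_rule(ad["dn"])
    if rule is None:
        return None, ["skipped: no domain rule for container " + parent_dn(ad["dn"])]

    problems = []
    sam = ad.get("sAMAccountName", "")
    upn = ad.get("userPrincipalName", "")
    if not sam:
        problems.append("sAMAccountName missing: cannot form the OID cn / DN")
    krb = upn or (sam + KRB_SUFFIX)             # optional in OID, mandatory for WNA
    sn = ad.get("sn") or upn.split("@", 1)[0]   # sn is mandatory in OID
    if not sn:
        problems.append("sn missing and no userPrincipalName to derive it from")
    if problems:
        return None, problems

    oid = {
        "dn": rule[2].replace("%", sam),  # assumption: sAMAccountName fills the "%" RDN
        "objectClass": ["inetOrgPerson", "orclUserV2", "orclADUser"],
        "cn": sam,
        "orclObjectGUID": ad["objectGUID"],
        "orclObjectSID": ad["objectSID"],
        "orclSAMAccountName": sam,
        "orclUserPrincipalName": upn,
        "krbPrincipalName": krb,
        "sn": sn,
        "displayName": ad.get("givenName", ""),
    }
    return oid, problems


# Constructed sample AD entries (not real directory data).
PILOT = "OU=Pilot Users,OU=Pilot,OU=Business Units,DC=Celldev,DC=dev,DC=bce,DC=ca"
SAMPLE_AD = [
    {"dn": "CN=Alice Example," + PILOT, "objectClass": ["top", "person", "user"],
     "objectGUID": "guid-0001", "objectSID": "S-1-5-21-0-0-0-1001",
     "sAMAccountName": "aexample", "userPrincipalName": "aexample@celldev.dev.bce.ca",
     "sn": "Example", "givenName": "Alice"},
    {"dn": "CN=Bob NoSurname," + PILOT, "objectClass": ["top", "person", "user"],
     "objectGUID": "guid-0002", "objectSID": "S-1-5-21-0-0-0-1002",
     "sAMAccountName": "bnosurname", "userPrincipalName": "bnosurname@celldev.dev.bce.ca",
     "givenName": "Bob"},                       # sn absent: fallback from UPN applies
    {"dn": "CN=WS01," + PILOT, "objectClass": ["top", "user", "computer"],
     "objectGUID": "guid-0003", "objectSID": "S-1-5-21-0-0-0-1003",
     "sAMAccountName": "WS01$"},                # computer account: excluded by the filter
    {"dn": "CN=Carol Bare," + PILOT, "objectClass": ["top", "person", "user"],
     "objectGUID": "guid-0004", "objectSID": "S-1-5-21-0-0-0-1004",
     "sAMAccountName": "cbare"},                # no sn and no UPN: mandatory sn fails
]


def dry_run(entries=SAMPLE_AD):
    """Map every entry; return (mapped OID entries, {AD dn: problems}) for review."""
    mapped, report = [], {}
    for ad in entries:
        oid, problems = map_entry(ad)
        if oid is not None:
            mapped.append(oid)
        if problems:
            report[ad["dn"]] = problems
    return mapped, report


if __name__ == "__main__":
    mapped, report = dry_run()
    for e in mapped:
        print("OK  ", e["dn"], "sn=%s krb=%s" % (e["sn"], e["krbPrincipalName"]))
    for dn, problems in report.items():
        print("SKIP", dn, "; ".join(problems))
```

Running the script lists the two entries that would be created and the two that would be skipped, with the reason for each; the "Carol" case is the one to look for in practice, since an entry that cannot satisfy the mandatory sn rule is silently missing from OID after bootstrap rather than failing loudly.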


Managing Large Mapping Files
The DIP profile schema attribute that stores the mapping file contents is "orclODIPAttributeMappingRules". This attribute is of type "Directory String", and it is possible to exceed its size constraints when storing a large amount of data, viz. a large set of mapping rules. Modify the attribute type to "Binary" to accommodate large mapping files.


Upload the Mapping File to the AD Import Profile
Oracle 10g Identity Management provides an out-of-the-box Active Directory integration profile for IMPORT and EXPORT of directory information. Cell environments will be configured for IMPORT only.
Use the "dipassistant" command to set up the IMPORT "ActiveChgImp" profile. For additional information on the command refer to the "
    dipassistant mp \
        -host $OID_HOST -port $OID_PORT \
        -D "$OID_BIND_DN" -passwd $OID_BIND_PWD \
        -profile ActiveChgImp \
        odip.profile.syncmode=IMPORT \
        odip.profile.status=DISABLE \
        odip.profile.schedinterval=60 \
        odip.profile.retry=5 \
        odip.profile.condiraccount="$AD_BIND_DN" \
        odip.profile.condirpassword=$AD_BIND_PWD \
        odip.profile.condirurl=$AD_HOST_FQDN_1":"$AD_HOST_PORT \
        odip.profile.interface=LDAP \
        odip.profile.condirfilter='searchfilter=(&(objectclass=user)(!(objectclass=computer)))' \
        odip.profile.oidfilter=orclObjectGUID \
        odip.profile.mapfile=<mapping file absolute path>
The profile is created with status DISABLE so that scheduled synchronization does not start before the bootstrap below has run; the condirfilter excludes computer accounts, and oidfilter=orclObjectGUID is the key used to match an AD entry to its OID entry.


Configure ODISrv

Use the following to install a DIP server entry:
    oidctl connect=<tnsnames entry to Security DB> \
           server=odisrv \
           instance=2 \
           configset=1 \
           flags="host=<oid virtual hostname> port=389 debug=00" \
           start
To de-install the DIP server entry use the command:
    oidctl connect=<tnsnames entry to Security DB> \
           server=odisrv \
           instance=2 \
           stop
The DIP server entry is installed only once. The DIP server itself can then be started and stopped with the opmnctl commands:
    opmnctl stopproc ias-component=OID
    opmnctl startproc ias-component=OID



Bootstrap OID Using the AD Import Profile
Bootstrapping from AD to OID is done using the configured profile. The bootstrap process checks OID for a corresponding entry for each AD user; if none exists, it creates one using the mapping rules specified in the profile. Existing OID entries are not touched by the bootstrap process.
Use the following command to bootstrap:
    dipassistant bootstrap \
        -host $OID_HOST -port $OID_PORT \
        -dn "$OID_BIND_DN" -passwd $OID_BIND_PWD \
        -profile ActiveChgImp