Configure ISW => DIP migration, Configure DIP with OUD <=> AD mappings – Part 5.


Note: Mapping is still a work in progress and will be fully updated once completed.

Below is the continuation of how to migrate from ODSEE, ISW to OUD, DIP.
You can access the other parts here – Part 1, Part 2, Part 3 and Part 4.

Since the migration is quite complex, I am splitting the configuration into separate parts.

This is part 5, Install, Configure ISW => DIP migration, configure OUD <=> AD mappings.

DIP OUD <=> AD Mappings

Note: I am currently working with Oracle on an issue where cn=changelog is not being updated. Replication continues to work, but if you check the latest changenumber in cn=changelog nothing will show up. This will of course cause DIP to not push out any updates, since it is not seeing any updates.

To configure DIP mappings, we first need to gather all the ISW mapping information.
You will need the below information.

From ISW get
Full SUL mappings – ODSEE DN and AD DN, as well as the Filter i.e. cn=* or uid=*.
Create attribute list.
AD => ODSEE attribute list.
ODSEE => AD attribute list.

Once you have all the above collected, we can now move on to the DIP mappings.

To make the migration easier, I will reference and use the DIP included templates.
DIP includes a set of pre-defined templates; the location of these mapping files is in

In our case I will be creating 2 DIP profiles, an IMPORT and an EXPORT profile, for bi-directional sync; more is explained below.

  1. An IMPORT profile will be used for AD => OUD
    cp $ORACLE_HOME/ldap/odi/conf/activechg*
  2. An EXPORT profile will be used for OUD => AD
    cp $ORACLE_HOME/ldap/odi/conf/activeexport*

I will try to explain a profile layout in comparison to how ISW worked.

Every profile (export and import) has 2 sections.

Section 1 is the DomainRules / DN mapping. This is similar to an SUL in ISW.
For example, an SUL in ISW will be something like the below.
dn: ou=it,ou=people,dc=domain,dc=com
dn: ou=it,ou=users,dc=domain,dc=local

Will translate in a DIP profile DomainRules DN like the below.
Export (OUD=>AD)
Import (AD=>OUD)

Now, all you have to do is add all your SUL mappings one after the other under the DomainRules in your profile (be it import or export).

Section 2 is the AttributeRules / attribute mappings. This is similar to the attribute mappings in ISW.
The exception is:
In ISW there were separate mappings for create and separate mappings for sync.
In DIP, create and sync are all in the same mappings.

An attribute map example is below.

Source fields:
field 1 (leftmost): Attribute name
field 2: A 1 indicates a required field.
field 3:
field 4: Objectclass (the attribute comes from)
Destination fields:
field 5: Attribute name
field 6: A 1 indicates a required field.
field 7: Objectclass (the attribute comes from)
field 8: Extra parsing

For example, the OU mapping below.
ou: : :organizationalunit:ou: : organizationalunit:
For more mapping details please check the DIP documentation.
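A quick way to sanity-check attribute rules against the 8-field layout described above before loading them into a profile. This is an added example, not part of the original post or of DIP itself; the field names, the lint checks and all sample lines except the ou line are assumptions made for illustration.

```python
# Field names follow the article's 8-field description; field 3 is not
# described there, so it gets a neutral name (assumption of this example).
FIELDS = ("src_attr", "src_required", "field3", "src_objectclass",
          "dst_attr", "dst_required", "dst_objectclass", "extra_parsing")


def parse_rule(line):
    """Split one AttributeRules line into the eight named fields."""
    # maxsplit keeps any ':' inside the last field (extra parsing) intact.
    parts = [p.strip() for p in line.split(":", len(FIELDS) - 1)]
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    return dict(zip(FIELDS, parts))


def lint_rules(lines):
    """Return (line_number, problem) pairs for lines that look wrong."""
    problems = []
    for num, raw in enumerate(lines, start=1):
        line = raw.strip()
        if not line or line.startswith("#"):  # same filter as egrep -v "^$|^#"
            continue
        try:
            rule = parse_rule(line)
        except ValueError as err:
            problems.append((num, str(err)))
            continue
        for side in ("src_attr", "dst_attr"):
            if not rule[side]:
                problems.append((num, f"{side} is empty"))
        if rule["src_required"] not in ("", "1"):
            problems.append((num, "src_required must be blank or 1"))
    return problems


# Constructed sample; only the ou line comes from the article.
SAMPLE = """\
# attribute rules under review
ou: : :organizationalunit:ou: : organizationalunit:
cn:1: :person:cn: :person:

uid: : :inetorgperson
:1: :person:sn: :person:
sn:yes: :person:sn: :person:
""".splitlines()

if __name__ == "__main__":
    for num, problem in lint_rules(SAMPLE):
        print(f"line {num}: {problem}")
```

Pass it only the lines from the AttributeRules section of a mapping file; DomainRules lines use a different layout.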

Below are the mappings we used.

The Oud2Ad profile consists of 3 files below.

cat activeexp.cfg.master

cat|egrep -v "^$|^#"

The Ad2Oud profile consists of 3 files below.
cat |egrep -v "^$|^#"

cat activechg.cfg.master

cat |egrep -v "^$|^#"

Below are a few Web-UI mapping screen captures (coming soon).
Note: You can do most of the mapping from the Web UI; it is just easier to pre-populate from the command line, then modify from the UI if needed.

Initialize DIP mappings

In many instances you would first run the syncProfileBootstrap like the below. This would be the case if your OUD directory is new and has no AD users; you can then use the syncProfileBootstrap to add all these users before the profile is enabled, or you can just create an ldif file with all these users and add them by using ldapadd.

In our case we are coming from an existing user population, in both OUD and AD, so we couldn’t run the syncProfileBootstrap. Instead we manually mapped all the users by adding the orcl* objectclass and attributes required by DIP; below is an example.

A typical ISW user will already have the dspswuserlink populated with the Windows ObjectGuid. All you have to do is copy the data to the new orclObjectGuid attribute, something like the below.

Registering, enabling DIP profiles

The next step is to register and enable the profile; you do so by running the below.

Pre-Populating DIP attributes

ldapmodify -a … -f with the below content will do the trick. You might not need all the attributes to map; the key attributes are orclADObject and orcladuser related attributes.

ISW to DIP attributes side by side explained

For OUD/ODSEE, ISW used a set of attributes to keep track of user attribute/password changes; similarly, DIP uses a set of attributes to keep track.
Some of the common similar attributes/objectclasses are below.

In this article we have completed the Configure WebLogic and DIP instance. Part 6 will just complete configuring OUD backups.
To continue reading Part 6 click here.
