Configure ISW => DIP migration, Configure DIP with OUD <=> AD mappings – Part 5.


Note: The mapping is still a work in progress and will be fully updated once completed.

Below I continue with how to migrate from ODSEE and ISW to OUD and DIP.
You can access the other parts here – Part 1, Part 2, Part 3 and Part 4.

Since the migration is quite complex, I am splitting the configuration into separate parts.

This is part 5: install and configure the ISW => DIP migration, and configure the OUD <=> AD mappings.

DIP OUD <=> AD Mappings

Note: I am currently working with Oracle on an issue of the cn=changelog not being updated. Replication continues to work; however, if you check the latest changenumber in cn=changelog nothing will show up. This will of course cause DIP to not push out any updates, since it's not seeing any update.

To configure DIP mappings, we first need to gather all the ISW mapping information.
You will need the information below.

From ISW get:
Full SUL mappings – the ODSEE DN and AD DN, as well as the filter, i.e. cn=* or uid=*.
Create the attribute lists:
AD => ODSEE attribute list.
ODSEE => AD attribute list.

Once you have all the above collected, we can now move on to the DIP mappings.

To make the migration easier, I will reference and use the templates included with DIP.
DIP includes a set of pre-defined templates; these mapping files are located in
$ORACLE_HOME/ldap/odi/conf/*

In our case I will be creating 2 DIP profiles, an IMPORT and an EXPORT profile, for bi-directional sync; more is explained below. The template files are copied into the current working directory.

  1. An IMPORT profile will be used for AD => OUD
    cp $ORACLE_HOME/ldap/odi/conf/activechg* .
  2. An EXPORT profile will be used for OUD => AD
    cp $ORACLE_HOME/ldap/odi/conf/activeexport* .

I will try to explain a profile's layout in comparison to how ISW worked.

Every profile (export and import) has 2 sections.

Section 1 is the DomainRules / DN Mapping. This is similar to an SUL in ISW.
For example, an SUL in ISW will be something like the below.
ODSEE:
dn: ou=it,ou=people,dc=domain,dc=com
Filter
uid=*
AD:
dn: ou=it,ou=users,dc=domain,dc=local
Filter
cn=*

This translates into DIP profile DomainRules lines like the below.
Export (OUD=>AD)
ou=it,ou=people,dc=domain,dc=com:ou=it,ou=users,dc=domain,dc=local:cn=%ou=it,ou=users,dc=domain,dc=local
Import (AD=>OUD)
ou=it,ou=users,dc=domain,dc=local:ou=it,ou=people,dc=domain,dc=com:uid=%ou=it,ou=people,dc=domain,dc=com

Now all you have to do is add all your SUL mappings one after the other under DomainRules in your profile (import or export).

Section 2 is the AttributeRules / Attribute Mappings. This is similar to the attribute mappings in ISW.
The exception is:
In ISW there were separate mappings for create and separate ones for sync,
vs.
in DIP, create and sync are all in the same mapping.

An attribute map example is below.

Source fields:
field 1 (leftmost): Attribute name
field 2: A 1 indicates a required field.
field 3:
field 4: Objectclass (the attribute comes from)
Destination fields:
field 5: Attribute name
field 6: A 1 indicates a required field.
field 7: Objectclass (the attribute comes from)
field 8: Extra parsing

For example, the OU mapping below.
ou: : :organizationalunit:ou: : organizationalunit:
For more mapping details please check the DIP documentation.
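The profile layout described in the two sections above, as an added example that is not part of the original post: a small Python parser for the DomainRules and AttributeRules layout, plus a function that derives both DomainRules lines from one ISW SUL. The field split follows the post's 8-field description, and the parser assumes DNs contain no ':' (function names and the sample map are my own).

```python
# Added example (not from the original post): a small parser for the DIP map
# file layout described above, plus the ISW SUL -> DomainRules conversion.
def parse_domain_rule(line):
    """'srcDN:dstDN:rdnAttr=%dstDN' -> dict. Assumes DNs contain no ':'."""
    src, dst, mapping = (f.strip() for f in line.split(":", 2))
    rdn_attr, sep, base = mapping.partition("=%")
    if sep != "=%" or base.lower() != dst.lower():
        raise ValueError(f"mapping rule must rebuild entries under {dst!r}: {line!r}")
    return {"src": src, "dst": dst, "rdn_attr": rdn_attr}

def parse_attribute_rule(line):
    """Return the 8 colon-separated fields (field 3 kept raw); field 8 may contain ':'."""
    fields = [f.strip() for f in line.split(":", 7)]
    if len(fields) != 8:
        raise ValueError(f"expected 8 fields, got {len(fields)}: {line!r}")
    return fields

def parse_map_file(text):
    """Split a map file body into its DomainRules and AttributeRules sections."""
    section, domain_rules, attribute_rules = None, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blank lines and comments
            continue
        if line in ("DomainRules", "AttributeRules"):
            section = line
        elif section == "DomainRules":
            domain_rules.append(parse_domain_rule(line))
        elif section == "AttributeRules":
            attribute_rules.append(parse_attribute_rule(line))
        else:
            raise ValueError(f"rule before any section header: {line!r}")
    return domain_rules, attribute_rules

def sul_to_domain_rules(odsee_dn, odsee_filter, ad_dn, ad_filter):
    """One ISW SUL -> (export_rule, import_rule). Export runs OUD -> AD, so new
    entries are built with AD's RDN attribute under the AD DN; import swaps the roles."""
    def rdn_attr(presence_filter):
        name, sep, value = presence_filter.strip("()").partition("=")
        if sep != "=" or value != "*":
            raise ValueError(f"expected a presence filter such as uid=*: {presence_filter!r}")
        return name
    export_rule = f"{odsee_dn}:{ad_dn}:{rdn_attr(ad_filter)}=%{ad_dn}"
    import_rule = f"{ad_dn}:{odsee_dn}:{rdn_attr(odsee_filter)}=%{odsee_dn}"
    return export_rule, import_rule

# Constructed sample, taken from the rules shown in the post above.
SAMPLE_MAP = """DomainRules
ou=it,ou=people,dc=domain,dc=com:ou=it,ou=users,dc=domain,dc=local:cn=%ou=it,ou=users,dc=domain,dc=local
AttributeRules
uid:1: :inetorgperson:SAMAccountName: :User:
orclodiptranslatepassword: : : : unicodepwd : : user : passwordtranslate(orclodiptranslatepassword)"""
```

Running `parse_map_file` over a full map file before registering the profile catches a DN mapping rule whose base does not match its destination container, which would otherwise place synced entries somewhere unexpected.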

Below are the mappings we used.

The Oud2Ad profile consists of the 3 files below.

cat activeexport.properties|egrep -v "^$|^#"
odip.profile.name = Oud2Ad
odip.profile.status = DISABLE
odip.profile.syncmode = EXPORT
odip.profile.retry = 5
odip.profile.schedinterval = 60
odip.profile.condirurl = ad1.domain.local:636:2
odip.profile.condiraccount = CN=Admin1,OU=Admin Accounts,DC=domain,DC=local
odip.profile.interface = LDAP
odip.profile.configfile = activeexp.cfg.master
odip.profile.mapfile = activeexp.map.master
odip.profile.lastchgnum = 0
odip.profile.version = 4.0
odip.profile.debuglevel = 0
odip.profile.interface = LDAP
odip.profile.directorytype=ACTIVEDIRECTORY
odip.profile.updateChangeNumberatCreate = TRUE

cat activeexp.cfg.master

[INTERFACEDETAILS]
Writer: oracle.ldap.odip.gsi.ActiveWriter
SkipErrorToSyncNextChange: false
SearchDeltaSize: 500
UpdateSearchCount: 100

cat activeexp.map.master|egrep -v "^$|^#"

DomainRules
ou=it,ou=people,dc=domain,dc=com:ou=it,ou=users,dc=domain,dc=local:cn=%ou=it,ou=users,dc=domain,dc=local
# Add all other SUL Mapping here
AttributeRules
ou: : :organizationalunit:ou: : organizationalunit:
cn: : :orclcontainer: cn: :Container:
cn:1: :inetorgperson:cn: :User:
uid:1: :inetorgperson:SAMAccountName: :User:
mail: : :inetorgperson:UserPrincipalName: :User:
givenName: : :inetorgperson:givenname: :user:
sn: : :person:sn: :user:
displayName: : :inetorgperson:displayName: :user:
employeenumber: : :inetorgperson:employeeNumber: :user:
mail: : :inetorgperson:mail: :user:
departmentnumber: : :inetorgperson:departmentnumber: :user:
physicaldeliveryofficename: : :organizationalperson:physicaldeliveryofficename: :user:
manager: : :inetorgperson:manager: :user:
telephoneNumber: : :inetorgperson:telephoneNumber: :user:
title: : :inetorgperson:title: :user:
orclodiptranslatepassword: : : : unicodepwd : : user : passwordtranslate(orclodiptranslatepassword)
cn: : :person:useraccountcontrol: :user:"544"
cn: : :groupofuniquenames:cn: :group:
displayname: : :orclgroup:SAMAccountName: :group:
uniquemember: : :groupofuniquenames:member: :group:

The Ad2Oud profile consists of the 3 files below.
cat activechgimp.properties |egrep -v "^$|^#"

odip.profile.name = Ad2Oud
odip.profile.status = DISABLE
odip.profile.syncmode = IMPORT
odip.profile.retry = 5
odip.profile.schedinterval = 60
odip.profile.condirurl = ad1.domain.local:636:2
odip.profile.condiraccount = CN=Admin1,OU=Admin Accounts,DC=domain,DC=local
odip.profile.interface = LDAP
odip.profile.configfile = activechg.cfg.master
odip.profile.mapfile = activechg.map.master
odip.profile.oidfilter = orclObjectGUID
odip.profile.lastchgnum = 0
odip.profile.version = 4.0
odip.profile.debuglevel = 0
odip.profile.interface = LDAP
odip.profile.directorytype=ACTIVEDIRECTORY
odip.profile.updateChangeNumberatCreate = TRUE

cat activechg.cfg.master

[INTERFACEDETAILS]
Reader: oracle.ldap.odip.gsi.ActiveChgReader
SkipErrorToSyncNextChange: false
SearchDeltaSize: 500
UpdateSearchCount: 100

cat activechg.map.master |egrep -v "^$|^#"

DomainRules
ou=it,ou=users,dc=domain,dc=local:ou=it,ou=people,dc=domain,dc=com:uid=%ou=it,ou=people,dc=domain,dc=com
# Add all other SUL Mapping here
AttributeRules
objectguid: :binary:top:orclobjectguid:string:orclADObject:bin2b64(objectguid)
ObjectSID: :binary:user:orclObjectSID:string:orclADObject:bin2b64(ObjectSID)
distinguishedName: : :top:orclSourceObjectDN: :orclADObject:
ou: : :organizationalunit:ou: : organizationalunit:
cn: : :container: cn: :orclContainer:
dc: : :domain: dc: :domain:
sAMAccountName,userPrincipalName: : :user:orclSAMAccountName: :orclADUser:toupper(truncl(userPrincipalName,'@'))+"$"+sAMAccountname
userPrincipalName: : :user:orclUserPrincipalName: :orclADUser:userPrincipalName
sAMAccountName:1: :user:uid: :inetorgperson:
userPrincipalName: : :user:krbPrincipalName: :orcluserv2:trunc(userPrincipalName,'@')+'@'+toupper(truncl(userPrincipalName,'@'))
cn: : :person:cn: :person:
sn: : :user:sn: :person:
departmentNumber: : :inetorgperson:departmentnumber: :inetorgperson:
displayName: : :user:displayName: :person:
givenName: : :user:givenName: :inetorgperson:
employeenumber: : :user:employeeNumber: :inetOrgPerson:
physicalDeliveryOfficeName: : :user:physicalDeliveryOfficeName: :inetorgperson:
title: : :user:title: :inetorgperson:
telephonenumber: : :user:telephonenumber: :inetorgperson:
facsimileTelephoneNumber: : :organizationalperson:facsimileTelephoneNumber: :inetorgperson:
userPrincipalName: : :user:mail: :inetorgperson:
cn: : :group:cn: :groupofuniquenames:
Description: : :group:Description: :groupOfUniqueNames:
sAMAccountName: : :group:orclSAMAccountName: :orclADGroup:
SAMAccountName: : :group:displayName: :orclgroup:
member: : :group:uniquemember: :groupofUniqueNames:
managedby: : :group:owner: :groupOfUniqueNames:
pwdLastSet : : : user : orclODIPPwdLastSet : : top : onDemandPassword(pwdLastSet)

Below are a few Web UI mapping screen captures (coming soon).
Note: You can do most of the mapping from the Web UI; it's just easier to pre-populate from the command line and then modify from the UI if needed.

Initialize DIP mappings

In many instances you would first run syncProfileBootstrap as below. This is the case if your OUD directory is new and has no AD users: you can then use syncProfileBootstrap to add all these users before the profile is enabled, or you can just create an LDIF file with all these users and add them using ldapadd.

/oud/Oracle/Middleware/Oracle_Home/bin/syncProfileBootstrap -h dip1.domain.com -p 7005 -D admin -pf Ad2Oud

In our case we are coming from an existing user population on both OUD and AD,
so we couldn't run syncProfileBootstrap. Instead we mapped all the users manually by adding the orcl* objectclasses and attributes required by DIP; below is an example.

A typical ISW user will already have dspswuserlink populated with the Windows ObjectGuid. All you have to do is copy the data to the new orclObjectGuid attribute, something like the below.

From
dspswuserlink;binary:: 5t9XUw0yRU6vyhz5LAyFKw==
To
orclObjectGuid: 5t9XUw0yRU6vyhz5LAyFKw==

Registering, enabling DIP profiles

The next step is to register and enable the profiles; you do so by running the below.

# Register the profiles
# Ad2Oud profile
/oud/Oracle/Middleware/Oracle_Home/bin/manageSyncProfiles register -h dip1.domain.com -p 7005 -D admin -f activechgimp.properties

# Oud2Ad profile
/oud/Oracle/Middleware/Oracle_Home/bin/manageSyncProfiles register -h dip1.domain.com -p 7005 -D admin -f activeexport.properties

# Activate the profiles.
/oud/Oracle/Middleware/Oracle_Home/bin/manageSyncProfiles activate -h dip1.domain.com -p 7005 -D admin -pf Ad2Oud
/oud/Oracle/Middleware/Oracle_Home/bin/manageSyncProfiles activate -h dip1.domain.com -p 7005 -D admin -pf Oud2Ad

# Associate the Profiles
/oud/Oracle/Middleware/Oracle_Home/bin/manageSyncProfiles associateProfile -h dip1.domain.com -p 7005 -D admin -pf Oud2Ad -assopf Ad2Oud
/oud/Oracle/Middleware/Oracle_Home/bin/manageSyncProfiles associateProfile -h dip1.domain.com -p 7005 -D admin -pf Ad2Oud -assopf Oud2Ad

Pre-Populating DIP attributes

ldapmodify -a … -f with the below content will do the trick. You might not need all the attributes mapped; the key attributes are orclADObject and the orcladuser related attributes.

dn: uid=user1,OU=IT,ou=people,o=domain.com,dc=org,dc=com
changetype: modify
add: objectClass
objectClass: orclADObject
-
add: objectClass
objectClass: orcluserv2
-
add: objectClass
objectClass: orcladuser
-
add: orclSAMAccountName
orclSAMAccountName: DOMAIN.COM$user1
-
add: orclObjectSid
orclObjectSid: AQUAAAAAAAUVAAAAXXDyb21sQuLTXRMLDQsAAA==
-
add: orclSourceObjectDN
orclSourceObjectDN: CN=first last,OU=IT,OU=USERS,DC=domain,DC=local
-
add: orclUserPrincipalName
orclUserPrincipalName: user1@domain.com
-
add: krbPrincipalName
krbPrincipalName: user1@domain.com
-
add: orclObjectGuid
orclObjectGuid: RO5TkqldQkeoMbbSAou8xA==
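The manual pre-population described above (copying dspswuserlink to orclObjectGuid and building the ldapmodify content), as an added example that is not part of the original post: a Python helper that validates the ISW link value and emits the same LDIF change record from one user's values. The sample user is constructed here from the values shown in the post, and the realm-to-orclSAMAccountName rule follows the sAMAccountName mapping in the Ad2Oud map file.

```python
# Added example (not from the original post): build the ldapmodify LDIF that
# pre-populates the DIP orcl* attributes on an existing ISW-synced OUD user.
# dspswuserlink;binary is copied verbatim into orclObjectGuid after a 16-byte check.
import base64
import binascii

def guid_b64(dspswuserlink):
    """Validate the ISW link value and return it unchanged for orclObjectGuid."""
    try:
        raw = base64.b64decode(dspswuserlink, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"dspswuserlink is not valid base64: {exc}") from None
    if len(raw) != 16:
        raise ValueError(f"objectGUID must be 16 bytes, got {len(raw)}")
    return dspswuserlink

def dip_modify_ldif(dn, uid, upn, dspswuserlink, ad_dn, object_sid_b64):
    """Return an LDIF change record with the same layout as the post's example."""
    realm = upn.partition("@")[2]
    if not realm:
        raise ValueError(f"userPrincipalName has no realm part: {upn!r}")
    changes = [
        ("objectClass", "orclADObject"),
        ("objectClass", "orcluserv2"),
        ("objectClass", "orcladuser"),
        ("orclSAMAccountName", f"{realm.upper()}${uid}"),  # toupper(realm) + "$" + sAMAccountName
        ("orclObjectSid", object_sid_b64),
        ("orclSourceObjectDN", ad_dn),
        ("orclUserPrincipalName", upn),
        ("krbPrincipalName", upn),                          # kept as-is, matching the post's LDIF
        ("orclObjectGuid", guid_b64(dspswuserlink)),
    ]
    lines = [f"dn: {dn}", "changetype: modify"]
    for i, (attr, value) in enumerate(changes):
        if i:
            lines.append("-")                               # separates modify operations
        lines += [f"add: {attr}", f"{attr}: {value}"]
    return "\n".join(lines) + "\n"

# Constructed sample user; the base64 values are the ones shown in the post.
SAMPLE_USER = {
    "dn": "uid=user1,ou=it,ou=people,dc=domain,dc=com",
    "uid": "user1",
    "upn": "user1@domain.com",
    "dspswuserlink": "5t9XUw0yRU6vyhz5LAyFKw==",
    "ad_dn": "CN=first last,OU=IT,OU=USERS,DC=domain,DC=local",
    "object_sid_b64": "AQUAAAAAAAUVAAAAXXDyb21sQuLTXRMLDQsAAA==",
}
if __name__ == "__main__":
    print(dip_modify_ldif(**SAMPLE_USER), end="")
```

Pipe the output into `ldapmodify -a … -f` as in the post; a malformed link value fails before anything is written to the directory.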

ISW to DIP attributes side by side explained

For OUD/ODSEE, ISW used a set of attributes to keep track of user attribute/password changes; similarly, DIP uses its own set of attributes to keep track.
Some of the common, similar attributes/objectclasses are below.

ISW
        dspswuserlink;binary:: 5t9XUw0yRU6vyhz5LAyFKw==
        objectClass: dspswuser
        dspswvalidate: true

DIP
        orclObjectSid: AQUAAAAAAAUVAAAAXXDyb21sQuLTXRML3Q4AAA==
        orclObjectGuid: 5t9XUw0yRU6vyhz5LAyFKw==
        orclUserPrincipalName: usera@domain.com
        orclSAMAccountName: DOMAIN.COM$usera
        orclSourceObjectDN: CN=First Last,OU=IT,OU=USERS,DC=domain,DC=local
        objectClass: orclADObject
        objectClass: orcluserv2
        objectClass: orcladuser

        orclODIPInvalidPassword: true
        orclODIPPwdLastSet: 131745195683593412

In this article we have completed configuring the WebLogic and DIP instance. In Part 6 we will just complete configuring the OUD backups.
To continue reading Part 6 click here.

Like what you’re reading? please provide feedback, any feedback is appreciated.
