AD to OID synchronization

Hi,
We are trying to integrate Oracle AS 10g (10.1.2) OID with Microsoft Active Directory.
The DN in AD is as follows:
CN=lastname\,firstname MI, dc=contractors,cn=users,dc=ad,dc=xyz,dc=com.
We want a similar DIT in OID, except that for CN we want the employee ID, since this is used for logging into the portal.
For bootstrapping I am using the following domain mapping rule:
OU=Contractors,cn=users,dc=ad,dc=xyz,dc=com:OU=Contractors,cn=users,dc=ad,dc=xyz,dc=com
I am getting all the users with the same DN as in AD, but I need CN=EmployeeId.
To get that I modified the domain rule as follows:
OU=Contractors,cn=users,dc=ad,dc=xyz,dc=com:OU=Contractors,cn=users,dc=ad,dc=xyz,dc=com:cn=%,OU=Contractors,cn=users,dc=ad,dc=xyz,dc=com
In the attribute rules I mentioned the following rule:
SamAccountName: : : :user:cn: :person:
but I am getting the following error:
ERROR: [Fri Dec 09 12:15:27 EST 2005] Writer Thread - 0 - Error occurred while loading - cn=e304335,ou=contractors,cn=users,dc=ad,dc=honeywell-tsi,dc=com
ERROR: [Fri Dec 09 12:15:27 EST 2005] Writer Thread - 0 - [LDAP: error code 32 - Parent entry not found in the directory.]
Is there any way to map the cn values?
My aim is to get the following DN in OID:
cn=EmployeeId,DC=Contractor,dc=ad,dc=honeywell-tsi,dc=com
The DN in AD is:
cn=lastname/,firstname,DC=Contractor,dc=ad,dc=honeywell-tsi,dc=com
Any help is highly appreciated.
Thanks
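A dry run of the mapping in the question above, added here as an example and not code from the thread or from Oracle DIP: it computes the DN the import writer would try to create for a constructed AD entry from the domain rule and the attribute rules, then lists the parent containers that do not yet exist in a constructed OID tree, which is what the LDAP error 32 above reports. It assumes the documented attribute-rule layout (srcAttr:reqSeq:srcType:srcObjectClass:dstAttr:reqSeq:dstObjectClass[:mappingRule]) and that the `%` in a DN-construct rule takes the value mapped onto that RDN attribute; the rule as quoted above has nine fields rather than seven or eight, so the parser flags it and a seven-field form of it is used for the dry run.

```python
"""Pre-flight check for an OID import profile: compute the DN that the DIP
writer would create for an AD entry, then list the parent containers missing
from OID, which is what "LDAP: error code 32 - Parent entry not found" reports."""
import re

# Domain rules from the question: srcBase:dstBase[:dnConstruct].
DOMAIN_RULE_PLAIN = ("OU=Contractors,cn=users,dc=ad,dc=xyz,dc=com:"
                     "OU=Contractors,cn=users,dc=ad,dc=xyz,dc=com")
DOMAIN_RULE_CN = DOMAIN_RULE_PLAIN + ":cn=%,OU=Contractors,cn=users,dc=ad,dc=xyz,dc=com"

# Attribute rules in the documented layout (7 fields, or 8 with a mapping expression):
# srcAttr:reqSeq:srcType:srcObjectClass:dstAttr:reqSeq:dstObjectClass[:mappingRule]
ATTRIBUTE_RULES = """
SamAccountName: : :user:cn: :person
givenName: : :person:displayName: :orclUserV2
"""

# Constructed AD entry shaped like the DN quoted in the question.
AD_ENTRY = {
    "dn": "CN=lastname\\, firstname MI,OU=Contractors,cn=users,dc=ad,dc=xyz,dc=com",
    "SamAccountName": "e304335",
    "givenName": "firstname",
}
# Constructed picture of OID before bootstrap: no Contractors container yet.
OID_EXISTING = ["dc=ad,dc=xyz,dc=com", "cn=users,dc=ad,dc=xyz,dc=com"]

def split_dn(dn):
    """Split a DN into RDN strings, honouring backslash-escaped commas."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn)]

def normalize_dn(dn):
    """Case-fold and drop spaces around commas, as the directory does when
    it compares OU=Contractors with ou=contractors."""
    return ",".join(p.lower() for p in split_dn(dn))

def parse_attribute_rules(text):
    """Return (rules, problems); a line whose field count is not 7 or 8 is
    reported rather than guessed at (the expressions here contain no ':')."""
    rules, problems = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = [x.strip() for x in line.split(":")]
        if len(f) not in (7, 8):
            problems.append(f"{len(f)} fields, expected 7 or 8: {line}")
            continue
        f += [""] * (8 - len(f))
        rules.append({"src": f[0], "src_oc": f[3], "dst": f[4],
                      "dst_oc": f[6], "expr": f[7]})
    return rules, problems

def target_dn(ad_entry, domain_rule, attr_rules):
    """DN the import would write for ad_entry under domain_rule."""
    parts = domain_rule.split(":")
    src, dst = parts[0], parts[1]
    construct = parts[2] if len(parts) > 2 else ""
    entry = split_dn(ad_entry["dn"])
    depth = len(split_dn(src))
    if normalize_dn(",".join(entry[-depth:])) != normalize_dn(src):
        raise ValueError("entry is outside the source domain")
    if not construct:
        # Keep the AD RDNs and re-parent them under dstBase: the plain rule
        # therefore reproduces the AD DN in OID, as observed in the question.
        return ",".join(entry[:-depth] + [dst])
    # Assumption: '%' takes the value the attribute rules map onto the
    # construct's RDN attribute (cn <- SamAccountName here).
    rdn_attr = split_dn(construct)[0].split("=", 1)[0].lower()
    values = {k.lower(): v for k, v in ad_entry.items()}
    for rule in attr_rules:
        if rule["dst"].lower() == rdn_attr and not rule["expr"]:
            return construct.replace("%", values[rule["src"].lower()], 1)
    raise ValueError(f"no attribute rule supplies a value for {rdn_attr}")

def missing_parents(dn, existing_dns):
    """Ancestors of dn, nearest first, up to the first one present in OID."""
    have = {normalize_dn(d) for d in existing_dns}
    rdns = split_dn(dn)
    missing = []
    for i in range(1, len(rdns)):
        ancestor = ",".join(rdns[i:])
        if normalize_dn(ancestor) in have:
            break
        missing.append(ancestor)
    return missing

def preflight(ad_entry, domain_rule, rules_text, existing_dns):
    rules, problems = parse_attribute_rules(rules_text)
    dn = target_dn(ad_entry, domain_rule, rules)
    return {"dn": dn, "missing_parents": missing_parents(dn, existing_dns),
            "rule_problems": problems}
```

Each DN in `missing_parents` has to exist in OID, either pre-created or written by a rule of its own, before the writer can add the user entry beneath it.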

Similar Messages

  • Sun Directory Server and OID Synchronization

    I'm having a problem with synchronizing OID with our existing Sun Directory Server. This is a one way synchronization, using Sun DS as the source, and OID as the destination. I've successfully installed OID with SSL enabled (this is part of an Oracle Portal installation), and followed what docs I could find. I created an integration profile based off the iPlanet Import profile, and imported a custom mapping profile based off a differing DIT naming convention (o=company.com vs dc=company,dc=com). I have applied an ACI that should allow the synchronization profile user to update entries on the OID side, and a user in Sun DS that has access to the appropriate areas on that side. I was able to successfully bootstrap and import all of our users, and it was also able modify the last changelog number.
    Having said all of that, incremental changes aren't propagating to OID. I'm not sure where to look or what steps to take to troubleshoot this, as I'm brand new to OID. There's an agent execution command that is blank in the integration profile, but according to what I've found that's the default and is acceptable.
    Am I missing a step here? According to the docs, all I need to do is enable the profile, and away it goes.
    One last thing I had to do to overcome an issue with the changelog number not updating was adding our internal root CA's certificate to the local JVM's cacerts file. I accomplished this with the keytool command, and it seemed to work fine. I'm unsure if it's the SSL config that is hosed and is causing this, or if it's a configuration parameter I'm missing, but I don't have anywhere to start as far as troubleshooting is concerned.

    On your integration profile, did you set the debug level to 63? You should have a _____.aud and a _____.trc file in your $ORACLE_HOME/ldap/odi/log directory that will provide more info. Did you start your DIP server (odisrv) with the oidctl command?
    You might also look at downloading the "diptester" utility for troubleshooting OID synchronization issues.
    - Brian

  • AD OID synchronization Update profile

    Hello everyone;
    We have successfully installed OID (10...) and AD, and have successfully configured AD to OID synchronization...
    But now we changed the mapping file; for example, now email is built from other attributes, but previously synchronized users are not changing their mails, only newly added users have a 'normal' email.
    How do we resync users to update their emails, without bulkdelete?
    thanks,
    jeff

    Bulkmodify, perhaps?
    Bottom line is you cannot change your sync profile and get it to update existing OID entries (previously synced from AD).
    Another option would be using an ldif file. Creating ldif file(s) is not that difficult, it would be something like:
    dn: cn=[your OID mapping]
    changetype: modify
    replace: mail
    mail: [email protected]

    dn: cn=[next entry, blank line above is needed!]
    You can create these, using ldapsearch -h [your MS DC name] -p 3268 -Z [smart conditions here]
    Load using ldapmodify

  • AD OID Synchronization searchfilter issue (help needed)

    Hi,
    I am trying to synchronize AD and OID. I am running into an issue where users are being populated in both the groups and users containers in OID even though I specified my searchfilter to put users under cn=users and groups under cn=groups. Following are the search filters I am using, and it looks like they're not working. I want my users to be in cn=Users and groups in cn=Groups, but somehow I always keep getting the users populated in both cn=groups and cn=users.
    Group filter:
    searchfilter=(|(objectclass=group)(objectclass=organizationalunit)(!(objectclass=user)(!(objectclass=computer))))
    User filter:
    searchfilter=(|(objectclass=user)(objectclass=organizationalunit)(!(objectclass=group)(!(objectclass=computer))))
    Following are my Attribute Rules that I have in both the group and user profiles:
    AttributeRules
    # attribute rule for mapping windows organizationalunit
    ou: : :organizationalunit:ou: : organizationalunit
    objectguid: :binary:organizationalunit:orclobjectguid: : organizationalunit:bin2b64(objectguid)
    # attribute rule for mapping directory containers
    cn: : :container: cn: :orclContainer
    objectguid: :binary:container: orclobjectguid: :orclContainer:bin2b64(objectguid)
    # attribute rule for mapping directordomains
    dc: : :domain: dc: :domain
    # USER ENTRY MAPPING RULES
    # attribute rule for mapping windows LOGIN id
    sAMAccountName,userPrincipalName: : :user:orclSAMAccountName: :orclADUser:toupper(truncl(userPrincipalName,'@'))+"$"+sAMAccountname
    # attribute rule for mapping Active Directory LOGIN id
    userPrincipalName: : :user:orclUserPrincipalName: :orclADUser:userPrincipalName
    # Map the userprincipalname to the nickname attr by default
    userPrincipalName: : :user:uid: :inetorgperson:userPrincipalName
    # Map the SamAccountName to the nickname attr if required
    # If this rule is enabled, userprincipalname rule needs to be disabled
    #sAMAccountName: : :user:uid: :inetorgperson
    # Assign the userprincipalname to Kerberaos principalname
    userPrincipalName: : :user:krbPrincipalName: :orcluserv2:trunc(userPrincipalName,'@')+'@'+toupper(truncl(userPrincipalName,'@'))
    # This rule is mapped as SAMAccountName is a mandatory attr on AD
    # and sn is mandatory on OID. sn is not mandatory on Active Directory
    SAMAccountName: : :user:sn: : person
    # attributes to map to cn - normally this is the given name
    #name: : :person:displayname: :inetorgperson
    cn: : :person:cn: :person
    # attribute rule for mapping entry and to create orclUserV2
    # There should be a mapping rule with orcluserv2 objectclass
    # without which the PORTAL may not function properly
    givenName: : :person:displayName: :orclUserV2
    # mail needs to be assigned valid value for default settings ing DAS
    userPrincipalName: : :user:mail: :inetorgperson
    mobile: : :organizationalperson:mobile: :inetorgperson
    ObjectGUID:1:binary:user:orclObjectGUID: :orclADUser:bin2b64(ObjectGUID)
    ObjectSID: :binary:user:orclObjectSID: :orclADUser:bin2b64(ObjectSID)
    # GROUP ENTRY MAPPING RULES
    #name: : :organizationalunit:ou: : organizationalunit
    #name: : :container: cn: :orclContainer
    #name: : :domain: dc: :domain
    cn: : :group:cn: :groupofuniquenames
    # displayname needs to be assigned a valid value for default settings on DAS
    SAMAccountName: : :group:displayName: :orclgroup
    # Description needs tobe assigned a valid value for default settings on DAS
    Description: : :group:Description: :orclgroup
    member: : :group:uniquemember: :groupofUniqueNames
    managedby: : :group:owner: :orclprivilegegroup
    sAMAccountName: : :group:orclSAMAccountName: :orclADGroup
    ObjectGUID: :binary:group:orclObjectGUID: :orclADGroup:bin2b64(ObjectGUID)
    ObjectSID: :binary:group:orclObjectSID: :orclADGroup:bin2b64(ObjectSID)
    Any help is appreciated. For example, I see my userid under both cn=groups and cn=users, even though I am a user, not a group.
    Thanks

    Hi WhiteSox!
    I wonder if you ever solved this?
    I guess that
    Group filter:
    searchfilter=(|(objectclass=group)(objectclass=organizationalunit)(!(objectclass=user)(!(objectclass=computer))))
    User filter:
    searchfilter=(|(objectclass=user)(objectclass=organizationalunit)(!(objectclass=group)(!(objectclass=computer))))
    In both searchfilters you search for the organizationalunit with a logical OR. As both users and groups can have this attribute, they might end up there.
    I have to confess that I have struggled lately with the searchfilters, as I am now on an AD-OID sync project.
    cu
    Andreas

  • AD-OID Synchronization with groups

    Hi,
    I've successfully synchronized users from AD to OID.
    Groups are also well integrated, but there is an attribute that is not
    properly synchronized from AD to OID. I have created a group with its users in
    AD. The group and all users are reachable from OID. However, in OID there is no
    relation between the users and the group they belong to. That is, the attribute
    uniquemember of the group is empty in OID.
    In the mapping file, the corresponding rules are well established:
    member: : :group:uniquemember: :groupofUniqueNames
    Does anybody know why the uniquemember attribute is empty?
    Thanks in advance,
    Cristina

    Hello Cristina:
    Hope you would be able to get your uniquemember mapping working by now.
    I was able to do so using the out-of-box mapping provided by OID with AD.
    However, I have a different problem while synching the AD groups with OID groups.
    Let me try and explain my problem in more detail:
    AD DIT:
    cn=sd_groups,ou=sandiego,ou=sites,dc=mycompany,dc=com
    OID DIT:
    cn=groups,dc=mycompany,dc=com
    In the process of syncing, when the groups are brought over from AD to OID, the uniquemember (members of the groups) also comes over. But when I try to delegate this group users it does not see those users (which have come over from AD), as they follow a totally different DIT, as mentioned above. However, to mimic the DIT as in AD on the OID side, I tried to add an organizationalunit into the OID realm and it errors out. In other words, that did not work.
    It would be really nice to hear from someone who has done a similar implementation.
    And also would be interested in hearing if somebody has done an export of groups and users into AD from OID.
    Thanks,
    Himanshu

  • OID and MS Active Directory Synchronization

    Hi,
    I've read that these 2 LDAP services can be synchronized with the "Active Directory Connector". So does this mean that if users and groups are stored in the MS Active Directory it is possible to have the users and groups synchronized with the OID so that these are available directly in Oracle Portal, or do they still need to be added manually somehow into Portal?
    Thanks in advance,
    Brandon

    You can find documentation at :
    - http://www.oracle.com/technology/products/oid/oidhtml/sec_idm_training/html_masters/basics01.htm
    - http://www.oracle.com/technology/products/oid/oidhtml/sec_idm_training/html_masters/basics02.htm
    - Note 267153.1 (How To Setup OID Synchronization with Microsoft Active Directory Quick Start Guide) with related docs
    Best regards,
    Nicolas Stiévenard

  • OID 10.1.4_ synchronization AD- OID errors

    Hello, I have installed the infrastructure from the Oracle Identity Management 10.1.4.x package on IBM AIX.
    Now I'm configuring AD -> OID synchronization; I created a profile from the activechg.map.master file and edited @DomainRules@ like
    ou=mycustom,dc=company,dc=com:cn=ad,cn=users,dc=company,dc=com
    In Active Directory the nodes look like
    ou=mycustom,dc=company,dc=com
    ou=users,ou=mycustom,dc=company,dc=com
    ou=groups,ou=mycustom,dc=company,dc=com
    ou=corp1,ou=mycustom,dc=company,dc=com
    ou=users,ou=corp1,ou=mycustom,dc=company,dc=com
    ou=groups,ou=corp1,ou=mycustom,dc=company,dc=com
    In OID the dc looks like
    dc=company,dc=com
    and after synchronization I must have in OID the structure
    ou=users,cn=ad,cn=users,dc=company,dc=com
    ou=groups,cn=ad,cn=users,dc=company,dc=com
    ou=corp1,cn=ad,cn=users,dc=company,dc=com
    ou=users,ou=corp1,cn=ad,cn=users,dc=company,dc=com
    ou=groups,ou=corp1,cn=ad,cn=users,dc=company,dc=com
    but in $oracle_home/ldap/odi/log/bootstrap.log
    ERROR: [Wed Feb 09 14:52:22 CST 2011] Writer Thread - 0 - Error occurred while loading - cn=someuser,ou=users,cn=ad,cn=users,dc=company,dc=com
    ERROR: [Wed Feb 09 14:52:22 CST 2011] Writer Thread - 0 - [LDAP: error code 32 - Parent entry not found in the directory.]
    ... and so on
    but when I manually create the node ou=users under cn=ad,cn=users,dc=company,dc=com all users are successfully synchronized for this node,
    and then I catch the next error
    ERROR: [Wed Feb 09 12:15:31 CST 2011] Writer Thread - 0 - Error occurred while loading - ou=users,cn=ad,cn=users,dc=company,dc=com]
    ERROR: [Wed Feb 09 12:15:31 CST 2011] Writer Thread - 0 - [LDAP: error code 68 - Object already exists]
    I don't want to always create a new node manually in OID before synchronization...
    I remember that with the infrastructure from the 10.1.2.0.2 package I had no problem at that moment...
    External AD authentication works fine...

    In bootstrap.log I found the next error:
    ERROR: ODIException: [LDAP: error code 12 - 00002040: SvcErr: DSID-031401E0, problem 5010 (UNAVAIL_EXTENSION), data 0
    at oracle.ldap.odip.bootstrap.ReaderFactory$FactoryLDAPReader.nextRecord(ReaderFactory.java:517)
    at oracle.ldap.odip.bootstrap.ODIBootstrap$ReaderThread.run(ODIBootstrap.java:975)
    entries read in bootstrap operation: 249
    I'm now trying to check which version of Windows Server is installed... because it looks like MetaLink note 1275017.1

  • How to setup OID to synchronize with 2nd AD server

    Hi there,
    We are currently using OAS 10g (10.1.2.0.2)
    We have configured OID to synchronize 1 way with 1 AD domain server on Global catalog port.
    Now I have a 2nd AD domain server which we need to pull in the user accounts and synchronize any changes to these accounts into the same OID.
    I have created a new integration profile in ODM to synchronize accounts from the 2nd domain server.
    I have successfully pulled in the AD user accounts from the 2nd AD domain into OID by bootstrapping using the properties file method (only this method works, the usual bootstrap command without properties file doesn't work at all).
    But after pulling in the AD accounts from the 2nd domain server, the synchronization profile for the 2nd AD domain doesn't synchronize any changes in user accounts nor any new user created at the 2nd domain end.
    Have checked the synchronization profile trace file but could not find anything wrong.
    The new integration profile which was created for the 2nd AD domain is using the same "Connected Directory URL" as all the other profiles that we have for the 1st AD domain.
    Can someone advise what is wrong with my OID synchronization process for the 2nd AD domain?
    Any help to point me in the right direction would be appreciated.
    (running out of time!).
    Cheers
    Jim

    Thanks for your reply.
    Do I require a separate AD admin account on the 2nd AD server in order to perform the ldapbind? or can I use the same AD admin account from the 1st AD server which I'm currently using on OID to sync with the 1st AD server?
    Cheers
    Peng Soon

  • OID - Sun Synchronization

    I have set up a one-way synch between OID & Sun, here Sun is the source.
    The synchronization has been successful except in this scenario:
    When we add a new user in Sun, the user gets added in OID, but SOME of the attributes of the newly added user are either mapped to the wrong attribute, or are empty, or are repeated with the right value and the wrong/unwanted value.
    For example:
    middlename     1208293793684 (unwanted & mapped wrongly)
    middlename     middle
    activationdate     20080415000000
    activationdate     Y (unwanted & mapped wrongly)
    However, when we bootstrap, the attributes are getting mapped as required.
    The mapping of the middlename is as follows:
    middlename: : :<custom_obj_class>:middlename: :<custom_obj_class>
    Any help regarding this?

    On your integration profile, did you set the debug level to 63? You should have a _____.aud and a _____.trc file in your $ORACLE_HOME/ldap/odi/log directory that will provide more info. Did you start your DIP server (odisrv) with the oidctl command?
    You might also look at downloading the "diptester" utility for troubleshooting OID synchronization issues.
    - Brian

  • OID can not display some users - java.lang.ArrayIndexOutOfBoundsException:0

    We have set up AD to OID synchronization for users and groups using the Import connector, and it worked fine. The users in OID can log into applications protected by OAM. But recently I found that some users that could be displayed in OID before cannot be displayed now. If I click on the DN in Oracle Directory Manager, an error window pops up. It is a long error message, and the first few lines are as follows:
    0
    java.lang.ArrayIndexOutOfBoundsException:0
    at oracle.ldap.admin.AttrOptions.<init>(entry.jave:3151)
    at Oracle.ldap.admin.Entry.getProp(entry.java:457)
    I don't see any error message in the integration profile or log files. I am testing things on an account that is having this trouble, and the strange thing is that it cannot log into applications protected by OAM any more, but it can log into the OAM console.
    We use OID 10.1.2.3 on Windows, and OAM 10.1.4.0.1.
    I searched in Metalink but didn't find anything helpful. Any help is appreciated. Thanks for your time.
    Hailie

    Pramod,
    Thank you for your reply. Please see below my answers to your questions:
    -> Do you see any pattern in the users (DN) that are unable to be displayed/login?
    Yes I do see some pattern. There is one change on the problem user's dn - the "\" after the last name is gone.
    Before: cn=smith\, john, cn=users,dc=abc,dc=com
    Now: cn=smith, john, cn=users,dc=abc,dc=com
    However, when I check in Active Directory, "\" is present. In OID if I right click on cn=smith, john and try to delete it, I get an error message "LDAP: error code 34 - Error in DN Normalization". Is that caused by the missing "\"?
    -> Does ldapsearch on these users (with all attributes) show something (special chars, etc)?
    ldapsearch on cn=smith, john,cn=users,dc=abc,dc=com returns no objects:
    $ldapsearch -L -D "cn=orcladmin" -w "*****" -h host -p 389 -b "cn=smith, john,cn=users,dc=abc,dc=com" -s sub "objectclass=*"
    ldap_search: No such object
    ldap_search: matched: cn=Users, dc=abc,dc=com
    Ldap search on cn=smith\, john,cn=users,dc=abc,dc=com:
    $ldapsearch -L -D "cn=orcladmin" -w "*****" -h host -p 389 -b "cn=smith\, john,cn=users,dc=abc,dc=com" -s sub "objectclass=*"
    dn: cn="smith, john",cn=users,dc=abc,dc=com
    uid: [email protected]
    employeenumber: 916963
    cn: smith, john
    registeredaddress: 512
    krbprincipalname: [email protected]
    orclsamaccountname: ABC.COM$JSmith
    sn: johnsmith
    displayname: John
    orclobjectguid: lJO0N+8H4UW/30yHukSfsw==
    orclobjectsid: AQUAAAAAAAUVAAAAohxTYWIV3XFeP55cYjwAAA==
    orcluserprincipalname: [email protected]
    objectclass: oblixorgperson
    objectclass: inetorgperson
    objectclass: orcluserv2
    objectclass: person
    objectclass: orcladuser
    objectclass: organizationalPerson
    objectclass: top
    obver: 10.1.4.0
    -> Do you see the same behavior when you use any generic LDAP browser (Ex: Apache Directory Studio) instead of ODM?
    I don't have Apache Directory Studio installed yet. I will try that later.
    -> Does the changelog for the particular synch (for the affected users) show something?
    Here is what I found in ActiveChgImp.aud
    (weeks ago)
    97426524 : Success : MODIFY : cn=smith\, john,cn=users,dc=abc,dc=com
    (Recent change - the backslash after smith was gone, and "" showed up)
    97469970 : Success : MODIFY : cn="smith, john",cn=users,dc=abc,dc=com
    -> If login to OAM is possible, can the user modify his/her profile, and does it save the changes? If it does, can you try logging in to apps?
    This user can log into the OAM identity system, but when I click on "My profile" under "User manager", I get an error message "You do not have sufficient access rights".
    If I log into identity system as orcladmin, I was able to modify it and save the changes. But in OID the user is still not displayed. Same error message. When I tried to add it as administrator, I could search on it, add it, but when I press "done", it didn't show up on the admin list. The users that can be displayed in OID can be added to admin list without a problem.
    Thanks,
    Hailie
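    The two spellings of the same DN in this thread, cn=smith\, john and cn="smith, john", are the RFC 4514 backslash-escaped form and the legacy double-quoted form. The helpers below are an added example, not code from the thread or from Oracle and not a fix for ODM: they decode either spelling, re-emit the canonical escaped form, and scan constructed audit lines shaped like the ActiveChgImp.aud entries above for DNs written in the quoted form, so the affected entries can be listed and compared.

```python
"""Canonicalise DNs whose RDN values contain commas: decode both the RFC 4514
escaped spelling (cn=smith\\, john) and the legacy quoted one (cn="smith, john")
seen in the audit lines above, re-emit the escaped form, and flag quoted DNs."""

SPECIALS = set('\\",+;<>')   # characters RFC 4514 requires to be escaped
HEX = "0123456789abcdefABCDEF"

def split_rdns(dn):
    """Split on commas that are neither backslash-escaped nor inside quotes."""
    parts, cur, quoted, i = [], [], False, 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):    # keep the escape pair intact
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        if c == "," and not quoted:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    parts.append("".join(cur))
    return parts

def decode_value(raw):
    """Plain string of one RDN value written in quoted or escaped form."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]                     # legacy quoted form, taken literally
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            pair = raw[i + 1:i + 3]
            if len(pair) == 2 and pair[0] in HEX and pair[1] in HEX:
                out += bytes([int(pair, 16)])    # \2c style hex escape
                i += 3
            else:
                out += raw[i + 1].encode()       # \, style single-character escape
                i += 2
        else:
            out += raw[i].encode()
            i += 1
    return out.decode("utf-8", errors="replace")

def escape_value(value):
    """RFC 4514 escaping of a plain value: specials, a leading '#', leading or
    trailing spaces, and control characters as hex pairs."""
    out = []
    for idx, c in enumerate(value):
        if (c in SPECIALS or (c == "#" and idx == 0)
                or (c == " " and idx in (0, len(value) - 1))):
            out.append("\\" + c)
        elif ord(c) < 0x20 or c == "\x7f":
            out.append("\\%02x" % ord(c))
        else:
            out.append(c)
    return "".join(out)

def parse_dn(dn):
    """[(attributeType, plainValue), ...], most specific RDN first."""
    pairs = []
    for rdn in split_rdns(dn):
        attr, raw = rdn.split("=", 1)       # ValueError on an RDN without '='
        pairs.append((attr.strip().lower(), decode_value(raw)))
    return pairs

def canonical_dn(dn):
    """Escaped form with lower-case types, so both spellings compare equal."""
    return ",".join(f"{a}={escape_value(v)}" for a, v in parse_dn(dn))

def uses_quoted_rdn(dn):
    """True when any RDN value is written in the legacy double-quoted form."""
    return any(r.split("=", 1)[1].strip().startswith('"')
               for r in split_rdns(dn) if "=" in r)

# Constructed audit lines shaped like the ActiveChgImp.aud entries above.
AUD_LINES = [
    "97426524 : Success : MODIFY : cn=smith\\, john,cn=users,dc=abc,dc=com",
    '97469970 : Success : MODIFY : cn="smith, john",cn=users,dc=abc,dc=com',
]

def quoted_dns_in_audit(lines):
    """(dn as logged, canonical dn) for each audit line that uses the quoted form."""
    found = []
    for line in lines:
        dn = line.split(" : ", 3)[3]
        if uses_quoted_rdn(dn):
            found.append((dn, canonical_dn(dn)))
    return found
```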

  • How to configure OID with ADS in windows 2003

    Hi all,
    The requirement here is that I have to integrate the ADS with OID,
    from ADS to OID synchronization.
    The users we have created in ADS have to sync with OID external authentication.
    I need the installation docs to configure the above setup.
    If anyone has the document, could you please share your knowledge with me?
    Thanks in advance
    Regards
    Raja

    Here is the link
    http://www.oracle.com/technology/obe/obe_as_10g/im/ads_import/import.htm
    and
    http://download.oracle.com/docs/cd/E10773_01/doc/oim.1014/e10528/odip_actdir.htm#CHDBBAII

  • AD-OID synchronisation  Agent Execution Successful, Mapping/IMPORT operati

    Hi
    We are trying the AD-OID synchronization, using the ActiveImport profile.
    The bootstrap is successful. But the synchronization status is Agent Execution Successful, Mapping/IMPORT operation Failure.
    Attaching the trace file for import:
    LDAP Connection success
    Writer Initialised!!
    MapEngine Initialised!!
    Filter Initialised!!
    searchF :
    searchF : objectclass=*
    [LDAP: error code 12 - 00000057: LdapErr: DSID-0C09065D, comment: Error processing control, data 0, vece]
    ActiveImport:Error in Mapping EngineODIException: DIP_GEN_SEARCH_EXCEPTION
    ODIException: DIP_GEN_SEARCH_EXCEPTION
         at oracle.ldap.odip.gsi.ActiveReader.searchChanges(ActiveReader.java:303)
         at oracle.ldap.odip.engine.AgentThread.mapExecute(AgentThread.java:395)
         at oracle.ldap.odip.engine.AgentThread.execMapping(AgentThread.java:278)
         at oracle.ldap.odip.engine.AgentThread.run(AgentThread.java:165)
    ActiveImport:about to Update exec status
    Updated Attributes
    orclodipLastExecutionTime: 20070117121046
    orclOdipSynchronizationStatus: Mapping Failure, Agent Execution Not Attempted
    orclOdipSynchronizationErrors: Failure During Search
    Ending Mapping execution.
    null
    Error in proxy connection : ODIException: DIP_GEN_AUTHENTICATION_FAILURE
    ODIException: DIP_GEN_AUTHENTICATION_FAILURE
         at oracle.ldap.odip.gsi.LDAPConnector.proxyConnectAs(LDAPConnector.java:350)
         at oracle.ldap.odip.engine.AgentThread.updateExecStatus(AgentThread.java:607)
         at oracle.ldap.odip.engine.AgentThread.run(AgentThread.java:208)
    Updated Attributes
    orclodipLastExecutionTime: 20070117121047
    orclOdipSynchronizationStatus: Agent Execution Successful, Mapping/IMPORT operation Failure
    orclOdipSynchronizationErrors: Agent Execution Successful, Mapping/IMPORT operation Failure
    null
    Error in updating the statusODIException: DIP_GEN_AUTHENTICATION_FAILURE
    ODIException: DIP_GEN_AUTHENTICATION_FAILURE
         at oracle.ldap.odip.gsi.LDAPConnector.proxyConnectAs(LDAPConnector.java:350)
         at oracle.ldap.odip.engine.AgentThread.updateExecStatus(AgentThread.java:680)
         at oracle.ldap.odip.engine.AgentThread.run(AgentThread.java:208)
    Please help us to solve this issue.
    We have one more issue. We used the ActiveChgImp synchronization profile for synchronization. But the profile ActiveChgImp was deleted by mistake. Can I create that profile (ActiveChgImp) one more time using createprofile, and if so, what prop_file do I need to give for creating it?
    Thanks in advance

    You can use
    $ORACLE_HOME\ldap\odi\conf\backup\activechg.map.master to recreate activechgimp profile.
    The DIP_GEN_SEARCH_EXCEPTION error is a generic error. Try setting a high debug level to generate more details.

  • Using dnconvert() on manager attribute in a mapping file for AD-OID synch

    I was just curious - has anyone tried using dnconvert() on the manager attribute for Active Directory - OID synchronization?
    Example: manager: : :person:manager: :inetorgperson:dnconvert(manager)
    Is that the way to bring over who an employee reports to (in our case, for use in Oracle Portal) or is there a better solution?

    Surely, we're not the only ones trying to map employees' Managers from AD to OID? :-)

  • How to create Portal/OID groups from AD OUs and keep them sync'd?

    We are currently doing a simple one-to-one import sync mapping from Active Directory to OID for use by Portal.
    In AD there are 40+ OUs with CN=username records, that we would like to have mapped to 40+ Portal groups with CN=username records as unique group members. We want to manage Portal privileges at the Portal group level rather than for each of 3,000+ individual users.
    Each OU has its own AD admin, so there is no way of knowing at what sub-level in the OU an AD admin might create a CN=username record.
    I had thought to manually create 40 new Portal groups, since the OUs seldom change. Now, I need to know how to create/map each of the OU=xxx, CN=username values as a unique member of the correct Portal group. During the sync, if an AD CN=username is added/modified/deleted from an existing OU=xxx, that same add/modify/delete needs to happen in the appropriate Portal group.
    If somebody could assist me in "making it so", I would appreciate your time and help.
    --Don

    If you are already running the AD->OID synchronization, where do your OUs end up? It all depends on the mapping profile you (should have) set up.
    Not sure where Portal stores the OID stuff, but you should be able to change the profile in such a way that it ends up in the correct tree.

  • AD-OID and  WNA Question

    Two questions:
    Is it necessary to configure AD-OID integration to use Windows Native Authentication?
    Can I populate OID with my Active Directory users once and still use WNA?
    Thanks,
    Jim

    Update to my original post:
    After successfully configuring AD-OID synchronization and WNA on a Win2003 Server (and opening multiple SRs in the process), I learned that it IS possible to bootstrap the users once from AD into OID.
    Bootstrapping is required to import the users' krb5principalname and orclsamaccount attributes into OID, which are used by the SSO server to authenticate their Kerberos tickets.
    Synchronization between AD-OID is not required for WNA to work, but it helps if you expect to add new users from AD into OID.
    HTH,
    Jim
