By default, Oracle creates the Directory Information Tree (DIT) in Oracle Internet Directory (OID) with the same structure as the source during the initial data load (bootstrap) and during subsequent data synchronization from an external LDAP directory (such as MS Active Directory). With this default method, however, several entries failed to load into OID. Our bootstrap.log file contained the errors below for the entries that OID did not process.
LDAP: error code 32 - Parent entry not found in the directory
Error occurred while loading - cn=emp_2,ou=aurora,ou=IL,dc=oid_srv,dc=mycompany,dc=com
DN in Active Directory (AD)
cn=emp_2,ou=aurora,ou=IL,dc=ad_srv,dc=mycompany,dc=com
DN in Oracle Internet Directory (same structure as the DN in AD, re-parented under the OID base)
cn=emp_2,ou=aurora,ou=IL,dc=oid_srv,dc=mycompany,dc=com
Solution
This error is misleading at best, because the parent entry (ou=aurora) did get created in OID. LDAP result code 32 (noSuchObject) on an add means the server could not resolve the immediate parent at the moment that add was processed, even though the OU exists once the run completes. We could not find a fix for the error itself and therefore changed the design of the DIT on the target OID: we FLATTENED it. A flat DIT has no sub-trees such as OUs; every entry is loaded directly under a single container. To create a flat DIT, the Domain Mapping Rule has to be configured in the AD->OID synchronization profile. One caveat to check before flattening: once the OUs are dropped, two source entries that share the same leaf RDN (for example cn=emp_2 in two different OUs) map to the same target DN, so the leaf RDN must be unique across all source containers that are synchronized.
DN in Active Directory (AD)
cn=emp_2,ou=aurora,ou=IL,dc=ad_srv,dc=mycompany,dc=com
DN in Oracle Internet Directory (FLATTENED without any OUs)
cn=emp_2,dc=oid_srv,dc=mycompany,dc=com
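The mapping above, as an added example that is not part of the original post or of Oracle's own tooling: a small Python model of the flat Domain Mapping Rule that keeps only the leaf RDN and re-parents it under the OID base, plus the two checks a flat DIT forces on you, leaf-RDN collisions and group member DNs that still name the AD tree. All DNs except the post's cn=emp_2 entry (the ou=chicago entry, "Doe, Jane", the outsider, the group members) are constructed for the example.

```python
"""Flatten AD DNs into a single OID container and check the two failure modes
a flat DIT introduces. Added example, not code from the original post or from
Oracle; every DN other than the post's cn=emp_2 entry is constructed."""

from dataclasses import dataclass, field

AD_BASE = "dc=ad_srv,dc=mycompany,dc=com"    # source base DN from the post
OID_BASE = "dc=oid_srv,dc=mycompany,dc=com"  # target base DN from the post


def split_rdns(dn):
    """Split a DN into its RDN strings, honouring backslash-escaped commas."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur).strip())
    return rdns


def normalize(dn):
    """Case-fold each RDN so 'CN=Emp_2' and 'cn=emp_2' compare equal (cn uses
    caseIgnoreMatch). Enough for collision detection, not full RFC 4518."""
    return ",".join(r.lower() for r in split_rdns(dn))


def flatten_dn(ad_dn, ad_base=AD_BASE, oid_base=OID_BASE):
    """Apply the post's flat mapping: keep only the leaf RDN and re-parent it
    directly under the OID base. Returns None for DNs outside ad_base."""
    rdns, base = split_rdns(ad_dn), split_rdns(ad_base)
    if len(rdns) <= len(base):
        return None
    if [r.lower() for r in rdns[-len(base):]] != [r.lower() for r in base]:
        return None
    return f"{rdns[0]},{oid_base}"


@dataclass
class FlattenResult:
    mapping: dict = field(default_factory=dict)     # AD DN -> flat OID DN
    collisions: dict = field(default_factory=dict)  # flat OID DN -> [AD DNs]
    skipped: list = field(default_factory=list)     # DNs outside the AD base


def flatten_all(ad_dns, ad_base=AD_BASE, oid_base=OID_BASE):
    """Flatten every DN and report leaf RDNs that collide once the OUs are
    gone: two entries with the same cn in different OUs become ONE OID entry."""
    result, sources_by_flat = FlattenResult(), {}
    for dn in ad_dns:
        flat = flatten_dn(dn, ad_base, oid_base)
        if flat is None:
            result.skipped.append(dn)
            continue
        result.mapping[dn] = flat
        sources_by_flat.setdefault(normalize(flat), []).append(dn)
    result.collisions = {k: v for k, v in sources_by_flat.items() if len(v) > 1}
    return result


def rewrite_members(member_dns, mapping):
    """Translate group member DNs (uniquemember values copied from AD) into the
    flattened OID DNs, the way a lookup on orclsourceobjectdn would. Members
    never synchronized stay unresolved; loading them unchanged would leave
    dangling AD DNs inside the OID group."""
    by_source = {normalize(src): flat for src, flat in mapping.items()}
    rewritten, unresolved = [], []
    for member in member_dns:
        flat = by_source.get(normalize(member))
        (unresolved if flat is None else rewritten).append(member if flat is None else flat)
    return rewritten, unresolved


# Constructed sample input: the post's entry plus hypothetical neighbours.
AD_USERS = [
    "cn=emp_2,ou=aurora,ou=IL,dc=ad_srv,dc=mycompany,dc=com",       # from the post
    "cn=emp_3,ou=aurora,ou=IL,dc=ad_srv,dc=mycompany,dc=com",       # constructed
    "cn=emp_2,ou=chicago,ou=IL,dc=ad_srv,dc=mycompany,dc=com",      # same cn, other OU
    "cn=Doe\\, Jane,ou=aurora,ou=IL,dc=ad_srv,dc=mycompany,dc=com",  # escaped comma
    "cn=outsider,dc=other,dc=com",                                   # not under AD_BASE
]
GROUP_MEMBERS = [  # uniquemember values on a hypothetical AD group
    "cn=emp_3,ou=aurora,ou=IL,dc=ad_srv,dc=mycompany,dc=com",
    "cn=ghost,ou=aurora,ou=IL,dc=ad_srv,dc=mycompany,dc=com",       # never synced
]

if __name__ == "__main__":
    res = flatten_all(AD_USERS)
    for src, flat in res.mapping.items():
        print(f"{src}\n  -> {flat}")
    print("collisions:", res.collisions)
    print("skipped:", res.skipped)
    print("members:", rewrite_members(GROUP_MEMBERS, res.mapping))
```

Run it against an export of the source containers you intend to synchronize before configuring the profile: a non-empty `collisions` dict means the flat design cannot represent those entries, and a non-empty `unresolved` list from `rewrite_members` is exactly the uniquemember mismatch that bites when groups are used for provisioning.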
Conclusion
Oracle supports both hierarchical DITs and flat DITs. To check which source DN a synchronized entry came from, use the orclsourceobjectdn attribute returned by the ldapsearch command against OID. A flat DIT is simple in design, and entries are easy to find in OID with the oidadmin utility. All the LDAP synchronization operations, ADD, MODIFY and DELETE, are supported in a flat DIT. We designed a flat DIT and are happy with it.
1 comment:
I had the issue with the flattened DIT. Because we tried to use the groups for provisioning, and the uniquemember is shown in AD's DN, which is mismatched with OID's DN. So we had to give up the flattened DIT mapping. Now I try to work out the one-to-one mapping, but it is just too much work, because we are interested in the 50+ groups and user containers out of 1000 groups and user containers.
Thanks.
Sean