What are the tricks and gotchas when using FIM 2010 to manage Oracle [LDAP] Directory Server via secure port 636?

  • General discussion

  • It may soon come to pass that we will have to use FIM 2010 to manage the excellent LDAP directory ODSEE (Sun Directory Server 7.2).

    Our problem is that the Directory is holding sensitive information and FIM will only be able to access the directory on Port 636. From what I have seen re OpenLDAP things might not be so simple. I don't see ODSEE as so very different from OpenLDAP.

    Is the Sun Netscape MA the one to pick?

    Any oddities? The directory has extended schema with one or two auxiliary classes. We expect to be using just the classes

    top
    person
    organizationalperson
    inetorgperson
    OURclass1
    OURclass2

    where the 2 'OUR' classes are the aux classes.

    Is there anything special to watch out for apart from installing the directory's public certificates and the CA root cert in the FIM server's certificate store?

    Wednesday, March 13, 2013 1:38 PM

All replies

  • You can use the Sun MA. If it complains, you may need to add the version number of the directory service to the registry to tell FIM it's OK to connect to it. I don't recall needing to do any cert imports for trust but it's been a while.

    My Book - Active Directory, 4th Edition
    My Blog - www.briandesmond.com

    Wednesday, March 13, 2013 5:02 PM
    Moderator
  • OK. We shall start off with the Sun/Netscape MA connecting to the ODSEE 11g (Sun DS 7.x).

    Have been looking at that OpenLDAP MA from SourceForge .. I hope the Sun MA is simpler to use. We shall find out when we start using the thing.

    I am surprised if we don't have to load the directory certificates, as the FIM Server MA will be just a normal LDAP client. Every LDAP client I have used so far (ldapsearch, ldapmodify, JXplorer, ldapbrowser) with the secure LDAP port has needed a cert store somewhere and a pointer to it.

    These directories are sensibly hosted on a Solaris 10 machine and from what I gather there may be several directories on the host.

    Point is the certificate presented refers to a directory, not to the host. Certificate says it's issued to DIR1.MYDOMAIN; actual host is MYHOST.MYDOMAIN. Is it enough to just add two lines to our /etc/hosts file on the FIM server to resolve any naming problems?

    DIR.MYDOMAIN           xxx.xxx.xxx.xxx

    MYHOST.MYDOMAIN   xxx.xxx.xxx.xxx

    Thursday, March 14, 2013 8:43 AM
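A way to check the certificate-name question raised in the reply above before the MA is configured, as an added example that is not from the original thread or from FIM: connect to the LDAPS port, fetch the directory's certificate (which fails if the CA root is not trusted by the client) and test whether the name the MA will be pointed at matches what the certificate was issued to. The certificate dict, the CA file path and the host names are constructed assumptions standing in for the DIR1.MYDOMAIN / MYHOST.MYDOMAIN case described above.

```python
import socket
import ssl


def fetch_peer_cert(server, port=636, ca_file=None, timeout=5):
    """Open a TLS connection to the LDAPS port and return the server
    certificate in the dict form ssl.getpeercert() produces.
    Chain validation stays on: an untrusted CA raises SSLCertVerificationError,
    which is the 'CA root not in the store' problem from the thread.
    Hostname checking is turned off here only so the certificate can be
    retrieved and inspected; the real MA connection must still validate it."""
    ctx = ssl.create_default_context(cafile=ca_file)  # ca_file: assumed path
    ctx.check_hostname = False
    with socket.create_connection((server, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=server) as tls:
            return tls.getpeercert()


def cert_names(cert):
    """Names a client may legitimately connect with: SAN dNSName entries,
    falling back to the subject CN only when the certificate has no SAN."""
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(pattern, hostname):
    """Case-insensitive label match; a wildcard is honoured only as the
    whole leftmost label and never matches more than one label."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 1 and p[1:] == h[1:]
    return p == h


def hostname_accepted(cert, configured_name):
    """True if a standards-following LDAP client would accept this certificate
    for a connection made to configured_name."""
    return any(name_matches(n, configured_name) for n in cert_names(cert))


# Constructed stand-in for the certificate described in the thread:
# issued to the directory name DIR1.MYDOMAIN, no SAN, on host MYHOST.MYDOMAIN.
ODSEE_CERT = {
    "subject": ((("commonName", "DIR1.MYDOMAIN"),),),
    "issuer": ((("commonName", "Example Internal CA"),),),
}

if __name__ == "__main__":
    for name in ("DIR1.MYDOMAIN", "MYHOST.MYDOMAIN"):
        print(name, "accepted" if hostname_accepted(ODSEE_CERT, name) else "REJECTED")
```

The hosts-file entries only make both names resolve; they do not make a certificate issued to DIR1.MYDOMAIN valid for a connection made to MYHOST.MYDOMAIN, so the MA's server setting has to use the name the certificate carries (or the certificate needs a SAN for the host name).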