Friday, January 20, 2012

OIM 11g & LDAP Synchronization

Since the first OIM 11g release, one of the most frequently asked questions about OIM 11g has been:
  • Should I configure OIM with LDAP synchronization, or should I deploy an LDAP connector?
Since its earlier versions, OIM has provided connectors for the most popular LDAP systems: Oracle Internet Directory (OID), Oracle Directory Server EE (formerly Sun Java Directory/iPlanet), Novell eDirectory and Microsoft Active Directory (AD).

With OIM 11g, a new feature called LDAP synchronization was introduced. OIM uses this feature to synchronize its user and role base with an LDAP system. The synchronization is bidirectional: it uses scheduled jobs and the reconciliation engine to pull changes from LDAP, and event handlers to push data to LDAP.
But if OIM already provides a connector for most of the industry's LDAP servers, why provide a feature like LDAP Synch? Different customers' business requirements, customer feedback and also some technical reasons led Oracle to develop this feature and make it available out-of-the-box in the product.



Going back to the fundamental question of this post: which one should I use? And the answer is, as usual, IT DEPENDS. It really depends upon the project requirements and how they align with the functionality and technical details of each approach.

But before you start saying "I do have my requirements, but I still don't know which one to use", let's review the main differences between these two implementation approaches. With some knowledge of the main differences and the project requirements in hand, it will certainly be easier to make a decision.
  • LDAP Synchronization is a mandatory piece of the OIM-OAM integration (in the current 11.1.1.x releases). So if you are planning to integrate these products and make full use of the password lifecycle management features provided by the integration, LDAP Synch is a MUST.
  • LDAP Synchronization is a data-oriented approach. Although it is possible to configure attribute mapping, basic synchronization rules and some other minor things, in the end it is all about data: users and roles being synched behind the scenes from/to the LDAP server. The synchronized LDAP account does NOT appear in the user's account list in OIM.
  • The connector is a process-oriented approach. With a connector, one can make full use of OIM features like request/approval-based provisioning, access policy-based provisioning and modification requests. A user will see the LDAP account among his/her accounts and can take actions on it from there.
  • Reporting and auditing will contain information about the LDAP account only if an LDAP connector is implemented; with LDAP Synchronization alone, the LDAP account is not tracked as an OIM account and therefore does not show up in those reports.
There are other technical details and functionalities that may be considered, but the topics above are the basics and the first ones you can use to guide the decision.
