One small checkbox during installation, one large impact on implementation: LDAP Sync in OIM
For those of us who have run the Oracle Identity Manager config, you have probably noticed a small checkbox on the OIM Server screen called “Enable LDAP Sync” and asked yourself: Hmmm, I wonder what that does?
So, you dig deep into the Oracle docs to try and find out, but really, save yourself the time: the docs just tell you what needs to be in place so that you can check the box, and they also tell you how to enable and disable LDAP Sync manually (if need be). They don’t answer the fundamental question: Why would you want to enable LDAP Sync anyway?
After a bunch of reading, the best I can tell is that you must enable LDAP Sync if you are integrating OIM and OAM together. There are some minor comments that also suggest LDAP Sync plays a role in password synchronization, but I can do password synchronization with the LDAP Connector as well, and those references to password synchronization don’t seem to actually back up that claim with additional material on the subject.
So, if the only reason to do LDAP Synchronization is for OAM integration, why didn’t Oracle just leverage the functionality of the OAM Identity Asserter and Directory Authenticator at the WebLogic layer? From there, OIM would already have access to the UserID, group and role information. Why write another software component that replicates the functionality of both the LDAP Connector and the existing OAM components that plug into WLS?
I wouldn’t be questioning this approach, except that when you enable LDAP Sync, it syncs the user profile, groups and roles, but not Organizations! And Organizations are the foundation of the security model in OIM. Another downside to LDAP Sync is that it doesn’t apply any workflows for provisioning or deprovisioning, nor are those actions auditable. So, for customers that would like to enable a workflow where external users self-register and the account is not actually created until approved, you must use the LDAP Connector, not LDAP Sync, for that functionality. The customer would then need to use both LDAP Sync and the LDAP Connector, which raises a question about contention between the two, or at least the need for a process to reconcile accounts that were not created through the LDAP Sync component.
What I would like to see is for Oracle to support a form of OIM and OAM integration that is not dependent upon LDAP Sync. The major pieces appear to be there; it is likely just a matter of testing and documenting the procedure and making some minor changes to the authentication logic in OIM. Then we could use the rich features of the LDAP Connector and leave the LDAP Sync functionality as a historical footnote.