By Sylvain Duloutre on Oct 22, 2014
Oracle Unified Directory(OUD) can be configured as a proxy to Active Directory (AD).
For instance, it is possible to define a Remote LDAP Extension in OUD pointing to the Root Catalog of AD 2008.
Searches to AD would return referrals, so the appropriate OUD network group must be modified to follow referrals automatically with the command below:
dsconfig -h localhost -p 4444 -D "cn=directory manager" -j ~/.pwd -X -n set-network-group-qos-policy-prop --group-name network-group --policy-type referral --set referral-policy:follow
In some cases, an ldapsearch with a base DN which is not local to the root catalog still returns referrals to another AD server.
OUD reports the following error:
SEARCH operation failed
Result Code: 1 (Operations Error)
Additional Information: Unable to process the operation because a referral leading to an unknown or disabled ldap-server example.com:389 was received
This error is specific to AD because AD builds referrals as follows: ldap://example.com/CN=Configuration,DC=example,DC=com. The host in the referral (example.com) does not necessarily correspond to an LDAP host declared in the OUD proxy configuration. For security reasons, OUD only follows referrals to hosts explicitly declared as LDAP server extensions in the OUD proxy configuration.
To make sure OUD is able to chase such referrals, define a new ldap-server-extension with the remote-ldap-server-address property set to example.com and remote-ldap-server-port set to 389. In this case, creating a proxy workflow element for this ldap-server-extension is not required. More on ldap-server extensions at http://docs.oracle.com/cd/E29407_01/admin.111200/e22648/proxy_config.htm#solCREATING-AN-LDAP-SERVER-EXTENSION
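The following pre-flight script is an added example and is not part of the original post or of the OUD product. It parses an AD-style referral URL (ldap://host[:port]/DN) into the host:port pair OUD would need to contact, checks it against a constructed allowlist of ldap-server extensions already declared in the proxy, and, when the host is missing, prints the dsconfig command that would declare it. The DECLARED list and the referral URLs are constructed sample data; the create-ldap-server-extension subcommand and its --extension-name option are assumed from the OUD dsconfig CLI, and the extension name format "ad-<host>" is a constructed convention.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether an AD referral
# points at a host OUD is allowed to follow, and print the dsconfig command
# needed when it does not.

# Hosts already declared as ldap-server extensions in the OUD proxy.
# Constructed sample data; in practice, list them with "dsconfig list-ldap-server-extensions".
DECLARED="dc1.example.com:389 gc.example.com:3268"

# referral_target URL -> prints "host:port".
# The port defaults to 389 for ldap:// and 636 for ldaps:// when the URL has none.
referral_target() {
    url=$1
    case $url in
        ldap://*)  rest=${url#ldap://};  default=389 ;;
        ldaps://*) rest=${url#ldaps://}; default=636 ;;
        *) return 1 ;;   # not an LDAP URL; nothing to chase
    esac
    hostport=${rest%%/*}          # strip the DN part after the first slash
    case $hostport in
        *:*) host=${hostport%%:*}; port=${hostport#*:} ;;
        *)   host=$hostport;       port=$default ;;
    esac
    printf '%s:%s\n' "$host" "$port"
}

# is_declared host:port -> exit 0 if the pair is in DECLARED, 1 otherwise.
is_declared() {
    for d in $DECLARED; do
        [ "$d" = "$1" ] && return 0
    done
    return 1
}

# suggest_extension URL -> prints "already declared: host:port" when OUD can
# follow the referral, otherwise the dsconfig command that declares the host.
# The create-ldap-server-extension subcommand and --extension-name are assumed
# from the OUD dsconfig CLI; the "ad-<host>" extension name is constructed.
suggest_extension() {
    target=$(referral_target "$1") || return 1
    if is_declared "$target"; then
        echo "already declared: $target"
        return 0
    fi
    host=${target%%:*}
    port=${target#*:}
    printf 'dsconfig -h localhost -p 4444 -D "cn=directory manager" -j ~/.pwd -X -n create-ldap-server-extension --extension-name "ad-%s" --set remote-ldap-server-address:%s --set remote-ldap-server-port:%s\n' "$host" "$host" "$port"
}

# Usage: feed it the referral URL seen in the OUD error message.
suggest_extension 'ldap://example.com/CN=Configuration,DC=example,DC=com'
```

Keeping the allowlist explicit is the point of the check: the script never suggests a host that is not in the referral itself, so the command it prints only ever widens the proxy's set of trusted LDAP servers by the one host AD actually redirected to, which is what you will want to review before running it.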