1. ON THE ACTIVE DIRECTORY
==========================

1. If you are doing an import sync, i.e. from Active Directory to OID, grant the user account read access privileges to the sub tree root. The user account must be able to read all objects under the source container (sub tree root) in the Active Directory that are to be synchronized with the OID. Also provide read access to Deleted Objects in AD.

To verify whether a third-party directory user account has the necessary privileges to all objects to be synchronized with OID, use the command-line ldapsearch utility to perform a sub tree search, as follows:

$ORACLE_HOME/bin/ldapsearch -h <ADhost> -p <ADport> -D <bind dn> -w <password> -b <DN of sub tree> -s sub "objectclass=*"

For example:

$ORACLE_HOME/bin/ldapsearch -h ADhost -p 389 -D "cn=Administrator,cn=users,dc=msad,dc=oracle,dc=com" -w welcome1 -b "cn=users,dc=msad,dc=oracle,dc=com" -s sub "objectclass=*"

Microsoft Active Directory also allows an alternate syntax for credentials. For example:

$ORACLE_HOME/bin/ldapsearch -h ADhost -p port -D "Administrator@msad.oracle.com" -w welcome1 -b "cn=users,dc=msad,dc=oracle,dc=com" -s sub "objectclass=*"

The return results from the ldapsearch utility should include all objects of interest, including all attributes and values that will be synchronized.

If you are doing an export or bi-directional sync, you will need an account with full READ/WRITE privileges on the container which you are synchronizing.

11g DIP is supported only with the Active Directory servers below:
1. Active Directory 2003, 2008, 2008R2
2. ADAM - Version 1 with SP1 on Win2k3

Refer to the Oracle documentation for the list of supported LDAP versions with 11g OID.
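Eyeballing the ldapsearch output is error-prone when the sub tree holds hundreds of users, so the following added example (not Oracle's code and not part of the original post) automates the check described above: it parses the search result and reports every entry that lacks an attribute the sync profile maps, plus any mapped attribute that is absent from every entry, which usually means the sync account cannot read it rather than that it is unset. It assumes the search output is in standard LDIF form (`dn:` followed by `attr: value` lines, entries separated by a blank line), that the list of mapped attributes is known up front, and it uses a constructed sample dump rather than a capture from a real domain.

```python
"""Verify that a sub-tree ldapsearch dump taken as the DIP sync account
exposes every object and attribute the import profile will read.
Added example; not Oracle's code.  Assumes LDIF-formatted output."""
import base64
from typing import Dict, List, Sequence, Tuple

Entry = Dict[str, List[str]]   # attribute name (lower-cased) -> values

# Constructed sample of what the sub-tree search returns; not real data.
SAMPLE_LDIF = """\
dn: cn=users,dc=msad,dc=oracle,dc=com
cn: users
objectclass: container

dn: cn=Alice Smith,cn=users,dc=msad,dc=oracle,dc=com
cn: Alice Smith
sAMAccountName: asmith
mail: asmith@msad.oracle.com
objectclass: user

dn: cn=Bob Jones,cn=users,dc=msad,dc=oracle,dc=com
cn: Bob Jones
sAMAccountName: bjones
objectclass: user
"""

# Attributes a hypothetical import profile maps into OID (assumed list).
REQUIRED_ATTRS = ["cn", "sAMAccountName", "mail", "objectclass"]


def parse_ldif(text: str) -> List[Entry]:
    """Parse LDIF search output into a list of attribute dictionaries."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:       # folded continuation line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries: List[Entry] = []
    current: Entry = {}
    for line in unfolded + [""]:                   # trailing "" flushes last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            continue                               # not an "attr: value" line
        if rest.startswith(":"):                   # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def _sync_entries(entries: Sequence[Entry], skip_classes: Sequence[str]) -> List[Entry]:
    """Drop structural entries (e.g. the container itself) that DIP does not map."""
    skip = {c.lower() for c in skip_classes}
    return [e for e in entries
            if not skip & {c.lower() for c in e.get("objectclass", [])}]


def missing_per_entry(entries: Sequence[Entry], required: Sequence[str],
                      skip_classes: Sequence[str] = ("container",)) -> List[Tuple[str, List[str]]]:
    """(dn, [missing attrs]) for each synchronisable entry lacking a mapped attribute."""
    problems = []
    for e in _sync_entries(entries, skip_classes):
        missing = [a for a in required if a.lower() not in e]
        if missing:
            problems.append((e["dn"][0], missing))
    return problems


def never_visible(entries: Sequence[Entry], required: Sequence[str],
                  skip_classes: Sequence[str] = ("container",)) -> List[str]:
    """Mapped attributes returned on no entry at all: likely a read-permission gap."""
    synced = _sync_entries(entries, skip_classes)
    if not synced:
        return list(required)                      # nothing readable at all
    seen = set().union(*(e.keys() for e in synced))
    return [a for a in required if a.lower() not in seen]


if __name__ == "__main__":
    # Usage: pipe the real ldapsearch output into parse_ldif() instead.
    found = parse_ldif(SAMPLE_LDIF)
    print(f"{len(found)} entries returned")
    for dn, attrs in missing_per_entry(found, REQUIRED_ATTRS):
        print(f"  {dn}: missing {', '.join(attrs)}")
    for attr in never_visible(found, REQUIRED_ATTRS):
        print(f"  attribute never returned: {attr}")
```

In the sample, Bob Jones has no `mail` value, which on its own may just mean the attribute is unset; a mapped attribute that `never_visible` reports across the whole sub tree is the pattern to investigate with the AD administrators before starting the profile. Note that a plain sub tree search like the one above does not exercise read access to the Deleted Objects container, since Active Directory returns tombstones only when the search asks for them with the show-deleted LDAP control, so that permission has to be confirmed separately.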
2. ON THE OID NODE