Sun Identity Manager Deployment Guide

Loading LDAP Users

In this scenario, the employeeNumber attribute in the LDAP inetOrgPerson object is the correlation key. This attribute is not listed by default in the schema map for the LDAP adapter, so you must add it manually. For this example, add the attribute EmployeeId to the Identity Manager User Attribute side of the schema map, and employeeNumber to the Resource User Attribute side.


Note –

The PeopleSoft adapter uses the Identity Manager attribute name EmployeeId by default. This value was chosen to maintain consistency between LDAP and PeopleSoft, although this is not required.


The e-mail address will be the correlation key for the Remedy resource, but it must be set up and configured before you load LDAP accounts. The inetOrgPerson object contains the mail attribute, which will be the correlation key for loading Remedy accounts. The mail attribute also must be added to the schema map. Add the email attribute to the Identity Manager User Attribute side of the schema map, and mail to the Resource User Attribute side. email is a predefined Identity Manager attribute, so it is easier to use this attribute than to edit the User Extended Attributes or UserUIConfig configuration objects to include a mail attribute.

Identity Manager stores account IDs in the User object in the attribute resourceAccountIds. This is a multi-valued attribute, with each value taking the form accountId@objectId. Because of this form, a correlation rule can append @ to the LDAP EmployeeId value and test whether any resourceAccountIds value starts with the result, which matches the complete PeopleSoft accountId rather than a prefix of it. The following rule compares the EmployeeId value from LDAP to the PeopleSoft accountId:

Comparing EmployeeId value from LDAP to PeopleSoft accountId


<Rule subtype='SUBTYPE_ACCOUNT_CORRELATION_RULE' name='Correlate EmployeeId with accountId'>
   <!-- Return the list of AttributeConditions only when the resource account
        carries an EmployeeId; otherwise the rule returns null and no user correlates. -->
   <cond>
      <ref>account.EmployeeId</ref>
      <list>
         <new class='com.waveset.object.AttributeCondition'>
            <s>resourceAccountIds</s>
            <s>startsWith</s>
            <!-- EmployeeId followed by "@" matches a whole accountId in the
                 accountId@objectId form, not merely a prefix of one. -->
            <concat>
               <ref>account.EmployeeId</ref>
               <s>@</s>
            </concat>
         </new>
      </list>
   </cond>
</Rule>
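
The following Python model of the rule above is an added example; it is not part of the Sun Identity Manager guide or product code. It evaluates the rule's AttributeCondition against constructed sample users to show why the trailing @ is needed: the resource objectId, user names and EmployeeId values are assumptions made up for the example.

```python
# Added example: models the "Correlate EmployeeId with accountId" rule.
# Identity Manager evaluates the AttributeCondition against its repository;
# here the users and their resourceAccountIds values are constructed data.
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

PEOPLESOFT_OBJECT_ID = "#ID#PeopleSoft"  # constructed placeholder objectId


@dataclass
class IdmUser:
    name: str
    # multi-valued: each value takes the form accountId@objectId
    resource_account_ids: list[str] = field(default_factory=list)


def correlation_condition(account: dict) -> Optional[list[tuple[str, str, str]]]:
    """Mirror of the rule's <cond>: returns (attribute, operator, operand)
    conditions when the LDAP account has an EmployeeId, otherwise None
    (the rule yields no condition, so nothing correlates)."""
    employee_id = account.get("EmployeeId")
    if not employee_id:
        return None
    # The trailing "@" pins the match to a complete accountId, so
    # EmployeeId 100 cannot correlate with accountId 1001.
    return [("resourceAccountIds", "startsWith", f"{employee_id}@")]


def matches(user: IdmUser, cond: tuple[str, str, str]) -> bool:
    attr, op, operand = cond
    values = user.resource_account_ids if attr == "resourceAccountIds" else []
    if op != "startsWith":
        raise ValueError(f"unsupported operator {op}")
    return any(v.startswith(operand) for v in values)


def correlate(account: dict, users: list[IdmUser]) -> list[IdmUser]:
    """Return the Identity Manager users that satisfy every condition."""
    conds = correlation_condition(account)
    if conds is None:
        return []
    return [u for u in users if all(matches(u, c) for c in conds)]


# Constructed sample users; note 1001 shares the prefix 100 with asmith's ID.
USERS = [
    IdmUser("jdoe", [f"1001@{PEOPLESOFT_OBJECT_ID}"]),
    IdmUser("asmith", [f"100@{PEOPLESOFT_OBJECT_ID}"]),
    IdmUser("nobody", []),
]


def demo() -> list[str]:
    ldap_account = {"accountId": "uid=asmith,ou=People,dc=example,dc=com",
                    "EmployeeId": "100"}
    return [u.name for u in correlate(ldap_account, USERS)]
```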

In this scenario, it is not necessary to add attributes to the User Extended Attributes or UserUIConfig configuration objects, because the accountId and email attributes are always available to the system.

Procedure: To Load LDAP Accounts

  1. From the Resources page in the Administrator Interface, select the LDAP resource from the New Resource pull-down menu. Then configure the adapter as follows:

    1. Add the EmployeeId and email Identity Manager User attributes.

    2. Make sure you do not delete the accountId Identity Manager user attribute from the schema map.

    3. Ensure that the identity template is correct.

      See the online help and the Resource Reference for more information about configuring the adapter.

  2. Configure the reconciliation policy for the resource as follows.

    1. Set the Correlation Rule to Correlate EmployeeId with accountId.

    2. Set the following situation values:

      Set the UNASSIGNED situation to “Link resource account to Identity Manager user”.

      Set the UNMATCHED situation to an appropriate action. You might need to discuss with the PeopleSoft administrator the possibility of adding users who are discovered on other resources. If you select the “Create new Identity Manager user based on resource account” option, the Identity Manager user will have, by default, an account name based on the LDAP cn attribute.

  3. Reconcile the LDAP resource.