Oracle® Identity Manager Connector Guide for Oracle Internet Directory Release 9.0.4 Part Number E10165-01 |
|
|
View PDF |
After you deploy the connector, you must configure it to meet your requirements. This chapter discusses the following connector configuration procedures:
Note:
These sections provide both conceptual and procedural information about configuring the connector. It is recommended that you read the conceptual information before you perform the procedures.As mentioned earlier in this guide, reconciliation involves duplicating in Oracle Identity Manager additions of and modifications to user accounts on the target system. This section discusses the following topics related to configuring reconciliation:
By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run. You can customize this process by specifying the subset of added or modified target system records that must be reconciled. You do this by creating filters for the reconciliation module.
For this connector, you create a filter by specifying values for the CustomizedReconQuery
IT resource parameter while performing the procedure described in the "Defining IT Resources" section.
The following table lists the Oracle Internet Directory attributes, and the corresponding Oracle Identity Manager attributes, that you can use to build the query condition. You specify this query condition as the value of the CustomizedReconQuery
parameter.
Oracle Internet Directory Attribute | Oracle Identity Manager Attribute |
---|---|
cn | User Id |
givenname | First Name |
sn | Last Name |
middleName | Middle Name |
departmentNumber | Department |
l | Location |
title | Title |
The following are sample query conditions:
givenname=John&sn=Doe
With this query condition, records of users whose first name is John and last name is Doe are reconciled.
givenname=John|departmentNumber=23
With this query condition, records of users who meet either of the following conditions are reconciled:
The user's first name is John
.
The user belongs to the departmentNumber 23
.
If you do not specify values for the CustomizedReconQuery
parameter, then all the records in the target system are compared with existing Oracle Identity Manager records during reconciliation.
The following are guidelines to be followed while specifying a value for the CustomizedReconQuery
parameter:
For the Oracle Internet Directory attributes, you must use the same case (uppercase or lowercase) as given in the table shown earlier in this section. This is because the attribute names are case-sensitive.
You must not include unnecessary blank spaces between operators and values in the query condition.
A query condition with spaces separating values and operators would yield different results as compared to a query condition that does not contain spaces between values and operators. For example, the output of the following query conditions would be different:
givenname=John&sn=Doe
givenname= John&sn= Doe
In the second query condition, the reconciliation engine would look for first name and last name values that contain a space at the start.
You must not include special characters other than the equal sign (=), ampersand (&), and vertical bar (|) in the query condition.
Note:
An exception is thrown if you include special characters other than the equal sign (=), ampersand (&), and vertical bar (|).You specify a value for the CustomizedReconQuery
parameter while performing the procedure described in the "Defining IT Resources" section.
While configuring the connector, the target system can be designated as a trusted source or target resource. If you designate the target system as a trusted source, then both newly created and modified user accounts are reconciled in Oracle Identity Manager. If you designate the target system as a target resource, then only modified user accounts are reconciled in Oracle Identity Manager.
Note:
You can skip this section if you do not want to designate the target system as a trusted source for reconciliation.Configuring trusted source reconciliation involves the following steps:
Import the XML file for trusted source reconciliation, oimUser.xml
, by using the Deployment Manager. This section describes the procedure to import the XML file.
Note:
Only one target system can be designated as a trusted source. If you import theoimUser.xml
file while you have another trusted source configured, then both connector reconciliations would stop working.Set the IsTrusted
scheduled task attribute to True
. You specify a value for this attribute while configuring the user reconciliation scheduled task, which is described later in this guide.
To import the XML file for trusted source reconciliation:
Open the Oracle Identity Manager Administrative and User Console.
Click the Deployment Management link on the left navigation bar.
Click the Import link under Deployment Management. A dialog box for locating files is displayed.
Locate and open the oimUser.xml
file, which is in the OIM_home
/xellerate/OID/xml
directory. Details of this XML file are shown on the File Preview page.
Click Add File. The Substitutions page is displayed.
Click Next. The Confirmation page is displayed.
Click Import.
In the message that is displayed, click Import to confirm that you want to import the XML file and then click OK.
After you import the XML file for trusted source reconciliation, you must set the value of the IsTrusted
reconciliation scheduled task attribute to True
. This procedure is described in the "Configuring the Reconciliation Scheduled Tasks" section.
When you perform the procedure described in the "Step 5: Importing the Connector XML File" section, the scheduled tasks for lookup fields and user reconciliations are automatically created in Oracle Identity Manager. To configure these scheduled tasks:
Expand the Xellerate Administration folder.
Select Task Scheduler.
Click Find. The details of the predefined scheduled tasks are displayed on two different tabs.
For the first scheduled task, enter a number in the Max Retries field. This number represents the number of times Oracle Identity Manager must attempt to complete the task before assigning the ERROR
status to the task.
Ensure that the Disabled and Stop Execution check boxes are not selected.
In the Start region, double-click the Start Time field. From the date-time editor that is displayed, select the date and time at which you want the task to run.
In the Interval region, set the following schedule parameters:
To set the task to run on a recurring basis, select the Daily, Weekly, Recurring Intervals, Monthly, or Yearly option.
If you select the Recurring Intervals option, then you must also specify the time interval at which you want the task to run on a recurring basis.
To set the task to run only once, select the Once option.
Provide values for the attributes of the scheduled task. Refer to the "Specifying Values for the Scheduled Task Attributes" section for information about the values to be specified.
See Also:
Oracle Identity Manager Design Console Guide for information about adding and removing task attributesClick Save. The scheduled task is created. The INACTIVE
status is displayed in the Status field, because the task is not currently running. The task is run at the date and time that you set in Step 7.
Repeat Steps 5 through 10 to create the second scheduled task.
After you configure both scheduled tasks, proceed to the "Configuring Provisioning" section.
This section provides information about the attribute values to be specified for the following scheduled tasks:
You must specify values for the following attributes of the OID Group Lookup Reconciliation Task
reconciliation scheduled task.
Note:
Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.
Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value were left empty, then reconciliation would not be performed.
Note:
TheCodeKeyLTrimStr
and CodeKeyRTrimStr
attributes control the value that becomes the code key of the lookup definition. The description of the value is the cn
of the master value.For lookup reconciliation for groups in Oracle Identity Manager:
Perform Steps 1 through 4 of the procedure to configure scheduled tasks. These steps are described earlier in this section.
Select OID Group Lookup Reconciliation Task.
Ensure that the Disabled and Stop Execution check boxes are not selected.
Provide values for the attributes of the scheduled task. For example:
ObjectClass:
groupOfUniqueNames
LookupCodeName:
Lookup.OID.UserGroup
SearchContext
: cn=Groups,dc=bmphktf120,dc=com
For lookup reconciliation for roles in Oracle Identity Manager:
Perform steps 1 through 4 of the procedure to configure scheduled tasks. These steps are described earlier in this section.
Select OID Group Lookup Reconciliation Task.
Ensure that the Disabled and Stop Execution check boxes are not selected.
Provide values for the attributes of the scheduled task. For example:
ObjectClass:
customOrganizationalRole
LookupCodeName:
Lookup.OID.UserRole
SearchContext
: cn=Roles,dc=bmphktf120,dc=com
After you perform the steps required to configure the lookup fields reconciliation scheduled task, proceed to Step 10 of the procedure to create scheduled tasks.
You must specify values for the following attributes of the OID User Recon
scheduled task.
Note:
Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.
Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value were left empty, then reconciliation would not be performed.
After you specify values for these scheduled task attributes, proceed to Step 10 of the procedure to create scheduled tasks.
As mentioned earlier in this guide, provisioning involves creating or modifying a user's account information on the target system through Oracle Identity Manager. Refer to the "Supported Functionality" section for a listing of the provisioning functions that are available with this connector.
Note:
You must perform the procedure described in this section if you want to use the provisioning features of the connector.Adapters are used to implement provisioning functions. The following adapters are imported into Oracle Identity Manager when you import the connector XML file:
See Also:
The "Supported Functionality" section for a listing of the provisioning functions that are available with this connectorOID Create User
OID Delete User
OID Modify User
OID Move User
OID Add User to Group
OID Remove User from Group
OID Add User to Role
OID Remove User from Role
OID Prepop String
Update OID Role Details
Update OID Group Details
OID Delete Group
OID Create Group
Chk Process Parent Org
OID Create OU
OID Create Role
OID Delete Role
OID Move OU
OID Change Org Name
OID Delete OU
You must compile these adapters before they can be used in provisioning operations.
To compile adapters by using the Adapter Manager form:
Open the Adapter Manager form.
To compile all the adapters that you import into the current database, select Compile All.
To compile multiple (but not all) adapters, select the adapters you want to compile. Then, select Compile Selected.
Note:
Click Compile Previously Failed to recompile only those adapters that were not compiled successfully. Such adapters do not have anOK
compilation status.Click Start. Oracle Identity Manager compiles the selected adapters.
If Oracle Identity Manager is installed in a clustered environment, then copy the compiled adapters from the OIM_home
/xellerate/Adapter
directory to the same directory on each of the other nodes of the cluster. If required, overwrite the adapter files on the other nodes.
If you want to compile one adapter at a time, then use the Adapter Factory form.
See Also:
Oracle Identity Manager Tools Reference Guide for information about using the Adapter Factory and Adapter Manager formsTo view detailed information about an adapter:
Highlight the adapter in the Adapter Manager form.
Double-click the row header of the adapter, or right-click the adapter.
Select Launch Adapter from the shortcut menu that is displayed. Details of the adapter are displayed.
The ldapUserObjectClassSecondary
field is one of the fields defined in the AttrName.Prov.Map.OID
lookup definition.
By default, this field contains a value that you can change to the name of your object class. If required, you can modify the ldapUserObjectClassSecondary
field and add a second object class with a vertical bar (|) separating the two object classes. The following is a sample value that can be assigned to the ldapUserObjectClassSecondary
field:
objclass1|objClass2
You must ensure that the attributes in the new object class are optional, and not mandatory, attributes.
Note:
You cannot add more than two object classes in theldapUserObjectClassSecondary
field.Note:
This section describes an optional procedure. You need not perform this procedure if you do not want to enable provisioning of users in organizations.In the AttrName.Prov.Map.OID
lookup definition, the following are default settings for enabling provisioning of users in organizational units:
ldapOrgDNPrefix=ou
ldapOrgUnitObjectClass=OrganizationalUnit
If you want to enable the provisioning of users in organizations, then change these settings as follows:
See Also:
Oracle Identity Manager Design Console Guide for detailed information about modifying lookup definitionsldapOrgDNPrefix=o
ldapOrgUnitObjectClass=organization
See Also:
Appendix A for information about attribute mappings between Oracle Identity Manager and Oracle Internet Directory.To provision an organizational unit:
Log in to the Oracle Identity Manager Administrative and User Console.
Expand Organizations.
Click Create.
Specify a name and the type for the organization that you want to create, and then click Create Organization.
Select Resource Profile from the list.
Click Provision New Resource.
Select the organizational unit option.
Click Continue, and then click Continue again.
From the IT server lookup field, select the resource object corresponding to the required IT resource.
Click Continue, and then click Continue again on the Verification page.
To provision a group or role:
Log in to the Oracle Identity Manager Administrative and User Console.
Expand Organizations.
Click Manage.
Search for the organizational unit under which you want to provision the group or role.
Select Resource Profile from the list.
Click Provision New Resource.
On this page, the option that must select depends on what you want to create:
Select the group option if you want to create a group.
Select the role option if you want to create a group.
Click Continue, and then click Continue again on the Verification page.
Enter a name for the group or role.
From the IT server lookup field, select the IT resource.
Click Continue, and then click Continue again on the Verification page.
Note:
Perform this procedure only if you want to configure the connector for multiple installations of Oracle Internet Directory.You may want to configure the connector for multiple installations of Oracle Internet Directory. The following example illustrates this requirement:
The Tokyo, London, and New York offices of Acme Multinational Inc. have their own installations of Oracle Internet Directory. The company has recently installed Oracle Identity Manager, and they want to configure Oracle Identity Manager to link all the installations of Oracle Internet Directory.
To meet the requirement posed by such a scenario, you must configure the connector for multiple installations of Oracle Internet Directory.
To configure the connector for multiple installations of the target system:
See Also:
Oracle Identity Manager Design Console Guide for detailed instructions on performing each step of this procedureCreate and configure one resource object for each target system installation.
The Resource Objects form is in the Resource Management folder. The OID User
resource object is created when you import the connector XML file. You can use this resource object as the template for creating the remaining resource objects.
Create and configure one IT resource for each resource object.
The IT Resources form is in the Resource Management folder. The OID Server
IT resource is created when you import the connector XML file. You can use this IT resource as the template for creating the remaining IT resources, of the same resource type.
Design one process form for each resource object.
The Form Designer form is in the Development Tools folder. The following process forms are created when you import the connector XML file:
UD_OID_USR
(main form)
UD_OID_ROLE
(child form for multivalue attributes)
UD_OID_GRP
(child form for multivalue attributes)
You can use these process forms as templates for creating the remaining process forms.
Create and configure one process definition for each resource object.
The Process Definition form is in the Process Management folder. The OID User
process definition is created when you import the connector XML file. You can use this process definition as the template for creating the remaining process definitions.
While creating process definitions for each target system installation, the following steps that you must perform are specific to the creation of each process definition:
From the Object Name lookup field, select the resource object that you create in Step 1.
From the Table Name lookup field, select the process form that you create in Step 3.
While mapping the adapter variables for the IT Resource data type, ensure that you select the IT resource that you create in Step 2 from the Qualifier list.
Configure reconciliation for each target system installation. Refer to the "Configuring Reconciliation" section for instructions. Note that only the values of the following attributes are to be changed for each reconciliation scheduled task:
ITResourceName
ResourceObjectName
IsTrusted
Set the IsTrusted
attribute to True
for the Oracle Internet Directory installation that you want to designate as a trusted source.
If required, modify the fields to be reconciled for the Xellerate User resource object.
When you use the Administrative and User Console to perform provisioning, you can specify the IT resource corresponding to the Oracle Internet Directory installation to which you want to provision the user.
Note:
The procedure described in this section is not part of the deployment procedure. You must perform this procedure only if you want to customize the mapping between the user ID fields of Oracle Internet Directory and Oracle Identity Manager.While creating a user account on Oracle Internet Directory through Oracle Identity Manager, the user ID that you specify is assigned to the cn
field of Oracle Internet Directory. If required, you can customize the mapping so that the user ID is assigned to the uid
field of Oracle Internet Directory.
See Also:
Oracle Identity Manager Design Console Guide for information about modifying lookup definitionsIn the Design Console, open the AttrName.Prov.Map.OID
lookup definition.
Change the decode value of the ldapUserDNPrefix
code key to uid
.
Save the changes.
Now, when you create a user account on Oracle Internet Directory through Oracle Identity Manager, the user ID assigned in Oracle Identity Manager will be assigned to the uid
field of Oracle Internet Directory.