3 Configuring the Connector

After you deploy the connector, you must configure it to meet your requirements. This chapter discusses the following connector configuration procedures:

Note:

These sections provide both conceptual and procedural information about configuring the connector. It is recommended that you read the conceptual information before you perform the procedures.

Configuring Reconciliation
Configuring Provisioning
Configuring the Connector for Multiple Installations of the Target System
Configuring the Mapping of the User ID Field

Configuring Reconciliation

As mentioned earlier in this guide, reconciliation involves duplicating in Oracle Identity Manager additions of and modifications to user accounts on the target system. This section discusses the following topics related to configuring reconciliation:

Partial Reconciliation
Configuring Trusted Source Reconciliation
Configuring the Reconciliation Scheduled Tasks

Partial Reconciliation

By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run. You can customize this process by specifying the subset of added or modified target system records that must be reconciled. You do this by creating filters for the reconciliation module.

For this connector, you create a filter by specifying values for the CustomizedReconQuery IT resource parameter while performing the procedure described in the "Defining IT Resources" section.

The following table lists the Oracle Internet Directory attributes, and the corresponding Oracle Identity Manager attributes, that you can use to build the query condition. You specify this query condition as the value of the CustomizedReconQuery parameter.

Oracle Internet Directory Attribute	Oracle Identity Manager Attribute
cn	User Id
givenname	First Name
sn	Last Name
mail	Email
middleName	Middle Name
departmentNumber	Department
l	Location
title	Title

The following are sample query conditions:

givenname=John&sn=Doe

With this query condition, records of users whose first name is John and last name is Doe are reconciled.
givenname=John|departmentNumber=23

With this query condition, records of users who meet either of the following conditions are reconciled:
- The user's first name is John.
- The user belongs to the departmentNumber 23.

If you do not specify values for the CustomizedReconQuery parameter, then all the records in the target system are compared with existing Oracle Identity Manager records during reconciliation.

The following are guidelines to be followed while specifying a value for the CustomizedReconQuery parameter:

For the Oracle Internet Directory attributes, you must use the same case (uppercase or lowercase) as given in the table shown earlier in this section. This is because the attribute names are case-sensitive.
You must not include unnecessary blank spaces between operators and values in the query condition.

A query condition with spaces separating values and operators would yield different results as compared to a query condition that does not contain spaces between values and operators. For example, the output of the following query conditions would be different:

givenname=John&sn=Doe

givenname= John&sn= Doe

In the second query condition, the reconciliation engine would look for first name and last name values that contain a space at the start.
You must not include special characters other than the equal sign (=), ampersand (&), and vertical bar (|) in the query condition.

Note:
An exception is thrown if you include special characters other than the equal sign (=), ampersand (&), and vertical bar (|).

You specify a value for the CustomizedReconQuery parameter while performing the procedure described in the "Defining IT Resources" section.

Configuring Trusted Source Reconciliation

While configuring the connector, the target system can be designated as a trusted source or target resource. If you designate the target system as a trusted source, then both newly created and modified user accounts are reconciled in Oracle Identity Manager. If you designate the target system as a target resource, then only modified user accounts are reconciled in Oracle Identity Manager.

Note:

You can skip this section if you do not want to designate the target system as a trusted source for reconciliation.

Configuring trusted source reconciliation involves the following steps:

Import the XML file for trusted source reconciliation, oimUser.xml, by using the Deployment Manager. This section describes the procedure to import the XML file.

Note:
Only one target system can be designated as a trusted source. If you import the oimUser.xml file while you have another trusted source configured, then both connector reconciliations would stop working.
Set the IsTrusted scheduled task attribute to True. You specify a value for this attribute while configuring the user reconciliation scheduled task, which is described later in this guide.

To import the XML file for trusted source reconciliation:

Open the Oracle Identity Manager Administrative and User Console.
Click the Deployment Management link on the left navigation bar.
Click the Import link under Deployment Management. A dialog box for locating files is displayed.
Locate and open the oimUser.xml file, which is in the OIM_home/xellerate/OID/xml directory. Details of this XML file are shown on the File Preview page.
Click Add File. The Substitutions page is displayed.
Click Next. The Confirmation page is displayed.
Click Import.
In the message that is displayed, click Import to confirm that you want to import the XML file and then click OK.

After you import the XML file for trusted source reconciliation, you must set the value of the IsTrusted reconciliation scheduled task attribute to True. This procedure is described in the "Configuring the Reconciliation Scheduled Tasks" section.

Configuring the Reconciliation Scheduled Tasks

When you perform the procedure described in the "Step 5: Importing the Connector XML File" section, the scheduled tasks for lookup fields and user reconciliations are automatically created in Oracle Identity Manager. To configure these scheduled tasks:

Open the Oracle Identity Manager Design Console .
Expand the Xellerate Administration folder.
Select Task Scheduler.
Click Find. The details of the predefined scheduled tasks are displayed on two different tabs.
For the first scheduled task, enter a number in the Max Retries field. This number represents the number of times Oracle Identity Manager must attempt to complete the task before assigning the ERROR status to the task.
Ensure that the Disabled and Stop Execution check boxes are not selected.
In the Start region, double-click the Start Time field. From the date-time editor that is displayed, select the date and time at which you want the task to run.
In the Interval region, set the following schedule parameters:
- To set the task to run on a recurring basis, select the Daily, Weekly, Recurring Intervals, Monthly, or Yearly option.
  
  If you select the Recurring Intervals option, then you must also specify the time interval at which you want the task to run on a recurring basis.
- To set the task to run only once, select the Once option.
Provide values for the attributes of the scheduled task. Refer to the "Specifying Values for the Scheduled Task Attributes" section for information about the values to be specified.

See Also:
Oracle Identity Manager Design Console Guide for information about adding and removing task attributes
Click Save. The scheduled task is created. The INACTIVE status is displayed in the Status field, because the task is not currently running. The task is run at the date and time that you set in Step 7.
Repeat Steps 5 through 10 to create the second scheduled task.

After you configure both scheduled tasks, proceed to the "Configuring Provisioning" section.

Specifying Values for the Scheduled Task Attributes

This section provides information about the attribute values to be specified for the following scheduled tasks:

Lookup Fields Reconciliation Scheduled Task
User Reconciliation Scheduled Task

Lookup Fields Reconciliation Scheduled Task

You must specify values for the following attributes of the OID Group Lookup Reconciliation Task reconciliation scheduled task.

Note:

Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.
Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value were left empty, then reconciliation would not be performed.

Attribute	Description	Default/Sample Value
`LookupCodeName`	Name of the lookup definition to which the master values are to be reconciled	The value can be any one of the following: For groups lookup reconciliation: `Lookup.OID.UserGroup` For roles lookup reconciliation: `Lookup.OID.UserRole` For organization and organizational unit lookup reconciliation: `Lookup.OID.Organization`
`ITResourceName`	Name of the IT resource for setting up the connection to Oracle Internet Directory	`OID Server`
`SearchContext`	Search context to be used for searching the master values	The following are sample values: `DC=mycompany,DC=com` `cn=Groups,dc=bmphktf120,dc=com` `cn=Roles,dc=bmphktf120,dc=com`
`ObjectClass`	Object class name of the master value for which lookup fields reconciliation is being performed	The value can be any one of the following: For groups lookup reconciliation: `groupOfUniqueNames` For roles lookup reconciliation: `customOrganizationalRole` For organization lookup reconciliation: `Organization` For organizational unit lookup reconciliation: `OrganizationalUnit`
`CodeKeyLTrimStr`	String value for left-trimming the value obtained from the search If there is nothing to be trimmed, then specify the value `[NONE].`	`cn=`
`CodeKeyRTrimStr`	String value for right-trimming the value obtained from the search If there is nothing to be trimmed, then specify the value `[NONE].`	`,DC=mycompany,DC=com`
`ReconMode`	Specify `REFRESH` to completely refresh the existing lookup. Specify `UPDATE` to update the lookup with new values.	`REFRESH` or `UPDATE`

Note:

The CodeKeyLTrimStr and CodeKeyRTrimStr attributes control the value that becomes the code key of the lookup definition. The description of the value is the cn of the master value.

For lookup reconciliation for groups in Oracle Identity Manager:

Perform Steps 1 through 4 of the procedure to configure scheduled tasks. These steps are described earlier in this section.
Select OID Group Lookup Reconciliation Task.
Ensure that the Disabled and Stop Execution check boxes are not selected.
Provide values for the attributes of the scheduled task. For example:
- ObjectClass: groupOfUniqueNames
- LookupCodeName: Lookup.OID.UserGroup
- SearchContext: cn=Groups,dc=bmphktf120,dc=com

For lookup reconciliation for roles in Oracle Identity Manager:

Perform steps 1 through 4 of the procedure to configure scheduled tasks. These steps are described earlier in this section.
Select OID Group Lookup Reconciliation Task.
Ensure that the Disabled and Stop Execution check boxes are not selected.
Provide values for the attributes of the scheduled task. For example:
- ObjectClass: customOrganizationalRole
- LookupCodeName: Lookup.OID.UserRole
- SearchContext: cn=Roles,dc=bmphktf120,dc=com

After you perform the steps required to configure the lookup fields reconciliation scheduled task, proceed to Step 10 of the procedure to create scheduled tasks.

User Reconciliation Scheduled Task

You must specify values for the following attributes of the OID User Recon scheduled task.

Note:

Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.
Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value were left empty, then reconciliation would not be performed.

Attribute	Description	Default/Sample Value
`ITResourceName`	Name of the IT resource for setting up a connection to Oracle Internet Directory	`OID Server`
`ResourceObjectName`	Name of the resource object into which users are to be reconciled	`OID User`
`XLDeleteUsersAllowed`	If this attribute is set to `true,` then the Delete reconciliation event is started when the scheduled task is run. Users who are deleted from the target system are removed from Oracle Identity Manager. This requires all the users on the target system to be compared with all the users in Oracle Identity Manager. Note: This process affects performance.	`true` or `false`
`UserContainer`	DN value from where the users are reconciled from the target system to Oracle Identity Manager	cn=users,dc=hostname,dc=com Here, `users` is the name of the user container and `hostname` is the host name under which the `oracle` context is created.
`Keystore`	Directory path to the Oracle Internet Directory keystore This is required to set up an SSL connection. Specify `[NONE]` for a non-SSL connection.	`C:\j2sdk1.4.2_09\jre\lib\security\cacerts` or `[NONE]`
`IsTrusted`	Specifies whether or not reconciliation is to be performed in trusted mode	`True` or `False`
`Organization`	Default organization of the Xellerate User	`Xellerate Users`
`Xellerate Type`	Default xellerate type for the Xellerate User This is a configurable value.	`End-User Administrator`
`Role`	Default role for the Xellerate User	`Consultant`

After you specify values for these scheduled task attributes, proceed to Step 10 of the procedure to create scheduled tasks.

Configuring Provisioning

As mentioned earlier in this guide, provisioning involves creating or modifying a user's account information on the target system through Oracle Identity Manager. Refer to the "Supported Functionality" section for a listing of the provisioning functions that are available with this connector.

Compiling Adapters
Enabling Provisioning of Users in Organizations and Organizational Units

Compiling Adapters

Note:

You must perform the procedure described in this section if you want to use the provisioning features of the connector.

Adapters are used to implement provisioning functions. The following adapters are imported into Oracle Identity Manager when you import the connector XML file:

See Also:

The "Supported Functionality" section for a listing of the provisioning functions that are available with this connector

OID Create User
OID Delete User
OID Modify User
OID Move User
OID Add User to Group
OID Remove User from Group
OID Add User to Role
OID Remove User from Role
OID Prepop String
Update OID Role Details
Update OID Group Details
OID Delete Group
OID Create Group
Chk Process Parent Org
OID Create OU
OID Create Role
OID Delete Role
OID Move OU
OID Change Org Name
OID Delete OU

You must compile these adapters before they can be used in provisioning operations.

To compile adapters by using the Adapter Manager form:

Open the Adapter Manager form.
To compile all the adapters that you import into the current database, select Compile All.

To compile multiple (but not all) adapters, select the adapters you want to compile. Then, select Compile Selected.

Note:
Click Compile Previously Failed to recompile only those adapters that were not compiled successfully. Such adapters do not have an OK compilation status.
Click Start. Oracle Identity Manager compiles the selected adapters.
If Oracle Identity Manager is installed in a clustered environment, then copy the compiled adapters from the OIM_home/xellerate/Adapter directory to the same directory on each of the other nodes of the cluster. If required, overwrite the adapter files on the other nodes.

If you want to compile one adapter at a time, then use the Adapter Factory form.

See Also:

Oracle Identity Manager Tools Reference Guide for information about using the Adapter Factory and Adapter Manager forms

To view detailed information about an adapter:

Highlight the adapter in the Adapter Manager form.
Double-click the row header of the adapter, or right-click the adapter.
Select Launch Adapter from the shortcut menu that is displayed. Details of the adapter are displayed.

Adding Object Classes for Provisioning

The ldapUserObjectClassSecondary field is one of the fields defined in the AttrName.Prov.Map.OID lookup definition.

By default, this field contains a value that you can change to the name of your object class. If required, you can modify the ldapUserObjectClassSecondary field and add a second object class with a vertical bar (|) separating the two object classes. The following is a sample value that can be assigned to the ldapUserObjectClassSecondary field:

objclass1|objClass2

You must ensure that the attributes in the new object class are optional, and not mandatory, attributes.

Note:

You cannot add more than two object classes in the ldapUserObjectClassSecondary field.

Enabling Provisioning of Users in Organizations and Organizational Units

Note:

This section describes an optional procedure. You need not perform this procedure if you do not want to enable provisioning of users in organizations.

In the AttrName.Prov.Map.OID lookup definition, the following are default settings for enabling provisioning of users in organizational units:

ldapOrgDNPrefix=ou
ldapOrgUnitObjectClass=OrganizationalUnit

If you want to enable the provisioning of users in organizations, then change these settings as follows:

See Also:

Oracle Identity Manager Design Console Guide for detailed information about modifying lookup definitions

ldapOrgDNPrefix=o
ldapOrgUnitObjectClass=organization

See Also:

Appendix A for information about attribute mappings between Oracle Identity Manager and Oracle Internet Directory.

Provisioning Organizational Units, Groups, and Roles

To provision an organizational unit:

Log in to the Oracle Identity Manager Administrative and User Console.
Expand Organizations.
Click Create.
Specify a name and the type for the organization that you want to create, and then click Create Organization.
Select Resource Profile from the list.
Click Provision New Resource.
Select the organizational unit option.
Click Continue, and then click Continue again.
From the IT server lookup field, select the resource object corresponding to the required IT resource.
Click Continue, and then click Continue again on the Verification page.

To provision a group or role:

Log in to the Oracle Identity Manager Administrative and User Console.
Expand Organizations.
Click Manage.
Search for the organizational unit under which you want to provision the group or role.
Select Resource Profile from the list.
Click Provision New Resource.
On this page, the option that must select depends on what you want to create:
- Select the group option if you want to create a group.
- Select the role option if you want to create a group.
Click Continue, and then click Continue again on the Verification page.
Enter a name for the group or role.
From the IT server lookup field, select the IT resource.
Click Continue, and then click Continue again on the Verification page.

Configuring the Connector for Multiple Installations of the Target System

Note:

Perform this procedure only if you want to configure the connector for multiple installations of Oracle Internet Directory.

You may want to configure the connector for multiple installations of Oracle Internet Directory. The following example illustrates this requirement:

The Tokyo, London, and New York offices of Acme Multinational Inc. have their own installations of Oracle Internet Directory. The company has recently installed Oracle Identity Manager, and they want to configure Oracle Identity Manager to link all the installations of Oracle Internet Directory.

To meet the requirement posed by such a scenario, you must configure the connector for multiple installations of Oracle Internet Directory.

To configure the connector for multiple installations of the target system:

See Also:

Oracle Identity Manager Design Console Guide for detailed instructions on performing each step of this procedure

Create and configure one resource object for each target system installation.

The Resource Objects form is in the Resource Management folder. The OID User resource object is created when you import the connector XML file. You can use this resource object as the template for creating the remaining resource objects.
Create and configure one IT resource for each resource object.

The IT Resources form is in the Resource Management folder. The OID Server IT resource is created when you import the connector XML file. You can use this IT resource as the template for creating the remaining IT resources, of the same resource type.
Design one process form for each resource object.

The Form Designer form is in the Development Tools folder. The following process forms are created when you import the connector XML file:
- UD_OID_USR (main form)
- UD_OID_ROLE (child form for multivalue attributes)
- UD_OID_GRP (child form for multivalue attributes)
You can use these process forms as templates for creating the remaining process forms.
Create and configure one process definition for each resource object.

The Process Definition form is in the Process Management folder. The OID User process definition is created when you import the connector XML file. You can use this process definition as the template for creating the remaining process definitions.

While creating process definitions for each target system installation, the following steps that you must perform are specific to the creation of each process definition:
- From the Object Name lookup field, select the resource object that you create in Step 1.
- From the Table Name lookup field, select the process form that you create in Step 3.
- While mapping the adapter variables for the IT Resource data type, ensure that you select the IT resource that you create in Step 2 from the Qualifier list.
Configure reconciliation for each target system installation. Refer to the "Configuring Reconciliation" section for instructions. Note that only the values of the following attributes are to be changed for each reconciliation scheduled task:
- ITResourceName
- ResourceObjectName
- IsTrusted
Set the IsTrusted attribute to True for the Oracle Internet Directory installation that you want to designate as a trusted source.
If required, modify the fields to be reconciled for the Xellerate User resource object.

When you use the Administrative and User Console to perform provisioning, you can specify the IT resource corresponding to the Oracle Internet Directory installation to which you want to provision the user.

Configuring the Mapping of the User ID Field

Note:

The procedure described in this section is not part of the deployment procedure. You must perform this procedure only if you want to customize the mapping between the user ID fields of Oracle Internet Directory and Oracle Identity Manager.

While creating a user account on Oracle Internet Directory through Oracle Identity Manager, the user ID that you specify is assigned to the cn field of Oracle Internet Directory. If required, you can customize the mapping so that the user ID is assigned to the uid field of Oracle Internet Directory.

See Also:

Oracle Identity Manager Design Console Guide for information about modifying lookup definitions

In the Design Console, open the AttrName.Prov.Map.OID lookup definition.
Change the decode value of the ldapUserDNPrefix code key to uid.
Save the changes.

Now, when you create a user account on Oracle Internet Directory through Oracle Identity Manager, the user ID assigned in Oracle Identity Manager will be assigned to the uid field of Oracle Internet Directory.