Oracle Identity Manager automates access rights management, security, and provisioning of IT resources. Oracle Identity Manager connectors are used to integrate Oracle Identity Manager with external, identity-aware applications. This guide discusses the connector that enables you to use Novell eDirectory either as a managed (target) resource or as an authoritative (trusted) source of identity data for Oracle Identity Manager.
Note:
At some places in this guide, Novell eDirectory has been referred to as the target system.

In the account management (target resource) mode of the connector, information about users created or modified directly on the target system can be reconciled into Oracle Identity Manager. In addition, you can use Oracle Identity Manager to perform provisioning operations on the target system.
In the identity reconciliation (trusted source) configuration of the connector, users are created or modified only on the target system and information about these users is reconciled into Oracle Identity Manager.
Note:
It is recommended that you do not configure the target system as both an authoritative (trusted) source and a managed (target) resource.

This chapter contains the following sections:
Section 1.5, "Lookup Definitions Used During Reconciliation and Provisioning"
Section 1.6, "Connector Objects Used During Target Resource Reconciliation and Provisioning"
Section 1.7, "Connector Objects Used During Trusted Source Reconciliation"
Section 1.8, "Roadmap for Deploying and Using the Connector"
Table 1-1 lists the certified components for this connector.
Table 1-1 Certified Components
Item | Requirement |
---|---|
Oracle Identity Manager | You can use one of the following releases of Oracle Identity Manager: |
Target system | Novell eDirectory 8.7.3 and 8.8 |
Target system user account | Novell eDirectory user account to which the Supervisor right has been assigned. You provide the credentials of this user account while configuring the IT resource. The procedure is described later in this guide. Because this account holds the Supervisor right, treat its credentials as privileged and restrict who can read the IT resource in which they are stored. If this target system user account is not assigned the specified rights, then the following error message may be displayed during connector operations: |
JDK | The JDK version can be one of the following: |
This release of the connector supports the following languages:
Arabic
Chinese Simplified
Chinese Traditional
Danish
English
French
German
Italian
Japanese
Korean
Portuguese (Brazilian)
Spanish
See Also:
For information about supported special characters:

For Oracle Identity Manager release 9.0.1 through 9.0.3.2 and release 9.1.0.x, see Oracle Identity Manager Globalization Guide.
For Oracle Identity Manager release 11.1.x, see Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
Figure 1-1 shows the connector integrating Novell eDirectory with Oracle Identity Manager.
Novell eDirectory is configured as a target resource of Oracle Identity Manager. Through provisioning operations performed on Oracle Identity Manager, accounts are created and updated on the target system for OIM Users. Through reconciliation, account data that is created and updated on the target system is fetched into Oracle Identity Manager and stored against the corresponding OIM Users.
During provisioning, adapters carry provisioning data submitted through the process form to the target system. APIs on the target system accept provisioning data from the adapters, carry out the required operation on the target system, and return the response from the target system to the adapters. The adapters return the response to Oracle Identity Manager.
During reconciliation, a scheduled task establishes a connection with the target system and sends reconciliation criteria to the APIs. The APIs extract user records that match the reconciliation criteria and hand them over to the scheduled task, which brings the records to Oracle Identity Manager.
Each record fetched from the target system is compared with Novell eDirectory resources that are already provisioned to OIM Users. If a match is found, then the update made to the record on the target system is copied to the Novell eDirectory resource in Oracle Identity Manager. If no match is found, then the user ID of the record is compared with the user ID of each OIM User. If a match is found, then data in the target system record is used to provision a Novell eDirectory resource to the OIM User.
Section 1.4.1, "Support for Both Target Resource and Trusted Source Reconciliation"
Section 1.4.5, "Support for Reconciliation of Deleted User Records"
Section 1.4.6, "Support for Both Full and Incremental Reconciliation"
Section 1.4.8, "Support for Transformation of Data During Reconciliation"
Section 1.4.9, "Support for Reconciliation and Provisioning of Home Directories"
Section 1.4.10, "Support for High-Availability Configuration of the Target System"
You can use the connector to configure Novell eDirectory as either a target resource or trusted source of Oracle Identity Manager.
See Section 3.3, "Configuring Reconciliation" for more information.
You can set a reconciliation filter as the value of the SearchFilter attribute of the scheduled tasks. This filter specifies the subset of newly added and modified target system records that must be reconciled.
See Section 3.3.2, "Limited Reconciliation" for more information.
You can break down a reconciliation run into batches by specifying the number of records that must be included in each batch.
See Section 3.3.3, "Batched Reconciliation" for more information.
Paged reconciliation is the reconciliation of a specified set of target system records at a time, within a reconciliation run. Multiple pages of records are fetched to complete the reconciliation run. This feature helps reduce memory issues that might arise when there are a large number of records to be reconciled.
Note:
Only Novell eDirectory 8.8 and later versions support paged reconciliation.

Paged reconciliation is implemented using the PageSize entry in the Lookup.EDIR.Configuration lookup definition.
See Section 2.3.7.1, "Setting Up the Lookup.EDIR.Configuration Lookup Definition" for information about this lookup definition.
You can configure scheduled tasks for reconciliation of deleted user records. In target resource mode, if a record is deleted on the target system, then the corresponding Novell eDirectory resource is revoked from the OIM User. In trusted source mode, if a record is deleted on the target system, then the corresponding OIM User is deleted.
The scheduled tasks for reconciliation of deleted user records are described in Section 3.3.4, "Reconciliation Scheduled Tasks."
After you deploy the connector, you can perform full reconciliation to bring all existing user data from the target system to Oracle Identity Manager. After the first full reconciliation run, change-based or incremental reconciliation is automatically enabled from the next run of the user reconciliation.
You can perform a full reconciliation run at any time.
See Section 3.3.1, "Full Reconciliation vs. Incremental Reconciliation" for more information.
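The following added example (written for this page, not the connector's own code) shows how the four reconciliation controls described above compose into a single LDAP search: the SearchFilter attribute narrows the run, a timestamp clause turns a full run into an incremental one, PageSize drives the server-side paged results control, and the batch size splits the fetched records for Oracle Identity Manager. The user object class, the use of modifyTimestamp for change detection, and the sample entries are assumptions; the page does not state how the connector detects changes.

```python
from datetime import datetime, timedelta, timezone
from typing import Iterator, List, Optional

BASE_FILTER = "(objectClass=inetOrgPerson)"  # assumed object class of eDirectory users


def generalized_time(when: datetime) -> str:
    """Render a timezone-aware datetime as LDAP Generalized Time in UTC
    (YYYYMMDDHHMMSSZ). Naive datetimes are rejected: a local-time stamp
    compared against the server's UTC modifyTimestamp silently skips or
    re-reads the records that fall inside the offset."""
    if when.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware")
    return when.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def build_recon_filter(search_filter: Optional[str], last_run: Optional[datetime]) -> str:
    """Compose the LDAP filter for one reconciliation run.

    search_filter  the SearchFilter attribute of the scheduled task (limited
                   reconciliation); None reconciles every record.
    last_run       end of the previous successful run (incremental
                   reconciliation); None performs a full run.
    The modifyTimestamp clause is this example's assumption (see lead-in)."""
    clauses = [BASE_FILTER]
    if last_run is not None:
        clauses.append(f"(modifyTimestamp>={generalized_time(last_run)})")
    if search_filter:
        sf = search_filter.strip()
        # Cheap sanity check before the value reaches the directory: an
        # unparenthesised or unbalanced SearchFilter would make the whole
        # conjunction invalid and the run would fail instead of quietly
        # reconciling too much or too little.
        if not (sf.startswith("(") and sf.endswith(")")) or sf.count("(") != sf.count(")"):
            raise ValueError(f"SearchFilter is not a well-formed LDAP filter: {search_filter!r}")
        clauses.append(sf)
    return clauses[0] if len(clauses) == 1 else "(&" + "".join(clauses) + ")"


def paged_results(entries: List[dict], page_size: int) -> Iterator[List[dict]]:
    """Emulate the simple paged results control (RFC 2696) that PageSize
    drives: every round trip returns at most page_size entries plus a cookie,
    and the client keeps asking until the server returns an empty cookie.
    Only eDirectory 8.8 and later honour this control."""
    if page_size <= 0:
        raise ValueError("PageSize must be positive")
    cookie = 0  # a real server returns an opaque cookie; an offset stands in for it
    while True:
        page = entries[cookie:cookie + page_size]
        cookie = cookie + page_size if cookie + page_size < len(entries) else 0
        yield page
        if cookie == 0:
            return


def batches(records: List[dict], batch_size: int) -> List[List[dict]]:
    """Batched reconciliation: split the records fetched in a run into
    fixed-size batches handed to Oracle Identity Manager one at a time."""
    if batch_size <= 0:
        raise ValueError("batch size must be positive")
    return [records[i:i + batch_size] for i in range(0, len(records), batch_size)]


# Constructed sample entries (not from a real directory).
SAMPLE_ENTRIES = [{"cn": f"user{i:02d}", "guid": f"guid-{i:02d}"} for i in range(7)]


def example_run() -> dict:
    """Exercise the pieces together on the constructed sample data."""
    ist = timezone(timedelta(hours=5, minutes=30))
    return {
        "full": build_recon_filter("(ou=Sales)", None),
        "incremental": build_recon_filter("(ou=Sales)", datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc)),
        # the same instant expressed in IST renders to the same UTC stamp
        "incremental_ist": build_recon_filter("(ou=Sales)", datetime(2024, 1, 2, 8, 34, 5, tzinfo=ist)),
        "pages": [len(p) for p in paged_results(SAMPLE_ENTRIES, 3)],
        "batches": [len(b) for b in batches(SAMPLE_ENTRIES, 4)],
    }
```

The first full run passes last_run=None and therefore no timestamp clause; every later run adds one, which is the mechanical meaning of "incremental reconciliation is automatically enabled from the next run".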
If you want to add to the standard set of single-valued and multivalued attributes for reconciliation and provisioning, then perform the procedures described in Chapter 4, "Extending the Functionality of the Connector".
You can configure transformation of data during reconciliation. For example, you can automate the look up of the field name from an external system and set the value based on the field name.
See Section 4.10, "Configuring Transformation of Data During Reconciliation" for more information.
From this release onward, the connector supports reconciliation and provisioning of Home directories for users. The procedure to enable and use this feature is optional. This feature makes use of the transformation feature.
See Section 4.9, "Linking the Home Directory Provisioning Operation with the Create User Provisioning Operation" for more information.
The connector can be configured to work with high-availability target system environments. If the primary installation becomes unavailable, then the connector reads information about backup target system installations from the Lookup.EDIR.BackupServers lookup definition and uses this information to switch to a backup target system installation. The timeout interval stored in the LDAPConnectTimeOut entry of the Lookup.EDIR.Configuration lookup definition is used to determine when to switch to the backup target system installation.
See Section 2.3.9, "Configuring High Availability of the Target System" for more information.
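The following added example (written for this page; it is not the connector's implementation) models the failover behaviour just described: the candidate list is the primary followed by the backups read from Lookup.EDIR.BackupServers, each connection attempt is bounded by LDAPConnectTimeOut, and the first server that answers wins. Assumptions: the lookup maps a primary "host:port" to a comma-separated list of backup "host:port" values, and LDAPConnectTimeOut is in milliseconds. The connect callable is injectable so the logic can be exercised without a directory.

```python
import socket
from typing import Callable, Dict, List, Tuple

# Constructed lookup contents; the real entries live in Oracle Identity Manager.
LOOKUP_EDIR_CONFIGURATION = {"LDAPConnectTimeOut": "3000"}  # milliseconds (assumed unit)
LOOKUP_EDIR_BACKUPSERVERS = {
    "edir1.example.com:636": "edir2.example.com:636, edir3.example.com:636",
}


def connect_timeout_seconds(config: Dict[str, str]) -> float:
    """Read LDAPConnectTimeOut and convert it to the seconds the socket API wants."""
    millis = int(config["LDAPConnectTimeOut"])
    if millis <= 0:
        raise ValueError("LDAPConnectTimeOut must be a positive number of milliseconds")
    return millis / 1000.0


def candidate_servers(primary: str, backup_lookup: Dict[str, str]) -> List[str]:
    """Primary first, then its backups in the order listed in the lookup."""
    backups = [s.strip() for s in backup_lookup.get(primary, "").split(",") if s.strip()]
    return [primary] + backups


def tcp_connect(server: str, timeout: float) -> socket.socket:
    """Default connector: a TCP connection with a connect timeout."""
    host, port = server.rsplit(":", 1)
    return socket.create_connection((host, int(port)), timeout=timeout)


def connect_with_failover(
    primary: str,
    backup_lookup: Dict[str, str],
    config: Dict[str, str],
    connect: Callable[[str, float], object] = tcp_connect,
) -> Tuple[str, object]:
    """Try each candidate in turn; return (server, connection) for the first
    one that answers within the timeout, or raise if all are down.

    Every backup receives the same Supervisor-level bind as the primary, so
    each entry in Lookup.EDIR.BackupServers must be an equally trusted
    replica reached over TLS with certificate verification; the failover
    must never widen the set of hosts that see the service credentials."""
    timeout = connect_timeout_seconds(config)
    failures = []
    for server in candidate_servers(primary, backup_lookup):
        try:
            return server, connect(server, timeout)
        except OSError as exc:  # socket.timeout and connection errors are OSError subclasses
            failures.append(f"{server}: {exc}")
    raise ConnectionError("no eDirectory server reachable: " + "; ".join(failures))
```

A cold primary costs one full LDAPConnectTimeOut before the switch, so the value is a trade-off between tolerating slow networks and the latency of every reconciliation run while the primary is down.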
Lookup definitions used during connector operations can be divided into the following categories:
The following lookup definitions are populated with values fetched from the target system by the scheduled tasks for lookup field synchronization:
See Also:
Section 3.2, "Lookup Field Synchronization" for information about these scheduled tasks

For organizations and organization units: Lookup.EDIR.Organization
For groups: Lookup.EDIR.UserGroup
For roles: Lookup.EDIR.AssignedRole
For domain scopes: Lookup.EDIR.DomainScope
For profiles: Lookup.EDIR.Profile
Table 1-2 describes the other lookup definitions that are created in Oracle Identity Manager when you deploy the connector. These lookup definitions are either prepopulated with values or values must be manually entered in them after the connector is deployed.
Table 1-2 Other Lookup Definitions
Lookup Definition | Description of Values | Method to Specify Values for the Lookup Definition |
---|---|---|
Lookup.EDIR.Configuration | This lookup definition holds connector configuration entries that are used during reconciliation and provisioning. | Some of the entries in this lookup definition are preconfigured. See Section 2.3.7.1, "Setting Up the Lookup.EDIR.Configuration Lookup Definition" for information about the entries for which you can set values. |
Lookup.EDIR.Constants | This lookup definition stores values that are used internally by the connector. The connector development team can use this lookup definition to make minor configuration changes in the connector. | You must not modify the entries in this lookup definition. |
Lookup.EDIR.Transformation | This lookup definition is used to configure transformation of attribute values fetched from the target system during reconciliation. | It is optional to enter values in this lookup definition. Section 4.10, "Configuring Transformation of Data During Reconciliation" provides information about this lookup definition. |
AttrName.Recon.Map.EDIR | This lookup definition holds mappings between the eDirectory User resource object fields and target system attributes. | This lookup definition is preconfigured. Table 1-3 lists the default entries in this lookup definition. You can add entries in this lookup definition if you want to map new target system attributes for user reconciliation. Chapter 4, "Extending the Functionality of the Connector" provides more information. |
AttrName.Prov.Map.EDIR | This lookup definition holds mappings between eDirectory User process form fields and target system attributes. | This lookup definition is preconfigured. Table 1-3 lists the default entries in this lookup definition. You can add entries in this lookup definition if you want to map new target system attributes for user provisioning. Chapter 4, "Extending the Functionality of the Connector" provides more information. |
AttrName.ReconGroup.Map.EDIR | This lookup definition holds mappings between eDirectory Group resource object fields and target system attributes. | This lookup definition is preconfigured. Table 1-6 lists the default entries in this lookup definition. You can add entries in this lookup definition if you want to map new target system attributes for group reconciliation. Chapter 4, "Extending the Functionality of the Connector" provides more information. |
AttrName.ProvGroup.EDIR.Map | This lookup definition holds mappings between eDirectory Group process form fields and target system attributes. | This lookup definition is preconfigured. Table 1-6 lists the default entries in this lookup definition. You can add entries in this lookup definition if you want to map new target system attributes for group provisioning. Chapter 4, "Extending the Functionality of the Connector" provides more information. |
AttrName.ReconRole.Map.EDIR | This lookup definition holds mappings between eDirectory Role resource object fields and target system attributes. | This lookup definition is preconfigured. Table 1-7 lists the default entries in this lookup definition. You can add entries in this lookup definition if you want to map new target system attributes for role reconciliation. Chapter 4, "Extending the Functionality of the Connector" provides more information. |
AttrName.ProvRole.EDIR.Map | This lookup definition holds mappings between eDirectory Role process form fields and target system attributes. | This lookup definition is preconfigured. Table 1-7 lists the default entries in this lookup definition. You can add entries in this lookup definition if you want to map new target system attributes for role provisioning. Chapter 4, "Extending the Functionality of the Connector" provides more information. |
Lookup.EDIR.BackupServers | This lookup definition holds mappings between primary Novell eDirectory servers and secondary Novell eDirectory servers. | It is optional to enter values in this lookup definition. Section 2.3.9, "Configuring High Availability of the Target System" provides information about this lookup definition. |
Lookup.EDIR.Volume | This lookup definition holds the names of volume objects created on the target system. Home directories that you provision are created on these volume objects. | You enter the names of the volume objects in this lookup definition. Section 2.3.7, "Setting Up Lookup Definitions in Oracle Identity Manager" provides more information. |
Lookup.EDIR.NetworkRestriction | During a provisioning operation, you use this lookup definition to specify the IP addresses of the workstations from which the user can log in. If you do not specify an IP address, then the user can log in from any workstation. | Section 2.3.7, "Setting Up Lookup Definitions in Oracle Identity Manager" provides information about creating entries in this lookup definition. |
Lookup.EDIR.CommLang | During a provisioning operation, you use this lookup definition to specify a language for the user. | Section 2.3.7, "Setting Up Lookup Definitions in Oracle Identity Manager" provides information about creating entries in this lookup definition. |
Lookup.EDIR.TrusteeProperty | During a provisioning operation, you use this lookup definition to specify trustee rights on the property for the user. | Section 2.3.7, "Setting Up Lookup Definitions in Oracle Identity Manager" provides information about creating entries in this lookup definition. |
The following sections provide information about connector objects used during target resource reconciliation and provisioning:
See Also:
The "Reconciliation" section in Oracle Identity Manager Connector Concepts for conceptual information about reconciliation

Section 1.6.1, "User Attributes for Target Resource Reconciliation and Provisioning"
Section 1.6.2, "Group Attributes for Target Resource Reconciliation and Provisioning"
Section 1.6.3, "Role Attributes for Target Resource Reconciliation and Provisioning"
Section 1.6.4, "Reconciliation Rule for Target Resource Reconciliation"
Section 1.6.5, "Reconciliation Action Rules for Target Resource Reconciliation"
Table 1-3 provides information about user attribute mappings for target resource reconciliation and provisioning.
Note:
When a user is assigned a role, the equivalentToMe, securityEquals, and rBSAssignedRoles attributes are added to the user object.

Table 1-3 User Attributes for Target Resource Reconciliation and Provisioning
Process Form Field | Novell eDirectory Attribute | Description |
---|---|---|
Guid | GUID | GUID. Note: This is a hidden field. |
User ID | cn | User ID |
First Name | givenname | First name |
Last Name | sn | Last name |
Middle Name | initials | Middle name |
Department | departmentNumber | Department |
Location | l | Location |
Telephone | telephoneNumber | Telephone |
Communication Language | preferredLanguage | Communication language |
Timezone | timezone | Timezone |
Logon Script | loginScript | Logon script |
Title | title | Title |
Profile | profile | Profile |
Container DN | NA | Container in which the user is present on the target system. For example: |
Security Group (multiple group names can be entered) | GroupMembership | List of groups of which the user is a member |
Network Address | networkAddressRestriction | Network address |
Volume Name | NA | Name of the volume object in Novell NetWare |
Home Directory Name | NA | Name of the user's Home directory |
Table 1-4 lists the role attributes of the user record for target resource reconciliation and provisioning.
Note:
When a role is assigned to a user, the equivalentToMe and rBSTrusteeOf attributes are added to the role object.

Table 1-4 Role (Child Form) Attributes for Target Resource Reconciliation and Provisioning
Process Form Field | Novell eDirectory Role Attribute | Description |
---|---|---|
Role Name | rBSMember | Role name |
Scope | Scope | Scope |
Inheritance | Inheritable | Inheritance |
Table 1-5 lists the trustee rights attributes of the user record for target resource reconciliation and provisioning.
Table 1-5 Trustee Rights (Child Form) Attributes for Target Resource Reconciliation and Provisioning
Process Form Field | Novell eDirectory Trustee Rights Attribute | Description |
---|---|---|
Property | Property | Property |
Supervisor | Supervisor | Supervisor |
Read | Read | Read permission |
Write | Write | Write permission |
Compare | Compare | Compare permission |
Add Self | Add Self | Add Self permission |
Note:
If you are using Oracle Identity Manager release 11.1.x, then you cannot reconcile data from group attributes of the target system. This is tracked by Bug 9799541 in Chapter 6, "Known Issues."

Table 1-6 provides information about group attribute mappings for target resource reconciliation and provisioning.
Note:
If you are using Oracle Identity Manager release 11.1.x, then you cannot reconcile data from role attributes of the target system. This is tracked by Bug 9799541 in Chapter 6, "Known Issues."

Table 1-7 provides information about role attribute mappings for target resource reconciliation and provisioning.
See Also:
Oracle Identity Manager Connector Concepts for generic information about reconciliation matching and action rules

The following is the process matching rule:
Rule name: eDir Recon User
Rule element: (GUID Equals GUID) OR (User Login Equals User ID)
In the first rule component:
GUID to the left of "Equals" is the GUID of the resource assigned to the OIM User.
GUID to the right of "Equals" is the GUID of the resource on the target system.
In the second rule component:
User Login is one of the following:
For Oracle Identity Manager Release 9.0.1 through 9.0.3.2:
User ID field on the Xellerate User form.
For Oracle Identity Manager release 9.1.0.x or release 11.1.x:
User ID field on the OIM User form.
User ID is the cn field on the target system.
This rule supports the following scenarios:
You can provision multiple Novell eDirectory resources to the same OIM User, either on Oracle Identity Manager or directly on the target system.
You can change the user ID of a user on the target system.
This is illustrated by the following use cases:
Use case 1: You provision a Novell eDirectory account for an OIM User, and you also create an account for the user directly on the target system.
When the first rule condition is applied, no match is found. Then, the second rule condition is applied and it is determined that a second account has been given to the user on the target system. The second account is linked with the OIM User at the end of the reconciliation run.
Use case 2: An OIM User has a Novell eDirectory account. You then change the user ID of the user on the target system.
During the next reconciliation run, application of the first rule condition helps match the resource with the record.
After you deploy the connector, you can view the reconciliation rule for target resource reconciliation by performing the following steps:
Note:
Perform the following procedure only after the connector is deployed.

Log in to the Oracle Identity Manager Design Console.
Expand Development Tools.
Double-click Reconciliation Rules.
Search for eDir Recon User. Figure 1-2 shows the reconciliation rule for target resource reconciliation.
Figure 1-2 Reconciliation Rule for Target Resource Reconciliation
Table 1-8 lists the action rules for target resource reconciliation.
Table 1-8 Action Rules for Target Resource Reconciliation
Rule Condition | Action |
---|---|
No Matches Found | Assign to Administrator With Least Load |
One Entity Match Found | Establish Link |
One Process Match Found | Establish Link |
Note:
No action is performed for rule conditions that are not predefined for this connector. You can define your own action rule for such rule conditions. See Oracle Identity Manager Design Console Guide for information about modifying or creating reconciliation action rules.

After you deploy the connector, you can view the reconciliation action rules for target resource reconciliation by performing the following steps:
Log in to the Oracle Identity Manager Design Console.
Expand Resource Management.
Double-click Resource Objects.
Search for and open the eDirectory User resource object.
Click the Object Reconciliation tab, and then click the Reconciliation Action Rules tab. The Reconciliation Action Rules tab displays the action rules defined for this connector. Figure 1-3 shows the reconciliation action rule for target resource reconciliation.
Figure 1-3 Reconciliation Action Rules for Target Resource Reconciliation
Table 1-9 lists the provisioning functions that are supported by the connector. The Adapter column gives the name of the adapter that is used when the function is performed.
Table 1-9 Provisioning Functions
Function | Adapter |
---|---|
Create a user | EDIR Create User |
Delete a user | EDIR Delete User |
Enable a user | EDIR Modify User |
Disable a user | EDIR Modify User |
Move a user from one container to another in Novell eDirectory. Note: The Move User provisioning operation is not supported when the Novell eDirectory and Novell GroupWise resources are provisioned to an OIM User. This is because the association between the Novell GroupWise mailbox and Novell eDirectory object is lost after the Move User provisioning operation. | EDIR Move User |
Update user password | EDIR Modify User |
Add user to a group | EDIR Add user to Group |
Remove user from a group | EDIR Remove user from Group |
Assign a role to a user | EDIR Add Assigned Role to User |
Remove assigned role from a user | EDIR Remove Assigned Role from User |
Assign trustee right to a user | EDIR Add Trustee Right to User |
Remove trustee right from a user | EDIR Remove Trustee Right from User |
Add network address restriction to a user | EDIR Add Network Restriction |
Remove network address restriction from a user | EDIR Remove Network Restriction |
Create OU | EDIR Create OU |
Change OU name | EDIR Change Org Name |
Delete OU | EDIR Delete OU |
Move an organization sub unit to another parent organizational unit | EDIR Move OU |
Create eDirectory group | EDIR Create Group |
Delete eDirectory group | EDIR Delete Group |
Update group name | Update eDirectory Group Details |
Create eDirectory role | EDIR Create Role |
Delete eDirectory role | EDIR Delete Role |
Update role name | Update eDirectory Role Details |
Create Home directory | EDIR Create Home Directory |
The following sections provide information about connector objects used during trusted source reconciliation:
Section 1.7.1, "User Attributes for Trusted Source Reconciliation"
Section 1.7.2, "Reconciliation Rule for Trusted Source Reconciliation"
Section 1.7.3, "Reconciliation Action Rules for Trusted Source Reconciliation"
Table 1-10 lists user attributes for trusted source reconciliation.
Table 1-10 User Attributes for Trusted Source Reconciliation
OIM User Form Field | Novell eDirectory Attribute | Description |
---|---|---|
User ID | cn | Common name |
First Name | givenname | Given name |
Last Name | sn | Last name |
Employee Type | NA | Default value: |
User Type | NA | Default value: |
Organization | NA | Default value: |
See Also:
Oracle Identity Manager Connector Concepts for generic information about reconciliation matching and action rules

The following is the process matching rule:
Rule name: eDir Trusted Recon Rule
Rule element: User Login Equals User ID
In this rule element:
User Login is one of the following:
For Oracle Identity Manager Release 9.0.1 through 9.0.3.2:
User ID field on the Xellerate User form.
For Oracle Identity Manager release 9.1.0.x or release 11.1.x:
User ID field on the OIM User form.
User ID is the cn field of Novell eDirectory.
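The following added example (written for this page, not Oracle's code) applies both matching rules described in this guide, "eDir Recon User" from Section 1.6.4 and "eDir Trusted Recon Rule" above, together with the action rules of Tables 1-8 and 1-11, to constructed records, and replays the two use cases from Section 1.6.4. The record and user structures, the GUID values and the logins are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class EdirResource:
    """A Novell eDirectory resource already provisioned to an OIM User."""
    guid: str
    user_id: str  # the cn last reconciled from the target system


@dataclass
class OimUser:
    user_login: str  # the User ID field on the OIM User form
    resources: List[EdirResource] = field(default_factory=list)


@dataclass
class TargetRecord:
    """One user entry fetched from eDirectory during reconciliation."""
    guid: str
    cn: str


# Action rules from Table 1-8 (target resource) and Table 1-11 (trusted
# source). Conditions absent from the tables have no predefined action.
TARGET_ACTIONS = {
    "No Matches Found": "Assign to Administrator With Least Load",
    "One Entity Match Found": "Establish Link",
    "One Process Match Found": "Establish Link",
}
TRUSTED_ACTIONS = {
    "No Matches Found": "Create User",
    "One Entity Match Found": "Establish Link",
    "One Process Match Found": "Establish Link",
}


def match_target_resource(record: TargetRecord, users: List[OimUser]) -> Tuple[str, Optional[OimUser]]:
    """Rule 'eDir Recon User': (GUID Equals GUID) OR (User Login Equals User ID).
    The GUID component is evaluated first because it survives a rename of the
    account on the target system (use case 2); the login component is what
    links an account created directly on eDirectory (use case 1)."""
    for user in users:  # first component: process match on the resource GUID
        if any(res.guid == record.guid for res in user.resources):
            return "One Process Match Found", user
    entity = [u for u in users if u.user_login == record.cn]  # second component
    if len(entity) == 1:
        return "One Entity Match Found", entity[0]
    return ("No Matches Found" if not entity else "Multiple Matches Found"), None


def reconcile_target_resource(record: TargetRecord, users: List[OimUser]) -> str:
    condition, user = match_target_resource(record, users)
    if condition == "One Process Match Found":
        for res in user.resources:  # copy the target-side change onto the linked resource
            if res.guid == record.guid:
                res.user_id = record.cn
    elif condition == "One Entity Match Found":
        user.resources.append(EdirResource(record.guid, record.cn))  # link the account
    return TARGET_ACTIONS.get(condition, "No action")


def match_trusted_source(record: TargetRecord, users: List[OimUser]) -> Tuple[str, Optional[OimUser]]:
    """Rule 'eDir Trusted Recon Rule': User Login Equals User ID."""
    entity = [u for u in users if u.user_login == record.cn]
    if len(entity) == 1:
        return "One Entity Match Found", entity[0]
    return ("No Matches Found" if not entity else "Multiple Matches Found"), None


def reconcile_trusted_source(record: TargetRecord, users: List[OimUser]) -> str:
    condition, _ = match_trusted_source(record, users)
    action = TRUSTED_ACTIONS.get(condition, "No action")
    if action == "Create User":
        users.append(OimUser(record.cn))  # the OIM User is created from target data
    return action


def run_use_cases() -> Dict[str, object]:
    """Replay the use cases from the text on constructed data."""
    jdoe = OimUser("jdoe", [EdirResource("guid-1", "jdoe")])
    users = [jdoe]
    # Use case 1: a second account for jdoe is created directly on eDirectory.
    use_case_1 = reconcile_target_resource(TargetRecord("guid-2", "jdoe"), users)
    # Use case 2: the user ID of the first account is changed on eDirectory.
    use_case_2 = reconcile_target_resource(TargetRecord("guid-1", "jdoe.renamed"), users)
    # No GUID link and no OIM User with that login.
    no_match = reconcile_target_resource(TargetRecord("guid-3", "nobody"), users)
    # Trusted source mode: an unknown cn creates an OIM User; a known cn links.
    trusted_new = reconcile_trusted_source(TargetRecord("guid-4", "asmith"), users)
    trusted_existing = reconcile_trusted_source(TargetRecord("guid-4", "asmith"), users)
    return {
        "use_case_1": use_case_1, "use_case_2": use_case_2, "no_match": no_match,
        "trusted_new": trusted_new, "trusted_existing": trusted_existing,
        "jdoe_resources": [(r.guid, r.user_id) for r in jdoe.resources],
        "user_logins": [u.user_login for u in users],
    }
```

The second rule component has a consequence worth keeping in mind: any eDirectory account whose cn equals an existing OIM login is linked to that OIM User on the next run, so whoever can create user objects on the target system can attach accounts to identities in Oracle Identity Manager. Restricting create rights in the containers the connector reconciles is therefore part of securing the connector, not only of securing the directory.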
After you deploy the connector, you can view the reconciliation rule for trusted source reconciliation by performing the following steps:
Note:
Perform the following procedure only after the connector is deployed.

Log in to the Oracle Identity Manager Design Console.
Expand Development Tools.
Double-click Reconciliation Rules.
Search for eDir Trusted Recon Rule. Figure 1-4 shows the reconciliation rule for trusted source reconciliation.
Figure 1-4 Reconciliation Rule for Trusted Source Reconciliation
Table 1-11 lists the action rules for trusted source reconciliation.
Table 1-11 Action Rules for Trusted Source Reconciliation
Rule Condition | Action |
---|---|
No Matches Found | Create User |
One Entity Match Found | Establish Link |
One Process Match Found | Establish Link |
Note:
No action is performed for rule conditions that are not predefined for this connector. You can define your own action rule for such rule conditions. See Oracle Identity Manager Design Console Guide for information about modifying or creating reconciliation action rules.

After you deploy the connector, you can view the reconciliation action rules for trusted source reconciliation by performing the following steps:
Log in to the Oracle Identity Manager Design Console.
Expand Resource Management.
Double-click Resource Objects.
Search for and open the Xellerate User resource object.
Click the Object Reconciliation tab, and then click the Reconciliation Action Rules tab. The Reconciliation Action Rules tab displays the action rules defined for this connector. Figure 1-5 shows the reconciliation action rules for trusted source reconciliation.
Figure 1-5 Reconciliation Action Rules for Trusted Source Reconciliation
The following is the organization of information in the rest of this guide:
Chapter 2, "Deploying the Connector" describes procedures that you must perform on Oracle Identity Manager and the target system during each stage of connector deployment.
Chapter 3, "Using the Connector" describes guidelines on using the connector and the procedure to configure reconciliation runs and perform provisioning operations.
Chapter 4, "Extending the Functionality of the Connector" describes procedures that you can perform if you want to extend the functionality of the connector.
Chapter 5, "Testing and Troubleshooting" describes the procedure to use the connector testing utility for testing the connector.
Chapter 6, "Known Issues" lists known issues associated with this release of the connector.