4 Extending the Functionality of the Connector

The following sections describe procedures that you can perform to extend the functionality of the connector for addressing your specific business requirements:

4.1 Adding New Attributes for Target Resource Reconciliation

By default, the attributes listed in Section 1.6, "Connector Objects Used During Target Resource Reconciliation and Provisioning" are mapped for reconciliation between Oracle Identity Manager and the target system. With this patch, if required, you can map additional attributes for reconciliation.

See Also:

Oracle Fusion Middleware User's Guide for Oracle Identity Manager for detailed instructions on performing the following procedure

To add a custom attribute for reconciliation:

  1. While performing the procedure described in Section 2.1.2.1, "Creating a Target System User Account for Connector Operations", you create an ACI for the user account. You must add the attribute to the ACI as follows:

    1. Log in to the Sun One Server Console by using administrator credentials.

    2. Expand the host name folder.

    3. Expand Server Group.

    4. Select Directory Server, and then click Open on the right pane.

    5. On the Directory tab, right-click the root context.

    6. From the shortcut menu, click Set Access Permissions.

    7. In the Manage Access Control dialog box, select the name of the ACI that you create for the user account and then click Edit.

      The ACI that you create for the user account is displayed.

    8. Add the attribute to the list of attributes displayed in the ACI. Use two vertical bars as the delimiter.

      In the following sample ACI, the passportnumber attribute has been added to the ACI:

      (targetattr = "passportnumber || physicalDeliveryOfficeName || homePhone || preferredDeliveryMethod || jpegPhoto || nsRoleDN || audio || internationaliSDNNumber || owner || postalAddress || roomNumber || givenName || carLicense || userPKCS12 || searchGuide || userPassword || teletexTerminalIdentifier || mobile || manager || entrydn || objectClass || userSMIMECertificate || displayName || destinationIndicator || telexNumber || employeeNumber || secretary || uid || userCertificate || st || sn || description || mail || labeledUri || businessCategory || homePostalAddress || x500UniqueIdentifier || modifyTimestamp || postOfficeBox || ou || nsAccountLock || seeAlso || registeredAddress || postalCode || photo || title || uniqueMember || street || pager || departmentNumber || dc || o || cn || l || initials || telephoneNumber || preferredLanguage || facsimileTelephoneNumber || x121Address || employeeType") (version 3.0;acl "OIMUserACI";allow (read,write,delete,add)(userdn = "ldap:///uid=OIMAdmin, ou=Org1, dc=corp,dc=oracle,dc=com");)
      
    9. Click OK.

  2. Determine the target system name for the attribute that you want to add as follows:

    1. Log in to the target system.

    2. On the Configuration tab of the user interface, click Schema.

    3. Select the object class with which you want to perform reconciliation.

    4. Search for the attribute that you want to add and record the name of the attribute. Later in this procedure, you enter this name while creating a lookup definition entry for the attribute.

  3. Log in to the Oracle Identity Manager Design Console.

  4. Add the new attribute on the process form as follows:

    1. Open the Form Designer form.

    2. Search for and open the UD_IPNT_USR form.

    3. Create a new version of the form.

    4. Add the new attribute on the form.

      For example, if you want to add the Car License attribute, then enter the following values on the Additional Columns tab:

      Name: CARLICENSE

      Variant Type: String

      Length: 100

      Field Label: Car License

      Order: 16

    5. Save and close the form.

  5. In the lookup definition for reconciliation, create an entry for the new attribute as follows:

    1. Open the Lookup Definition form.

    2. Search for and open the AttrName.Recon.Map.iPlanet lookup definition.

    3. In the lookup definition, create an entry for the attribute that you want to add:

      • Code Key: Enter the name of the attribute that you add on the process form.

      • Decode: Enter the name of the attribute displayed on the target system, which you recorded earlier in this procedure.

      For example, enter Car License in the Code Key column and then enter carLicense in the Decode column.

    4. Save and close the lookup definition.

    5. Search for and open the Lookup.iPlanet.Configuration lookup definition.

    6. In the lookup definition, add the custom object class (containing the attribute) to the existing value of the ldapUserObjectClass attribute. For example, if the new attribute is in the accountdetails object class, then the value of the ldapUserObjectClass attribute must be set to:

      <inetorgperson|accountdetails>
      

      In general, the format of the ldapUserObjectClass attribute value must be as follows:

      <inetorgperson|customObjectClass1|customObjectClass2| . . . customObjectClassn>
      
  6. In the resource object, add a reconciliation field for the attribute as follows:

    1. Open the Resource Objects form.

    2. Search for the iPlanet User process.

    3. On the Reconciliation Fields subtab of the Object Reconciliation tab, create an entry for the attribute.

      For example, if you want to add the car license attribute, then specify the following values:

      Field Name: Car License

      Field Type: String

    4. If you are using Oracle Identity Manager release 11.1.1, then click Create Reconciliation Profile. This copies changes made to the resource object into the MDS.

    5. Click the Save icon.

  7. In the process definition, create a reconciliation field mapping for the attribute as follows:

    1. Open the Process Definition form.

    2. Search for the iPlanet User process.

    3. On the Reconciliation Field Mappings tab, create a reconciliation field mapping for the attribute.

      For example, if you want to add the car license attribute, then specify the following values:

      Field Name: Car License

      Field Type: String

      Process Data Field: UD_IPNT_USR_CARLICENSE

4.2 Adding New Multivalued Attributes for Target Resource Reconciliation

Note:

You must ensure that new attributes you add for reconciliation contain only string-format data. Binary attributes must not be brought into Oracle Identity Manager natively.

By default, the multivalued attributes Role and Group are mapped for reconciliation between Oracle Identity Manager and the target system. If required, you can add new multivalued attributes for target resource reconciliation.

To add a new multivalued attribute for target resource reconciliation:

  1. Log in to the Oracle Identity Manager Design Console.

  2. Create a form for the multivalued attribute as follows:

    1. Expand Development Tools.

    2. Double-click Form Designer.

    3. Create a form by specifying a table name and description, and then click Save.

    4. Click Add and enter the details of the attribute.

    5. Click Save and then click Make Version Active.

      The following screenshot shows a sample form:

      [Screenshot: sample form]

  3. Add the form created for the multivalued attribute as a child form of the process form as follows:

    1. Search for and open the UD_IPNT_USR process form.

    2. Click Create New Version.

    3. Click the Child Table(s) tab.

    4. Click Assign.

    5. In the Assign Child Tables dialog box, select the newly created child form, click the right arrow, and then click OK.

    6. Click Save and then click Make Version Active.

  4. Add the new attribute to the list of reconciliation fields in the resource object as follows:

    1. Expand Resource Management.

    2. Double-click Resource Objects.

    3. Search for and open the iPlanet User resource object.

    4. On the Object Reconciliation tab, click Add Field.

    5. In the Add Reconciliation Fields dialog box, enter the details of the attribute.

      For example, enter Postal Address in the Field Name field and select Multi-Valued Attribute from the Field Type list.

    6. Click Save and then close the dialog box.

    7. Right-click the newly created attribute.

    8. Select Define Property Fields.

    9. In the Add Reconciliation Fields dialog box, enter the details of the newly created field.

      For example, enter Postal Address in the Field Name field and select String from the Field Type list.

    10. Click Save, and then close the dialog box.

    11. If you are using Oracle Identity Manager release 11.1.1, then click Create Reconciliation Profile. This copies changes made to the resource object into the MDS.

  5. Create a reconciliation field mapping for the new attribute as follows:

    1. Expand Process Management.

    2. Double-click Process Definition.

    3. Search for and open the iPlanet User process definition.

    4. On the Reconciliation Field Mappings tab of the iPlanet User process definition, click Add Table Map.

    5. In the Add Reconciliation Table Mapping dialog box, select the field name and table name from the list, click Save, and then close the dialog box.

    6. Right-click the newly created field, and select Define Property Field Map.

    7. In the Field Name field, select the value for the field that you want to add.

    8. Double-click the Process Data Field field, and then select UD_ADDRESS.

    9. Select Key Field for Reconciliation Field Matching and click Save.

  6. Create an entry for the attribute in the lookup definition for reconciliation as follows:

    1. Expand Administration.

    2. Double-click Lookup Definition.

    3. Search for and open the Lookup.iPlanet.Configuration lookup definition.

    4. In the Decode column for the ldapMultiValAttr Code Key, enter the field name and code key separated by a semicolon. Field Name and Code Key pairs are separated by vertical bars.

      For example, if Postal Address is the attribute name, then append the following to the entry in the Decode column of the ldapMultiValAttr Code Key:

      |Postal Address;Postal Address
      

      As shown in this example, the vertical bar is used to separate Field Name and Code Key pairs, and a semicolon is used to separate the Field Name and Code Key within a pair.

    5. Search for and open the AttrName.Recon.Map.iPlanet lookup definition.

    6. Click Add, enter the Code Key and Decode values for the attribute, and then click Save. The Code Key value must be the name of the attribute on the process form. The Decode value must be the name of the attribute on the target system.

      For example, enter PostalAddress in the Code Key column and then enter postaladdress in the Decode field.
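
The Decode value edited in step 6 has two delimiters that are easy to confuse, so it is worth checking the string before saving it. The following Python sketch is an added example, not part of the connector: it parses the ldapMultiValAttr value, appends a pair only when it is not already present, and lists field names that have no multivalued reconciliation field yet. The starting value "Role;Role|Group;Group", the function names and the assumption that each Field Name must match a reconciliation field created in step 4 are constructed for illustration.

```python
def parse_multival(decode):
    """Parse 'Field Name;Code Key|Field Name;Code Key' into a list of pairs."""
    if not decode.strip():
        return []
    pairs = []
    for chunk in decode.split("|"):
        parts = [p.strip() for p in chunk.split(";")]
        # A stray vertical bar yields an empty chunk; a comma instead of a
        # semicolon yields a single part. Both are rejected here.
        if len(parts) != 2 or not all(parts):
            raise ValueError(f"bad pair {chunk!r}: expected 'Field Name;Code Key'")
        pairs.append((parts[0], parts[1]))
    names = [field for field, _ in pairs]
    if len(names) != len(set(names)):
        raise ValueError("a field name is listed more than once")
    return pairs


def append_multival(decode, field, code_key):
    """Return the Decode value with 'field;code_key' appended, idempotently."""
    for value in (field, code_key):
        if not value.strip() or "|" in value or ";" in value:
            raise ValueError(f"name is empty or contains a delimiter: {value!r}")
    pairs = parse_multival(decode)
    if (field, code_key) in pairs:
        return decode                      # already configured, nothing to do
    if field in {f for f, _ in pairs}:
        raise ValueError(f"{field!r} is already mapped to another Code Key")
    entry = f"{field};{code_key}"
    return entry if not pairs else f"{decode}|{entry}"


def fields_without_recon_field(decode, multivalued_recon_fields):
    """Field names in the Decode value with no matching reconciliation field."""
    return [f for f, _ in parse_multival(decode) if f not in multivalued_recon_fields]


# Constructed sample data: the current Decode value and the multivalued
# reconciliation fields defined on the resource object.
CURRENT_DECODE = "Role;Role|Group;Group"
RECON_FIELDS = {"Role", "Group"}

if __name__ == "__main__":
    updated = append_multival(CURRENT_DECODE, "Postal Address", "Postal Address")
    print(updated)
    print(fields_without_recon_field(updated, RECON_FIELDS))
```

The "|Postal Address;Postal Address" string shown in step 6 is a suffix to append to an existing value; on its own it fails the parse because of the leading vertical bar.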

4.3 Adding New Attributes for Group Reconciliation

By default, the attributes listed in Section 1.6.2, "Group Attributes for Target Resource Reconciliation and Provisioning" are mapped for reconciliation between Oracle Identity Manager and the target system. With this patch, if required, you can map additional attributes for reconciliation.

See Also:

Oracle Identity Manager Design Console for detailed instructions on performing the following procedure

To add a custom attribute for reconciliation:

  1. While performing the procedure described in Section 2.1.2.1, "Creating a Target System User Account for Connector Operations", you create an ACI for the user account. You must add the attribute to the ACI as follows:

    1. Log in to the Sun One Server Console by using administrator credentials.

    2. Expand the host name folder.

    3. Expand Server Group.

    4. Select Directory Server, and then click Open on the right pane.

    5. On the Directory tab, right-click the root context.

    6. From the shortcut menu, click Set Access Permissions.

    7. In the Manage Access Control dialog box, select the name of the ACI that you create for the user account and then click Edit.

      The ACI that you create for the user account is displayed.

    8. Add the attribute to the list of attributes displayed in the ACI. Use two vertical bars as the delimiter.

      In the following sample ACI, the passportnumber attribute has been added to the ACI:

      (targetattr = "passportnumber || physicalDeliveryOfficeName || homePhone || preferredDeliveryMethod || jpegPhoto || nsRoleDN || audio || internationaliSDNNumber || owner || postalAddress || roomNumber || givenName || carLicense || userPKCS12 || searchGuide || userPassword || teletexTerminalIdentifier || mobile || manager || entrydn || objectClass || userSMIMECertificate || displayName || destinationIndicator || telexNumber || employeeNumber || secretary || uid || userCertificate || st || sn || description || mail || labeledUri || businessCategory || homePostalAddress || x500UniqueIdentifier || modifyTimestamp || postOfficeBox || ou || nsAccountLock || seeAlso || registeredAddress || postalCode || photo || title || uniqueMember || street || pager || departmentNumber || dc || o || cn || l || initials || telephoneNumber || preferredLanguage || facsimileTelephoneNumber || x121Address || employeeType") (version 3.0;acl "OIMUserACI";allow (read,write,delete,add)(userdn = "ldap:///uid=OIMAdmin, ou=Org1, dc=corp,dc=oracle,dc=com");)
      
    9. Click OK.

  2. Determine the target system name for the attribute that you want to add as follows:

    1. Log in to the target system.

    2. On the Configuration tab of the user interface, click Schema.

    3. Select the object class with which you want to perform reconciliation.

    4. Search for the attribute that you want to add and record the name of the attribute. Later in this procedure, you enter this name while creating a lookup definition entry for the attribute.

  3. Log in to the Oracle Identity Manager Design Console.

  4. Add the new attribute on the process form as follows:

    1. Open the Form Designer form.

    2. Search for and open the UD_IPNT_GR form for Group Recon.

    3. Create a new version of the form.

    4. Add the new attribute on the form.

      For example, if you want to add the Owner attribute, then enter the following values on the Additional Columns tab:

      Name: OWNER

      Variant Type: String

      Length: 100

      Field Label: Owner

      Order: 5

    5. Save and close the form.

  5. In the lookup definition for reconciliation, create an entry for the new attribute as follows:

    1. Open the Lookup Definition form.

    2. Search for and open the Lookup.iPlanetGroupReconciliation.FieldMap lookup definition for Group Recon.

    3. In the lookup definition, create an entry for the attribute that you want to add:

      • Code Key: Enter the name of the attribute that you add on the process form.

      • Decode: Enter the name of the attribute displayed on the target system, which you recorded earlier in this procedure.

      For example, enter owner in the Code Key column and then enter owner in the Decode column.

  6. In the resource object, add a reconciliation field for the attribute as follows:

    1. Open the Resource Objects form.

    2. Search for the iPlanet Group process.

    3. On the Reconciliation Fields subtab of the Object Reconciliation tab, create an entry for the attribute.

      For example, if you want to add the Owner attribute, then specify the following values:

      Field Name: Owner

      Field Type: String

    4. If you are using Oracle Identity Manager release 11.1.1, then click Create Reconciliation Profile. This copies changes made to the resource object into the MDS.

  7. In the process definition, create a reconciliation field mapping for the attribute as follows:

    1. Open the Process Definition form.

    2. Search for the iPlanet Group process.

    3. On the Reconciliation Field Mappings tab, create a reconciliation field mapping for the attribute.

      For example, if you want to add the owner attribute, then specify the following values:

      Field Name: Owner

      Field Type: String

      Process Data Field: UD_IPNT_GR_OWNER


4.4 Adding New Attributes for Role Reconciliation

By default, the attributes listed in Section 1.6.3, "Role Attributes for Target Resource Reconciliation and Provisioning" are mapped for reconciliation between Oracle Identity Manager and the target system. With this patch, if required, you can map additional attributes for reconciliation.

See Also:

Oracle Identity Manager Design Console for detailed instructions on performing the following procedure

To add a custom attribute for reconciliation:

  1. While performing the procedure described in Section 2.1.2.1, "Creating a Target System User Account for Connector Operations", you create an ACI for the user account. You must add the attribute to the ACI as follows:

    1. Log in to the Sun One Server Console by using administrator credentials.

    2. Expand the host name folder.

    3. Expand Server Group.

    4. Select Directory Server, and then click Open on the right pane.

    5. On the Directory tab, right-click the root context.

    6. From the shortcut menu, click Set Access Permissions.

    7. In the Manage Access Control dialog box, select the name of the ACI that you create for the user account and then click Edit.

      The ACI that you create for the user account is displayed.

    8. Add the attribute to the list of attributes displayed in the ACI. Use two vertical bars as the delimiter.

      In the following sample ACI, the passportnumber attribute has been added to the ACI:

      (targetattr = "passportnumber || physicalDeliveryOfficeName || homePhone || preferredDeliveryMethod || jpegPhoto || nsRoleDN || audio || internationaliSDNNumber || owner || postalAddress || roomNumber || givenName || carLicense || userPKCS12 || searchGuide || userPassword || teletexTerminalIdentifier || mobile || manager || entrydn || objectClass || userSMIMECertificate || displayName || destinationIndicator || telexNumber || employeeNumber || secretary || uid || userCertificate || st || sn || description || mail || labeledUri || businessCategory || homePostalAddress || x500UniqueIdentifier || modifyTimestamp || postOfficeBox || ou || nsAccountLock || seeAlso || registeredAddress || postalCode || photo || title || uniqueMember || street || pager || departmentNumber || dc || o || cn || l || initials || telephoneNumber || preferredLanguage || facsimileTelephoneNumber || x121Address || employeeType") (version 3.0;acl "OIMUserACI";allow (read,write,delete,add)(userdn = "ldap:///uid=OIMAdmin, ou=Org1, dc=corp,dc=oracle,dc=com");)
      
    9. Click OK.

  2. Determine the target system name for the attribute that you want to add as follows:

    1. Log in to the target system.

    2. On the Configuration tab of the user interface, click Schema.

    3. Select the object class with which you want to perform reconciliation.

    4. Search for the attribute that you want to add and record the name of the attribute. Later in this procedure, you enter this name while creating a lookup definition entry for the attribute.

  3. Log in to the Oracle Identity Manager Design Console.

  4. Add the new attribute on the process form as follows:

    1. Open the Form Designer form.

    2. Search for and open the UD_IPNT_RL form for Role Recon.

    3. Create a new version of the form.

    4. Add the new attribute on the form.

      For example, if you want to add the Naming Contexts attribute, then enter the following values on the Additional Columns tab:

      Name: NAMINGCONTEXTS

      Variant Type: String

      Length: 100

      Field Label: Naming Contexts

      Order: 5

    5. Save and close the form.

  5. In the lookup definition for reconciliation, create an entry for the new attribute as follows:

    1. Open the Lookup Definition form.

    2. Search for and open the Lookup.iPlanetRoleReconciliation.FieldMap lookup definition for Role Recon.

    3. In the lookup definition, create an entry for the attribute that you want to add:

      • Code Key: Enter the name of the attribute that you add on the process form.

      • Decode: Enter the name of the attribute displayed on the target system, which you recorded earlier in this procedure.

      For example, enter Naming Contexts in the Code Key column and then enter namingcontexts in the Decode column.

  6. In the resource object, add a reconciliation field for the attribute as follows:

    1. Open the Resource Objects form.

    2. Search for the iPlanet Role process.

    3. On the Reconciliation Fields subtab of the Object Reconciliation tab, create an entry for the attribute.

      For example, if you want to add the Naming Contexts attribute, then specify the following values:

      Field Name: Naming Contexts

      Field Type: String

    4. If you are using Oracle Identity Manager release 11.1.1, then click Create Reconciliation Profile. This copies changes made to the resource object into the MDS.

  7. In the process definition, create a reconciliation field mapping for the attribute as follows:

    1. Open the Process Definition form.

    2. Search for the iPlanet Role process.

    3. On the Reconciliation Field Mappings tab, create a reconciliation field mapping for the attribute.

      For example, if you want to add the Naming Contexts attribute, then specify the following values:

      Field Name: Naming Contexts

      Field Type: String

      Process Data Field: UD_IPNT_RL_NAMINGCONTEXTS


4.5 Adding New Attributes for Trusted Source Reconciliation

Note:

By default, the attributes listed in Section 1.6, "Connector Objects Used During Target Resource Reconciliation and Provisioning" are mapped for reconciliation between Oracle Identity Manager and the target system. If required, you can add new attributes for trusted resource reconciliation.

To add a new attribute for trusted source reconciliation:

See Also:

Oracle Fusion Middleware User's Guide for Oracle Identity Manager for detailed information about these steps

  1. Log in to the Oracle Identity Manager Design Console.

  2. Add the new attribute on the OIM User process form as follows:

    1. Expand Administration.

    2. Double-click User Defined Field Definition.

    3. Search for and open the Users form.

    4. Click Add.

    5. Enter the details of the attribute.

      For example, if you are adding the Title attribute, then enter Title in the Label field, set the data type to String, set the Field Type to Text Field, enter USR_UDF_TITLE as the column name, and enter a value in the Field Size box.

    6. Click Save.

  3. Add the new attribute to the list of reconciliation fields in the resource object as follows:

    1. Expand Resource Management.

    2. Double-click Resource Objects.

    3. Search for and open the Xellerate User resource object.

    4. On the Object Reconciliation tab, click Add Field.

    5. Enter the details of the attribute.

      For example, enter Title in the Field Name field and select String from the Field Type list.

      Later in this procedure, you will enter the attribute name as the Decode value of the entry that you create in the lookup definition for reconciliation.

    6. If you are using Oracle Identity Manager release 11.1.1, then click Create Reconciliation Profile. This copies changes made to the resource object into the MDS.

    7. Click Save.

  4. Create a reconciliation field mapping for the new attribute in the process definition as follows:

    1. Expand Process Management.

    2. Double-click Process Definition.

    3. Search for and open the Xellerate User process definition.

    4. On the Reconciliation Field Mappings tab, click Add Field Map.

    5. In the Field Name field, select the value for the user attribute that you want to add.

      For example, from the Field Name list select Title, and from the User Attribute list select Title.

    6. Click Save.

  5. Create an entry for the attribute in the lookup definition for reconciliation as follows:

    1. Expand Administration.

    2. Double-click Lookup Definition.

    3. Search for and open the AttrName.Recon.Map.iPlanet lookup definition.

    4. Click Add and enter the Code Key and Decode values for the attribute. The Code Key value must be the name of the attribute on the target system, which you determined at the start of this procedure. The Decode value is the name that you provide for the reconciliation field in substep 5 of Step 3.

      For example, enter Title in the Code Key field and then enter title in the Decode field.

    5. Click Save.

    6. Select Field Type, and then click Save.

4.6 Adding New Attributes for Provisioning

By default, the attributes listed in Section 1.6.6, "Provisioning Functions" of the connector guide are mapped for provisioning between Oracle Identity Manager and the target system. With this patch, if required, you can map additional attributes for provisioning.

See Also:

Oracle Fusion Middleware User's Guide for Oracle Identity Manager for detailed instructions on performing the following procedure

To add a new attribute for provisioning:

  1. While performing the procedure described in Section 2.1.2.1, "Creating a Target System User Account for Connector Operations," you create an ACI for the user account. You must add the attribute to the ACI as follows:

    1. Log in to the Sun One Server Console by using administrator credentials.

    2. Expand the host name folder.

    3. Expand Server Group.

    4. Select Directory Server, and then click Open on the right pane.

    5. On the Directory tab, right-click the root context in which you created the user account for connector operations.

    6. From the shortcut menu, click Set Access Permissions.

    7. In the Manage Access Control dialog box, select the name of the ACI that you create for the user account and then click Edit.

      The ACI that you create for the user account is displayed.

    8. Add the attribute to the list of attributes displayed in the ACI. Use two vertical bars as the delimiter.

      In the following sample ACI, the passportnumber attribute has been added to the ACI:

      (targetattr = "passportnumber || physicalDeliveryOfficeName || homePhone || preferredDeliveryMethod || jpegPhoto || nsRoleDN || audio || internationaliSDNNumber || owner || postalAddress || roomNumber || givenName || carLicense || userPKCS12 || searchGuide || userPassword || teletexTerminalIdentifier || mobile || manager || entrydn || objectClass || userSMIMECertificate || displayName || destinationIndicator || telexNumber || employeeNumber || secretary || uid || userCertificate || st || sn || description || mail || labeledUri || businessCategory || homePostalAddress || x500UniqueIdentifier || modifyTimestamp || postOfficeBox || ou || nsAccountLock || seeAlso || registeredAddress || postalCode || photo || title || uniqueMember || street || pager || departmentNumber || dc || o || cn || l || initials || telephoneNumber || preferredLanguage || facsimileTelephoneNumber || x121Address || employeeType") (version 3.0;acl "OIMUserACI";allow (read,write,delete,add)(userdn = "ldap:///uid=OIMAdmin, ou=Org1, dc=corp,dc=oracle,dc=com");)
      
    9. Click OK.

  2. Determine the target system name for the attribute that you want to add as follows:

    1. Log in to the target system.

    2. On the Configuration tab of the user interface, click Schema.

    3. Select the object class on which you want to perform provisioning operations.

    4. Search for the attribute that you want to add, and record the name of the attribute. Later in this procedure, you enter this name while creating a lookup definition entry for the attribute.

  3. Log in to the Oracle Identity Manager Design Console.

  4. Add the new attribute on the process form as follows:

    1. Open the Form Designer form.

    2. Search for and open the UD_IPNT_USR form.

    3. Create a new version of the form.

    4. Add the new attribute on the form.

    5. Save and close the form.

  5. In the lookup definition for provisioning, create an entry for the new attribute as follows:

    1. Open the Lookup Definition form.

    2. Search for and open the Attrname.Prov.Map.iPlanet lookup definition.

    3. In the lookup definition, add an entry for the attribute that you want to add:

      • Code Key: Enter the name of the attribute that you add on the process form.

      • Decode: Enter the name of the attribute displayed on the target system, which you recorded earlier in this procedure.

    4. In the Lookup.iPlanet.Configuration lookup definition, add the custom object class (containing the attribute) to the existing value of the ldapUserObjectClass attribute. For example, if the new attribute is in the accountdetails object class, then the value of the ldapUserObjectClass attribute must be set to:

      <inetorgperson|accountdetails>
      

      In general, the format of the ldapUserObjectClass attribute value must be as follows:

      <inetorgperson|customObjectClass1|customObjectClass2| . . . customObjectClassn>
      

    Note:

    Perform steps 6 through 8 only if you want to perform request-based provisioning.

  6. Update the request dataset.

    When you add an attribute on the process form, you also update the XML file containing the request dataset definitions. To update a request dataset:

    1. In a text editor, open the XML file located in the OIM_HOME/DataSet/file directory for editing.

    2. Add the AttributeReference element and specify values for the mandatory attributes of this element.

      See Also:

      The "Configuring Requests" chapter of the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for more information about creating and updating request datasets

      For example, while performing Step 4 of this procedure, if you added Employee ID as an attribute on the process form, then enter the following line:

      <AttributeReference
      name = "Employee ID"
      attr-ref = "Employee ID"
      type = "String"
      widget = "text"
      length = "50"
      available-in-bulk = "false"/>
      

      In this AttributeReference element:

      • For the name attribute, enter the value in the Name column of the process form without the tablename prefix.

        For example, if UD_IPNT_USR_EMP_ID is the value in the Name column of the process form, then you must specify Employee ID as the value of the name attribute in the AttributeReference element.

      • For the attr-ref attribute, enter the value that you entered in the Field Label column of the process form while performing Step 4.

      • For the type attribute, enter the value that you entered in the Variant Type column of the process form while performing Step 4.

      • For the widget attribute, enter the value that you entered in the Field Type column of the process form, while performing Step 4.

      • For the length attribute, enter the value that you entered in the Length column of the process form while performing Step 4.

      • For the available-in-bulk attribute, specify true if the attribute must be available during bulk request creation or modification. Otherwise, specify false.

      While performing Step 4, if you added more than one attribute on the process form, then repeat this step for each attribute added.

    3. Save and close the XML file.

  7. Run the PurgeCache utility to clear content related to request datasets from the server cache.

    See Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for more information about the PurgeCache utility.

  8. Import into MDS the request dataset definitions in XML format.

    See Section 2.3.1.7.3, "Importing Request Datasets into MDS" for detailed information about the procedure.

  9. To test whether or not you can use the newly added attribute for provisioning, log in to the Oracle Identity Manager Administrative and User Console and perform a provisioning operation in which you specify a value for the newly added attribute.

Enabling Update of New Multivalued Attributes for Provisioning

After you add a multivalued attribute for provisioning, you must enable update operations on the attribute. If you do not perform this procedure, then you will not be able to modify the value of the attribute after you set a value for it during the Create User provisioning operation.

To enable the update of a new multivalued attribute for provisioning:

  1. Log in to the Oracle Identity Manager Design Console.

  2. Expand Process Management.

  3. Double-click Process Definition and open the iPlanet User process definition.

  4. In the process definition, add a task for setting a value for the attribute:

    1. Click Add, enter the name of the task for adding multivalued attributes, and enter the task description.

    2. In the Task Properties section, select the following fields:

      • Conditional

      • Required for Completion

      • Allow Cancellation while Pending

      • Allow Multiple Instances

      • Select the child table from the list.

        For the example described earlier, select Postal Address from the list.

      • From the Trigger Type list, select Insert for adding multivalued data. Alternatively, select Delete as the trigger type for removing multivalued data.

    3. On the Integration tab, click Add, and then click Adapter.

    4. Select the adpIPLANETADDMULTIVALUEATTRIBUTE adapter, click Save, and then click OK in the message.

    5. To map the adapter variables listed in this table, select the adapter, click Map, and then specify the data given in the following table:

      Note:

      Some of the values in this table are specific to the Mailing Address/Postal Address example. These values must be replaced with values relevant to the multivalued attributes that you require.

      | Variable Name | Data Type | Map To | Qualifier | IT Asset Type | IT Asset Property |
      |---|---|---|---|---|---|
      | Adapter return value | Object | Response Code | NA | NA | NA |
      | AdminID | String | IT Resources | Server | LDAP Server | Admin Id |
      | AdminPwd | String | IT Resources | Server | LDAP Server | Admin Password |
      | processIntKey | String | Process Data | Process Instance | NA | NA |
      | rootContext | String | IT Resources | Server | LDAP Server | Root DN |
      | SSLFlag | String | IT Resources | Server | LDAP Server | SSL |
      | PropertyName | String | Literal | String | homepostaladdress (Note: This is a sample value.) | NA |
      | AttrLookupCode | String | IT Resources | Server | LDAP Server | For User: Prov Attribute Lookup Code; For Group: AtMap.iPlanetGroup; For Role: AttrMap.iPlanetRole |
      | LDAPServer | String | IT Resources | Server | LDAP Server | Server Address |
      | Port | String | IT Resources | Server | LDAP Server | Port |
      | PropertyValue | String | Process Data and postal address | Postal address (Note: This is a sample value.) | NA | NA |
      | nsuniqueid | String | Process Data | nsuniqueid | NA | NA |

    6. Click the Save icon and then close the dialog box.

  5. In the process definition, add a task for removing the value of the attribute by performing Step 4. While performing Step 4.d, select the adpIPLANETREMOVEMULTIVALUEATTRIBUTE adapter.

4.7 Adding New Multivalued Attributes for Provisioning

To add new multivalued attributes for provisioning:

  1. Create a child form for the multivalued attribute by performing Steps 1 through 3 as described in Section 4.2, "Adding New Multivalued Attributes for Target Resource Reconciliation."

  2. Perform the steps described in Section 4.6, "Enabling Update of New Multivalued Attributes for Provisioning." While performing Step 4.e:

    • While mapping the PropertyValue variable, select the Old value check box.

    • Map the following additional variables:

    | Variable Name | Data Type | Map To | Qualifier | IT Asset Type | IT Asset Property |
    |---|---|---|---|---|---|
    | ITResourceUDF | String | Literal | String | UD_IPNT_USR_SERVER | NA |
    | ProcessInstKey | String | Process Data | Process Instance | NA | NA |


4.8 Adding New Attributes for Provisioning of Group

By default, the attributes listed in Section 1.6.6, "Provisioning Functions" of the connector guide are mapped for provisioning between Oracle Identity Manager and the target system. With this patch, if required, you can map additional attributes for provisioning.

To add a new attribute for provisioning:

  1. While performing the procedure described in Section 2.1.2.1, "Creating a Target System User Account for Connector Operations," you create an ACI for the user account. You must add the attribute to the ACI as follows:

    1. Log in to the Sun One Server Console by using administrator credentials.

    2. Expand the host name folder.

    3. Expand Server Group.

    4. Select Directory Server, and then click Open on the right pane.

    5. On the Directory tab, right-click the root context in which you created the user account for connector operations.

    6. From the shortcut menu, click Set Access Permissions.

    7. In the Manage Access Control dialog box, select the name of the ACI that you create for the user account and then click Edit.

      The ACI that you create for the user account is displayed.

    8. Add the attribute to the list of attributes displayed in the ACI. Use two vertical bars as the delimiter.

      In the following sample ACI, the passportnumber attribute has been added to the ACI:

      (targetattr = "passportnumber || physicalDeliveryOfficeName || homePhone || preferredDeliveryMethod || jpegPhoto || nsRoleDN || audio || internationaliSDNNumber || owner || postalAddress || roomNumber || givenName || carLicense || userPKCS12 || searchGuide || userPassword || teletexTerminalIdentifier || mobile || manager || entrydn || objectClass || userSMIMECertificate || displayName || destinationIndicator || telexNumber || employeeNumber || secretary || uid || userCertificate || st || sn || description || mail || labeledUri || businessCategory || homePostalAddress || x500UniqueIdentifier || modifyTimestamp || postOfficeBox || ou || nsAccountLock || seeAlso || registeredAddress || postalCode || photo || title || uniqueMember || street || pager || departmentNumber || dc || o || cn || l || initials || telephoneNumber || preferredLanguage || facsimileTelephoneNumber || x121Address || employeeType") (version 3.0;acl "OIMUserACI";allow (read,write,delete,add)(userdn = "ldap:///uid=OIMAdmin,ou=Org1,dc=corp,dc=oracle,dc=com");)
      
    9. Click OK.

  2. Determine the target system name for the attribute that you want to add as follows:

    1. Log in to the target system.

    2. On the Configuration tab of the user interface, click Schema.

    3. Select the object class on which you want to perform provisioning operations.

    4. Search for the attribute that you want to add, and record the name of the attribute. Later in this procedure, you enter this name while creating a lookup definition entry for the attribute.

  3. Log in to the Oracle Identity Manager Design Console.

  4. Add the new attribute on the process form as follows:

    1. Open the Form Designer form.

    2. Search for and open the UD_IPNT_GR form.

    3. Create a new version of the form.

    4. Add the new attribute on the form.

      For example, if you want to add the Owner attribute, then enter the following values on the Additional Columns tab:

      | Field | Value |
      |---|---|
      | Name | Owner |
      | Variant Type | String |
      | Length | 100 |
      | Field Label | Owner |
      | Order | 5 |


    5. Save the form.

    6. Make the version active, and close the form.

  5. In the lookup definition for provisioning, create an entry for the new attribute as follows:

    1. Open the Lookup Definition form.

    2. Search for and open the AtMap.iPlanetGroup lookup definition.

    3. In the lookup definition, add an entry for the attribute that you want to add:

      • Code Key: Enter the name of the attribute that you add on the process form.

      • Decode: Enter the name of the attribute displayed on the target system, which you recorded earlier in this procedure.


    Note:

    Perform steps 6 through 8 only if you want to perform request-based provisioning.

  6. Update the request dataset.

    When you add an attribute on the process form, you also update the XML file containing the request dataset definitions. To update a request dataset:

    1. In a text editor, open the XML file located in the OIM_HOME/DataSet/file directory for editing.

    2. Add the AttributeReference element and specify values for the mandatory attributes of this element.

      See Also:

      The "Configuring Requests" chapter of the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for more information about creating and updating request datasets

      For example, while performing Step 4 of this procedure, if you added Owner as an attribute on the process form, then enter the following line:

      <AttributeReference
      name = "Owner"
      attr-ref = "Owner"
      type = "String"
      widget = "text"
      length = "100"
      available-in-bulk = "false"/>
      

      In this AttributeReference element:

      • For the name attribute, enter the value in the Name column of the process form without the tablename prefix.

        For example, if UD_IPNT_GR_OWNER is the value in the Name column of the process form, then you must specify Owner as the value of the name attribute in the AttributeReference element.

      • For the attr-ref attribute, enter the value that you entered in the Field Label column of the process form while performing Step 4.

      • For the type attribute, enter the value that you entered in the Variant Type column of the process form while performing Step 4.

      • For the widget attribute, enter the value that you entered in the Field Type column of the process form, while performing Step 4.

      • For the length attribute, enter the value that you entered in the Length column of the process form while performing Step 4.

      • For the available-in-bulk attribute, specify true if the attribute must be available during bulk request creation or modification. Otherwise, specify false.

      While performing Step 4, if you added more than one attribute on the process form, then repeat this step for each attribute added.

    3. Save and close the XML file.

  7. Run the PurgeCache utility to clear content related to request datasets from the server cache.

    See Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for more information about the PurgeCache utility.

  8. Import into MDS the request dataset definitions in XML format.

    See Section 2.3.1.7.3, "Importing Request Datasets into MDS" for detailed information about the procedure.

  9. To test whether or not you can use the newly added attribute for provisioning, log in to the Oracle Identity Manager Administrative and User Console and perform a provisioning operation in which you specify a value for the newly added attribute.
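The rules in Step 6 for filling in an AttributeReference element can be checked mechanically before the dataset is imported into MDS. The following is an added example, not part of the connector or its documentation. It assumes that the six attributes shown in the sample element are the mandatory ones; the wrapper element, the Description and Business Category fields, and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumption: the six attributes in the page's sample element are the mandatory ones.
MANDATORY = ("name", "attr-ref", "type", "widget", "length", "available-in-bulk")

# Constructed sample: process form columns from Step 4, keyed by Field Label.
# Owner uses the page's values; the other two fields are made up.
FORM_FIELDS = {
    "Owner": {"variant_type": "String", "length": "100"},
    "Description": {"variant_type": "String", "length": "200"},
    "Business Category": {"variant_type": "String", "length": "80"},
}

# Constructed dataset fragment; the wrapper element name is hypothetical.
DATASET_XML = """<dataset-fragment>
  <AttributeReference name="Owner" attr-ref="Owner" type="String"
      widget="text" length="50" available-in-bulk="false"/>
  <AttributeReference name="UD_IPNT_GR_DESC" attr-ref="Description"
      type="String" widget="text" length="200"/>
</dataset-fragment>"""


def check_dataset(xml_text, form_fields, table_prefix):
    """Return (field label, problem) pairs for every rule from Step 6 that is broken."""
    problems = []
    seen = set()
    for el in ET.fromstring(xml_text).iter("AttributeReference"):
        ref = el.get("attr-ref", "")
        seen.add(ref)
        for attr in MANDATORY:
            if el.get(attr) is None:
                problems.append((ref, f"missing attribute {attr}"))
        # The name attribute must not carry the table name prefix.
        if el.get("name", "").upper().startswith(table_prefix.upper()):
            problems.append((ref, "name still carries the table name prefix"))
        bulk = el.get("available-in-bulk")
        if bulk is not None and bulk not in ("true", "false"):
            problems.append((ref, "available-in-bulk must be true or false"))
        field = form_fields.get(ref)
        if field is None:
            problems.append((ref, "attr-ref matches no Field Label on the form"))
            continue
        # type and length must repeat the Variant Type and Length columns.
        if el.get("type") != field["variant_type"]:
            problems.append((ref, f"type {el.get('type')} differs from form type {field['variant_type']}"))
        if el.get("length") != field["length"]:
            problems.append((ref, f"length {el.get('length')} differs from form length {field['length']}"))
    # Every attribute added on the form needs its own AttributeReference.
    for label in form_fields:
        if label not in seen:
            problems.append((label, "form field has no AttributeReference"))
    return problems


if __name__ == "__main__":
    for label, problem in check_dataset(DATASET_XML, FORM_FIELDS, "UD_IPNT_GR_"):
        print(f"{label}: {problem}")
```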

Enabling Update of New Attributes for Provisioning of Group

After you add an attribute for provisioning Group, you must enable update operations on the attribute. If you do not perform this procedure, then you will not be able to modify the value of the attribute after you set a value for it during the Create User provisioning operation.

To enable the update of a new multivalued attribute for provisioning:

  1. Log in to the Oracle Identity Manager Design Console.

  2. Expand Process Management.

  3. Double-click Process Definition and open the iPlanet Group process definition.

  4. In the process definition, add a task for setting a value for the attribute:

    1. Click Add, enter the name of the task for updating attributes, and enter the task description.

    2. In the Task Properties section, select the following fields:

      • Conditional

      • Required for Completion

      • Allow Cancellation while Pending

      • Allow Multiple Instances

    3. On the Integration tab, click Add, and then click Adapter.

    4. Select the adpUPDATEIPLANETGROUPATTRIBUTES adapter, click Save, and then click OK in the message.

    5. To map the adapter variables listed in this table, select the adapter, click Map, and then specify the data given in the following table:

      | Variable Name | Data Type | Map To | Qualifier | IT Asset Type | IT Asset Property |
      |---|---|---|---|---|---|
      | Adapter return value | Object | Response Code | NA | NA | NA |
      | AdminID | String | IT Resources | Server | LDAP Server | Admin Id |
      | AdminPwd | String | IT Resources | Server | LDAP Server | Admin Password |
      | processIntKey | String | Process Data | Process Instance | NA | NA |
      | rootContext | String | IT Resources | Server | LDAP Server | Root DN |
      | SSLFlag | String | IT Resources | Server | LDAP Server | SSL |
      | PropertyName | String | Literal | String | postaladdress (Note: This is a sample value.) | NA |
      | AttrLookupCode | String | IT Resources | Server | LDAP Server | AtMap.iPlanetGroup |
      | LDAPServer | String | IT Resources | Server | LDAP Server | Server Address |
      | Port | String | IT Resources | Server | LDAP Server | Port |
      | PropertyValue | String | Process Data and mailing address | Mailing address (Note: This is a sample value.) | NA | NA |
      | nsuniqueid | String | Process Data | nsuniqueid | NA | NA |


    6. Click the Save icon and then close the dialog box.


Enabling Update of New Multivalued Attributes for Provisioning of Group

After you add a multivalued attribute for provisioning Group, you must enable update operations on the attribute.

To update a new multivalued attribute for provisioning of Groups, perform the steps described in the "Enabling Update of New Multivalued Attributes for Provisioning" section.

4.9 Adding New Attributes for Provisioning of Role

By default, the attributes listed in Section 1.6.6, "Provisioning Functions" of the connector guide are mapped for provisioning between Oracle Identity Manager and the target system. With this patch, if required, you can map additional attributes for provisioning.

To add a new attribute for provisioning:

  1. While performing the procedure described in Section 2.1.2.1, "Creating a Target System User Account for Connector Operations," you create an ACI for the user account. You must add the attribute to the ACI as follows:

    1. Log in to the Sun One Server Console by using administrator credentials.

    2. Expand the host name folder.

    3. Expand Server Group.

    4. Select Directory Server, and then click Open on the right pane.

    5. On the Directory tab, right-click the root context in which you created the user account for connector operations.

    6. From the shortcut menu, click Set Access Permissions.

    7. In the Manage Access Control dialog box, select the name of the ACI that you create for the user account and then click Edit.

      The ACI that you create for the user account is displayed.

    8. Add the attribute to the list of attributes displayed in the ACI. Use two vertical bars as the delimiter.

      In the following sample ACI, the passportnumber attribute has been added to the ACI:

      (targetattr = "passportnumber || physicalDeliveryOfficeName || homePhone || preferredDeliveryMethod || jpegPhoto || nsRoleDN || audio || internationaliSDNNumber || owner || postalAddress || roomNumber || givenName || carLicense || userPKCS12 || searchGuide || userPassword || teletexTerminalIdentifier || mobile || manager || entrydn || objectClass || userSMIMECertificate || displayName || destinationIndicator || telexNumber || employeeNumber || secretary || uid || userCertificate || st || sn || description || mail || labeledUri || businessCategory || homePostalAddress || x500UniqueIdentifier || modifyTimestamp || postOfficeBox || ou || nsAccountLock || seeAlso || registeredAddress || postalCode || photo || title || uniqueMember || street || pager || departmentNumber || dc || o || cn || l || initials || telephoneNumber || preferredLanguage || facsimileTelephoneNumber || x121Address || employeeType") (version 3.0;acl "OIMUserACI";allow (read,write,delete,add)(userdn = "ldap:///uid=OIMAdmin,ou=Org1,dc=corp,dc=oracle,dc=com");)
      
    9. Click OK.

  2. Determine the target system name for the attribute that you want to add as follows:

    1. Log in to the target system.

    2. On the Configuration tab of the user interface, click Schema.

    3. Select the object class on which you want to perform provisioning operations.

    4. Search for the attribute that you want to add, and record the name of the attribute. Later in this procedure, you enter this name while creating a lookup definition entry for the attribute.

  3. Log in to the Oracle Identity Manager Design Console.

  4. Add the new attribute on the process form as follows:

    1. Open the Form Designer form.

    2. Search for and open the UD_IPNT_RL form.

    3. Create a new version of the form.

    4. Add the new attribute on the form.

      For example, if you want to add the Naming Contexts attribute, then enter the following values on the Additional Columns tab:

      | Field | Value |
      |---|---|
      | Name | NAMINGCONTEXTS |
      | Variant Type | String |
      | Length | 100 |
      | Field Label | Naming Contexts |
      | Order | 5 |


    5. Save the form.

    6. Make the version active, and close the form.

  5. In the lookup definition for provisioning, create an entry for the new attribute as follows:

    1. Open the Lookup Definition form.

    2. Search for and open the AttrMap.iPlanetRole lookup definition.

    3. In the lookup definition, add an entry for the attribute that you want to add:

      • Code Key: Enter the name of the attribute that you add on the process form.

      • Decode: Enter the name of the attribute displayed on the target system, which you recorded earlier in this procedure.


    Note:

    Perform steps 6 through 8 only if you want to perform request-based provisioning.

  6. Update the request dataset.

    When you add an attribute on the process form, you also update the XML file containing the request dataset definitions. To update a request dataset:

    1. In a text editor, open the XML file located in the OIM_HOME/DataSet/file directory for editing.

    2. Add the AttributeReference element and specify values for the mandatory attributes of this element.

      See Also:

      The "Configuring Requests" chapter of the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for more information about creating and updating request datasets

      For example, while performing Step 4 of this procedure, if you added Naming Contexts as an attribute on the process form, then enter the following line:

      <AttributeReference
      name = "Naming Contexts"
      attr-ref = "Naming Contexts"
      type = "String"
      widget = "text"
      length = "100"
      available-in-bulk = "false"/>
      

      In this AttributeReference element:

      • For the name attribute, enter the value in the Name column of the process form without the tablename prefix.

        For example, if UD_IPNT_RL_NAMINGCONTEXTS is the value in the Name column of the process form, then you must specify Naming Contexts as the value of the name attribute in the AttributeReference element.

      • For the attr-ref attribute, enter the value that you entered in the Field Label column of the process form while performing Step 4.

      • For the type attribute, enter the value that you entered in the Variant Type column of the process form while performing Step 4.

      • For the widget attribute, enter the value that you entered in the Field Type column of the process form, while performing Step 4.

      • For the length attribute, enter the value that you entered in the Length column of the process form while performing Step 4.

      • For the available-in-bulk attribute, specify true if the attribute must be available during bulk request creation or modification. Otherwise, specify false.

      While performing Step 4, if you added more than one attribute on the process form, then repeat this step for each attribute added.

    3. Save and close the XML file.

  7. Run the PurgeCache utility to clear content related to request datasets from the server cache.

    See Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for more information about the PurgeCache utility.

  8. Import into MDS the request dataset definitions in XML format.

    See Section 2.3.2.1.2, "Using the Certificate Signing Request to Generate the CA and SSL Certificates" for detailed information about the procedure.

  9. To test whether or not you can use the newly added attribute for provisioning, log in to the Oracle Identity Manager Administrative and User Console and perform a provisioning operation in which you specify a value for the newly added attribute.

Enabling Update of New Attributes for Provisioning of Role

After you add an attribute for provisioning Role, you must enable update operations on the attribute. If you do not perform this procedure, then you will not be able to modify the value of the attribute after you set a value for it during the Create User provisioning operation.

To enable the update of a new multivalued attribute for provisioning:

  1. Log in to the Oracle Identity Manager Design Console.

  2. Expand Process Management.

  3. Double-click Process Definition and open the iPlanet Role process definition.

  4. In the process definition, add a task for setting a value for the attribute:

    1. Click Add, enter the name of the task for updating attributes, and enter the task description.

    2. In the Task Properties section, select the following fields:

      • Conditional

      • Required for Completion

      • Allow Cancellation while Pending

      • Allow Multiple Instances

    3. On the Integration tab, click Add, and then click Adapter.

    4. Select the adpUPDATEIPLANETROLEATTRIBUTES adapter, click Save, and then click OK in the message.

    5. To map the adapter variables listed in this table, select the adapter, click Map, and then specify the data given in the following table:

      | Variable Name | Data Type | Map To | Qualifier | IT Asset Type | IT Asset Property |
      |---|---|---|---|---|---|
      | Adapter return value | Object | Response Code | NA | NA | NA |
      | AdminID | String | IT Resources | Server | LDAP Server | Admin Id |
      | AdminPwd | String | IT Resources | Server | LDAP Server | Admin Password |
      | processIntKey | String | Process Data | Process Instance | NA | NA |
      | rootContext | String | IT Resources | Server | LDAP Server | Root DN |
      | SSLFlag | String | IT Resources | Server | LDAP Server | SSL |
      | PropertyName | String | Literal | String | postaladdress (Note: This is a sample value.) | NA |
      | AttrLookupCode | String | IT Resources | Server | LDAP Server | AttrMap.iPlanetRole |
      | LDAPServer | String | IT Resources | Server | LDAP Server | Server Address |
      | Port | String | IT Resources | Server | LDAP Server | Port |
      | PropertyValue | String | Process Data and mailing address | Mailing address (Note: This is a sample value.) | NA | NA |
      | nsuniqueid | String | Process Data | nsuniqueid | NA | NA |


    6. Click the Save icon and then close the dialog box.


Enabling Update of New Multivalued Attributes for Provisioning of Role

After you add a multivalued attribute for provisioning Role, you must enable update operations on the attribute.

To update a new multivalued attribute for provisioning of Roles, perform the steps described in the "Enabling Update of New Multivalued Attributes for Provisioning" section.

4.10 Adding New Object Classes for Reconciliation and Provisioning

To add new object classes for reconciliation and provisioning:

Note:

You must add the mandatory attributes of each object class that you add.

  1. Section 4.10.1, "Assigning Permissions for Using the Attribute"

  2. Section 4.10.2, "Adding the Attributes of the Object Class to the Process Form"

  3. Section 4.10.3, "Adding the Object Class and its Attributes to the Lookup Definition for Provisioning"

  4. Section 4.10.4, "Adding the Attributes of the Object Class to the Resource Object"

  5. Section 4.10.5, "Adding the Object Class and its Attributes to the Lookup Definition for Reconciliation"

  6. Section 4.10.6, "Adding attributes of the Object Class to the Provisioning Process"

4.10.1 Assigning Permissions for Using the Attribute

While performing the procedure described in Section 2.1.2.1, "Creating a Target System User Account for Connector Operations," you create an ACI for the user account. You must add the attribute to the ACI as follows:

  1. Log in to the Sun One Server Console by using administrator credentials.

  2. Expand the host name folder.

  3. Expand Server Group.

  4. Select Directory Server, and then click Open on the right pane.

  5. On the Directory tab, right-click the root context in which you created the user account for connector operations.

  6. From the shortcut menu, click Set Access Permissions.

  7. In the Manage Access Control dialog box, select the name of the ACI that you create for the user account and then click Edit.

    The ACI that you create for the user account is displayed.

  8. Add the attribute to the list of attributes displayed in the ACI. Use two vertical bars as the delimiter.

    In the following sample ACI, the passportnumber attribute has been added to the ACI:

    (targetattr = "passportnumber || physicalDeliveryOfficeName || homePhone || preferredDeliveryMethod || jpegPhoto || nsRoleDN || audio || internationaliSDNNumber || owner || postalAddress || roomNumber || givenName || carLicense || userPKCS12 || searchGuide || userPassword || teletexTerminalIdentifier || mobile || manager || entrydn || objectClass || userSMIMECertificate || displayName || destinationIndicator || telexNumber || employeeNumber || secretary || uid || userCertificate || st || sn || description || mail || labeledUri || businessCategory || homePostalAddress || x500UniqueIdentifier || modifyTimestamp || postOfficeBox || ou || nsAccountLock || seeAlso || registeredAddress || postalCode || photo || title || uniqueMember || street || pager || departmentNumber || dc || o || cn || l || initials || telephoneNumber || preferredLanguage || facsimileTelephoneNumber || x121Address || employeeType") (version 3.0;acl "OIMUserACI";allow (read,write,delete,add)(userdn = "ldap:///uid=OIMAdmin,ou=Org1,dc=corp,dc=oracle,dc=com");)
    
  9. Click OK.
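Editing the targetattr list by hand is easy to get wrong, so the change in Step 8 can be prepared and reviewed offline first. The following is an added example, not part of the connector or the directory server tooling. It handles only ACIs in the targetattr/userdn form shown above; the sample ACI is constructed with a shortened attribute list, and the set of attributes flagged as sensitive is an assumption of this example.

```python
import re

# Constructed sample in the page's ACI format, with a shortened attribute list.
SAMPLE_ACI = (
    '(targetattr = "homePhone || userPassword || nsAccountLock || uid || cn") '
    '(version 3.0;acl "OIMUserACI";allow (read,write,delete,add)'
    '(userdn = "ldap:///uid=OIMAdmin,ou=Org1,dc=corp,dc=oracle,dc=com");)'
)

ACI_RE = re.compile(
    r'\(\s*targetattr\s*(?P<op>!?=)\s*"(?P<attrs>[^"]*)"\s*\)\s*'
    r'\(\s*version\s+3\.0\s*;\s*acl\s+"(?P<name>[^"]*)"\s*;\s*'
    r'(?P<verb>allow|deny)\s*\((?P<rights>[^)]*)\)\s*'
    r'\(\s*userdn\s*=\s*"(?P<userdn>[^"]*)"\s*\)\s*;\s*\)',
    re.IGNORECASE,
)

# LDAP attribute descriptor (RFC 4512): a letter, then letters, digits or hyphens.
ATTR_NAME_RE = re.compile(r'^[A-Za-z][A-Za-z0-9-]*$')

# Assumption of this example: attributes whose write access deserves a second look.
SENSITIVE = {"userpassword", "userpkcs12", "nsaccountlock", "nsroledn"}


def parse_aci(text):
    """Split an ACI of the form shown on the page into its parts."""
    m = ACI_RE.search(text)
    if m is None:
        raise ValueError("not an ACI in the targetattr/userdn form shown on the page")
    return {
        "op": m.group("op"),
        "attrs": [a.strip() for a in m.group("attrs").split("||") if a.strip()],
        "name": m.group("name"),
        "verb": m.group("verb").lower(),
        "rights": [r.strip().lower() for r in m.group("rights").split(",") if r.strip()],
        "userdn": m.group("userdn").strip(),
        "span": m.span("attrs"),  # position of the attribute list inside text
    }


def covers(aci, attribute):
    """True if the targetattr clause applies to attribute (names are case-insensitive)."""
    listed = {a.lower() for a in aci["attrs"]}
    hit = "*" in listed or attribute.lower() in listed
    return hit if aci["op"] == "=" else not hit


def add_attribute(text, attribute):
    """Return the ACI with attribute added to targetattr; unchanged if already covered."""
    # Reject anything that could break out of the quoted list (quotes, parentheses).
    if not ATTR_NAME_RE.match(attribute):
        raise ValueError(f"not a valid LDAP attribute name: {attribute!r}")
    aci = parse_aci(text)
    if aci["op"] != "=":
        raise ValueError("targetattr uses '!='; adding a name there would remove access")
    if covers(aci, attribute):
        return text
    start, end = aci["span"]
    return text[:start] + " || ".join([attribute] + aci["attrs"]) + text[end:]


def review(aci):
    """Findings to look at before the edited ACI is saved."""
    findings = []
    if aci["verb"] == "allow" and aci["op"] == "=":
        if "*" in aci["attrs"]:
            findings.append("targetattr is '*': every attribute is covered")
        if "write" in aci["rights"] or "all" in aci["rights"]:
            for a in aci["attrs"]:
                if a.lower() in SENSITIVE:
                    findings.append(f"write access to sensitive attribute {a}")
    if aci["userdn"].lower() in ("ldap:///anyone", "ldap:///all"):
        findings.append(f"bind rule {aci['userdn']} is not limited to the connector account")
    return findings


if __name__ == "__main__":
    updated = add_attribute(SAMPLE_ACI, "passportnumber")
    print(updated)
    for finding in review(parse_aci(updated)):
        print("review:", finding)
```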

4.10.2 Adding the Attributes of the Object Class to the Process Form

To add the attributes of the object class to the process form:

  1. Open the Oracle Identity Manager Design Console.

  2. Expand the Development Tools folder.

  3. Double-click Form Designer.

  4. Search for and open the UD_IPNT_USR process form.

  5. Click Create New Version, and then click Add.

  6. Enter the details of the attribute.

    For example, if you are adding the Associated Domain attribute, enter UD_IPNT_USR_ASSOCIATEDDOMAIN in the Name field and then enter the other details of this attribute.

  7. Click Save, and then click Make Version Active.

4.10.3 Adding the Object Class and its Attributes to the Lookup Definition for Provisioning

To add the object class and its attributes to the lookup definition for provisioning:

  1. Expand the Administration folder.

  2. Double-click Lookup Definition.

  3. Search for and open the Lookup.iPlanet.Configuration lookup definition.

  4. Add the object class name to the Decode value of the ldapUserObjectClass Code Key.

    Note:

    In the Decode column, use the vertical bar (|) as a delimiter when you add the object class name to the existing list of object class names.

    For example, if you want to add MyObjectClass in the Decode column then enter the value as follows:

    inetorgperson|MyObjectClass
    
  5. Search for and open the AttrName.Prov.Map.iPlanet lookup definition.

  6. Click Add and then enter the Code Key and Decode values for an attribute of the object class. The Code Key value must be the name of the field on the process form and Decode value must be the name of the field on the target system.

    For example, enter Associated Domain in the Code Key field and then enter associatedDomain in the Decode field.

    Note:

    You must perform this step for all the mandatory attributes of the object class. You can also perform this step for the optional attributes.

  7. Click Save.


4.10.4 Adding the Attributes of the Object Class to the Resource Object

To add the attributes of the object class to the resource object:

Note:

You must perform this step for all the mandatory attributes of the object class. You can also perform this step for the optional attributes.

  1. Expand the Resource Management folder.

  2. Double-click Resource Objects.

  3. Search for and open the iPlanet User resource object.

  4. For each attribute of the object class:

    1. On the Object Reconciliation tab, click Add Field.

    2. Enter the details of the field.

    For example, enter Associated Domain in the Field Name field and select String from the Field Type list.

  5. If you are using Oracle Identity Manager release 11.1.1, then click Create Reconciliation Profile. This copies changes made to the resource object into the MDS.

  6. Click the save icon.

4.10.5 Adding the Object Class and its Attributes to the Lookup Definition for Reconciliation

To add the object class and its attributes to the lookup definition for reconciliation, perform all the instructions given in Section 4.10.3, "Adding the Object Class and its Attributes to the Lookup Definition for Provisioning" about the AttrName.Recon.Map.iPlanet lookup definition.

While performing Step 6 of Section 4.10.3, "Adding the Object Class and its Attributes to the Lookup Definition for Provisioning," note that the Code Key value must be the name of the reconciliation field in the iPlanet User resource object, and the Decode value must be the name of the field on the target system. For example, enter Associated Domain in the Code Key field and then enter associatedDomain in the Decode field.

To include the new object class for reconciliation, add the object class to the search filter.

Table 3-2 describes the search filter attributes of the scheduled tasks.


4.10.6 Adding attributes of the Object Class to the Provisioning Process

To add the attributes of the object class to the provisioning process:

Note:

You must perform this step for all the mandatory attributes of the object class. You can also perform this step for the optional attributes.

  1. Expand the Process Management folder.

  2. Double-click Process Definition.

  3. Search for and open the iPlanet User provisioning process.

  4. On the Reconciliation Field Mappings tab, click Add Field Map.

  5. In the Field Name field, select the value for the field that you want to add.

    For example, select Associated Domain = UD_IPNT_USR_ASSOCIATEDDOMAIN

  6. In the Field Type field, select the field type.

  7. Click the save icon.
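
The notes in Sections 4.10.3 through 4.10.6 require an entry for every mandatory attribute of each added object class. The following check is an added example, not part of the connector or of this guide: it reads the pipe-delimited object class value and a lookup's Code Key/Decode pairs, follows SUP chains in RFC 4512 schema definitions, and reports mandatory attributes that have no Decode entry. The schema lines, the MyObjectClass definition and OID, the Code Key names, and all function names are constructed for illustration.

```python
import re

# Constructed, abbreviated RFC 4512 objectClasses values (MAY lists shortened).
# The OID and definition of MyObjectClass are placeholders for illustration.
SCHEMA = [
    "( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) MAY ( userPassword $ description ) )",
    "( 2.5.6.7 NAME 'organizationalPerson' SUP person STRUCTURAL MAY ( title $ ou $ l ) )",
    "( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' SUP organizationalPerson STRUCTURAL MAY ( mail $ uid ) )",
    "( 1.1.1.1 NAME 'MyObjectClass' SUP top AUXILIARY MUST associatedDomain MAY description )",
]
# Constructed Code Key -> Decode pairs standing in for a lookup export.
PROV_MAP = {"Common Name": "cn", "Last Name": "sn", "User ID": "uid"}

def parse_object_class(defn):
    """Return (name, superior, MUST attributes) for a single-NAME definition."""
    name = re.search(r"NAME\s+'([^']+)'", defn).group(1)
    sup = re.search(r"\bSUP\s+([\w-]+)", defn)
    must = re.search(r"\bMUST\s+(?:\(([^)]*)\)|([\w;-]+))", defn)
    attrs = []
    if must:
        raw = must.group(1) if must.group(1) is not None else must.group(2)
        attrs = [a.strip() for a in raw.split("$") if a.strip()]
    return name.lower(), (sup.group(1).lower() if sup else None), attrs

def mandatory_attrs(class_name, classes):
    """Collect MUST attributes of a class and of every superior up to top."""
    needed, seen, current = [], set(), class_name.lower()
    while current and current != "top" and current not in seen:
        seen.add(current)
        if current not in classes:
            raise KeyError(f"object class not found in schema: {current}")
        current, must = classes[current]
        needed.extend(must)
    return needed

def unmapped_mandatory(object_class_decode, attr_map, schema):
    """Map each object class in 'a|b' to its mandatory attributes lacking a Decode entry."""
    classes = {n: (s, m) for n, s, m in map(parse_object_class, schema)}
    mapped = {decode.lower() for decode in attr_map.values()}
    missing = {}
    for oc in (part.strip() for part in object_class_decode.split("|")):
        gaps = [a for a in mandatory_attrs(oc, classes) if a.lower() not in mapped]
        if gaps:
            missing[oc] = gaps
    return missing

if __name__ == "__main__":
    print(unmapped_mandatory("inetorgperson|MyObjectClass", PROV_MAP, SCHEMA))
```

Run the same check against the reconciliation lookup by passing its Code Key/Decode pairs as `attr_map`.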

4.11 Configuring the Connector for Multiple Installations of the Target System

Note:

Perform this procedure only if you want to configure the connector for multiple installations of Sun Java System Directory.

You may want to configure the connector for multiple installations of Sun Java System Directory. The following example illustrates this requirement:

The Tokyo, London, and New York offices of Example Multinational Inc. have their own installations of Sun Java System Directory. The company has recently installed Oracle Identity Manager, and they want to configure Oracle Identity Manager to link all the installations of Sun Java System Directory.

To meet the requirement posed by such a scenario, you must create and configure one IT resource for each installation of the target system.

The IT Resources form is in the Resource Management folder. The iPlanet User Resource IT resource is created when you import the connector XML file. You can use this IT resource as the template for creating the remaining IT resources of the same resource type.

See Also:

For detailed instructions, see one of the following guides:

When you use the Administrative and User Console to perform provisioning, you can specify the IT resource corresponding to the target system installation to which you want to provision the user.

Similarly, to reconcile data from a particular target system installation, specify the name of the IT resource for that target system installation as the value of the ITResource scheduled task attribute.