1 About the Connector

Oracle Identity Manager automates access rights management, security, and provisioning of IT resources. Oracle Identity Manager connectors are used to integrate Oracle Identity Manager with third-party applications. This guide discusses the procedure to deploy the connector that is used to integrate Oracle Identity Manager with Sun Java System Directory.

Note:

In some places in this guide, Sun Java System Directory is referred to as the target system.

1.1 Certified Components

Table 1-1 lists the certified components for this connector.

Table 1-1 Certified Components

Item | Requirement

Oracle Identity Manager

You can use one of the following releases of Oracle Identity Manager:

  • Oracle Identity Manager release 9.0.3.2 or later

    Note: In this guide, Oracle Identity Manager release 9.0.3.x has been used to denote Oracle Identity Manager release 9.0.3.2 and later releases in the 9.0.3.x series that the connector supports.

  • Oracle Identity Manager release 9.1.0.1 or later

    Note: In this guide, Oracle Identity Manager release 9.1.0.x has been used to denote Oracle Identity Manager release 9.1.0.1 and future releases in the 9.1.0.x series that the connector will support.

  • Oracle Identity Manager 11g release 1 (11.1.1)

    Note: In this guide, Oracle Identity Manager release 11.1.1 has been used to denote Oracle Identity Manager 11g release 1 (11.1.1).

Target systems

The target system can be one of the following:

  • Sun ONE Directory Server 5.2

  • Sun Java System Directory Server Enterprise Edition 6.3, 7.0

Target system user account

Sun Java System Directory user account to which the Read, Write, Add, Delete, and Search permissions have been assigned

You provide the credentials of this user account while configuring the IT resource. The procedure is described later in the guide.

If you try to perform an operation for which the required permission has not been assigned to the user account, then the "Insufficient Privileges" message is displayed.

JDK

The JDK version can be one of the following:

  • For Oracle Identity Manager release 9.0.3.2 or later versions in the 9.0.3.x series, use JDK 1.4.2 or a later release in the 1.4.2 series.

  • For Oracle Identity Manager release 9.1.0.x, use JDK 1.6 update 5 or later.

  • For Oracle Identity Manager release 11.1.1, use JDK 1.6 update 18 or later, or JRockit JDK 1.6 update 17 or later.


1.2 Certified Languages

The connector supports the following languages:

  • Arabic

  • Chinese Simplified

  • Chinese Traditional

  • Danish

  • English

  • French

  • German

  • Italian

  • Japanese

  • Korean

  • Portuguese (Brazilian)

  • Spanish

1.3 Connector Architecture

Figure 1-1 shows the connector integrating Sun Java System Directory with Oracle Identity Manager.

Figure 1-1 Connector Architecture

The connector can be configured to run in one of the following modes:

Note:

In Oracle Identity Manager release 11.1.1, a scheduled job is an instance of a scheduled task. In this guide, the term scheduled task used in the context of Oracle Identity Manager release 9.1.0.x is the same as the term scheduled job in the context of Oracle Identity Manager release 11.1.1.

See Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for more information about scheduled tasks and scheduled jobs.

  • Identity Reconciliation

    In the identity reconciliation mode, Sun Java System Directory Server is used as the trusted source and users are directly created and modified on it.

    During reconciliation, a scheduled task establishes a connection with the target system and sends reconciliation criteria to the APIs. The APIs extract user records that match the reconciliation criteria and hand them over to the scheduled task, which brings the records to Oracle Identity Manager. The next step depends on the mode of connector configuration.

    Each record fetched from the target system is compared with existing OIM Users. If a match is found, then the update made to the record on the target system is copied to the OIM User attributes. If no match is found, then the target system record is used to create an OIM User.

  • Account Management

    In the account management mode, Sun Java System Directory Server is used as a target resource. The connector enables the target resource reconciliation and provisioning operations. Through provisioning operations performed on Oracle Identity Manager, user accounts are created and updated on the target system for OIM Users. During reconciliation from the target resource, the Sun Java System Directory connector fetches into Oracle Identity Manager data about user accounts that are created or modified on the target system. This data is used to add or modify resources allocated to OIM Users.

    During provisioning operations, adapters carry provisioning data submitted through the process form to the target system. APIs on the target system accept provisioning data from the adapters, carry out the required operation on the target system, and return the response from the target system to the adapters. The adapters return the response to Oracle Identity Manager.

    During reconciliation, a scheduled task establishes a connection with the target system and sends reconciliation criteria to the APIs. The APIs extract user records that match the reconciliation criteria and hand them over to the scheduled task, which brings the records to Oracle Identity Manager. The next step depends on the mode of connector configuration.

1.4 Features of the Connector

1.4.1 Support for Both Target Resource and Trusted Source Reconciliation

You can use the connector to configure Sun Java System Directory as either a target resource or trusted source of Oracle Identity Manager.

See Section 3.4, "Configuring Reconciliation" for more information.

1.4.2 Support for Limited Reconciliation

You can set a reconciliation filter as the value of the SearchFilter attribute of the scheduled tasks. This filter specifies the subset of newly added and modified target system records that must be reconciled.

See Section 3.4.1, "Limited Reconciliation" for more information.

1.4.3 Support for Batched Reconciliation

You can break down a reconciliation run into batches by specifying the number of records that must be included in each batch.

See Section 3.4.2, "Batched Reconciliation" for more information.

1.4.4 Support for Both Full and Incremental Reconciliation

After you deploy the connector, you can perform full reconciliation to bring all existing user data from the target system to Oracle Identity Manager. After the first full reconciliation run, incremental reconciliation is automatically enabled from the next run of the user reconciliation.

You can perform a full reconciliation run at any time.
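
The three features above (limited, batched, and full or incremental reconciliation) are illustrated by the following added example, which is not part of the guide or of Oracle's connector code. It shows a SearchFilter being built with RFC 4515 escaping so that attribute data cannot widen the filter, the filter being narrowed to a change window for an incremental run, and the fetched records being split into batches. Keying the incremental window on modifyTimestamp is an assumption made for the example; the guide does not state how the connector tracks changes, and the attribute values are constructed.

```python
"""Added example (not Oracle connector code): composing a limited-reconciliation
SearchFilter safely, narrowing it to an incremental window, and splitting the
result set into batches. The modifyTimestamp window is an assumption about how
incremental reconciliation could be keyed; the guide does not state the mechanism."""
from datetime import datetime, timezone
from typing import Iterable, List, Optional


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515), so that
    characters such as ')' or '*' carried in the data cannot widen the filter."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def department_filter(department: str) -> str:
    """Build a SearchFilter that limits reconciliation to one department."""
    return "(departmentnumber=%s)" % escape_filter_value(department)


def incremental_filter(base_filter: str, last_run_iso: Optional[str]) -> str:
    """A full run uses the SearchFilter as given; an incremental run additionally
    requires the entry to have changed since the last run (ISO 8601 timestamp,
    for example '2024-01-02T03:04:05+00:00'; naive timestamps are treated as local)."""
    if last_run_iso is None:
        return base_filter
    last_run = datetime.fromisoformat(last_run_iso)
    stamp = last_run.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")
    return "(&%s(modifyTimestamp>=%s))" % (base_filter, stamp)


def batches(records: Iterable[dict], batch_size: int) -> List[List[dict]]:
    """Split fetched records into batches of batch_size; a non-positive size
    means the whole run is processed as one batch."""
    items = list(records)
    if batch_size <= 0:
        return [items] if items else []
    return [items[i:i + batch_size] for i in range(0, len(items), batch_size)]


if __name__ == "__main__":
    # Constructed sample input: a department value that carries filter syntax.
    print(department_filter("Sales)(uid=*"))
    print(incremental_filter("(objectClass=inetOrgPerson)", "2024-01-02T03:04:05+00:00"))
    print(batches([{"uid": "u%d" % i} for i in range(7)], 3))
```

The escaping step is the part worth keeping in mind when a SearchFilter is assembled from values entered by administrators or copied from other systems: without it, a value containing `)(` silently turns a narrow filter into a broad one.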

1.4.5 Support for Adding New Single-Valued and Multivalued Attributes for Reconciliation and Provisioning

If you want to add to the standard set of single-valued and multivalued attributes for reconciliation and provisioning, then perform the procedures described in Chapter 4, "Extending the Functionality of the Connector."

1.4.6 Support for Reconciliation of Deleted User Records

You can configure the connector for reconciliation of deleted user records. In target resource mode, if a record is deleted on the target system, then the corresponding iPlanet resource is revoked from the OIM User. In trusted source mode, if a record is deleted on the target system, then the corresponding OIM User is deleted.

1.4.7 Support for High-Availability Configuration of the Target System

The connector can be configured to work with high-availability target system environments. If the primary installation becomes unavailable, then the connector reads information about backup target system installations from the lookup.iPlanet.BackupServers lookup definition and uses this information to switch to a backup target system installation. See Section 2.3.1.5, "Configuring High Availability of the Target System" for more information.
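
The following added example (not part of the guide or of Oracle's connector code) shows the failover order a connector can derive from a backup-server lookup: the primary installation is tried first, then each backup in the order listed, and the operation fails only when none answers. The lookup is modelled as a dictionary of primary server to a comma-separated list of backups; that value format, the server names, and the `TargetUnavailable` exception are assumptions made for the example rather than the format of the lookup.iPlanet.BackupServers lookup definition.

```python
"""Added example (not Oracle connector code): failover over the servers named in a
backup-server lookup. The lookup value format (comma-separated backups) and the
server names are assumptions for this example."""
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed stand-in for the lookup.iPlanet.BackupServers lookup definition.
BACKUP_SERVERS: Dict[str, str] = {
    "ldap-primary.example.com:389": "ldap-backup1.example.com:389, ldap-backup2.example.com:389",
}


class TargetUnavailable(Exception):
    """Raised when a target system installation cannot be reached."""


def candidate_servers(primary: str, backup_lookup: Dict[str, str]) -> List[str]:
    """Primary first, then its backups in the order listed in the lookup."""
    backups = [s.strip() for s in backup_lookup.get(primary, "").split(",") if s.strip()]
    return [primary] + backups


def connect_with_failover(primary: str, backup_lookup: Dict[str, str],
                          connect: Callable[[str], object]) -> Tuple[str, object]:
    """Try each candidate in turn; return (server, connection) for the first that
    answers, or raise with the per-server reasons if none does."""
    failures: Dict[str, str] = {}
    for server in candidate_servers(primary, backup_lookup):
        try:
            return server, connect(server)
        except TargetUnavailable as exc:
            failures[server] = str(exc)   # keep the reason for the operator's log
    raise TargetUnavailable("no target system installation reachable: %r" % failures)


def make_fake_connect(down: Set[str]) -> Callable[[str], object]:
    """Constructed connector: servers in `down` refuse, all others answer."""
    def connect(server: str) -> object:
        if server in down:
            raise TargetUnavailable("connection refused")
        return {"server": server}
    return connect


def first_reachable(primary: str, backup_lookup: Dict[str, str], down: Set[str]) -> Optional[str]:
    """Which server the failover order lands on for a given outage set, or None."""
    try:
        server, _ = connect_with_failover(primary, backup_lookup, make_fake_connect(down))
        return server
    except TargetUnavailable:
        return None


if __name__ == "__main__":
    primary = "ldap-primary.example.com:389"
    print(first_reachable(primary, BACKUP_SERVERS, {primary, "ldap-backup1.example.com:389"}))
```

Recording why each candidate failed, rather than only the final failure, is what makes an outage of the primary visible in operations logs instead of being masked by a successful fallback.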

1.5 Lookup Definitions Used During Connector Operations

Lookup definitions used during connector operations can be divided into the following categories:

1.5.1 Lookup Definitions Synchronized with the Target System

The following lookup definitions are populated with values fetched from the target system by the scheduled tasks for lookup field synchronization:

See Also:

Section 3.3, "Lookup Field Synchronization" for information about these scheduled tasks

  • For organizations and organization units: Lookup.IPNT.Organization

  • For groups: Lookup.IPNT.UserGroup

  • For roles: Lookup.IPNT.Role

1.5.2 Other Lookup Definitions

Table 1-2 describes the other lookup definitions that are created in Oracle Identity Manager when you deploy the connector. These lookup definitions are either prepopulated with values or values must be manually entered in them after the connector is deployed.

Table 1-2 Other Lookup Definitions

Lookup Definition | Description of Values | Method to Specify Values for the Lookup Definition

Lookup.iPlanet.Configuration

This lookup definition holds connector configuration entries that are used during reconciliation and provisioning.

Some of the entries in this lookup definition are preconfigured. See Section 2.3.1.4.1, "Setting Up the Lookup.iPlanet.Configuration Lookup Definition" for information about the entries for which you can set values.

Lookup.iPlanet.Constants

This lookup definition stores values that are used internally by the connector. The connector development team can use this lookup definition to make minor configuration changes in the connector.

You must not modify the entries in this lookup definition. See Section 2.3.1.4.3, "Setting Up the Lookup.iPlanet.Constants Lookup Definition" for more information about the entries for which you can set values.

AttrName.Recon.Map.iPlanet

This lookup definition holds mappings between the iPlanet User resource object fields and target system attributes.

This lookup definition is preconfigured. Table 1-3 lists the default entries in this lookup definition. You can add entries in this lookup definition if you want to map new target system attributes for user reconciliation. Chapter 4, "Extending the Functionality of the Connector" provides more information.

AttrName.Prov.Map.iPlanet

This lookup definition holds mappings between iPlanet User process form fields and target system attributes.

This lookup definition is preconfigured. Table 1-3 lists the default entries in this lookup definition. You can add entries in this lookup definition if you want to map new target system attributes for user provisioning. Chapter 4, "Extending the Functionality of the Connector" provides more information.

Lookup.iPlanetGroupReconciliation.FieldMap

This lookup definition holds mappings between iPlanet Group resource object fields and target system attributes.

This lookup definition is preconfigured. Table 1-4 lists the default entries in this lookup definition. You can add entries in this lookup definition if you want to map new target system attributes for group reconciliation. Chapter 4, "Extending the Functionality of the Connector" provides more information.

AtMap.iPlanetGroup

This lookup definition holds mappings between iPlanet Group process form fields and target system attributes.

This lookup definition is preconfigured. Table 1-4 lists the default entries in this lookup definition. You can add entries in this lookup definition if you want to map new target system attributes for group provisioning. Chapter 4, "Extending the Functionality of the Connector" provides more information.

Lookup.iPlanetRoleReconciliation.FieldMap

This lookup definition holds mappings between iPlanet Role resource object fields and target system attributes.

This lookup definition is preconfigured. Table 1-5 lists the default entries in this lookup definition. You can add entries in this lookup definition if you want to map new target system attributes for role reconciliation. Chapter 4, "Extending the Functionality of the Connector" provides more information.

AttrMap.iPlanetRole

This lookup definition holds mappings between iPlanet Role process form fields and target system attributes.

This lookup definition is preconfigured. Table 1-5 lists the default entries in this lookup definition. You can add entries in this lookup definition if you want to map new target system attributes for role provisioning. Chapter 4, "Extending the Functionality of the Connector" provides more information.

lookup.iPlanet.BackupServers

This lookup definition holds mappings between primary iPlanet servers and secondary iPlanet servers.

It is optional to enter values in this lookup definition. Section 2.3.1.5, "Configuring High Availability of the Target System" provides information about this lookup definition.

Lookup.IPNT.CommLang

During a provisioning operation, you use this lookup definition to specify a language for the user.

Section 2.3.1.4.2, "Setting Up the Lookup.IPNT.CommLang Lookup Definition" provides information about creating entries in this lookup definition.


1.6 Connector Objects Used During Target Resource Reconciliation and Provisioning

The following sections provide information about connector objects used during reconciliation:

See Also:

For conceptual information about reconciliation, see one of the following guides:

1.6.1 User Attributes for Target Resource Reconciliation and Provisioning

Table 1-3 provides information about user attribute mappings for target resource reconciliation and provisioning.

Table 1-3 User Attributes for Target Resource Reconciliation and Provisioning

Process Form Field | Target System Field | Description
User ID | uid | User ID
First Name | givenname | First name
Last Name | sn | Last name
Middle Initial | initials | Middle name
Department | departmentnumber | Department
Location | l | Location
Telephone | telephonenumber | Telephone
Email | mail | Email
Communication Language | preferredlanguage | Communication language
Title | title | Title
Container DN | NA | Container in which the user is present on the target system, for example o=abc,dc=Company
Group | uniquemember | The Group attribute that holds the User ID of its members
Role | nsroledn | The User attribute that holds the roles to which the user is assigned
nsuniqueid | nsuniqueid | Unique ID for the user
Common Name | cn | Common name
Status | nsaccountlock | The attribute that holds the value of the user status on the target system
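
The following added example (not part of the guide or of Oracle's connector code) applies the Table 1-3 mapping when the data from a process form is turned into an LDAP entry for a Create User operation: the process form fields are translated to target attributes, the Container DN becomes the parent of the user's DN with the User ID escaped per RFC 4514 so that a value such as `doe, john` cannot add an RDN component, Status is written to nsaccountlock, and fields with no mapping are reported rather than silently dropped. The objectClass values and the sample form data are constructed assumptions; the guide does not list the object classes the connector uses.

```python
"""Added example (not Oracle connector code): applying the Table 1-3 process-form
to target-attribute mapping when building the LDAP entry for a Create User
operation. The objectClass values and the sample form data are constructed
assumptions; the guide does not list the object classes the connector uses."""
from typing import Dict, List, Tuple

# Process form field -> target system attribute (Table 1-3). Container DN has no
# attribute of its own: it becomes the parent of the user's DN.
PROV_MAP: Dict[str, str] = {
    "User ID": "uid",
    "First Name": "givenname",
    "Last Name": "sn",
    "Middle Initial": "initials",
    "Department": "departmentnumber",
    "Location": "l",
    "Telephone": "telephonenumber",
    "Email": "mail",
    "Communication Language": "preferredlanguage",
    "Title": "title",
    "Common Name": "cn",
}


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use in a DN (RFC 4514), so that a User ID
    such as 'doe, john' cannot add or alter RDN components."""
    out = []
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, len(value) - 1):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def build_user_dn(user_id: str, container_dn: str) -> str:
    """uid=<User ID>,<Container DN>, with the User ID escaped."""
    return "uid=%s,%s" % (escape_dn_value(user_id), container_dn)


def unmapped_fields(form: Dict[str, str]) -> List[str]:
    """Form fields with no entry in the mapping (adding one is Chapter 4's procedure)."""
    return [f for f in form if f != "Container DN" and f not in PROV_MAP]


def status_to_nsaccountlock(enabled: bool) -> str:
    """Status maps to nsaccountlock; 'true' locks (disables) the account."""
    return "false" if enabled else "true"


def build_add_entry(form: Dict[str, str], enabled: bool = True) -> Tuple[str, Dict[str, List[str]]]:
    """Return (dn, attributes) for the add operation, or raise on unmapped fields."""
    missing = unmapped_fields(form)
    if missing:
        raise KeyError("no target attribute mapped for %r" % missing)
    attrs: Dict[str, List[str]] = {
        # Assumption: the object classes a typical user entry carries.
        "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson"],
    }
    for field_name, value in form.items():
        if field_name == "Container DN" or not value:
            continue
        attrs[PROV_MAP[field_name]] = [value]
    attrs["nsaccountlock"] = [status_to_nsaccountlock(enabled)]
    return build_user_dn(form["User ID"], form["Container DN"]), attrs


if __name__ == "__main__":
    # Constructed sample process form.
    form = {"User ID": "jdoe", "First Name": "John", "Last Name": "Doe",
            "Email": "jdoe@example.com", "Container DN": "o=abc,dc=Company"}
    print(build_add_entry(form, enabled=False))
```

The DN escaping matters because the Container DN and the User ID are concatenated into the entry's name: a User ID that carries `,` or `+` would otherwise change where the entry is created or what attributes its RDN asserts.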


1.6.2 Group Attributes for Target Resource Reconciliation and Provisioning

Table 1-4 provides information about group attribute mappings for target resource reconciliation and provisioning.

Note:

If you are using Oracle Identity Manager release 11.1.1, then you cannot reconcile data from group attributes of the target system. This is tracked by Bug 9799541 in Chapter 6, "Known Issues."

Table 1-4 Group Attributes for Target Resource Reconciliation and Provisioning

Process Form Field | Target System Group Attribute | Description
Group Name | cn | Group name
Organization | NA | Container in which the group object is located on the target system
nsuniqueid | nsuniqueid | nsuniqueid of the group


1.6.3 Role Attributes for Target Resource Reconciliation and Provisioning

Table 1-5 provides information about role attribute mappings for target resource reconciliation and provisioning.

Note:

If you are using Oracle Identity Manager release 11.1.1, then you cannot reconcile data from role attributes of the target system. This is tracked by Bug 9799541 in Chapter 6, "Known Issues."

Table 1-5 Role Attributes for Target Resource Reconciliation and Provisioning

Process Form Field | Target System Role Attribute | Description
Role Name | cn | Role name
Organization | NA | Container in which the role object is located on the target system
nsuniqueid | nsuniqueid | nsuniqueid of the role


1.6.4 Reconciliation Rule for Target Resource Reconciliation

See Also:

For generic information about reconciliation matching and action rules, see one of the following guides:

The following is the process-matching rule:

Rule name: iPlanet Recon User

Rule element: (NsuniqueID Equals NsuniqueID) OR (User Login Equals User ID)

In the first rule component:

  • NsuniqueID to the left of "Equals" is the NsuniqueID of the resource assigned to the OIM User.

  • NsuniqueID to the right of "Equals" is the NsuniqueID of the resource on the target system.

In the second rule component:

  • User Login is one of the following:

    • For Oracle Identity Manager release 9.0.3.x:

      User ID attribute on the Xellerate User form.

    • For Oracle Identity Manager release 9.1.0.x or release 11.1.1:

      User ID attribute on the OIM User form.

  • User ID is the UID field on the target system.

This rule supports the following scenarios:

  • You can provision multiple Sun Java System Directory resources to the same OIM User, either on Oracle Identity Manager or directly on the target system.

  • You can change the user ID of a user on the target system.

This is illustrated by the following use cases:

  • Use case 1: You provision a Sun Java System Directory account for an OIM User, and you also create an account for the user directly on the target system.

    When the first rule condition is applied, no match is found. Then, the second rule condition is applied and it is determined that a second account has been given to the user on the target system. The second account is linked with the OIM User at the end of the reconciliation run.

  • Use case 2: An OIM User has a Sun Java System Directory account. You then change the user ID of the user on the target system.

    During the next reconciliation run, application of the first rule condition helps match the resource with the record.

After you deploy the connector, you can view the reconciliation rule for target resource reconciliation by performing the following steps:

Note:

Perform the following procedure only after the connector is deployed.

  1. Log in to the Oracle Identity Manager Design Console.

  2. Expand Development Tools.

  3. Double-click Reconciliation Rules.

  4. Search for iPlanet User. Figure 1-2 shows the reconciliation rule for target resource reconciliation.

    Figure 1-2 Reconciliation Rule for Target Resource Reconciliation

1.6.5 Reconciliation Action Rules for Target Resource Reconciliation

Table 1-6 lists the action rules for target resource reconciliation.

Table 1-6 Action Rules for Target Resource Reconciliation

Rule Condition | Action
No Matches Found | Assign to Administrator With Least Load
One Entity Match Found | Establish Link
One Process Match Found | Establish Link


Note:

No action is performed for rule conditions that are not predefined for this connector. You can define your own action rule for such rule conditions. See Oracle Fusion Middleware User's Guide for Oracle Identity Manager for information about modifying or creating reconciliation action rules.
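
The following added example (not part of the guide or of Oracle's connector code) runs the "iPlanet Recon User" matching rule from Section 1.6.4 and the Table 1-6 action rules over constructed data: one OIM User with a linked account, and three target records reproducing use case 1 (a second account created directly on the target system), use case 2 (the user ID of the linked account changed on the target system) and a record that matches no OIM User. The in-memory `OimUser` structure and the way a link is recorded are this example's own; the guide does not describe OIM's internal representation.

```python
"""Added example (not Oracle connector code): the 'iPlanet Recon User' matching
rule (NsuniqueID Equals NsuniqueID) OR (User Login Equals User ID) and the
Table 1-6 action rules, run over constructed OIM Users and target records.
The OimUser structure is this example's own."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ACTION_RULES = {  # Table 1-6
    "No Matches Found": "Assign to Administrator With Least Load",
    "One Entity Match Found": "Establish Link",
    "One Process Match Found": "Establish Link",
}


@dataclass
class OimUser:
    user_login: str                                                  # User ID on the OIM User form
    resources: List[Dict[str, str]] = field(default_factory=list)   # linked iPlanet User instances


def match(record: Dict[str, str], users: List[OimUser]) -> Tuple[Optional[OimUser], str]:
    """Evaluate the two rule components in order and name the rule condition."""
    # First component: NsuniqueID of an already-linked resource equals the record's.
    for user in users:
        for resource in user.resources:
            if resource["nsuniqueid"] == record["nsuniqueid"]:
                return user, "One Process Match Found"
    # Second component: User Login equals the record's uid.
    hits = [u for u in users if u.user_login == record["uid"]]
    if len(hits) == 1:
        return hits[0], "One Entity Match Found"
    if not hits:
        return None, "No Matches Found"
    # More than one OIM User with that login: not a condition predefined for this
    # connector, so no action (see the note under Table 1-6).
    return None, "Multiple Entity Matches Found"


def reconcile(record: Dict[str, str], users: List[OimUser]) -> Tuple[str, Optional[str]]:
    """Apply the action rule for the condition; returns (condition, action)."""
    user, condition = match(record, users)
    action = ACTION_RULES.get(condition)
    if action == "Establish Link" and user is not None:
        linked = [r for r in user.resources if r["nsuniqueid"] == record["nsuniqueid"]]
        if linked:
            linked[0]["uid"] = record["uid"]      # use case 2: user ID changed on the target
        else:
            user.resources.append(dict(record))  # use case 1: second account linked
    return condition, action


def run_use_cases() -> List[Tuple[str, Optional[str]]]:
    """Use cases 1 and 2 from the text, plus a record that matches no OIM User."""
    users = [OimUser("jdoe", [{"nsuniqueid": "u-1", "uid": "jdoe"}])]   # constructed
    return [
        reconcile({"nsuniqueid": "u-2", "uid": "jdoe"}, users),       # second account on target
        reconcile({"nsuniqueid": "u-1", "uid": "john.doe"}, users),   # uid of linked account changed
        reconcile({"nsuniqueid": "u-9", "uid": "nobody"}, users),     # no OIM User
    ]


if __name__ == "__main__":
    for condition, action in run_use_cases():
        print("%-28s -> %s" % (condition, action))
```

Evaluating the nsuniqueid component first is what keeps use case 2 from being treated as a new account: the login no longer matches, but the immutable target identifier still does.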

After you deploy the connector, you can view the reconciliation action rules for target resource reconciliation by performing the following steps:

  1. Log in to the Oracle Identity Manager Design Console.

  2. Expand Resource Management.

  3. Double-click Resource Objects.

  4. Search for and open the iPlanet User resource object.

  5. Click the Object Reconciliation tab, and then click the Reconciliation Action Rules tab. The Reconciliation Action Rules tab displays the action rules defined for this connector. Figure 1-3 shows the reconciliation action rule for target resource reconciliation.

    Figure 1-3 Reconciliation Action Rules for Target Resource Reconciliation

1.6.6 Provisioning Functions

Table 1-7 lists the provisioning functions that are supported by the connector. The Adapter column gives the name of the adapter that is used when the function is performed.

Table 1-7 Provisioning Functions

Function | Adapter
Create User | iPlanet Create User
Delete User | iPlanet Delete User
Enable User | iPlanet Modify User
Disable User | iPlanet Modify User
Move User from One Container to Another | iPlanet Move User
Password Updated | iPlanet Modify User
First Name Updated | iPlanet Modify User
Last Name Updated | iPlanet Modify User
Department Updated | iPlanet Modify User
Email ID Updated | iPlanet Modify User
Location Updated | iPlanet Modify User
Middle Name Updated | iPlanet Modify User
Communication Language Updated | iPlanet Modify User
Telephone Updated | iPlanet Modify User
Title Updated | iPlanet Modify User
Container DN Updated | iPlanet Move User
Add User to Group | iPlanet Add User to Group
Remove User from Group | iPlanet Remove User From Group
Add User to Role | iPlanet Add Role to User
Remove User from Role | iPlanet Remove Role from user
Create OU | iPlanet Create OU
Change OU Name | iPlanet Change Org Name
Delete OU | iPlanet Delete OU
Move OU | iPlanet Move OU
Create iPlanet Group | iPlanet Create Group
Delete iPlanet Group | iPlanet Delete Group
Group Name Updated | Update iPlanet Group Details
Create iPlanet Role | iPlanet Create Role
Delete iPlanet Role | iPlanet Delete Role
Role Name Updated | Update iPlanet Role Details
Common Name Updated | iPlanet Modify User
User ID Updated | iPlanet Modify User


1.7 Connector Objects Used During Trusted Source Reconciliation

The following sections provide information about connector objects used during trusted source reconciliation:

1.7.1 User Attributes for Trusted Source Reconciliation

Table 1-8 lists user attributes for trusted source reconciliation.

Table 1-8 User Attributes for Trusted Source Reconciliation

OIM User Form Field | Target System Attribute | Description
User ID | cn | Common name
First Name | givenname | Given name
Last Name | sn | Last name
Employee Type | NA | Default value: Consultant
User Type | NA | Default value: End-User Administrator
Organization | NA | Default value: Xellerate Users


1.7.2 Reconciliation Rule for Trusted Source Reconciliation

See Also:

For generic information about reconciliation matching and action rules, see one of the following guides:

The following is the process matching rule:

Rule name: Trusted Source recon Rule

Rule element: User Login Equals User ID

In this rule element:

  • User Login is one of the following:

    • For Oracle Identity Manager release 9.0.3.x:

      User ID attribute on the Xellerate User form.

    • For Oracle Identity Manager release 9.1.0.x or release 11.1.1:

      User ID attribute on the OIM User form.

  • User ID is the cn field of Sun Java System Directory.

After you deploy the connector, you can view the reconciliation rule for trusted source reconciliation by performing the following steps:

Note:

Perform the following procedure only after the connector is deployed.

  1. Log in to the Oracle Identity Manager Design Console.

  2. Expand Development Tools.

  3. Double-click Reconciliation Rules.

  4. Search for Trusted Source recon Rule. Figure 1-4 shows the reconciliation rule for trusted source reconciliation.

    Figure 1-4 Reconciliation Rule for Trusted Source Reconciliation

1.7.3 Reconciliation Action Rules for Trusted Source Reconciliation

Table 1-9 lists the action rules for trusted source reconciliation.

Table 1-9 Action Rules for Trusted Source Reconciliation

Rule Condition | Action
No Matches Found | Create User
One Entity Match Found | Establish Link
One Process Match Found | Establish Link


Note:

No action is performed for rule conditions that are not predefined for this connector. You can define your own action rule for such rule conditions. See Oracle Fusion Middleware User's Guide for Oracle Identity Manager for information about modifying or creating reconciliation action rules.
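
The following added example (not part of the guide or of Oracle's connector code) runs trusted source reconciliation over constructed target entries: the "Trusted Source recon Rule" (User Login Equals User ID, where User ID is the cn attribute) decides the condition, the Table 1-9 action rules create an OIM User with the Table 1-8 defaults or update the existing one, and the deleted-record handling from Section 1.4.6 removes OIM Users whose target record is gone. Detecting deletions by comparing the full target set against existing OIM Users is an assumption for this example; the guide states that deleted users are removed but not how deletions are detected. The dictionary used for OIM Users is this example's own.

```python
"""Added example (not Oracle connector code): trusted source reconciliation with
the 'Trusted Source recon Rule' (User Login Equals User ID, where User ID is cn),
the Table 1-8 attribute defaults and the Table 1-9 action rules. Deletions are
detected here by comparing the full target set against existing OIM Users, which
is an assumption; the guide does not state the mechanism."""
from typing import Dict, List, Tuple

TRUSTED_MAP = {"User ID": "cn", "First Name": "givenname", "Last Name": "sn"}   # Table 1-8
DEFAULTS = {                                                                    # Table 1-8
    "Employee Type": "Consultant",
    "User Type": "End-User Administrator",
    "Organization": "Xellerate Users",
}
ACTION_RULES = {  # Table 1-9
    "No Matches Found": "Create User",
    "One Entity Match Found": "Establish Link",
    "One Process Match Found": "Establish Link",
}

OimUsers = Dict[str, Dict[str, str]]   # User Login -> OIM User form fields (example's own structure)


def form_fields(entry: Dict[str, str]) -> Dict[str, str]:
    """Map a target entry to OIM User form fields and fill the fixed defaults."""
    fields = {form: entry[attr] for form, attr in TRUSTED_MAP.items() if attr in entry}
    fields.update(DEFAULTS)
    return fields


def reconcile_entry(entry: Dict[str, str], users: OimUsers) -> Tuple[str, str]:
    """Apply the matching rule and the Table 1-9 action; returns (condition, action)."""
    login = entry["cn"]                                   # User Login Equals User ID (cn)
    condition = "One Entity Match Found" if login in users else "No Matches Found"
    action = ACTION_RULES[condition]
    if action == "Create User":
        users[login] = form_fields(entry)
    else:
        # Establish Link: copy the target system's changes to the OIM User, but
        # leave the defaulted fields as they are in Oracle Identity Manager.
        users[login].update({f: v for f, v in form_fields(entry).items() if f not in DEFAULTS})
    return condition, action


def reconcile_deleted(entries: List[Dict[str, str]], users: OimUsers) -> List[str]:
    """Trusted source mode: an OIM User whose record is gone on the target is deleted."""
    present = {e["cn"] for e in entries}
    deleted = [login for login in users if login not in present]
    for login in deleted:
        del users[login]
    return deleted


if __name__ == "__main__":
    users: OimUsers = {}
    # Constructed target entries: first run creates, second run updates, third run deletes.
    print(reconcile_entry({"cn": "jdoe", "givenname": "John", "sn": "Doe"}, users))
    print(reconcile_entry({"cn": "jdoe", "givenname": "John", "sn": "Smith"}, users))
    print(reconcile_deleted([], users), users)
```

Because the trusted source creates and deletes OIM Users outright, the search base and SearchFilter used for this run bound which target entries can become identities; a filter wider than intended creates users, and a narrower one can delete them.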

After you deploy the connector, you can view the reconciliation action rules for trusted source reconciliation by performing the following steps:

  1. Log in to the Oracle Identity Manager Design Console.

  2. Expand Resource Management.

  3. Double-click Resource Objects.

  4. Search for and open the Xellerate User resource object.

  5. Click the Object Reconciliation tab, and then click the Reconciliation Action Rules tab. The Reconciliation Action Rules tab displays the action rules defined for this connector. Figure 1-5 shows the reconciliation action rules for trusted source reconciliation.

    Figure 1-5 Reconciliation Action Rules for Trusted Source Reconciliation

1.8 Roadmap for Deploying and Using the Connector

The following is the organization of information in the rest of this guide: