Oracle® Identity Manager Connector Guide for Novell eDirectory
Release 9.0.4

Part Number E10432-05

3 Configuring the Connector

After you deploy the connector, you must configure it to meet your requirements. This chapter discusses the following connector configuration procedures:

Note:

These sections provide both conceptual and procedural information about configuring the connector. It is recommended that you read the conceptual information before you perform the procedures.

3.1 Configuring Reconciliation

As mentioned earlier in this guide, reconciliation involves duplicating in Oracle Identity Manager the creation of and modifications to user accounts on the target system. This section discusses the following topics related to configuring reconciliation:

3.1.1 Partial Reconciliation

By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run. You can customize this process by specifying the subset of added or modified target system records that must be reconciled. You do this by creating filters for the reconciliation module.

For this connector, you create a filter by specifying values for the CustomizedReconQuery IT resource parameter while performing the procedure described in the "Configuring the IT Resource" section.

The following table lists the Novell eDirectory attributes, and the corresponding Oracle Identity Manager attributes, that you can use to build the query condition. You specify this query condition as the value of the CustomizedReconQuery parameter.

Oracle Identity Manager Attribute    Novell eDirectory Attribute
User Id                              cn
First Name                           givenname
Last Name                            sn
Email                                mail
Middle Name                          initials
Title                                title
Location                             l
Telephone                            telephoneNumber
Department                           departmentNumber
Language                             preferredLanguage

The following are sample query conditions:

  • givenname=John&sn=Doe

    With this query condition, records of users whose first name is John and last name is Doe are reconciled.

  • givenname=John|departmentNumber=23

    With this query condition, records of users who meet either of the following conditions are reconciled:

    • The user's first name is John.

    • The user belongs to the departmentNumber 23.

If you do not specify values for the CustomizedReconQuery parameter, then all the records in the target system are compared with existing Oracle Identity Manager records during reconciliation.

The following are guidelines to be followed while specifying a value for the CustomizedReconQuery parameter:

  • For the Novell eDirectory attributes, you must use the same case (uppercase or lowercase) as given in the table shown earlier in this section. This is because the attribute names are case-sensitive.

  • You must not include unnecessary blank spaces between operators and values in the query condition.

    A query condition with spaces separating values and operators would yield different results as compared to a query condition that does not contain spaces between values and operators. For example, the output of the following query conditions would be different:

    givenname=John&sn=Doe

    givenname= John&sn= Doe

    In the second query condition, the reconciliation engine would look for first name and last name values that contain a space at the start.

  • You must not include special characters other than the equal sign (=), ampersand (&), and vertical bar (|) in the query condition.

    Note:

    An exception is thrown if you include special characters other than the equal sign (=), ampersand (&), and vertical bar (|).

You specify a value for the CustomizedReconQuery parameter while performing the procedure described in the "Configuring the IT Resource" section.
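The three guidelines above can be checked mechanically before a value is saved on the IT resource. The following Python linter is an added example, not part of the connector or of this guide; the function names are hypothetical, and the attribute list is the table from this section.

```python
import re

# Attributes usable in CustomizedReconQuery, in the exact case the table in
# this section gives (the connector treats attribute names as case-sensitive).
EDIR_QUERY_ATTRIBUTES = {
    "cn": "User Id",
    "givenname": "First Name",
    "sn": "Last Name",
    "mail": "Email",
    "initials": "Middle Name",
    "title": "Title",
    "l": "Location",
    "telephoneNumber": "Telephone",
    "departmentNumber": "Department",
    "preferredLanguage": "Language",
}

# The only special characters the guidelines allow in the query condition.
ALLOWED_SPECIALS = "=&|"

# Splitting on a capturing group keeps the & and | operators as tokens.
_OPERATOR_SPLIT = re.compile(r"([&|])")


def lint_recon_query(query):
    """Return a list of guideline violations in `query` (empty list = acceptable).

    Hypothetical helper for this example. An empty query is acceptable: the
    connector then compares all target system records during reconciliation.
    """
    problems = []
    if query == "":
        return problems

    # Guideline 3: no special characters other than =, & and |. Letters, digits
    # and blanks pass here; blanks are judged separately under guideline 2.
    specials = sorted({c for c in query
                       if not (c.isalnum() or c.isspace() or c in ALLOWED_SPECIALS)})
    if specials:
        problems.append("disallowed special character(s): " + " ".join(specials))

    tokens = _OPERATOR_SPLIT.split(query)
    for term in tokens[0::2]:          # even positions are attribute=value terms
        if term.count("=") != 1:
            problems.append("term %r is not of the form attribute=value" % term)
            continue
        attr, value = term.split("=")
        # Guideline 2: a blank next to = or an operator becomes part of the value
        # that is matched, so "givenname= John" looks for " John".
        if attr != attr.strip() or value != value.strip():
            problems.append("term %r has blank space next to = or an operator" % term)
        attr = attr.strip()
        # Guideline 1: attribute names must use the case given in the table.
        if attr not in EDIR_QUERY_ATTRIBUTES:
            same = [k for k in EDIR_QUERY_ATTRIBUTES if k.lower() == attr.lower()]
            if same:
                problems.append("attribute %r must be written as %r" % (attr, same[0]))
            else:
                problems.append("attribute %r is not a supported query attribute" % attr)
    return problems


def parse_recon_query(query):
    """Split an acceptable query into (attribute, value) terms and the operators between them.

    Raises ValueError with the lint findings if the query breaks a guideline.
    """
    problems = lint_recon_query(query)
    if problems:
        raise ValueError("; ".join(problems))
    if query == "":
        return [], []
    tokens = _OPERATOR_SPLIT.split(query)
    terms = [tuple(t.split("=")) for t in tokens[0::2]]
    return terms, tokens[1::2]


if __name__ == "__main__":
    for q in ("givenname=John&sn=Doe", "givenname= John&sn= Doe", "GivenName=John"):
        print(q, "->", lint_recon_query(q) or "ok")
```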

3.1.2 Batched Reconciliation

During a reconciliation run, all changes in the target system records are reconciled into Oracle Identity Manager. Depending on the number of records to be reconciled, this process may require a large amount of time. In addition, if the connection breaks during reconciliation, then the process would take longer to complete.

You can configure batched reconciliation to avoid such problems.

To configure batched reconciliation, you must specify values for the following user reconciliation scheduled task attributes:

  • StartRecord: Use this attribute to specify the record number from which batched reconciliation must begin.

  • BatchSize: Use this attribute to specify the number of records that must be included in each batch.

  • NumberOfBatches: Use this attribute to specify the total number of batches that must be reconciled. If you do not want to use batched reconciliation, specify All Available as the value of this attribute.

    Note:

    If you specify All Available as the value of this attribute, then the values of the StartRecord and BatchSize attributes are ignored.

You specify values for these attributes by following the instructions described in the "User Reconciliation Scheduled Task" section.

After you configure batched reconciliation, if reconciliation fails during a batched reconciliation run, then refer to the log file for information about the batch at which reconciliation has failed. The log file provides the following information about batched reconciliation:

  • Serial numbers of the batches that have been successfully reconciled

  • User IDs associated with the records in each batch that has been successfully reconciled

  • If the batched reconciliation run fails, then the serial number of the batch that has failed

3.1.3 Configuring Trusted Source Reconciliation

While configuring the connector, the target system can be designated as a trusted source or target resource. If you designate the target system as a trusted source, then during a reconciliation run:

  • For each newly created user on the target system, an OIM User is created.

  • Updates made to each user on the target system are propagated to the corresponding OIM User.

If you designate the target system as a target resource, then during a reconciliation run:

  • For each account created on the target system, a resource is assigned to the corresponding OIM User.

  • Updates made to each account on the target system are propagated to the corresponding resource.

Note:

Skip this section if you do not want to designate the target system as a trusted source for reconciliation.

Configuring trusted source reconciliation involves the following steps:

  1. Import the XML file for trusted source reconciliation, eDirXLResourceObject.xml, by using the Deployment Manager. This section describes the procedure to import the XML file.

    Note:

    Only one target system can be designated as a trusted source. If you import the eDirXLResourceObject.xml file while you have another trusted source configured, then both connector reconciliations would stop working.

  2. Set the value of the TrustedSource scheduled task attribute to True.

To import the XML file for trusted source reconciliation:

  1. Open the Oracle Identity Manager Administrative and User Console.

  2. Click the Deployment Management link on the left navigation bar.

  3. Click the Import link under Deployment Management. A dialog box for opening files is displayed.

  4. Locate and open the eDirXLResourceObject.xml file, which is in the OIM_HOME/xellerate/eDir/xml directory. Details of this XML file are shown on the File Preview page.

  5. Click Add File. The Substitutions page is displayed.

  6. Click Next. The Confirmation page is displayed.

  7. Click Import.

  8. In the message that is displayed, click Import to confirm that you want to import the XML file and then click OK.

After you import the XML file for trusted source reconciliation, you must set the value of the TrustedSource scheduled task attribute to True. See the "Configuring the Reconciliation Scheduled Tasks" section for more information.

3.1.4 Configuring the Reconciliation Scheduled Tasks

When you run the Connector Installer, the scheduled tasks for lookup fields and user reconciliations are automatically created in Oracle Identity Manager. To configure these scheduled tasks:

  1. Log in to the Administrative and User Console.

  2. Expand Resource Management.

  3. Click Manage Scheduled Task.

  4. Enter the name of the first scheduled task as the search criteria and then click Search.

  5. In the search results table displaying the list of scheduled tasks, click the edit icon in the Edit column of the table.

  6. On the Scheduled Task Details page, you can modify the following details of the scheduled task:

    • Status: Specify whether or not you want to leave the task in the enabled state after it is created. In the enabled state, the task is ready for use. If the task is disabled, then you must enable it before you can use it.

    • Max Retries: Enter an integer value in this field. This number represents the number of times Oracle Identity Manager must attempt to complete the task before assigning the ERROR status to the task. The default value is 1.

    • Next Start: Use the date editor to specify the date when you want the task to run. After you select a date value in the date editor, you can modify the time value that is automatically displayed in the Next Start field.

    • Frequency: Specify the frequency at which you want the task to run.

  7. Click Continue.

  8. Specify values for the attributes of the scheduled task. Refer to the "Specifying Values for the Scheduled Task Attributes" section for information about the attributes.

  9. Click Save Changes to commit all the changes to the database.

  10. Repeat Steps 3 through 9 for the second scheduled task.

After you configure both scheduled tasks, proceed to the "Configuring Provisioning" section.

3.1.4.1 Specifying Values for the Scheduled Task Attributes

This section provides information about the attribute values to be specified for the following scheduled tasks:

3.1.4.1.1 Lookup Fields Reconciliation Scheduled Task

You must specify values for the following attributes of the eDirectory Lookup Reconciliation Task reconciliation scheduled task.

Note:

  • Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.

  • You must create a scheduled task for each master lookup data reconciliation: group, role, and profile.

  • Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value were left empty, then reconciliation would not be performed.

Attribute: AttrTask
Description: Name of the attribute task
Sample/Default Value:
  • For organizations: o
  • For domain scope and organizational units: ou
  • For groups, roles, and profiles: cn

Attribute: LookupCodeName
Description: Name of the lookup definition to which the values are to be reconciled
Sample/Default Value:
  • For organizational units and organizations: Lookup.EDIR.Organization
  • For domain scope: Lookup.EDIR.DomainScope
  • For groups: Lookup.EDIR.UserGroup
  • For roles: Lookup.EDIR.AssignedRole
  • For profiles: Lookup.EDIR.Profile

Attribute: ITResourceName
Description: Name of the IT resource for setting up a connection with Novell eDirectory
Sample/Default Value: eDirectory IT Resource

Attribute: SearchContext
Description: Search context to be used for searching for users
Sample/Default Value: o=PXED-DEV

Attribute: ObjectClass
Description: Name of the object class
Sample/Default Value:
  • For organizational units and domain scope: OrganizationalUnit
  • For groups: group
  • For roles: rBSRole
  • For profiles: profile
  • For organizations: organization

Attribute: CodeKeyLTrimStr
Description: The default value of this attribute is [NONE]. Do not change this value.
Sample/Default Value: [NONE]

Attribute: CodeKeyRTrimStr
Description: String value for right-trimming the value obtained from the search. If there is nothing to be trimmed, then specify the value [NONE].
Sample/Default Value: ,o=PXED-DEV

Attribute: ReconMode
Description: Specify REFRESH to completely refresh the existing lookup. Specify UPDATE if you want to update the lookup with new values.
Sample/Default Value: REFRESH or UPDATE

After you specify values for these scheduled task attributes, proceed to Step 10 of the procedure to create scheduled tasks.

3.1.4.1.2 User Reconciliation Scheduled Task

You must specify values for the following attributes of the eDirectory User Recon Task scheduled task.

Note:

  • Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.

  • Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value were left empty, then reconciliation would not be performed.

Attribute: ITResourceName
Description: Name of the IT resource for setting up a connection with Novell eDirectory
Sample/Default Value: eDirectory IT Resource

Attribute: ResourceObjectName
Description: Name of the resource object into which users need to be reconciled
Sample/Default Value: eDirectory User

Attribute: XLDeleteUsersAllowed
Description: If this attribute is set to true, then the Delete reconciliation event is started when the scheduled task is run. Users who are deleted from the target system are removed from Oracle Identity Manager. This requires all the users on the target system to be compared with all the users in Oracle Identity Manager.
  Note: This process affects performance.
Sample/Default Value: true

Attribute: UserContainer
Description: DN value from where users are reconciled into Oracle Identity Manager
Sample/Default Value: o=PXED-DEV

Attribute: Keystore
Description: Directory path to the Novell eDirectory keystore. This is required to make a secure SSL connection. If an SSL connection is not required, then specify the value [NONE].
Sample/Default Value: E:\j2sdk1.4.2_05\jre\lib\security\cacerts or [NONE]

Attribute: TrustedSource
Description: Specifies whether trusted source reconciliation is to be performed. If you want to perform target resource reconciliation, then change the value of this attribute to False.
Sample/Default Value: True

Attribute: TargetResourceObjectName
Description: Specifies the name of the resource object for target resource reconciliation. Do not change the value of this attribute.
Sample/Default Value: eDirectory User

Attribute: TrustedResourceObjectName
Description: Specifies the name of the resource object (Xellerate User) for trusted source reconciliation. Do not change the value of this attribute.
Sample/Default Value: Xellerate User

Attribute: Xellerate Type
Description: Default Xellerate type for the Xellerate User (OIM User)
Sample/Default Value: End-User Administrator

Attribute: Organization
Description: Default organization for the Xellerate User (OIM User)
Sample/Default Value: Xellerate Users

Attribute: Role
Description: Default role for the Xellerate User (OIM User)
Sample/Default Value: Consultant

Attribute: StartRecord
Description: Specifies the start record for the batching process. This attribute is also discussed in the "Batched Reconciliation" section.
Sample/Default Value: 1

Attribute: BatchSize
Description: Specifies how many records must be in a batch. This attribute is also discussed in the "Batched Reconciliation" section.
Sample/Default Value: 1

Attribute: NumberOfBatches
Description: Specifies the number of batches that must be reconciled. This attribute is also discussed in the "Batched Reconciliation" section.
Sample/Default Value: Default value: All Available (for reconciling all the users); sample value: 50

After you specify values for these scheduled task attributes, proceed to Step 10 of the procedure to create scheduled tasks.

Stopping Reconciliation

Suppose the User Reconciliation Scheduled Task for the connector is running and user records are being reconciled. If you want to stop the reconciliation process:

  1. Perform Steps 1 through 4 of the procedure to configure reconciliation scheduled tasks.

  2. Select the Stop Execution check box in the task scheduler.

  3. Click Save.

3.1.5 Adding Custom Attributes for Trusted Source Reconciliation

Note:

You must ensure that the custom attributes you add for reconciliation contain only string-format data. Binary attributes must not be brought into Oracle Identity Manager natively.

By default, the attributes listed in the "Reconciled Xellerate User (OIM User) Fields" section are mapped for reconciliation between Oracle Identity Manager and the target system. If required, you can add new attributes for trusted source reconciliation.

  1. Log in to the Oracle Identity Manager Design Console.

  2. Add the new attribute on the OIM User process form as follows:

    1. Expand Administration.

    2. Double-click User Defined Field Definition.

    3. Search for and open the User form.

    4. Click Add.

    5. In the User Defined Fields dialog box, enter the details of the attribute.

      For example, if you are adding the Title attribute, then enter the following details in the User Defined Fields dialog box:

      • In the Label field, enter Title.

      • From the Data Type list, select String.

      • From the Field Type list, select Text Field.

      • In the Column Name field, enter USR_UDF_TITLE.

      • In the Field Size field, enter 100.

    6. Click Save.

  3. Add the new attribute to the list of reconciliation fields in the resource object as follows:

    1. Expand Resource Management.

    2. Double-click Resource Objects.

    3. Search for and open the Xellerate User resource object.

    4. On the Object Reconciliation tab, click Add Field.

    5. Enter the details of the attribute.

      For example, enter Title in the Field Name field and select String from the Field Type list.

    6. Click Save.

  4. Create a reconciliation field mapping for the new attribute in the process definition as follows:

    1. Expand Process Management.

    2. Double-click Process Definition.

    3. Search for and open the Xellerate User process definition.

    4. On the Reconciliation Field Mappings tab, click Add Field Map.

    5. In the Field Name field, select the value for the attribute that you want to add.

      For example, select Title = Title.

    6. Click Save.

  5. Create an entry for the attribute in the lookup definition for reconciliation as follows:

    1. Expand Administration.

    2. Double-click Lookup Definition.

    3. Search for and open the AttrName.Recon.Map.EDIR lookup definition.

    4. Click Add and enter the Code Key and Decode values for the attribute. The Code Key value must be the name of the attribute given in the resource object. The Decode value is the name of the attribute in the target system.

      For example, enter Title in the Code Key field and then enter Title in the Decode field.

    5. Click Save.

3.2 Configuring Provisioning

As mentioned earlier in this guide, provisioning involves creating or modifying a user's account information on the target system through Oracle Identity Manager.

This section discusses the following topics related to configuring provisioning:

3.2.1 Compiling Adapters

Note:

You must perform the procedure described in this section if you want to use the provisioning features of Oracle Identity Manager for this target system.

You need not perform the procedure to compile adapters if you have performed the procedure described in "Installing the Connector on Oracle Identity Manager Release 9.1.0 or Later".

Adapters are used to implement provisioning functions. The following adapters are imported into Oracle Identity Manager when you import the connector XML file:

See Also:

The "Supported Functionality" section for a listing of the provisioning functions that are available with this connector

  • EDIR Create User

  • EDIR Delete User

  • EDIR Modify User

  • EDIR Move User

  • EDIR Add User to Group

  • EDIR Remove User from Group

  • EDIR Add Trustee Right to User

  • EDIR Remove Trustee Right from User

  • EDIR Add Assigned Role to User

  • EDIR Remove Assigned Role from User

  • EDIR Add Network Restriction

  • EDIR Remove Network Restriction

  • EDIR PP String

  • Update eDirectory Role Details

  • Update eDirectory Group Details

  • EDIR Delete Group

  • EDIR Create Group

  • EDIR Remove User from Group

  • Chk Process Parent Org eDir

  • EDIR Create OU

  • EDIR Remove User from Role

  • EDIR Create Role

  • EDIR Delete Role

  • EDIR Move OU

  • EDIR Change Org Name

  • EDIR Delete OU

You must compile these adapters before they can be used in provisioning operations.

To compile adapters by using the Adapter Manager form:

  1. Open the Adapter Manager form.

  2. To compile all the adapters that you import into the current database, select Compile All.

    To compile multiple (but not all) adapters, select the adapters you want to compile. Then, select Compile Selected.

    Note:

    Click Compile Previously Failed to recompile only those adapters that were not compiled successfully. Such adapters do not have an OK compilation status.

  3. Click Start. Oracle Identity Manager compiles the selected adapters.

  4. If Oracle Identity Manager is installed in a clustered environment, then copy the compiled adapters from the OIM_HOME/xellerate/Adapter directory to the same directory on each of the other nodes of the cluster. If required, overwrite the adapter files on the other nodes.

If you want to compile one adapter at a time, then use the Adapter Factory form.

See Also:

Oracle Identity Manager Tools Reference Guide for information about using the Adapter Factory and Adapter Manager forms

To view detailed information about an adapter:

  1. Highlight the adapter in the Adapter Manager form.

  2. Double-click the row header of the adapter, or right-click the adapter.

  3. Select Launch Adapter from the shortcut menu that is displayed. Details of the adapter are displayed.

3.2.2 Enabling Provisioning of Users in Organizations and Organizational Units

Note:

This section describes an optional procedure. You need not perform this procedure if you do not want to enable provisioning of users in organizations.

In the AttrName.Prov.Map.EDIR lookup definition, the following are default settings for enabling provisioning of users in organizational units:

  • ldapOrgDNPrefix=ou

  • ldapOrgUnitObjectClass=OrganizationalUnit

If you want to enable the provisioning of users in organizations, then change these settings as follows:

See Also:

Oracle Identity Manager Design Console Guide for detailed information about modifying lookup definitions

  • ldapOrgDNPrefix=o

  • ldapOrgUnitObjectClass=organization

3.2.3 Provisioning Organizational Units, Groups, and Roles

To provision an organizational unit:

  1. Log in to the Oracle Identity Manager Administrative and User Console.

  2. Expand Organizations.

  3. Click Create.

  4. Specify a name and the type for the organization that you want to create, and then click Create Organization.

  5. Select Resource Profile from the list.

  6. Click Provision New Resource.

  7. Select the organizational unit option.

  8. Click Continue, and then click Continue again.

  9. From the IT server lookup field, select the resource object corresponding to the required IT resource.

  10. Click Continue, and then click Continue again on the Verification page.

To provision a group or role:

  1. Log in to the Oracle Identity Manager Administrative and User Console.

  2. Expand Organizations.

  3. Click Manage.

  4. Search for the organizational unit under which you want to provision the group or role.

  5. Select Resource Profile from the list.

  6. Click Provision New Resource.

  7. On this page, the option that you must select depends on what you want to create:

    • Select the group option if you want to create a group.

    • Select the role option if you want to create a role.

  8. Click Continue, and then click Continue again on the Verification page.

  9. Enter a name for the group or role.

  10. From the IT server lookup field, select the IT resource.

  11. Click Continue, and then click Continue again on the Verification page.

3.2.4 Adding Custom Object Classes for Provisioning

Note:

Perform the procedure described in this section only if you want to add custom object classes for provisioning organizational units, groups, or roles.

By default, newly created organizational units, groups, and roles on the target system are assigned to the organizational unit, group, and role object classes, respectively.

The organizational unit object class is the value of the ldapOrgUnitObjectClass attribute in the AttrName.Prov.Map.EDIR lookup definition. Similarly, the group and role object classes are the values of the ldapGroupObjectClass and ldapRoleObjectClass attributes in the AttrName.Prov.Map.EDIR lookup definition, respectively.

If you want to assign new organizational units, groups, or roles to additional object classes, then enter the list of object classes in the Decode column for their respective attributes in the lookup definition. Use the vertical bar (|) to separate the object class names in the value that you specify.

The following are sample values for the ldapGroupObjectClass entry:

  • group

  • mygroup

  • group|mygroup

To add object classes for organizational units, groups, or roles:

  1. On the Design Console, expand Administration, and then double-click Lookup Definition.

  2. Search for and open the AttrName.Prov.Map.EDIR lookup definition.

  3. Perform one of the following:

    Note:

    In the Decode column, use the vertical bar (|) as a delimiter when you add the object class name to the existing list of object class names.

    • To add an object class for an organizational unit, enter the object class name in the Decode column of the ldapOrgUnitObjectClass Code Key.

    • To add an object class for a group, add the object class name to the Decode value of the ldapGroupObjectClass Code Key.

    • To add an object class for a role, add the object class name to the Decode value of the ldapRoleObjectClass Code Key.

  4. Click the save icon.

3.3 Guidelines to Be Applied While Using the Connector

Apply the following guidelines while using the connector: