Oracle® Identity Manager Connector Guide for Sun Java System Directory
Release 9.0.4

Part Number E10446-04

3 Configuring the Connector

After you deploy the connector, you must configure it to meet your requirements. This chapter discusses the following connector configuration procedures:

Note:

These sections provide both conceptual and procedural information about configuring the connector. It is recommended that you read the conceptual information before you perform the procedures.

3.1 Configuring Reconciliation of Users

As mentioned earlier in this guide, reconciliation involves duplicating in Oracle Identity Manager the creation of and modifications to user accounts on the target system. This section discusses the following topics related to configuring reconciliation:

Note:

By default, the target system server has a limitation on the maximum number of users whose data can be reconciled. If you want to reconcile user data in bulk amounts exceeding the maximum limit allowed by the target system server, then perform the following:
  1. Open the Sun ONE Directory Server console.

  2. Click the Configuration tab.

  3. Select Performance on the left panel. On the Client Control tab, select the Unlimited check boxes for the Size limit and Look-through limit fields.

3.1.1 Partial Reconciliation

By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run. You can customize this process by specifying the subset of added or modified target system records that must be reconciled. You do this by creating filters for the reconciliation module.

For this connector, you create a filter by specifying a value for the searchfilter attribute while configuring the scheduled task for user reconciliation.

You can use the Sun Java System Directory attributes to build a query condition. You specify this query condition as the value of the searchfilter attribute.

The following are sample query conditions that can be specified as the value of the searchfilter attribute:

  • (&(objectClass=inetOrgPerson)(givenname=John))

  • (&(objectClass=inetOrgPerson)(sn=Doe))

  • (&(&(sn=Doe)(givenname=John))(objectClass=inetOrgPerson))

  • (|(|(sn=lastname)(givenname=firstname))(objectClass=inetOrgPerson))

Other target system attributes, such as cn, uid, and mail, can also be used to build the query condition.

When you specify a value for the searchfilter attribute, then only the records that meet both of the following criteria are reconciled:

  • Records that meet the matching criteria specified by the searchfilter attribute

  • Records that are added or updated after the time-stamp value specified by the time-stamp IT resource parameter

Note:

As mentioned earlier in the guide, the value of the time-stamp IT resource parameter is automatically updated by Oracle Identity Manager. You must not change the value of this parameter.

The following are guidelines to be followed while specifying a value for the searchfilter attribute:

  • For the Sun Java System Directory attributes, you must use the same case (uppercase or lowercase) as given in the target system. This is because attribute names are case-sensitive.

  • You must not include unnecessary blank spaces between operators and values in the query condition.

    A query condition with spaces separating values and operators would yield different results as compared to a query condition that does not contain spaces between values and operators.

  • You must not include special characters other than the equal sign (=), ampersand (&), vertical bar (|), and parentheses (()) in the query condition.

    Note:

    An exception is thrown if you include special characters other than the ones specified here.

As mentioned earlier in this section, you specify a value for the searchfilter attribute while configuring the scheduled task for user reconciliation.
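
The guidelines above can be checked before a value is saved in the scheduled task. The following Python sketch is an added example, not part of the connector or of this guide: the name lint_searchfilter, the KNOWN_ATTRS list (taken from the sample filters above) and the reading of "special characters" as anything other than letters, digits and the five permitted symbols are assumptions.

```python
import re

# Attribute spellings as used in the guide's sample filters (assumption:
# replace with the exact names shown in your directory schema).
KNOWN_ATTRS = ("objectClass", "givenname", "sn", "cn", "uid", "mail")
# The only special characters the guide permits in a query condition.
ALLOWED_SPECIALS = set("=&|()")
_ITEM = re.compile(r"([^=()&|]+)=([^()]*)")


def _parse(s, i, attrs):
    """Parse one parenthesised filter starting at s[i]; return the index after it."""
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at position %d" % i)
    i += 1
    if i < len(s) and s[i] in "&|":
        # Composite filter: an operator followed by one or more sub-filters.
        i += 1
        count = 0
        while i < len(s) and s[i] == "(":
            i = _parse(s, i, attrs)
            count += 1
        if count == 0:
            raise ValueError("operator without operands at position %d" % i)
    else:
        # Simple item: attribute=value
        m = _ITEM.match(s, i)
        if not m:
            raise ValueError("expected attribute=value at position %d" % i)
        attrs.append(m.group(1))
        i = m.end()
    if i >= len(s) or s[i] != ")":
        raise ValueError("expected ')' at position %d" % i)
    return i + 1


def lint_searchfilter(value, known_attrs=KNOWN_ATTRS):
    """Return a list of problems found in a searchfilter value (empty list = clean)."""
    problems = []
    if re.search(r"\s", value):
        problems.append("contains blank space")
    bad = sorted({c for c in value
                  if not c.isalnum() and not c.isspace() and c not in ALLOWED_SPECIALS})
    if bad:
        problems.append("special characters not allowed: " + " ".join(bad))
    attrs = []
    try:
        end = _parse(value, 0, attrs)
        if end != len(value):
            problems.append("trailing text after position %d" % end)
    except ValueError as exc:
        problems.append("malformed filter: %s" % exc)
    # Attribute names must use the same case as on the target system.
    by_lower = {a.lower(): a for a in known_attrs}
    for attr in attrs:
        name = attr.strip()
        expected = by_lower.get(name.lower())
        if expected is None:
            problems.append("unknown attribute: " + name)
        elif expected != name:
            problems.append("attribute case differs: %s (target system uses %s)"
                            % (name, expected))
    return problems


if __name__ == "__main__":
    # Constructed inputs: the first is a sample from the guide, the rest break one rule each.
    for candidate in ("(&(objectClass=inetOrgPerson)(givenname=John))",
                      "(&(objectclass=inetOrgPerson)(sn=Doe))",
                      "(sn = Doe)",
                      "(&(objectClass=inetOrgPerson)(sn=Doe)"):
        print(candidate, "->", lint_searchfilter(candidate) or "ok")
```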

3.1.2 Batched Reconciliation

During a reconciliation run, all changes in the target system records are reconciled into Oracle Identity Manager. Depending on the number of records to be reconciled, this process may require a large amount of time. In addition, if the connection breaks during reconciliation, then the process would take longer to complete.

You can configure batched reconciliation to avoid such problems.

To configure batched reconciliation, you use the BatchSize user reconciliation scheduled task attribute. This attribute is used to specify the number of records that must be included in each batch fetched from the target system.

Note:

You must specify a numeric value for the BatchSize attribute.

If you specify 0 as the value, then all records are fetched from the target system. In other words, batched reconciliation is not performed.

Caution:

For reconciliation of deleted users, you must accept the default value of 0. If you change this value, then records of existing users will be deleted from Oracle Identity Manager.

You specify a value for the BatchSize attribute while performing the procedure described in the "User Reconciliation Scheduled Task" section.

After you configure batched reconciliation, if reconciliation fails during a batched reconciliation run, then refer to the log file for information about the batch at which reconciliation has failed. The log file provides the following information about batched reconciliation:

  • Serial numbers of the batches that have been successfully reconciled

  • User IDs associated with the records in each batch that has been successfully reconciled

  • If the batched reconciliation run fails, then the serial number of the batch that has failed

3.1.3 Configuring Trusted Source Reconciliation

While configuring the connector, the target system can be designated as a trusted source or target resource. If you designate the target system as a trusted source, then during a reconciliation run:

  • For each newly created user on the target system, an OIM User is created.

  • Updates made to each user on the target system are propagated to the corresponding OIM User.

If you designate the target system as a target resource, then during a reconciliation run:

  • For each account created on the target system, a resource is assigned to the corresponding OIM User.

  • Updates made to each account on the target system are propagated to the corresponding resource.

Note:

Skip this section if you do not want to designate the target system as a trusted source for reconciliation.

Configuring trusted source reconciliation involves the following steps:

  1. Import the XML file for trusted source reconciliation, iPlanetXLResourceObject.xml, by using the Deployment Manager. This section describes the procedure to import the XML file.

    Note:

    Only one target system can be designated as a trusted source. If you import the iPlanetXLResourceObject.xml file while you have another trusted source configured, then both connector reconciliations would stop working.

  2. Set the TrustedSource scheduled task attribute to True. You specify a value for this attribute while configuring the user reconciliation scheduled task, which is described later in this guide.

To import the XML file for trusted source reconciliation:

  1. Open the Oracle Identity Manager Administrative and User Console.

  2. Click the Deployment Management link on the left navigation bar.

  3. Click the Import link under Deployment Management. A dialog box for opening files is displayed.

  4. Locate and open the iPlanetXLResourceObject.xml file, which is in the OIM_HOME/xellerate/iPlanet/xml directory. Details of this XML file are shown on the File Preview page.

  5. Click Add File. The Substitutions page is displayed.

  6. Click Next. The Confirmation page is displayed.

  7. Click Import.

  8. In the message that is displayed, click Import to confirm that you want to import the XML file and then click OK.

After you import the XML file for trusted source reconciliation, you must set the value of the TrustedSource reconciliation scheduled task attribute to True. This procedure is described in the "Configuring the Reconciliation Scheduled Tasks" section.

3.1.4 Configuring the Reconciliation Scheduled Tasks

When you perform the procedure described in the "Importing the Connector XML File" section, the scheduled tasks for lookup fields and user reconciliations are automatically created in Oracle Identity Manager. To configure these scheduled tasks:

  1. Open the Oracle Identity Manager Design Console.

  2. Expand the Xellerate Administration folder.

  3. Select Task Scheduler.

  4. Click Find. The details of the predefined scheduled tasks are displayed on two different tabs.

  5. For the first scheduled task, enter a number in the Max Retries field. This number represents the number of times Oracle Identity Manager must attempt to complete the task before assigning the FAILED status to the task.

  6. Ensure that the Disabled and Stop Execution check boxes are not selected.

  7. In the Start region, double-click the Start Time field. From the date-time editor that is displayed, select the date and time at which you want the task to run.

  8. In the Interval region, set the following schedule parameters:

    • To set the task to run on a recurring basis, select the Daily, Weekly, Recurring Intervals, Monthly, or Yearly option.

      If you select the Recurring Intervals option, then you must also specify the time interval at which you want the task to run on a recurring basis.

    • To set the task to run only once, select the Once option.

  9. Provide values for the attributes of the scheduled task. Refer to the "Specifying Values for the Scheduled Task Attributes" section for information about the values to be specified.

    See Also:

    Oracle Identity Manager Design Console Guide for information about adding and removing task attributes

  10. Click Save. The scheduled task is created. The INACTIVE status is displayed in the Status field, because the task is not currently running. The task is run at the date and time that you set in Step 7.

  11. Repeat Steps 5 through 10 to create the second scheduled task.

After you configure both scheduled tasks, proceed to the "Configuring Provisioning of Users" section.

3.1.4.1 Specifying Values for the Scheduled Task Attributes

This section provides information about the attribute values to be specified for the following scheduled tasks:

3.1.4.1.1 Lookup Fields Reconciliation Scheduled Task

The following scheduled tasks are used for lookup fields reconciliation:

  • iPlanet Organization Lookup Reconciliation

  • iPlanet Role Lookup Reconciliation

  • iPlanet Group Lookup Reconciliation

You must specify values for the attributes of these scheduled tasks. The following table describes these attributes:

Note:

  • Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.

  • Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value were left empty, then reconciliation would not be performed.

Attribute: LookupCodeName
Description: Name of the lookup definition to which values are to be reconciled
Default/Sample Value: The value is one of the following:
  • For groups: Lookup.IPNT.UserGroup
  • For roles: Lookup.IPNT.Role
  • For organizations and organizational units: Lookup.IPNT.Organization

Attribute: ITResourceName
Description: Name of the IT resource for setting up a connection with Sun Java System Directory
Default/Sample Value: iPlanet User

Attribute: SearchContext
Description: Search context to be used for searching for users
Default/Sample Value: dc=corp,dc=myorg,dc=com

Attribute: ObjectClass
Description: Name of the object class
Default/Sample Value: The value is one of the following:
  • For group lookup reconciliation: groupOfUniqueNames
  • For role lookup reconciliation: ldapSubEntry
  • For organization lookup reconciliation: organization
  • For organizational unit lookup reconciliation: organizationalunit

Attribute: CodeKeyLTrimStr
Description: String value for left-trimming the value obtained from the search. If there is nothing to be trimmed, then specify the value [NONE].
Default/Sample Value: cn= or uid=

Attribute: CodeKeyRTrimStr
Description: String value for right-trimming the value obtained from the search. If there is nothing to be trimmed, then specify the value [NONE].
Default/Sample Value: ,dc=corp,dc=myorg,dc=com

Attribute: ReconMode
Description: Specify REFRESH to completely refresh the existing lookup definition. Specify UPDATE to update the lookup definition with new or modified values.
Default/Sample Value: REFRESH or UPDATE (specified in uppercase)

Attribute: AttrType
Description: Attribute type of group, role, or organization
Default/Sample Value: The value is one of the following:
  • For group and role lookup reconciliation: cn
  • For organization lookup reconciliation: o
  • For organizational unit lookup reconciliation: ou

Attribute: ConfigurationLookup
Description: Name of the lookup definition that stores configuration information used during connector operations. Do not change the default value.
Default/Sample Value: IPNT.Parameter

After you specify values for these scheduled task attributes, proceed to Step 10 of the procedure to create scheduled tasks.

3.1.4.1.2 User Reconciliation Scheduled Task

The following scheduled tasks are used for user reconciliation:

  • iPlanet User Trusted Recon Task

  • iPlanet User Target Recon Task

  • iPlanet Target Delete User Recon Task

  • iPlanet Trusted Delete User Recon Task

You must specify values for the attributes of these scheduled tasks. The following table describes these attributes:

Note:

  • Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.

  • Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value were left empty, then reconciliation would not be performed.

Attribute: BatchSize
Description: This attribute is used for batched reconciliation. It specifies the number of records that must be included in each batch.
Caution: For reconciliation of deleted users, you must accept the default value of 0. If you change this value, then records of existing users will be deleted from Oracle Identity Manager.
See Also: The "Batched Reconciliation" section
Default/Sample Value: 0 (default)

Attribute: ConfigurationLookup
Description: Name of the lookup definition that stores configuration information used during connector operations. Do not change the default value.
Default/Sample Value: IPNT.Parameter

Attribute: ITResourceName
Description: Name of the IT resource for setting up a connection with Sun Java System Directory
Default/Sample Value: iPlanet User

Attribute: Organization
Description: Name of the organization in Oracle Identity Manager to which you want to reconcile users
Note: This attribute is specific to the iPlanet User Trusted Recon Task scheduled task.
Default/Sample Value: Xellerate Users

Attribute: Role
Description: Name of the role in Oracle Identity Manager that you want to assign to newly reconciled users
Note: This attribute is specific to the iPlanet User Trusted Recon Task scheduled task.
Default/Sample Value: Consultant

Attribute: SearchBase
Description: DN in which the search for user accounts is rooted
Note: For the iPlanet Target Delete User Recon Task and iPlanet Trusted Delete User Recon Task scheduled tasks, ensure that the value of this attribute is the root context.
Default/Sample Value: ou=myou,dc=corp,dc=com or dc=corp, dc=com

Attribute: SearchFilter
Description: LDAP search filter used to locate organization accounts. See "Partial Reconciliation" for more information.
Default/Sample Value: (objectClass=inetOrgPerson)

Attribute: SearchScope
Description: Search scope used to locate user accounts
Note: For the iPlanet Target Delete User Recon Task and iPlanet Trusted Delete User Recon Task scheduled tasks, ensure that the value of this attribute is subtree.
Default/Sample Value: subtree or onelevel

Attribute: TrustedResourceObjectName
Description: Name of the resource object for trusted source user reconciliation and deleted user reconciliation
Note: This attribute is specific to the iPlanet User Trusted Recon Task and iPlanet Trusted Delete User Recon Task scheduled tasks.
Default/Sample Value: Xellerate User

Attribute: TargetResourceObjectName
Description: Name of the resource object for target resource user reconciliation and deleted user reconciliation
Note: This attribute is specific to the iPlanet User Target Recon Task and iPlanet Target Delete User Recon Task scheduled tasks.
Default/Sample Value: iPlanet User

After you specify values for these scheduled task attributes, proceed to Step 10 of the procedure to create scheduled tasks.
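
The rules attached to these attributes (no empty values, a numeric BatchSize, and the BatchSize, SearchScope and SearchBase constraints on the two deleted-user tasks) can be checked before a task is saved. The following Python sketch is an added example, not part of the connector: the function name, the REQUIRED list, the treatment of subtree and onelevel as the only valid scopes, and the sample values are assumptions.

```python
# Task and attribute names come from the guide; everything else in this
# block (function names, REQUIRED, sample values) is assumed for the example.
DELETE_TASKS = {
    "iPlanet Target Delete User Recon Task",
    "iPlanet Trusted Delete User Recon Task",
}
REQUIRED = ("BatchSize", "ConfigurationLookup", "ITResourceName",
            "SearchBase", "SearchFilter", "SearchScope")
VALID_SCOPES = ("subtree", "onelevel")  # assumption: the two sample values are the only ones


def _norm_dn(dn):
    """Lower-case a DN and drop spaces around commas (no escaped-comma support)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def check_user_recon_task(task_name, attrs, root_context):
    """Return a list of problems for one user reconciliation scheduled task."""
    problems = []
    values = {k: str(v).strip() for k, v in attrs.items() if v is not None}

    # A single empty attribute stops reconciliation from being performed.
    for name in sorted(set(REQUIRED) | set(attrs)):
        if not values.get(name):
            problems.append(name + " is empty: reconciliation would not be performed")

    batch = values.get("BatchSize", "")
    scope = values.get("SearchScope", "")
    base = values.get("SearchBase", "")

    if batch and not batch.isdigit():
        problems.append("BatchSize must be a numeric value")
    if scope and scope not in VALID_SCOPES:
        problems.append("SearchScope must be subtree or onelevel")

    if task_name in DELETE_TASKS:
        # A non-zero batch size on a deleted-user task removes existing users.
        if batch and batch != "0":
            problems.append("BatchSize must stay 0 for deleted-user reconciliation; "
                            "other values delete existing users from Oracle Identity Manager")
        if scope and scope != "subtree":
            problems.append("SearchScope must be subtree for deleted-user reconciliation")
        if base and _norm_dn(base) != _norm_dn(root_context):
            problems.append("SearchBase must be the root context for deleted-user reconciliation")
    return problems


# Constructed sample values, modelled on the defaults listed in the table.
SAMPLE_ATTRS = {
    "BatchSize": "0",
    "ConfigurationLookup": "IPNT.Parameter",
    "ITResourceName": "iPlanet User",
    "SearchBase": "dc=corp, dc=com",
    "SearchFilter": "(objectClass=inetOrgPerson)",
    "SearchScope": "subtree",
    "TargetResourceObjectName": "iPlanet User",
}

if __name__ == "__main__":
    risky = dict(SAMPLE_ATTRS, BatchSize="500", SearchScope="onelevel",
                 SearchBase="ou=myou,dc=corp,dc=com")
    for line in check_user_recon_task("iPlanet Target Delete User Recon Task",
                                      risky, "dc=corp,dc=com"):
        print("PROBLEM:", line)
```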

3.1.4.1.3 Group and Role Reconciliation Scheduled Task

The following scheduled tasks are used for group and role reconciliation:

  • iPlanet Group Recon Task

  • iPlanet Role Recon Task

You must specify values for the attributes of these scheduled tasks. The following table describes these attributes:

Note:

  • Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.

  • Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value were left empty, then reconciliation would not be performed.

Attribute: ConfigurationLookup
Description: Name of the lookup definition that stores configuration information used during connector operations. Do not change the default value.
Default/Sample Value: IPNT.Parameter

Attribute: Field Lookup Code
Description: Name of the lookup definition that stores reconciliation field mappings for group or role connector operations. Provide the corresponding reconciliation lookup mappings.
Default/Sample Value: Lookup.iPlanetRoleReconciliation.FieldMap or Lookup.iPlanetGroupReconciliation.FieldMap

Attribute: isRoleRecon
Description: Specifies whether the task performs group or role reconciliation. Specify No for group reconciliation and Yes for role reconciliation.
Default/Sample Value: Yes/No

Attribute: ITResourceName
Description: Name of the IT resource for setting up a connection with Sun Java System Directory
Default/Sample Value: iPlanet User

Attribute: MultiValued Attributes
Description: Set of multivalued attributes, separated by the | operator. Example: <phones|pager>
Default/Sample Value: None

Attribute: ResourceObjectName
Description: Name of the resource object for reconciliation of Group or Role
Default/Sample Value: iPlanet Role/iPlanet Group

Attribute: SearchBase
Description: DN in which the search for Group or Role is rooted
Default/Sample Value: ou=myou,dc=corp,dc=com or dc=corp, dc=com

Attribute: SearchFilter
Description: LDAP search filter used to locate Group or Role
Default/Sample Value: (objectClass=groupOfUniqueNames)/ (objectClass=ldapsubentry)

After you specify values for these scheduled task attributes, proceed to Step 10 of the procedure to create scheduled tasks.

Stopping Reconciliation

Suppose the User Reconciliation Scheduled Task for the connector is running and user records are being reconciled. If you want to stop the reconciliation process:

  1. Perform Steps 1 through 4 of the procedure to configure reconciliation scheduled tasks.

  2. Select the Stop Execution check box in the task scheduler.

  3. Click Save.

3.2 Configuring Provisioning of Users

As mentioned earlier in this guide, provisioning involves creating or modifying a user's account information on the target system through Oracle Identity Manager.

This section discusses the following topics related to configuring provisioning:

3.2.1 Compiling Adapters

Note:

You must perform the procedure described in this section if you want to use the provisioning features of Oracle Identity Manager for this target system.

You need not perform the procedure to compile adapters if you have performed the procedure described in "Installing the Connector on Oracle Identity Manager Release 9.1.0 or Later".

Adapters are used to implement provisioning functions.

See Also:

The "Supported Functionality" section for a listing of the provisioning functions that are available with this connector

The following adapters are imported into Oracle Identity Manager when you import the connector XML file:

  • Update iPlanet Role Details

  • iPlanet PP String

  • iPlanet Common Name PP String

  • iPlanet Create OU

  • iPlanet Delete OU

  • iPlanet Move OU

  • iPlanet Create Role

  • iPlanet Delete Role

  • iPlanet Add User to Group

  • iPlanet Create Group

  • iPlanet Remove User From Group

  • iPlanet Create User

  • iPlanet Change Org Name

  • iPlanet Delete User

  • iPlanet Remove Role from user

  • iPlanet Delete Group

  • Update iPlanet Group Details

  • Chk Process Parent Org

  • iPlanet Add Role to User

  • iPlanet Move User

  • iPlanet Modify User

  • iPlanet Add Multivalue Attribute

  • iPlanet Remove Multivalue Attribute

  • iPlanet Update Multivalue Attribute

  • Update iPlanet Group Attributes

  • Update iPlanet Role Attributes

  • iPlanet Move Group

  • iPlanet Move Role

You must compile these adapters before they can be used in provisioning operations.

To compile adapters by using the Adapter Manager form:

  1. Open the Adapter Manager form.

  2. To compile all the adapters that you import into the current database, select Compile All.

    To compile multiple (but not all) adapters, select the adapters you want to compile. Then, select Compile Selected.

    Note:

    Click Compile Previously Failed to recompile only those adapters that were not compiled successfully. Such adapters do not have an OK compilation status.

  3. Click Start. Oracle Identity Manager compiles the selected adapters.

  4. If Oracle Identity Manager is installed in a clustered environment, then copy the compiled adapters from the OIM_HOME/xellerate/Adapter directory to the same directory on each of the other nodes of the cluster. If required, overwrite the adapter files on the other nodes.

If you want to compile one adapter at a time, then use the Adapter Factory form.

See Also:

Oracle Identity Manager Tools Reference Guide for information about using the Adapter Factory and Adapter Manager forms

To view detailed information about an adapter:

  1. Highlight the adapter in the Adapter Manager form.

  2. Double-click the row header of the adapter, or right-click the adapter.

  3. Select Launch Adapter from the shortcut menu that is displayed. Details of the adapter are displayed.

3.2.2 Enabling Provisioning of Users in Organizations and Organizational Units

Note:

This section describes an optional procedure. You need not perform this procedure if you do not want to enable provisioning of users in organizations.

In the AttrName.Prov.Map.iPlanet lookup definition, the following are default settings for enabling provisioning of users in organizational units:

  • ldapOrgDNPrefix=ou

  • ldapOrgUnitObjectClass=OrganizationalUnit

If you want to enable the provisioning of users in organizations, then change these settings as follows:

  • ldapOrgDNPrefix=o

  • ldapOrgUnitObjectClass=organization

See Also:

Oracle Identity Manager Design Console Guide for detailed information about modifying lookup definitions

3.2.3 Provisioning Organizational Units, Groups, and Roles

To provision an organizational unit:

  1. Log in to the Oracle Identity Manager Administrative and User Console.

  2. Expand Organizations.

  3. Click Create.

  4. Specify a name and the type for the organization that you want to create, and then click Create Organization.

  5. Select Resource Profile from the list.

  6. Click Provision New Resource.

  7. Select the organizational unit option.

  8. Click Continue, and then click Continue again.

  9. From the IT server lookup field, select the resource object corresponding to the required IT resource.

  10. Click Continue, and then click Continue again on the Verification page.

To provision a group or role:

  1. Log in to the Oracle Identity Manager Administrative and User Console.

  2. Expand Organizations.

  3. Click Manage.

  4. Search for the organizational unit under which you want to provision the group or role.

  5. Select Resource Profile from the list.

  6. Click Provision New Resource.

  7. On this page, the option that you must select depends on what you want to create:

    • Select the group option if you want to create a group.

      The default settings to enable provisioning of Groups in organizational units in the AtMap.iPlanetGroup lookup definition are listed in the following table:

      Code Key             | Decode
      ldapGroupObjectClass | groupOfUniqueNames
      ldapGroupDNPrefix    | cn
      Group Name           | cn
      ldapGroupName        | cn
      ldapOrgDNPrefix      | ou
      ldapObjectClass      | objectclass
      nsuniqueid           | nsuniqueid

    • Select the role option if you want to create a role.

      The default settings to enable provisioning of Roles in organizational units in the AttrMap.iPlanetRole lookup definition are listed in the following table:

      Code Key            | Decode
      ldapRoleObjectClass | ldapsubentry
      ldapRoleDNPrefix    | cn
      Role Name           | cn
      ldapRoleName        | cn
      ldapOrgDNPrefix     | ou
      ldapObjectClass     | objectclass
      nsuniqueid          | nsuniqueid

  8. Click Continue, and then click Continue again on the Verification page.

  9. Enter a name for the group or role.

  10. From the IT server lookup field, select the IT resource.

  11. Click Continue, and then click Continue again on the Verification page.

3.3 Adding New Attributes for Target Resource Reconciliation

By default, the attributes listed in the "Reconciled Resource Object Fields" section are mapped for reconciliation between Oracle Identity Manager and the target system. With this patch, if required, you can map additional attributes for reconciliation.

See Also:

Oracle Identity Manager Design Console for detailed instructions on performing the following procedure

To add a custom attribute for reconciliation:

  1. While performing the procedure described in the "Creating a Target System User Account for Connector Operations" section, you create an ACI for the user account. You must add the attribute to the ACI as follows:

    1. Log in to the Sun One Server Console by using administrator credentials.

    2. Expand the host name folder.

    3. Expand Server Group.

    4. Select Directory Server, and then click Open on the right pane.

    5. On the Directory tab, right-click the root context.

    6. From the shortcut menu, click Set Access Permissions.

    7. In the Manage Access Control dialog box, select the name of the ACI that you create for the user account and then click Edit.

      The ACI that you create for the user account is displayed.

    8. Add the attribute to the list of attributes displayed in the ACI. Use two vertical bars as the delimiter.

      In the following sample ACI, the passportnumber attribute has been added to the ACI:

      (targetattr = "passportnumber || physicalDeliveryOfficeName || homePhone || preferredDeliveryMethod || jpegPhoto || nsRoleDN || audio || internationaliSDNNumber || owner || postalAddress || roomNumber || givenName || carLicense || userPKCS12 || searchGuide || userPassword || teletexTerminalIdentifier || mobile || manager || entrydn || objectClass || userSMIMECertificate || displayName || destinationIndicator || telexNumber || employeeNumber || secretary || uid || userCertificate || st || sn || description || mail || labeledUri || businessCategory || homePostalAddress || x500UniqueIdentifier || modifyTimestamp || postOfficeBox || ou || nsAccountLock || seeAlso || registeredAddress || postalCode || photo || title || uniqueMember || street || pager || departmentNumber || dc || o || cn || l || initials || telephoneNumber || preferredLanguage || facsimileTelephoneNumber || x121Address || employeeType") (version 3.0;acl "OIMUserACI";allow (read,write,delete,add)(userdn = "ldap:/// uid=OIMAdmin, ou=Org1, dc=corp,dc=oracle,dc=com ");) 
      
    9. Click OK.

  2. Determine the target system name for the attribute that you want to add as follows:

    1. Log in to the target system.

    2. On the Configuration tab of the user interface, click Schema.

    3. Select the object class with which you want to perform reconciliation.

    4. Search for the attribute that you want to add and record the name of the attribute. Later in this procedure, you enter this name while creating a lookup definition entry for the attribute.

  3. Log in to the Oracle Identity Manager Design Console.

  4. Add the new attribute on the process form as follows:

    1. Open the Form Designer form.

    2. Search for and open the UD_IPNT_USR form.

    3. Create a new version of the form.

    4. Add the new attribute on the form.

    5. Save and close the form.

  5. In the lookup definition for reconciliation, create an entry for the new attribute as follows:

    1. Open the Lookup Definition form.

    2. Search for and open the AttrName.Recon.Map.iPlanet lookup definition.

    3. In the lookup definition, create an entry for the attribute that you want to add:

      • Code Key: Enter the name of the attribute that you add on the process form.

      • Decode Key: Enter the name of the attribute displayed on the target system, which you recorded earlier in this procedure.

    4. In the lookup definition, add the custom object class (containing the attribute) to the existing value of the ldapUserObjectClass attribute. For example, if the new attribute is in the accountdetails object class, then the value of the ldapUserObjectClass attribute must be set to:

      <inetorgperson|accountdetails>
      

      In general, the format of the ldapUserObjectClass attribute value must be as follows:

      <inetorgperson|customObjectClass1|customObjectClass2| . . . customObjectClassn>
      
  6. In the resource object, add a reconciliation field for the attribute as follows:

    1. Open the Resource Objects form.

    2. Search for the iPlanet User process.

    3. On the Reconciliation Fields subtab of the Object Reconciliation tab, create an entry for the attribute.

  7. In the process definition, create a reconciliation field mapping for the attribute as follows:

    1. Open the Process Definition form.

    2. Search for the iPlanet User process.

    3. On the Reconciliation Field Mappings tab, create a reconciliation field mapping for the attribute.
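
Step 1 of this procedure edits an ACI that already grants read, write, delete and add rights on a long attribute list, so it is worth reviewing the result after each change. The following Python sketch is an added example, not part of the connector or the directory server tooling: it parses an ACI of the shape shown in the sample, confirms that the new attribute is present, and lists granted attributes that deserve a second look. The function names, the SENSITIVE set and the shortened sample ACI are assumptions.

```python
import re

# Attributes treated as sensitive for review purposes (assumption; adjust locally).
SENSITIVE = {"userpassword", "userpkcs12", "usercertificate",
             "usersmimecertificate", "nsaccountlock", "nsroledn", "uniquemember"}

# Matches only ACIs of the shape used in the guide's sample:
# (targetattr = "...") (version 3.0;acl "...";allow (...)(userdn = "...");)
# ACIs that use targetattr != or other bind rules are rejected, not guessed at.
_ACI_RE = re.compile(
    r'\(\s*targetattr\s*=\s*"(?P<attrs>[^"]*)"\s*\)\s*'
    r'\(\s*version\s+3\.0\s*;\s*acl\s+"(?P<name>[^"]*)"\s*;\s*'
    r'(?P<effect>allow|deny)\s*\((?P<perms>[^)]*)\)\s*'
    r'\(\s*userdn\s*=\s*"(?P<userdn>[^"]*)"\s*\)\s*;\s*\)',
    re.IGNORECASE,
)


def parse_aci(text):
    """Split an ACI string into its name, effect, attribute list, rights and bind DN."""
    m = _ACI_RE.search(text)
    if not m:
        raise ValueError("text does not look like a targetattr/userdn ACI")
    userdn = m.group("userdn").strip()
    if userdn.lower().startswith("ldap:///"):
        userdn = userdn[len("ldap:///"):]
    return {
        "name": m.group("name"),
        "effect": m.group("effect").lower(),
        "attrs": [a.strip() for a in m.group("attrs").split("||") if a.strip()],
        "perms": {p.strip().lower() for p in m.group("perms").split(",") if p.strip()},
        # Remove the stray spaces around commas seen in the sample's bind DN.
        "userdn": ",".join(part.strip() for part in userdn.split(",")),
    }


def audit_aci(text, new_attr):
    """Report whether new_attr is covered and which sensitive attributes are writable."""
    aci = parse_aci(text)
    lowered = [a.lower() for a in aci["attrs"]]
    grants_write = (aci["effect"] == "allow"
                    and bool(aci["perms"] & {"write", "add", "delete", "all"}))
    return {
        "acl": aci["name"],
        "bind_dn": aci["userdn"],
        # LDAP attribute names are compared without regard to case here.
        "new_attr_present": new_attr.lower() in lowered,
        "wildcard": "*" in lowered,
        "duplicates": sorted({a for a in lowered if lowered.count(a) > 1}),
        "writable_sensitive": sorted(a for a in aci["attrs"]
                                     if grants_write and a.lower() in SENSITIVE),
    }


# Constructed sample: the guide's sample ACI with the attribute list shortened.
SAMPLE_ACI = (
    '(targetattr = "passportnumber || givenName || userPassword || uid || sn '
    '|| mail || nsAccountLock || cn") '
    '(version 3.0;acl "OIMUserACI";allow (read,write,delete,add)'
    '(userdn = "ldap:/// uid=OIMAdmin, ou=Org1, dc=corp,dc=oracle,dc=com ");)'
)

if __name__ == "__main__":
    for key, value in audit_aci(SAMPLE_ACI, "passportnumber").items():
        print("%-20s %s" % (key, value))
```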

3.4 Adding New Attributes for Group or Role Reconciliation

By default, the attributes listed in the "Reconciled Resource Object Fields" section are mapped for reconciliation between Oracle Identity Manager and the target system. With this patch, if required, you can map additional attributes for reconciliation.

See Also:

Oracle Identity Manager Design Console for detailed instructions on performing the following procedure

To add a custom attribute for reconciliation:

  1. While performing the procedure described in "Creating a Target System User Account for Connector Operations", you create an ACI for the user account. You must add the attribute to the ACI as follows:

    1. Log in to the Sun One Server Console by using administrator credentials.

    2. Expand the host name folder.

    3. Expand Server Group.

    4. Select Directory Server, and then click Open on the right pane.

    5. On the Directory tab, right-click the root context.

    6. From the shortcut menu, click Set Access Permissions.

    7. In the Manage Access Control dialog box, select the name of the ACI that you create for the user account and then click Edit.

      The ACI that you create for the user account is displayed.

    8. Add the attribute to the list of attributes displayed in the ACI. Use two vertical bars as the delimiter.

      In the following sample ACI, the passportnumber attribute has been added to the ACI:

      (targetattr = "passportnumber || physicalDeliveryOfficeName || homePhone || preferredDeliveryMethod || jpegPhoto || nsRoleDN || audio || internationaliSDNNumber || owner || postalAddress || roomNumber || givenName || carLicense || userPKCS12 || searchGuide || userPassword || teletexTerminalIdentifier || mobile || manager || entrydn || objectClass || userSMIMECertificate || displayName || destinationIndicator || telexNumber || employeeNumber || secretary || uid || userCertificate || st || sn || description || mail || labeledUri || businessCategory || homePostalAddress || x500UniqueIdentifier || modifyTimestamp || postOfficeBox || ou || nsAccountLock || seeAlso || registeredAddress || postalCode || photo || title || uniqueMember || street || pager || departmentNumber || dc || o || cn || l || initials || telephoneNumber || preferredLanguage || facsimileTelephoneNumber || x121Address || employeeType") (version 3.0;acl "OIMUserACI";allow (read,write,delete,add)(userdn = "ldap:/// uid=OIMAdmin, ou=Org1, dc=corp,dc=oracle,dc=com ");) 
      
    9. Click OK.

  2. Determine the target system name for the attribute that you want to add as follows:

    1. Log in to the target system.

    2. On the Configuration tab of the user interface, click Schema.

    3. Select the object class with which you want to perform reconciliation.

    4. Search for the attribute that you want to add and record the name of the attribute. Later in this procedure, you enter this name while creating a lookup definition entry for the attribute.

  3. Log in to the Oracle Identity Manager Design Console.

  4. Add the new attribute on the process form as follows:

    1. Open the Form Designer form.

    2. Do one of the following:

      Search for and open the UD_IPNT_GR form for Group Recon.

      Search for and open the UD_IPNT_RL form for Role Recon.

    3. Create a new version of the form.

    4. Add the new attribute on the form.

    5. Save and close the form.

  5. In the lookup definition for reconciliation, create an entry for the new attribute as follows:

    1. Open the Lookup Definition form.

    2. Do one of the following:

      Search for and open the Lookup.iPlanetGroupReconciliation.FieldMap lookup definition for Group Recon.

      Search for and open the Lookup.iPlanetRoleReconciliation.FieldMap lookup definition for Role Recon.

    3. In the lookup definition, create an entry for the attribute that you want to add:

      • Code Key: Enter the name of the attribute that you add on the process form.

      • Decode Key: Enter the name of the attribute displayed on the target system, which you recorded earlier in this procedure.

  6. In the resource object, add a reconciliation field for the attribute as follows:

    1. Open the Resource Objects form.

    2. Do one of the following:

      Search for the iPlanet Group process.

      Search for the iPlanet Role process.

    3. On the Reconciliation Fields subtab of the Object Reconciliation tab, create an entry for the attribute.

  7. In the process definition, create a reconciliation field mapping for the attribute as follows:

    1. Open the Process Definition form.

    2. Do one of the following:

      Search for the iPlanet Group process.

      Search for the iPlanet Role process.

    3. On the Reconciliation Field Mappings tab, create a reconciliation field mapping for the attribute.

3.5 Adding New Attributes for Trusted Source Reconciliation

Note:

By default, the attributes listed in the "Reconciled Xellerate User (OIM User) Fields" section are mapped for reconciliation between Oracle Identity Manager and the target system. If required, you can add new attributes for trusted source reconciliation.

To add a new attribute for trusted source reconciliation:

See Also:

Oracle Identity Manager Design Console Guide for detailed information about these steps

  1. Log in to the Oracle Identity Manager Design Console.

  2. Add the new attribute on the OIM User process form as follows:

    1. Expand Development Tools.

    2. Double-click Form Designer.

    3. Search for and open the Users process form.

    4. Click Add.

    5. Enter the details of the attribute.

      For example, if you are adding the Title attribute, then enter Employee ID in the Name field, set the data type to String, enter Title as the column name, and enter a field size value.

    6. Click Save.

  3. Add the new attribute to the list of reconciliation fields in the resource object as follows:

    1. Expand Resource Management.

    2. Double-click Resource Objects.

    3. Search for and open the Xellerate User resource object.

    4. On the Object Reconciliation tab, click Add Field.

    5. Enter the details of the attribute.

      For example, enter Title in the Field Name field and select String from the Field Type list.

      Later in this procedure, you will enter the attribute name as the Decode value of the entry that you create in the lookup definition for reconciliation.

    6. Click Save.

  4. Create a reconciliation field mapping for the new attribute in the process definition as follows:

    1. Expand Process Management.

    2. Double-click Process Definition.

    3. Search for and open the Xellerate User process definition.

    4. On the Reconciliation Field Mappings tab, click Add Field Map.

    5. In the Field Name field, select the value for the attribute that you want to add.

      For example, select Title = Title.

    6. Click Save.

  5. Create an entry for the attribute in the lookup definition for reconciliation as follows:

    1. Expand Administration.

    2. Double-click Lookup Definition.

    3. Search for and open the AttrName.Recon.Map.iPlanet lookup definition.

    4. Click Add and enter the Code Key and Decode values for the attribute. The Code Key value must be the name of the attribute on the target system, which you determined at the start of this procedure. The Decode value is the name that you provide for the reconciliation field in Step 3.e.

      For example, enter Title in the Code Key field and then enter title in the Decode field.

    5. Click Save.

    6. Select Field Type, and then click Save.

3.6 Adding New Multivalued Attributes for Target Resource Reconciliation

Note:

You must ensure that new attributes you add for reconciliation contain only string-format data. Binary attributes must not be brought into Oracle Identity Manager natively.

By default, the multivalued attributes Role and Group are mapped for reconciliation between Oracle Identity Manager and the target system. If required, you can add new multivalued attributes for target resource reconciliation.

To add a new multivalued attribute for target resource reconciliation:

  1. Log in to the Oracle Identity Manager Design Console.

  2. Create a form for the multivalued attribute as follows:

    1. Expand Development Tools.

    2. Double-click Form Designer.

    3. Create a form by specifying a table name and description, and then click Save.

    4. Click Add and enter the details of the attribute.

    5. Click Save and then click Make Version Active.

  3. Add the form created for the multivalued attribute as a child form of the process form as follows:

    1. Search for and open the UD_IPNT_USR process form.

    2. Click Create New Version.

    3. Click the Child Table(s) tab.

    4. Click Assign.

    5. In the Assign Child Tables dialog box, select the newly created child form, click the right arrow, and then click OK.

    6. Click Save and then click Make Version Active.

  4. Add the new attribute to the list of reconciliation fields in the resource object as follows:

    1. Expand Resource Management.

    2. Double-click Resource Objects.

    3. Search for and open the IPlanet User resource object.

    4. On the Object Reconciliation tab, click Add Field.

    5. In the Add Reconciliation Fields dialog box, enter the details of the attribute.

      For example, enter carLicense in the Field Name field and select Multi Valued Attribute from the Field Type list.

    6. Click Save and then close the dialog box.

    7. Right-click the newly created attribute.

    8. Select Define Property Fields.

    9. In the Add Reconciliation Fields dialog box, enter the details of the newly created field.

      For example, enter Mailing Address in the Field Name field and select String from the Field Type list.

    10. Click Save, and then close the dialog box.

  5. Create a reconciliation field mapping for the new attribute as follows:

    1. Expand Process Management.

    2. Double-click Process Definition.

    3. Search for and open the iPlanet User process definition.

    4. On the Reconciliation Field Mappings tab of the iPlanet User process definition, click Add Table Map.

    5. In the Add Reconciliation Table Mapping dialog box, select the field name and table name from the list, click Save, and then close the dialog box.

    6. Right-click the newly created field, and select Define Property Field Map.

    7. In the Field Name field, select the value for the field that you want to add.

    8. Double-click the Process Data Field field, and then select UD_ADDRESS.

    9. Select Key Field for Reconciliation Field Matching and click Save.

  6. Create an entry for the attribute in the lookup definition for reconciliation as follows:

    1. Expand Administration.

    2. Double-click Lookup Definition.

    3. Search for and open the AttrName.Recon.Map.iPlanet lookup definition.

    4. In the Decode column for the ldapMultiValAttr Code Key, enter the field name and code key separated by a semicolon. Field Name and Code Key pairs are separated by vertical bars.

      For example, if Mailing Address is the attribute name, then append the following to the entry in the Decode column of the ldapMultiValAttr Code Key:

      |Mailing Address;Mailing Address
      

      As shown in this example, the vertical bar is used to separate field name and Code Key pairs and a semicolon is used to separate the Field Name and Code Key.

    5. Click Add, enter the Code Key and Decode values for the attribute, and then click Save. The Code Key value must be the name of the attribute on the process form. The Decode value must be the name of the attribute on the target system.

      For example, enter PostalAddress in the Code Key column and then enter postaladdress in the Decode field.
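The Decode format for the ldapMultiValAttr Code Key described in step 6 can be checked before it is pasted into the lookup definition. The following is an added example, not code from the connector or this guide; the function names are hypothetical and the existing Decode value is a constructed stand-in, not the value shipped with the connector.

```python
PAIR_SEP = "|"   # separates Field Name/Code Key pairs
PART_SEP = ";"   # separates the Field Name from the Code Key

# Constructed stand-in for the Decode value already present in the lookup.
EXISTING_DECODE = "Group;Group|Role;Role"


def parse_multival_decode(decode):
    """Split an ldapMultiValAttr Decode value into (field name, code key) pairs."""
    pairs = []
    for chunk in decode.split(PAIR_SEP):
        if not chunk.strip():
            continue  # tolerate a leading or trailing vertical bar
        parts = [p.strip() for p in chunk.split(PART_SEP)]
        if len(parts) != 2 or not all(parts):
            raise ValueError(f"malformed pair: {chunk!r}")
        pairs.append((parts[0], parts[1]))
    return pairs


def append_multival_pair(decode, field_name, code_key):
    """Return the Decode value with one more pair appended.

    Rejects names that contain a delimiter, leaves the value unchanged if
    the pair is already present, and refuses to map one field name to two
    different Code Keys.
    """
    field_name, code_key = field_name.strip(), code_key.strip()
    for value in (field_name, code_key):
        if not value or PAIR_SEP in value or PART_SEP in value:
            raise ValueError(f"name is empty or contains a delimiter: {value!r}")
    pairs = parse_multival_decode(decode)
    if (field_name, code_key) in pairs:
        return decode
    if any(existing == field_name for existing, _ in pairs):
        raise ValueError(f"{field_name!r} is already mapped to another Code Key")
    pairs.append((field_name, code_key))
    return PAIR_SEP.join(PART_SEP.join(pair) for pair in pairs)


if __name__ == "__main__":
    print(append_multival_pair(EXISTING_DECODE, "Mailing Address", "Mailing Address"))
```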

3.7 Adding New Attributes for Provisioning

By default, the attributes listed in the "Provisioning Module" section of the connector guide are mapped for provisioning between Oracle Identity Manager and the target system. With this patch, if required, you can map additional attributes for provisioning.

See Also:

Oracle Identity Manager Design Console for detailed instructions on performing the following procedure

To add a new attribute for provisioning:

  1. While performing the procedure described in "Creating a Target System User Account for Connector Operations", you create an ACI for the user account. You must add the attribute to the ACI as follows:

    1. Log in to the Sun One Server Console by using administrator credentials.

    2. Expand the host name folder.

    3. Expand Server Group.

    4. Select Directory Server, and then click Open on the right pane.

    5. On the Directory tab, right-click the root context in which you created the user account for connector operations.

    6. From the shortcut menu, click Set Access Permissions.

    7. In the Manage Access Control dialog box, select the name of the ACI that you create for the user account and then click Edit.

      The ACI that you create for the user account is displayed.

    8. Add the attribute to the list of attributes displayed in the ACI. Use two vertical bars as the delimiter.

      In the following sample ACI, the passportnumber attribute has been added to the ACI:

      (targetattr = "passportnumber || physicalDeliveryOfficeName || homePhone || preferredDeliveryMethod || jpegPhoto || nsRoleDN || audio || internationaliSDNNumber || owner || postalAddress || roomNumber || givenName || carLicense || userPKCS12 || searchGuide || userPassword || teletexTerminalIdentifier || mobile || manager || entrydn || objectClass || userSMIMECertificate || displayName || destinationIndicator || telexNumber || employeeNumber || secretary || uid || userCertificate || st || sn || description || mail || labeledUri || businessCategory || homePostalAddress || x500UniqueIdentifier || modifyTimestamp || postOfficeBox || ou || nsAccountLock || seeAlso || registeredAddress || postalCode || photo || title || uniqueMember || street || pager || departmentNumber || dc || o || cn || l || initials || telephoneNumber || preferredLanguage || facsimileTelephoneNumber || x121Address || employeeType") (version 3.0;acl "OIMUserACI";allow (read,write,delete,add)(userdn = "ldap:///uid=OIMAdmin,ou=Org1,dc=corp,dc=oracle,dc=com");)
      
    9. Click OK.

  2. Determine the target system name for the attribute that you want to add as follows:

    1. Log in to the target system.

    2. On the Configuration tab of the user interface, click Schema.

    3. Select the object class on which you want to perform provisioning operations.

    4. Search for the attribute that you want to add, and record the name of the attribute. Later in this procedure, you enter this name while creating a lookup definition entry for the attribute.

  3. Log in to the Oracle Identity Manager Design Console.

  4. Add the new attribute on the process form as follows:

    1. Open the Form Designer form.

    2. Search for and open the UD_IPNT_USR form.

    3. Create a new version of the form.

    4. Add the new attribute on the form.

    5. Save and close the form.

  5. In the lookup definition for provisioning, create an entry for the new attribute as follows:

    1. Open the Lookup Definition form.

    2. Search for and open the Attrname.Prov.Map.iPlanet lookup definition.

    3. In the lookup definition, add an entry for the attribute that you want to add:

      • Code Key: Enter the name of the attribute that you add on the process form.

      • Decode Key: Enter the name of the attribute displayed on the target system, which you recorded earlier in this procedure.

    4. In the lookup definition, add the custom object class (containing the attribute) to the existing value of the ldapUserObjectClass attribute. For example, if the new attribute is in the accountdetails object class, then the value of the ldapUserObjectClass attribute must be set to:

      <inetorgperson|accountdetails>
      

      In general, the format of the ldapUserObjectClass attribute value must be as follows:

      <inetorgperson|customObjectClass1|customObjectClass2| . . . customObjectClassn>
      
  6. To test whether or not you can use the newly added attribute for provisioning, log in to the Oracle Identity Manager Administrative and User Console and perform a provisioning operation in which you specify a value for the newly added attribute.

Enabling Update of New Multivalued Attributes for Provisioning

After you add a multivalued attribute for provisioning, you must enable update operations on the attribute. If you do not perform this procedure, then you will not be able to modify the value of the attribute after you set a value for it during the Create User provisioning operation.

To enable the update of a new multivalued attribute for provisioning:

  1. Log in to the Oracle Identity Manager Design Console.

  2. Expand Process Management.

  3. Double-click Process Definition and open the iPlanet User process definition.

  4. In the process definition, add a task for setting a value for the attribute:

    1. Click Add, enter the name of the task for adding multivalued attributes, and enter the task description.

    2. In the Task Properties section, select the following fields:

      • Conditional

      • Required for Completion

      • Allow Cancellation while Pending

      • Allow Multiple Instances

      • Select the child table from the list.

        For the example described earlier, select Mailing Address from the list.

      • Select Insert as the trigger type for adding multivalued data. Alternatively, select Delete as the trigger type for removing multivalued data.

    3. On the Integration tab, click Add, and then click Adapter.

    4. Select the adpIPLANETADDMULTIVALUEATTRIBUTE adapter, click Save, and then click OK in the message.

    5. To map the adapter variables listed in this table, select the adapter, click Map, and then specify the data given in the following table:

      Note:

      Some of the values in this table are specific to the Mailing Address/Postal Address example. These values must be replaced with values relevant to the multivalued attributes that you require.

      | Variable Name | Data Type | Map To | Qualifier | IT Asset Type | IT Asset Property |
      |---|---|---|---|---|---|
      | Adapter return value | Object | Response Code | NA | NA | NA |
      | AdminID | String | IT Resources | Server | LDAP Server | Admin Id |
      | AdminPwd | String | IT Resources | Server | LDAP Server | Admin Password |
      | processIntKey | String | Process Data | Process Instance | NA | NA |
      | rootContext | String | IT Resources | Server | LDAP Server | Root DN |
      | SSLFlag | String | IT Resources | Server | LDAP Server | SSL |
      | PropertyName | String | Literal | String | postaladdress (Note: This is a sample value.) | NA |
      | AttrLookupCode | String | IT Resources | Server | LDAP Server | Prov Attribute Lookup Code |
      | LDAPServer | String | IT Resources | Server | LDAP Server | Server Address |
      | Port | String | IT Resources | Server | LDAP Server | Port |
      | PropertyValue | String | Process Data | and mailing address Mailing address (Note: This is a sample value.) | NA | NA |
      | NsuniqueID | String | Process Data | NsuniqueID | NA | NA |

    6. Click the Save icon and then close the dialog box.

  5. In the process definition, add a task for removing the value of the attribute by performing Step 4. While performing Step 4.d, select the adpIPLANETREMOVEMULTIVALUEATTRIBUTE adapter.

3.8 Adding New Attributes for Provisioning of Group or Role

By default, the attributes listed in the "Provisioning Module" section of the connector guide are mapped for provisioning between Oracle Identity Manager and the target system. With this patch, if required, you can map additional attributes for provisioning.

To add a new attribute for provisioning:

  1. While performing the procedure described in "Creating a Target System User Account for Connector Operations", you create an ACI for the user account. You must add the attribute to the ACI as follows:

    1. Log in to the Sun One Server Console by using administrator credentials.

    2. Expand the host name folder.

    3. Expand Server Group.

    4. Select Directory Server, and then click Open on the right pane.

    5. On the Directory tab, right-click the root context in which you created the user account for connector operations.

    6. From the shortcut menu, click Set Access Permissions.

    7. In the Manage Access Control dialog box, select the name of the ACI that you create for the user account and then click Edit.

      The ACI that you create for the user account is displayed.

    8. Add the attribute to the list of attributes displayed in the ACI. Use two vertical bars as the delimiter.

      In the following sample ACI, the passportnumber attribute has been added to the ACI:

      (targetattr = "passportnumber || physicalDeliveryOfficeName || homePhone || preferredDeliveryMethod || jpegPhoto || nsRoleDN || audio || internationaliSDNNumber || owner || postalAddress || roomNumber || givenName || carLicense || userPKCS12 || searchGuide || userPassword || teletexTerminalIdentifier || mobile || manager || entrydn || objectClass || userSMIMECertificate || displayName || destinationIndicator || telexNumber || employeeNumber || secretary || uid || userCertificate || st || sn || description || mail || labeledUri || businessCategory || homePostalAddress || x500UniqueIdentifier || modifyTimestamp || postOfficeBox || ou || nsAccountLock || seeAlso || registeredAddress || postalCode || photo || title || uniqueMember || street || pager || departmentNumber || dc || o || cn || l || initials || telephoneNumber || preferredLanguage || facsimileTelephoneNumber || x121Address || employeeType") (version 3.0;acl "OIMUserACI";allow (read,write,delete,add)(userdn = "ldap:///uid=OIMAdmin,ou=Org1,dc=corp,dc=oracle,dc=com");)
      
    9. Click OK.

  2. Determine the target system name for the attribute that you want to add as follows:

    1. Log in to the target system.

    2. On the Configuration tab of the user interface, click Schema.

    3. Select the object class on which you want to perform provisioning operations.

    4. Search for the attribute that you want to add, and record the name of the attribute. Later in this procedure, you enter this name while creating a lookup definition entry for the attribute.

  3. Log in to the Oracle Identity Manager Design Console.

  4. Add the new attribute on the process form as follows:

    1. Open the Form Designer form.

    2. Do one of the following:

      Search for and open the UD_IPNT_GR form.

      Search for and open the UD_IPNT_RL form.

    3. Create a new version of the form.

    4. Add the new attribute on the form.

    5. Save the form.

    6. Make the version active, and close the form.

  5. In the lookup definition for provisioning, create an entry for the new attribute as follows:

    1. Open the Lookup Definition form.

    2. Do one of the following:

      Search for and open the AtMap.iPlanetGroup lookup definition.

      Search for and open the AttrMap.iPlanetRole lookup definition.

    3. In the lookup definition, add an entry for the attribute that you want to add:

      • Code Key: Enter the name of the attribute that you add on the process form.

      • Decode Key: Enter the name of the attribute displayed on the target system, which you recorded earlier in this procedure.

  6. To test whether or not you can use the newly added attribute for provisioning, log in to the Oracle Identity Manager Administrative and User Console and perform a provisioning operation in which you specify a value for the newly added attribute.

Enabling Update of New Attributes for Provisioning of Group or Role

After you add an attribute for provisioning Group or Role, you must enable update operations on the attribute. If you do not perform this procedure, then you will not be able to modify the value of the attribute after you set a value for it during the Create User provisioning operation.

To enable the update of a new multivalued attribute for provisioning:

  1. Log in to the Oracle Identity Manager Design Console.

  2. Expand Process Management.

  3. Do one of the following:

    • Double-click Process Definition and open the iPlanet Group process definition.

    • Double-click Process Definition and open the iPlanet Role process definition.

  4. In the process definition, add a task for setting a value for the attribute:

    1. Click Add, enter the name of the task for adding multivalued attributes, and enter the task description.

    2. In the Task Properties section, select the following fields:

      • Conditional

      • Required for Completion

      • Allow Cancellation while Pending

      • Allow Multiple Instances

      • Select the child table from the list.

        For the example described earlier, select Mailing Address from the list.

    3. On the Integration tab, click Add, and then click Adapter.

    4. Do one of the following:

      • Select the adpUPDATEIPLANETGROUPATTRIBUTES adapter, click Save, and then click OK in the message.

      • Select the adpUPDATEIPLANETROLEATTRIBUTES adapter, click Save, and then click OK in the message.

    5. To map the adapter variables listed in this table, select the adapter, click Map, and then specify the data given in the following table:

      | Variable Name | Data Type | Map To | Qualifier | IT Asset Type | IT Asset Property |
      |---|---|---|---|---|---|
      | Adapter return value | Object | Response Code | NA | NA | NA |
      | AdminID | String | IT Resources | Server | LDAP Server | Admin Id |
      | AdminPwd | String | IT Resources | Server | LDAP Server | Admin Password |
      | processIntKey | String | Process Data | Process Instance | NA | NA |
      | rootContext | String | IT Resources | Server | LDAP Server | Root DN |
      | SSLFlag | String | IT Resources | Server | LDAP Server | SSL |
      | PropertyName | String | Literal | String | postaladdress (Note: This is a sample value.) | NA |
      | AttrLookupCode | String | IT Resources | Server | LDAP Server | Prov Attribute Lookup Code |
      | LDAPServer | String | IT Resources | Server | LDAP Server | Server Address |
      | Port | String | IT Resources | Server | LDAP Server | Port |
      | PropertyValue | String | Process Data | and mailing address Mailing address (Note: This is a sample value.) | NA | NA |
      | NsuniqueID | String | Process Data | NsuniqueID | NA | NA |

    6. Click the Save icon and then close the dialog box.

Enabling Update of New Multivalued Attributes for Provisioning of Group or Role

After you add a multivalued attribute for provisioning Group or Role, you must enable update operations on the attribute.

To update a new multivalued attribute for provisioning of Groups or Roles, perform the steps mentioned in the "Adding New Attributes for Provisioning" section.

3.9 Adding New Object Classes

To add a new object class, perform the following procedures:

Note:

You must add the mandatory attributes of each object class that you add.

  1. Assigning Permissions for Using the Attribute

  2. Adding the Attributes of the Object Class to the Process Form

  3. Adding the Object Class and its Attributes to the Lookup Definition for Provisioning

  4. Adding the Attributes of the Object Class to the Resource Object

  5. Adding the Object Class and its Attributes to the Lookup Definition for Reconciliation

  6. Adding attributes of the Object Class to the Provisioning Process

3.9.1 Assigning Permissions for Using the Attribute

While performing the procedure described in "Creating a Target System User Account for Connector Operations", you create an ACI for the user account. You must add the attribute to the ACI as follows:

  1. Log in to the Sun One Server Console by using administrator credentials.

  2. Expand the host name folder.

  3. Expand Server Group.

  4. Select Directory Server, and then click Open on the right pane.

  5. On the Directory tab, right-click the root context in which you created the user account for connector operations.

  6. From the shortcut menu, click Set Access Permissions.

  7. In the Manage Access Control dialog box, select the name of the ACI that you create for the user account and then click Edit.

    The ACI that you create for the user account is displayed.

  8. Add the attribute to the list of attributes displayed in the ACI. Use two vertical bars as the delimiter.

    In the following sample ACI, the passportnumber attribute has been added to the ACI:

    (targetattr = "passportnumber || physicalDeliveryOfficeName || homePhone || preferredDeliveryMethod || jpegPhoto || nsRoleDN || audio || internationaliSDNNumber || owner || postalAddress || roomNumber || givenName || carLicense || userPKCS12 || searchGuide || userPassword || teletexTerminalIdentifier || mobile || manager || entrydn || objectClass || userSMIMECertificate || displayName || destinationIndicator || telexNumber || employeeNumber || secretary || uid || userCertificate || st || sn || description || mail || labeledUri || businessCategory || homePostalAddress || x500UniqueIdentifier || modifyTimestamp || postOfficeBox || ou || nsAccountLock || seeAlso || registeredAddress || postalCode || photo || title || uniqueMember || street || pager || departmentNumber || dc || o || cn || l || initials || telephoneNumber || preferredLanguage || facsimileTelephoneNumber || x121Address || employeeType") (version 3.0;acl "OIMUserACI";allow (read,write,delete,add)(userdn = "ldap:///uid=OIMAdmin,ou=Org1,dc=corp,dc=oracle,dc=com");)
    
  9. Click OK.
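The targetattr edit from step 8 can be prepared and reviewed outside the console before it is pasted in. The following is an added example, not code from the connector or this guide: the function names are hypothetical, the sample ACI is a shortened copy of the one above, and the set of attributes treated as credential material is an assumption made for the review helper.

```python
import re

# Shortened copy of the guide's sample ACI (constructed for this example).
SAMPLE_ACI = (
    '(targetattr = "uid || cn || sn || userPassword || mail") '
    '(version 3.0;acl "OIMUserACI";allow (read,write,delete,add)'
    '(userdn = "ldap:///uid=OIMAdmin,ou=Org1,dc=corp,dc=oracle,dc=com");)'
)

ATTR_NAME = re.compile(r"[A-Za-z][A-Za-z0-9-]*")
TARGETATTR = re.compile(r'\(\s*targetattr\s*(!?=)\s*"([^"]*)"\s*\)', re.IGNORECASE)
ALLOW = re.compile(r"allow\s*\(([^)]*)\)", re.IGNORECASE)
# Assumption: attributes this example treats as credential material.
CREDENTIAL_ATTRS = {"userpassword", "userpkcs12"}


def _targetattr_match(aci):
    """Locate the targetattr clause; refuse negated lists."""
    match = TARGETATTR.search(aci)
    if match is None:
        raise ValueError("ACI has no targetattr clause")
    if match.group(1) == "!=":
        # In a negated list, adding a name would exclude it instead of granting it.
        raise ValueError("targetattr uses !=; do not append to a negated list")
    return match


def list_target_attrs(aci):
    """Return the attribute names in the targetattr list, in order."""
    raw = _targetattr_match(aci).group(2)
    return [name.strip() for name in raw.split("||") if name.strip()]


def add_target_attr(aci, attr):
    """Return the ACI with attr added to the targetattr list ("||" delimiter)."""
    if not ATTR_NAME.fullmatch(attr):
        raise ValueError(f"not a valid attribute name: {attr!r}")
    match = _targetattr_match(aci)
    attrs = list_target_attrs(aci)
    if "*" in attrs or attr.lower() in {a.lower() for a in attrs}:
        return aci  # already covered; attribute names are case-insensitive
    new_list = " || ".join([attr] + attrs)
    return aci[:match.start(2)] + new_list + aci[match.end(2):]


def granted_rights(aci):
    """Return the rights named in the allow(...) clause, lower-cased."""
    match = ALLOW.search(aci)
    return [r.strip().lower() for r in match.group(1).split(",")] if match else []


def writable_credential_attrs(aci):
    """List credential attributes the ACI lets the bind user modify."""
    if not {"write", "all"} & set(granted_rights(aci)):
        return []
    return [a for a in list_target_attrs(aci) if a.lower() in CREDENTIAL_ATTRS]


if __name__ == "__main__":
    updated = add_target_attr(SAMPLE_ACI, "passportnumber")
    print(updated)
    print("writable credential attributes:", writable_credential_attrs(updated))
```

Running the review helper against the full sample ACI from this guide shows which credential-bearing attributes the connector account can write, which is worth confirming against what the connector actually needs to provision.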

3.9.2 Adding the Attributes of the Object Class to the Process Form

To add the attributes of the object class to the process form:

  1. Open the Oracle Identity Manager Design Console.

  2. Expand the Development Tools folder.

  3. Double-click Form Designer.

  4. Search for and open the UD_IPNT_USR process form.

  5. Click Create New Version, and then click Add.

  6. Enter the details of the attribute.

    For example, if you are adding the Associated Domain attribute, enter UD_IPNT_USR_ASSOCIATEDDOMAIN in the Name field and then enter the other details of this attribute.

  7. Click Save, and then click Make Version Active.

3.9.3 Adding the Object Class and its Attributes to the Lookup Definition for Provisioning

To add the object class and its attributes to the lookup definition for provisioning:

  1. Expand the Administration folder.

  2. Double-click Lookup Definition.

  3. Search for and open the AttrName.Prov.Map.iPlanet lookup definition.

  4. Add the object class name to the Decode value of the ldapUserObjectClass Code Key.

    Note:

    In the Decode column, use the vertical bar (|) as a delimiter when you add the object class name to the existing list of object class names.

    For example, if you want to add MyObjectClass in the Decode column then enter the value as follows:

    inetorgperson|MyObjectClass
    
  5. Click Add and then enter the Code Key and Decode values for an attribute of the object class. The Code Key value must be the name of the field on the process form and Decode value must be the name of the field on the target system.

    For example, enter Associated Domain in the Code Key field and then enter associatedDomain in the Decode field.

    Note:

    You must perform this step for all the mandatory attributes of the object class. You can also perform this step for the optional attributes.

  6. Click Save.

3.9.4 Adding the Attributes of the Object Class to the Resource Object

To add the attributes of the object class to the resource object:

Note:

You must perform this step for all the mandatory attributes of the object class. You can also perform this step for the optional attributes.

  1. Expand the Resource Management folder.

  2. Double-click Resource Objects.

  3. Search for and open the iPlanet User resource object.

  4. For each attribute of the object class:

    1. On the Object Reconciliation tab, click Add Field.

    2. Enter the details of the field.

    For example, enter Associated Domain in the Field Name field and select String from the Field Type list.

  5. Click the save icon.

3.9.5 Adding the Object Class and its Attributes to the Lookup Definition for Reconciliation

To add the object class and its attributes to the lookup definition for reconciliation, perform all the instructions given in the "Adding the Object Class and its Attributes to the Lookup Definition for Provisioning" section on the AttrName.Recon.Map.iPlanet lookup definition. In other words, while performing Step 3 of the "Adding the Object Class and its Attributes to the Lookup Definition for Provisioning" section, search for and open the AttrName.Recon.Map.iPlanet lookup definition instead of the AttrName.Prov.Map.iPlanet lookup definition.

While performing Step 5 of the "Adding the Object Class and its Attributes to the Lookup Definition for Provisioning" section, note that the Code Key value must be the name of the reconciliation field in the iPlanet User resource object and Decode value must be the name of the field on the target system. For example, enter Associated Domain in the Code Key field and then enter associatedDomain in the Decode field.

3.9.6 Adding attributes of the Object Class to the Provisioning Process

To add the attributes of the object class to the provisioning process:

Note:

You must perform this step for all the mandatory attributes of the object class. You can also perform this step for the optional attributes.

  1. Expand the Process Management folder.

  2. Double-click Process Definition.

  3. Search for and open the iPlanet User provisioning process.

  4. On the Reconciliation Field Mappings tab, click Add Field Map.

  5. In the Field Name field, select the value for the field that you want to add.

    For example, select Associated Domain = UD_IPNT_USR_ASSOCIATEDDOMAIN

  6. In the Field Type field, select the field type.

  7. Click the save icon.

3.10 Configuring the Connector for Multiple Installations of the Target System

Note:

Perform this procedure only if you want to configure the connector for multiple installations of Sun Java System Directory.

You may want to configure the connector for multiple installations of Sun Java System Directory. The following example illustrates this requirement:

The Tokyo, London, and New York offices of Example Multinational Inc. have their own installations of Sun Java System Directory. The company has recently installed Oracle Identity Manager, and they want to configure Oracle Identity Manager to link all the installations of Sun Java System Directory.

To meet the requirement posed by such a scenario, you must create and configure one IT resource for each installation of the target system.

The IT Resources form is in the Resource Management folder. The iPlanet User Resource IT resource is created when you import the connector XML file. You can use this IT resource as the template for creating the remaining IT resources, of the same resource type.

See Also:

Oracle Identity Manager Design Console Guide for detailed instructions

When you use the Administrative and User Console to perform provisioning, you can specify the IT resource corresponding to the target system installation to which you want to provision the user.

Similarly, to reconcile data from a particular target system installation, specify the name of the IT resource for that target system installation as the value of the ITResource scheduled task attribute.

3.11 Guidelines to Be Applied While Using the Connector

Apply the following guidelines while using the connector: