This chapter explains how to manage directory synchronization profiles. It contains these topics:
This section explains how to create, modify, and delete synchronization profiles by using Oracle Enterprise Manager Fusion Middleware Control. It contains these topics:
Note:
Users with non-administrator privileges can use Oracle Enterprise Manager Fusion Middleware Control to view information about existing synchronization profiles, but cannot create or edit profiles.This section explains how to create synchronization profiles using Oracle Enterprise Manager Fusion Middleware Control. When you create the profile, Oracle recommends using the Test Connection function to test the connection to the source host and using the Validate All Mapping Rules function to test your mapping rules. If you encounter error messages, you must fix the profile configuration or you will not be able to enable the profile and perform synchronization using the profile.
If you create a Synchronization Profile using any of the sample map files included with Oracle Directory Integration Platform, you may encounter various warning messages. The Synchronization Profile will function correctly despite the warnings and you can ignore the warning messages. To avoid the warning messages, edit the default settings of the map file included with Oracle Directory Integration Platform according to your specific environment, then create the profile.
Perform the following steps to create a synchronization profile using Oracle Enterprise Manager Fusion Middleware Control:
Open a Web browser and enter the Oracle Enterprise Manager Fusion Middleware Control URL for your environment. The format of the Oracle Enterprise Manager Fusion Middleware Control URL is: https://host:port/em.
Log in to Oracle Enterprise Manager Fusion Middleware Control.
In the navigation panel on the left, click or expand the Identity and Access entry and then select the DIP component where you want to create the synchronization profile.
Click the DIP Server menu, point to Administration, and then click Synchronization Profiles. The Manage Synchronization Profiles appears.
Click Create. The Create Synchronization Profile page appears with tabs for the various types of profile settings. The following sections describe the parameters on each tab in the Create Synchronization Profile page.
After you set values for the parameters, click OK on the Create Synchronization Profile page to create the profile. The profile will appear on the Manage Synchronization Profiles page.
The General tab contains the following parameters that configure the general settings for the profile:
Profile Name: Specify the name of the connector in ASCII characters only—non-ASCII characters are not supported in the Profile Name. The name you enter is used as the RDN component of the DN for this connector profile. For example, specifying a profile name MSAccess creates a connector profile named orclodipagentname=MSAccess,cn=subscriber profile, cn=changelog subscriber, cn=oracle internet directory.
Profile Status: Select whether or not to enable or disable the profile.
Use DIP-OID as?: The DIP-OID label refers to the Oracle Internet Directory that is one end-point for synchronization and provisioning. Select whether Oracle Internet Directory will be used as the source or destination directory. Selecting Source pulls changes from a connected target directory into Oracle Internet Directory. Selecting Destination pushes changes from Oracle Internet Directory into a connected target directory.
Note:
You cannot change the setting for the Use DIP-OID as? option after you select another tab (Mapping, Filtering, or Advanced) on the Create Synchronization Profile page. If you want to change the setting for the Use DIP-OID as? option, click Cancel and recreate the profile.Type: Select the type of connected directory from the list.
Note:
If you select non-standard LDAP type of profile, such as Database or Custom, the subsequent configuration parameters will vary. For example, if you select Custom from the Type list, you must identify the Java classname and the package, for example:com.comp.dip.integration.MyListenerHost: The host where the connected directory is running.
Port: The port where the connected directory is running.
SSL Settings: Specify whether to enable or disable SSL settings. If you enable SSL Settings, the root certificates of the target directory must be in the Oracle Directory Integration Platform keystore to successfully connect or test the connection to the target directory.
User Name: Specify the account to be used by the connector agent for accessing the connected directory. For example, if the connected directory is a database, then the account might be Scott. If the connected directory is another LDAP-compliant directory, then the account might be cn=Directory Manager.
Password: Specify the password the connector/agent is to use when accessing the connected directory.
Test Connection: Use the Test Connection function to test the connection to the source host.
The Mapping tab allows you to configure Domain and Attribute Mapping Rules, and Domain and Attribute Exclusion Lists for the profile.
Domain Mapping Rules are for the domain or container from which objects are synchronized into Oracle Internet Directory. The Domain Exclusion List identifies domains to be excluded during bootstrap and synchronization.
Attribute Mapping Rules are for attributes of the objects that are being managed. The Attribute Exclusion List identifies attributes to be excluded during bootstrap and synchronization.
To create a mapping rule or exclusion list, click Create for the type of mapping rule or exclusion list you want to create, enter values for the parameters, and then click OK at the top of the Create Synchronization Profile page.
Note:
Use the Validate All Mapping Rules button at the top of the Create Synchronization Profile page to test your mapping rules after you create them. If your mapping rules are not valid, you cannot use the profile.The following is a list and description of the Domain Mapping Rules parameters:
Source Container or Destination Container: If you are configuring an import profile, this parameter will be labeled Source Container. If you are configuring an export profile, this parameter will be labeled Destination Container. The parameter identifies the name of the source/destination container from/to which the objects are synchronized. Enter a value of NONLDAP if you a synchronizing with a non-LDAP source.
DIP-OID Container: The DIP-OID label refers to the Oracle Internet Directory that is one end-point for synchronization and provisioning. The name of the destination container into which the objects are synchronized. Enter a value of NONLDAP if you a synchronizing with a non-LDAP source.
Mapping Rule: The specific mapping rule that determines how entries from the source container are mapped to the destination container.
The following is a list and description of the Domain Exclusion List parameters:
Source Container to Exclude: This parameter appears if you are configuring an import profile. Identify the domains to be excluded during bootstrap and synchronization for by entering a value, for example, OU=myou,OU=test,DC=mycompany,DC=com, or by clicking Lookup and browsing to the domain, and then clicking OK in the Create Domain Exclusion Container dialog box.
DIP-OID Container to Exclude: This parameter appears if you are configuring an export profile. Identify the domains to be excluded during bootstrap and synchronization for by entering a value, for example, OU=myou,OU=test,DC=mycompany,DC=com, or by clicking Lookup and browsing to the domain, and then clicking OK in the Create Domain Exclusion Container dialog box.
The following is a list and description of the Attribute Mapping Rules parameters:
Source Object Class: Select the object class in the source directory. Do not select a value when synchronizing with a non-LDAP source.
Source Attributes: The source directory attributes to which you want to apply the mapping rule. When synchronizing with LDAP sources, select the Single Attributes option and enter the appropriate attributes in the Attributes field. When synchronizing with non-LDAP sources, select the Multiple Attributes option and enter the appropriate attributes in the Multivalue Attributes field.
Source Attribute Required: Enable or disable the source attribute requirement.
DIP-OID Object Class: Select the destination object type or class. Use the destination object class for LDAP targets.
DIP-OID Attribute: Select the destination attribute name to which you want to apply the mapping rule.
DIP-OID Attribute Type: Enter the type of the attribute in the destination directory.
Mapping Expression: Enter the transformation rule that derives the destination attribute value from the source attribute value.
The following is a list and description of the Attribute Exclusion List parameters:
ObjectClass: Select the objectclass that contains the attributes you want to add to the Attribute Exclusion List. After you select an objectclass, its attributes appear in the Multiple Address field.
Attributes: Select the attributes you want to add to the Attribute Exclusion List.
The Filtering tab contains the following parameters that configure the filter settings for the profile:
Source Matching Filter: Specify the attribute that uniquely identifies an entry in the connected directory or specify an LDAP search filter for the connected directory in the format searchfilter=ldap_search_filter.
Destination Matching Rule: Specify the attribute that uniquely identifies records in Oracle Internet Directory. This attribute is used as a key to synchronize Oracle Internet Directory with the connected directory.
Associated Profile: The Associated Profile filtering setting is used to avoid loop back changes in bi-directional synchronization where changes initiated from one directory return to the same directory. For import profiles, specify the export profile it is associated with in the Associated Profile field. For export profiles, specify the import profile used for synchronizing the data from that directory.
Note:
To disassociate a profile, set the Associated Profile setting to Select One.The Advanced tab contains the following parameters that configure the advanced settings for the profile:
Scheduling Interval (HH:MM:SS): Specify the number of hours, minutes, and seconds between synchronization attempts between a connected directory and Oracle Internet Directory.
Maximum Number of Retries: Specify the maximum number of times the synchronization is to be retried before synchronization stops. The default is 5. The first retry takes place one minute after the first failure. The second retry happens two minutes after the second failure, and subsequently the retry takes place n minutes after the n failure.
Log Level: Specify the logging level for debugging. Selecting the All level logs all information, including entries that are synchronized.
Last Change Number: Identifies the number of changes that synchronization has been performed for. When you create a synchronization profile, the Last Change Number parameter is locked—you cannot enter a value for it.
After you create a synchronization profile and attempt to edit it, an additional option named Edit and Persist is available for the Last Change Number parameter. You can edit the value for the Last Change Number parameter if you select (enable) the Edit and Persist option. Enabling the Edit and Persist option causes the Last Change Number to be persisted in the profile. Changes to the Last Change Number will not be persisted if the Edit and Persist option is not enabled.
WARNING:
Be aware that if you edit the value for the Last Change Number, setting an incorrect value can cause the profile to stop working or cause erroneous synchronization operations.
Additional Configuration Parameters: This section allows you to manage optional, advanced configuration parameters. To create an advanced configuration parameter, click Add and identify the parameter and its value. The following is a list and description of each advanced configuration parameter:
Update Search Count: Specifies the maximum number of iterations to perform on the connected directory during the synchronization process. The synchronization process stops after the specified number of search has been performed and resumes at the next scheduled interval.
Skip Error To Sync Next Change: Determines how Oracle Directory Integration Platform handles an error when processing a change during synchronization. By default, Skip Error To Sync Next Change is assigned a value of false, which means that Oracle Directory Integration Platform will continue processing a change until the error is resolved. If you assign a value of true to Skip Error To Sync Next Change, Oracle Directory Integration Platform will skip any changes that cause an error. All failures are recorded in the $ORACLE_HOME/ldap/odi/log/profile_name.aud audit log. If you set Skip Error To Sync Next Change to true, be sure to periodically review the audit log for failures.
Writer: Identifies the Writer used by the profile for synchronization. This is a read only value and is used only for information purposes.
Reader: Identifies the Reader used by the profile for synchronization. This is a read only value used only for information purposes.
Search Time Delta Size in seconds: Applicable only for eDirectory and OpenLDAP, it determines how many incremental changes are processed during each iteration in a synchronization cycle. The default value is a value of 500. The number of iterations performed during each synchronization cycle depend on the number of pending changes. For example, if the SearchDeltaSize parameter is assigned a value of 500 and there are 498 pending changes, synchronization will require a single iteration. However, if there are 501 pending changes, synchronization will require two iterations. In some cases, you will experience better synchronization efficiency if you assign a higher value to this parameter. However, be sure that the value you specify does not exceed the LDAP search limit of the connected directory server. Otherwise, you may receive an error during synchronization and some changes may not be processed.
Be sure to thoroughly analyze and test your deployment when modifying the SearchDeltaSize parameter, especially if you assign a value higher than 2,000.
Reconciler: Do not modify this parameter. It identifies the class used by the profile for reconciliation purposes. The parameter is applicable only for eDirectory and OpenLDAP. This is a read only value used only for information purposes.
Attribute Type: Applicable only for eDirectory and OpenLDAP, it indicates the type of the UniqueAttribute parameter. You assign to this parameter a value of Binary for Novell eDirectory or nonBinary for OpenLDAP. This parameter is used to obtain the corresponding Oracle Internet Directory attribute for the attribute that is defined in the mapping file.
Check All Entries: Applicable only for eDirectory and OpenLDAP, it determines how deleted entries in Novell eDirectory or OpenLDAP are synchronized with Oracle Internet Directory. If you assign a value of true to this parameter, the Oracle Directory Integration Platform identifies deleted entries by performing a linear comparison between the entries in Oracle Internet Directory and Novell eDirectory or OpenLDAP. If an entry does not exist in Novell eDirectory or OpenLDAP, the entry is deleted from Oracle Internet Directory. If you assign a value of false to this parameter, deleted entries are synchronized according to the difference between the number of entries in the connected directory and the number of entries in Oracle Internet Directory. If the number of deleted entries is 0 or less than 0, then there are no deleted entries to synchronize. However, if the number of deleted entries is greater than 0, then the Oracle Directory Integration Platform compares each entry in Oracle Internet Directory with Novell eDirectory or OpenLDAP to identify the deleted entries to synchronize. The Oracle Directory Integration Platform continues to compare entries until it locates the same number of deleted entries as the difference between the number of entries in the connected directory and the number of entries in Oracle Internet Directory. For better performance, you should assign a value of false to this parameter.
Reduce Filter Time In Seconds: Applicable only for eDirectory and OpenLDAP, it specifies the time difference between a computer that is running Oracle Internet Directory and a computer that is running Novell eDirectory. This parameter is necessary because synchronization between Oracle Internet Directory and Novell eDirectory will not function properly if the time on the Novell eDirectory computer is earlier than the time on the Oracle Internet Directory computer. You assign to this parameter a value in seconds that is equal to the time difference between the two computers. The default value is 0.
Unique Attribute: Applicable only for eDirectory and OpenLDAP, it identifies the unique attribute in Novell eDirectory or OpenLDAP that can be used to search for an entry. You assign to this parameter a value of GUID for Novell eDirectory or entryuuid for OpenLDAP.
To edit an existing synchronization profile using Oracle Enterprise Manager Fusion Middleware Control:
Open a Web browser and enter the Oracle Enterprise Manager Fusion Middleware Control URL for your environment. The format of the Oracle Enterprise Manager Fusion Middleware Control URL is: https://host:port/em.
Log in to Oracle Enterprise Manager Fusion Middleware Control.
In the navigation panel on the left, click or expand the Identity and Access entry and then select the DIP component that contains the profile you want to edit.
Click the DIP Server menu, point to Administration, and then click Synchronization Profiles. The Manage Synchronization Profiles appears displaying a list of the existing profiles.
Select the profile you want to edit from the list and click Edit. The Edit Synchronization Profile screen appears for the profile you want to edit.
Edit the profile settings by referring to the "General", "Mapping", "Filtering", and "Advanced" sections in "Creating Synchronization Profiles" that describe each profile parameter.
Note:
You must edit the settings on the General tab before editing the settings on any other tab.Click OK on the Edit Synchronization Profile page to save the updated profile.
To enable or disable an existing synchronization profile using Oracle Enterprise Manager Fusion Middleware Control:
Open a Web browser and enter the Oracle Enterprise Manager Fusion Middleware Control URL for your environment. The format of the Oracle Enterprise Manager Fusion Middleware Control URL is: https://host:port/em.
Log in to Oracle Enterprise Manager Fusion Middleware Control.
In the navigation panel on the left, click or expand the Identity and Access entry and then select the DIP component that contains the profile you want to enable or disable.
Click the DIP Server menu, point to Administration, and then click Synchronization Profiles. The Manage Synchronization Profiles appears displaying a list of the existing profiles.
Select the profile you want to enable or disable from the list of existing profiles.
Click the Enable Profile button to enable the profile.
Click the Disable Profile button to enable the profile.
Use Oracle Enterprise Manager Fusion Middleware Control to delete a synchronization profile—never delete a synchronization profile directly from Oracle Internet Directory. If you use Oracle Internet Directory to delete a synchronization profile you will receive a PROFILE_ALREADY_REGISTERED message if you attempt to recreate the profile.
Perform the following steps to delete a synchronization profile using Oracle Enterprise Manager Fusion Middleware Control:
Open a Web browser and enter the Oracle Enterprise Manager Fusion Middleware Control URL for your environment. The format of the Oracle Enterprise Manager Fusion Middleware Control URL is: https://host:port/em.
Log in to Oracle Enterprise Manager Fusion Middleware Control.
In the navigation panel on the left, click or expand the Identity and Access entry and then select the DIP component that contains the profile you want to delete.
Click the DIP Server menu, point to Administration, and then click Synchronization Profiles. The Manage Synchronization Profiles appears.
On the Manage Synchronization Server page, select profile you want to delete and click Delete. A window that prompts you to confirm deletion of the connector profile.
Click Yes to confirm that you want to delete the profile.
The Manage Synchronization Profiles utility, manageSyncProfiles, allows you to manage synchronization profiles. manageSyncProfiles is located in the ORACLE_HOME/bin directory.
Notes:
Best security practice is to provide a password only in response to a prompt from the command.
You must set the WLS_HOME and ORACLE_HOME environment variables before executing any of the Oracle Directory Integration Platform commands
The Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed must be configured for SSL to execute this command in SSL mode. Refer to the Configuring SSL chapter in Oracle Fusion Middleware Securing Oracle WebLogic Server for more information.
This topic contains the following sections:
manageSyncProfiles {activate | deactivate | copy | deregister | get | isexists |
update | testProfile | validateProfile | validateMapRules | register |
updatechgnum | associateProfile | dissociateProfile | getAllAssociatedProfiles |
getAssociatedProfile | list } -h HOST -p PORT -D wlsuser [-ssl -keystorePath
PATH_TO_KEYSTORE -keystoreType TYPE] [-profile] [-newProfile]
[-associateProfile][-file] [-params 'prop1 val1 prop2 val2 ...']
[-conDirHost] [-conDirPort] [-conDirBindDn] [-mode] [-conDirType] [-conDirSSL]
[-profileStatus] [-help]
Changes the state of the profile identified by -profile to ENABLE.
Changes the state of the profile identified by -profile to DISABLE.
Copies an existing profile profile to profile newProfile
Deletes an existing profile from Oracle Internet Directory.
Gets the profile details from Oracle Internet Directory.
Checks if the profile profile exists in Oracle Internet Directory.
Modifies the profile properties that are identified by command arguments.
Changes the state of a disabled profile profile to TEST and schedules the profile for testing to ensure the profile will successfully perform synchronization. After executing the manageSyncProfiles command with the testProfile operation, the results of the test are available in the following log file, where WL_DOMAIN_HOME represents the Oracle WebLogic Server Domain home and ORACLE_WEBLOGIC_MANAGEDSERVER_NAME represents the name of the Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed:
WL_DOMAIN_HOME/servers/ORACLE_WEBLOGIC_MANAGED_SERVER_NAME/logs/ORACLE_WEBLOGIC_MANAGED_SERVER_NAME.log
Note:
The testProfile operation cannot schedule profiles that are in ENABLE state for testing.Validates the syntax of the values in the specified profile for correctness.
Validates the map rules provided.
Creates a new profile in Oracle Internet Directory.
Updates the last applied change number in the profile to latest.
Associates associateProfileName with profileName. This is helpful during bidirectional synchronization between directories. You can specify a profile as an associated profile of different profile to help prevent information backflow.
Dissociates an associated profile to profileName
Returns a list of all profiles whose orclodipassociatedprofile attribute is set to the profile you identify using -pf. For example, if you use getAllAssociatedProfiles with -pf test, getAllAssociatedProfiles returns a list of all profiles that have their orclodipassociatedprofile attribute set to test.
This is useful when you want to delete a profile. You can use it to get a list of all associations you must disassociate before you can delete the profile.
Returns the value of the orclodipassociatedprofile attribute for the profile you identify using -pf.
Displays all profiles registered in Oracle Internet Directory.
Oracle WebLogic Managed Server host where Oracle Directory Integration Platform is deployed.
Listening port of the Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed.
Oracle WebLogic Server login ID
Note:
You will be prompted for the Oracle WebLogic Server login password. You cannot provide the password as a command-line argument. Best security practice is to provide a password only in response to a prompt from the command. If you must executemanageSyncProfiles from a script, you can redirect input from a file containing the Oracle WebLogic Server login password. Use file permissions to protect the file and delete it when it is no longer necessary. If you must provide more than one password to manageSyncProfiles, put each on a separate line in the file, in the following order: connected directory bind DN password, then Oracle WebLogic Server login password.Executes the command in SSL mode.
Note:
The Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed must be configured for SSL to execute this command in SSL mode. Refer to the Configuring SSL chapter in Oracle Fusion Middleware Securing Oracle WebLogic Server for more information.The full path to the keystore.
The type of the keystore identified by -keystorePath. For example: -keystorePath jks or -keystorePath PKCS12
The name of the synchronization profile to use when performing the operation.
The name of the new profile which will be a copy of profile.
The name of the profile that will be associated with profile
The full path and file name of the profile properties file containing the properties.
See:
Appendix B, "Example Properties File for Synchronization Profiles" for an example of a profile properties file.A value is of the form prop1 val1 prop2 val2 ... where prop is the name of a profile property and val is the new value for that property. This keyword is used only for modification of a profile. You can specify as many key values as required. Refer to Appendix B, "Example Properties File for Synchronization Profiles" to see the names of the profile properties that can be identified using prop1, prop2, and so on.
Host where connected directory server is running.
Port at which connected directory server listens.
Connected directory server bind DN.
Note:
You will be prompted for the connected directory bind DN password. You cannot provide the password as a command-line argument. Best security practice is to provide a password only in response to a prompt from the command. If you must executemanageSyncProfiles from a script, you can redirect input from a file containing the connected directory bind DN password. Use file permissions to protect the file and delete it when it is no longer necessary. If you must provide more than one password to manageSyncProfiles, put each on a separate line in the file, in the following order: connected directory bind DN password, then Oracle WebLogic Server login password.Synchronization mode to be used: import or export
Connected directory type. Supported values are ActiveDirectory, EDirectory, iPlanet, OpenLDAP, ADAM, Tivoli, OID, and ExchangeServer2003.
SSL mode value used to connect connected directory server
Displays status for the profile. Used only with the list operation.
Provides command usage help.
manageSyncProfiles register -h myhost.mycompany.com -p 7005 -D login_ID \
-f /opt/ldap/odip/iPlImport.profile
manageSyncProfiles deregister -h myhost.mycompany.com -p 7005 \
-D login_ID -pf myProfile
manageSyncProfiles updatechgnum -h myhost.mycompany.com -p 7005 \
-D login_ID -pf myProfile
manageSyncProfiles activate -h myhost.mycompany.com -p 7005 \
-D login_ID -pf myProfile
manageSyncProfiles deactivate -h myhost.mycompany.com -p 7005 \
-D login_ID -pf myProfile
manageSyncProfiles get -h myhost.mycompany.com -p 7005 \
-D login_ID -pf myProfile
manageSyncProfiles testProfile -h myhost.mycompany.com -p 7005 \
-D login_ID -pf myProfile
manageSyncProfiles associateprofile -h myhost.mycompany.com -p 7005 \
-D login_ID -pf myProfile -assopf myProfile1
manageSyncProfiles dissociateprofile -h myhost.mycompany.com -p 7005 \
-D login_ID -pf myProfile
manageSyncProfiles getAllAssociatedProfiles -h myhost.mycompany.com -p 7005 \
-D login_ID -pf myProfile
manageSyncProfiles getAssociatedProfile -h myhost.mycompany.com -p 7005 \
-D login_ID -pf myProfile
manageSyncProfiles update -h myhost.mycompany.com -p 7005 \
-D login_ID -pf myProfile -f /opt/ldap/odip/iPlImport.profile
manageSyncProfiles validateMapRules -h myhost.mycompany.com -p 7005 \
-D login_ID -f /opt/ldap/odip/iPlImport.map -conDirHost server.example.com \
-conDirPort 8000 -conDirBindDn administrator@idm2003.net -mode IMPORT \
-conDirType IPLANET
manageSyncProfiles isexists -h myhost.mycompany.com -p 7005 -D login_ID \
-pf myProfile
manageSyncProfiles copy -h myhost.mycompany.com -p 7005 -D login_ID \
-pf myProfile -newpf yourProfile
manageSyncProfiles list -h myhost.mycompany.com -p 7005 -D login_ID -profileStatus
During the synchronization process, the server constantly updates the orcllastappliedchangenumber synchronization status attribute. Oracle recommends that you do not change the synchronization status attributes. However, there may be cases when you need to update the orcllastappliedchangenumber attribute. For example, you may need to reapply some changes or skip synchronization of certain entries.
You can change the orcllastappliedchangenumber attribute using Oracle Enterprise Manager Fusion Middleware Control or the manageSyncProfiles command and the updatechgnum argument.
To change the orcllastappliedchangenumber attribute using Oracle Enterprise Manager Fusion Middleware Control, perform the steps in "Editing Synchronization Profiles", and set the Last Change Number setting on the Advanced tab.
To change the orcllastappliedchangenumber attribute using the manageSyncProfiles command and the updatechgnum argument, refer to "Managing Synchronization Profiles Using manageSyncProfiles".
To set a profile property value to null (that is, blank or empty) when manually editing a profile, use a null string, for example: ''. Using a comment (or hash character, #) on the property's line indicates only that the line will not be read, it does not set the property's value to null.