Selecting and Mapping User Attributes

After you have created and configured your Directory Server and Windows directory sources, you must decide which user attributes you want to synchronize and then map those attributes between systems.

The information in this section is organized as follows:

Selecting and Mapping Attributes
Creating Parameterized Default Attribute Values
Changing the Schema Source

Selecting and Mapping Attributes

There are two types of attributes:

Significant: Attributes that are synchronized between systems when you create or modify user entries.
Creation: Attributes that are synchronized between systems only when you create user entries.

Some creation attributes are mandatory based on the schema used for each platform. These attributes are required for password synchronization and they must be mapped to Directory Server attributes to successfully create a user object class entry on the Active Directory server.

This section explains how to select user attributes for synchronization and how to map these attributes (one-to-one) so that when you specify an attribute for Directory Server the equivalent attribute will display in your Active Directory and/or Windows NT environment (and vice versa), and the companion Windows attributes will have their values synchronized.

To Select and Map Attributes for Synchronization

Select the Identity Synchronization for Windows node at the top of the navigation tree.
Figure 4-28 Attributes Tab

Note - When the Group Synchronization feature has been enabled, the uniquemember (Directory Server) attribute and member attribute (Active Directory) are internally mapped and would be indicated as shown in the console.
Select the Attributes tab and then click the New button.
The Define Significant Attribute Mappings dialog box is displayed. Use this dialog box to map attributes from Directory Server to your Windows Systems (Active Directory and/or Windows NT).

Figure 4-29 Defining Significant Attribute Mappings

Note - Which creation attributes are mandatory for Directory Server (or for Active Directory) will depend on the objectclass configured for your Sun-side (or Active Directory-side) user entries.
The program automatically uses inetOrgPerson as the default objectclass for Directory Server, and you loaded the Active Directory schema when you specified the global catalog. So you do not use the Load Schema buttons unless you want to change the default schema.
If you want to change the default schema source, see Changing the Schema Source
Select an attribute from the Sun Java System attribute drop-down list (for examplecn), and then select the equivalent attribute from the Active Directory attribute and/or Windows NT SAM attribute drop-down menus.
When you are finished, click OK.
To designate additional attributes, repeat steps 2 through step 4.
A finished Synchronized Attributes table might look something like the following example, which shows the userpassword, cn, and telephonenumber Directory Server attributes mapped to unicodepwd, cn, and telephonenumber Active Directory attributes.

Figure 4-30 Completed Synchronized Attributes Table

Creating Parameterized Default Attribute Values

Identity Synchronization for Windows allows you to create parameterized default values for attributes using other creation or significant attributes.

To create a parameterized default attribute value, you embed an existing creation or significant attribute name— preceded and followed by percent symbols (% attribute_name %) — in an expression string. For example, homedir=/home/%uid% or cn=%givenName% %sn%.

When you create these attribute values:

You can use multiple attributes in a creation expression (cn=%givenName% %sn%).
If A=0, then B can have one default value only.
You can use the backslash symbol (\\) for quoting (for example, diskUsage=0\\%).
Do not use expressions that have cyclic substitution conditions (for example, if you specify description=%uid%, you cannot use uid=%description%.)

Note - When Group Synchronization is enabled, the following are important:

The creation expression supported at Active Directory is cn=%cn%.
The creation expression must contain valid attribute names belonging to the group objectclass also since the creation expression is common to both user as well as the group.

For example: The attribute sn is not part of the groupofuniquenames objectclass at the Directory Server. Hence the following creation expression would be invalid for a group object. (Though it would work fine for user.)

cn=%cn%.%sn%
The attribute used in the creation expression must be provided with a value for every user/group entry created. The value maybe provided using the command line interface, if the console does not have the provision.

Changing the Schema Source

The program automatically provides default schema sources, but allows you to change the default schema.

To Change the Default Schema Source

Click the Load Schema button on the Define Significant Attribute Mappings dialog box.
The Select Schema Sources panel is displayed.

Figure 4-31 Selecting Schema Sources
Use this panel to specify from which Sun Java System Directory Server schema server you want to read the schema. This schema contains the object classes that are available on your system, and object classes define which attributes are available for users on your system.
The program adds your configuration directory to the Sun Java System Directory schema server field by default.
To select a different server, click the Choose button.
The Select a Sun Schema Host dialog box is displayed. This dialog box contains a list of the configuration directories that gather administrative information about your directory sources.
From this dialog box, you can:
- Create new configuration directories and add them to the list.
  
  Click New, and when the New Configuration Directory dialog box displays; specify a Host, Port, User DN, and Password. Click OK when you are done.
- Edit existing directories.
  
  Click Edit, and when the Edit Configuration Directory dialog box displays, you can change the Host, Port, User DN, and/or Password. Click OK when you are done.
- Remove directories from the list.
  
  Select a directory name from the list and then click the Remove button.
Select a server from the list and click OK when you are done. (Generally, one of your Sun synchronization host(s) is a good choice as a schema source.)
Click the Next button and the Select Structural and Auxiliary Object Classes panel is displayed.
Figure 4-32 Selecting Structural and Auxiliary Object Classes
Use this panel to specify the object classes to synchronize, as follows:
- Structural Object Class: Every entry that is created or synchronized from the selected Directory Server must have at least one structural object class.
- Auxiliary Object Classes: These object classes augment the selected structural class and provide additional attributes for synchronization.
  
  To specify structural and auxiliary object classes:
1. Select a structural object class from the drop-down list. ( Default is inetorgperson.)
2. Select one or more object classes from the Available Auxiliary Object Classes list pane, and then click Add to move your selection(s) to the Selected Auxiliary Object Classes list pane.
  The selected object class(es) determine which Directory Server source attributes will be available for selection as significant or creation attributes. The object class(es) also determine the mandatory creation attributes.
  To delete selections from the Selected Auxiliary Object Classes list, click the object class name and then click the Remove button.
3. When you are done, click Finish and the program loads the schema and selected object classes.

Skip Navigation Links
Exit Print View
	Oracle Identity Synchronization for Windows 6.0 Installation and Configuration Guide