1 About the Connector
Oracle Identity Manager automates access rights management, security, and provisioning of IT resources. Oracle Identity Manager connectors are used to integrate Oracle Identity Manager (OIM) with external, identity-aware applications. This guide discusses the connector that enables you to use IBM Lotus Notes and Domino either as a managed (target) resource or as an authoritative (trusted) source of identity data for OIM.
Note:
At some places in this guide, IBM Lotus Notes and Domino has been referred to as the target system.
In the account management (target resource) mode of the connector, information about users created or modified directly on the target system can be reconciled into OIM. In addition, you can use OIM to perform provisioning operations on the target system.
In the identity reconciliation (trusted source) configuration of the connector, users are created or modified only on the target system and information about these users is reconciled into OIM.
Note:
It is recommended that you do not configure the target system as both an authoritative (trusted) source and a managed (target) resource.
This chapter contains the following sections:
1.1 Certified Components
Table 1-1 lists the certified components for this connector.
Table 1-1 Certified Components
Item | Requirement |
---|---|
Oracle Identity Governance or Oracle Identity Manager | You can use one of the following releases of Oracle Identity Governance or Oracle Identity Manager: |
Target systems | IBM Lotus Notes/Domino 8, 8.5, 8.5.x, 9.0, 9.0.1. Note: You must install IBM Lotus Notes on the same computer as the connector. |
Connector Server | 11.1.2.1.0 |
Connector Server JDK | For Oracle Identity Manager 11g Release 2 (11.1.2.0) and any later BP in this release track, use JDK 1.6 or later. Note: Use a JDK version that is compatible with the JDK version supported by the Lotus Notes/Domino target. |
External code | See Using External Code Files for more information about these files. |
1.2 Usage Recommendations
Deploy and use one of these connector versions on the basis of the Oracle Identity Manager and target system versions.
- Depending on the Oracle Identity Manager version that you are using, you must deploy and use one of the following connectors:
  - If you are using an Oracle Identity Manager release 9.1.0.1 or later and earlier than Oracle Identity Manager 11g Release 1 (11.1.1.5.0), then use the 9.0.4.x version of this connector.
  - If you are using Oracle Identity Manager 11g Release 1 (11.1.1.5.0) or later, Oracle Identity Manager 11g Release 2 BP04 (11.1.2.0.4) or later, or Oracle Identity Manager 11g Release 2 PS3 (11.1.2.3.0), then use the latest 11.1.1.x version of this connector.
- Depending on the target system that you are using, you must deploy and use one of the following connectors:
  - If you are using the following target systems, then use the 9.0.4.x version of this connector:
    - Oracle Enterprise Linux 5.2
    - Solaris 8
  - If you are using the following target systems, then use the latest 11.1.1.x version of this connector:
    - Exadata V2, ExaLogic X2-2
    - Oracle Enterprise Linux later than 5.2, x86 (32-bit) and x64 (64-bit)
    - Solaris 11
1.3 Certified Languages
These are the languages that the connector supports.
- Arabic
- Chinese (Simplified)
- Chinese (Traditional)
- Danish
- English
- French
- German
- Italian
- Japanese
- Korean
- Portuguese (Brazilian)
- Spanish
1.4 Connector Architecture
The Lotus Notes/Domino connector enables you to manage user accounts through Oracle Identity Manager.
Figure 1-1 shows the architecture of the connector for IBM Lotus Notes and Domino.
You can configure the connector to run in one of the following modes:
- Identity Reconciliation
  Identity reconciliation is also known as authoritative or trusted source reconciliation. In this form of reconciliation, OIM users are created or updated corresponding to the creation of, and updates to, users on the target system.
  After an update, you must run trusted source reconciliation again so that only that user is updated.
- Account Management
  Account management is also known as target resource management. This mode of the connector enables the following operations:
  - Provisioning
    Provisioning involves creating or updating users on the target system through Oracle Identity Manager. When you allocate (or provision) a Lotus Notes resource to an OIM User, the operation results in the creation of an account on IBM Lotus Notes and Domino for that user. In the Oracle Identity Manager context, the term provisioning also covers updates made to the target system account through Oracle Identity Manager.
  - Target resource reconciliation
    In target resource reconciliation, data related to newly created and modified target system accounts can be reconciled and linked with existing OIM Users and provisioned resources. A scheduled job is used for reconciliation.
Note:
See Understanding the Identity Connector Framework in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager for more information.
1.5 Features of the Connector
The features of the connector include full and incremental reconciliation, limited reconciliation, support for adding new attributes for reconciliation and provisioning and so on.
1.5.1 Support for Both Target Resource and Trusted Source Reconciliation
You can use the connector to configure Oracle Internet Directory as either a target resource or trusted source of Oracle Identity Manager.
See Configuring Reconciliation for more information.
1.5.2 Support for Limited Reconciliation
For a reconciliation run, you can specify the subset of added or modified target system records that must be reconciled.
See Performing Limited Reconciliation for more information.
1.5.3 Support for Both Full and Incremental Reconciliation
After you deploy the connector, you can perform full reconciliation to bring all existing user data from the target system to Oracle Identity Manager. After the first full reconciliation run, change-based or incremental reconciliation is automatically enabled from the next run of the user reconciliation.
You can perform a full reconciliation run at any time. See Performing Full Reconciliation and Incremental Reconciliation for more information.
1.5.4 Support for Adding Attributes for Reconciliation and Provisioning
You can add to the standard set of attributes for reconciliation and provisioning. Extending the Functionality of the Connector describes the procedure.
1.6 Lookup Definitions Used During Reconciliation and Provisioning
Lookup definitions used during reconciliation and provisioning can be divided into the following categories:
1.6.1 Lookup Definitions Synchronized with the Target System
The Domino Connector Lookup Reconciliation scheduled job synchronizes the Lookup.Domino.Group lookup definition with the target system. The Lookup.Domino.Group lookup definition holds values for the Group lookup field on the process form.
Running this scheduled job populates the Lookup.Domino.Group lookup definition with group names fetched from the target system. For more information about the Domino Connector Lookup Reconciliation scheduled job, see Scheduled Job for Lookup Field Synchronization.
1.6.2 Other Lookup Definitions
Table 1-2 describes the other lookup definitions that are created in Oracle Identity Manager when you deploy the connector. Some of these lookup definitions are pre-populated with values. You must manually enter values for other definitions after the connector has been deployed.
In these Lookups, the Code Key column stores the process form field labels and the Decode column stores the Domino Attribute name.
Table 1-2 Other Lookup Definitions
Lookup Definition | Description of Values | Method to Specify Values for the Lookup Definition |
---|---|---|
Combo.Domino.Security.Type | This definition holds information about security types that you can select for a target system account created through OIM. Code Key and Decode values in this definition are: These values are used in the License Type combo box. License Type determines which type of ID file is created, and affects encryption when sending or receiving mail and when encrypting data. | This lookup definition is preconfigured. Do not add or modify entries in this lookup definition. |
Lookup.Domino.UM.Configuration | This lookup definition holds information about the user attribute maps that you can select for a target system account created through OIM. The Code Key and Decode values in this definition are: | |
Lookup.Domino.UM.Configuration.Trusted | This lookup definition holds information about the trusted configuration for the Domino User object. The Code Key and Decode values in this definition are: | |
Lookup.Configuration.Domino | This lookup definition holds connector configuration entries that are used during reconciliation and provisioning. The Code Key and Decode values in this definition are: This lookup definition uses the | The entries in this lookup definition are preconfigured and should not require modification. To add entries, see Setting Up the Lookup.Configuration.Domino Lookup Definition for instructions. |
Lookup.Domino.NotesCertifiers | This lookup definition holds information for the NotesCertifier object type. The Code Key and Decode value in this definition is: CODE: Shortname DECODE: ShortName. You can configure Domino Connector Lookup Reconciliation to reconcile values into this lookup. | |
Lookup.Configuration.Domino.Trusted | This lookup definition is the main configuration lookup for trusted reconciliation. The Code Key and Decode values in this definition are: This lookup definition should be referenced in the IT resource, and configured as the trusted IT resource. | The entries in this lookup definition are preconfigured and should not require modification. |
Lookup.Domino.UM.TrustedDefaults | This lookup definition holds the mapping for all trusted reconciliation default values. These default values are used when a value is not received from the target resource. The Code Key and Decode values in this definition are: | |
Lookup.Domino.UM.ReconAttrMap | This lookup definition holds the mapping for all reconciliation operations between resource object fields and the target system attributes. The Code Key and Decode values in this definition are: | This lookup definition is preconfigured. Table 1-3 describes the default entries in this lookup definition. You can add entries to this lookup definition if you want to map new target system attributes for reconciliation. For more information, see Adding Target System Attributes for Reconciliation. |
Lookup.Domino.UM.ReconAttrMap.Trusted | This lookup definition holds the mapping for all trusted reconciliation attributes. The Code Key and Decode values in this definition are: | This lookup definition is preconfigured. Table 1-3 describes the default entries in this lookup definition. You can add entries to this lookup definition if you want to map new target system attributes for reconciliation. For more information, see Adding Target System Attributes for Reconciliation. |
Lookup.Domino.UM.ProvAttrMap | This lookup definition holds the mapping for all provisioning operations between resource object fields and target system attributes. The Code Key and Decode values in this definition are: | This lookup definition is preconfigured. Table 1-3 lists the default entries in this lookup definition. You can add entries to this lookup definition if you want to map new target system attributes for provisioning. For more information, see Adding Target System Attributes for Provisioning. |
1.7 Connector Objects Used During Target Resource Provisioning and Reconciliation
This section describes the different connector objects that you use for target provisioning and reconciliation.
This information is organized into the following topics:
1.7.1 User Attributes
The Process Form contains fields for Domino attributes that are supported "out-of-the-box." You must map these process form fields to Lotus Notes/Domino attributes for both provisioning and reconciliation, as follows:
- For provisioning, map the form fields to attributes in Lookup.Domino.UM.ProvAttrMap
- For reconciliation, map the form fields to attributes in Lookup.Domino.UM.ReconAttrMap
In these Lookups, the Code Key column stores the process form field labels and the Decode column stores the Domino Attribute name.
Table 1-3 describes the form fields used for target resource provisioning and reconciliation.
Table 1-3 Process Form Fields Used for Target Provisioning and Reconciliation
Process Form Field Label | Field Type | Description |
---|---|---|
Certifier ID File Path | TextField | Fully qualified path to the Certifier ID file |
Certifier Org Hierarchy | LookupField | Canonical or abbreviated name of the certifier. For example, if the certifier is: This value is provided in the Lookup.Domino.NotesCertifiers lookup. You can configure this lookup to reconcile values from a target resource by using the |
Certifier Password | PasswordField | Password for the specified Certifier ID file |
Comment | TextField | Comment |
End Date | DateFieldDlg | End date |
First Name | TextField | First name |
Forwarding Domain | TextField | Forwarding e-mail address |
Last Name | TextField | Last name |
License Type | ComboBox | Type of ID file used to encrypt incoming or outgoing email and to encrypt data |
Location | TextField | Location |
Mail File Name | TextField | Mail file name. Note: A mail file is created only when you register a new user. Although you can change the name in OIM, the file is not renamed. |
Mail Internet Address | TextField | E-mail address |
Mail Quota Limit | TextField | Maximum amount of mail permitted |
Mail Quota Warning | TextField | Mail size threshold at which the user is warned that the quota is about to be, or has been, exceeded |
Mail Replica Servers | TextField | List of replica mail servers |
Mail Server | TextField | Default mail server to use when creating users |
Middle Name | TextField | Middle name |
Organization Unit | TextField | Organization to which the user belongs |
Password | PasswordField | Password |
Recertify | CheckBox | Recertify |
Server Name | ITResourceLo | Server name |
Short Name | TextField | Short name |
Universal Id | DOField | Universal ID |
CA Certifier | | Mention the hierarchical CA Certifier name here. Example: In this example, CA is the CA Certifier under the org1 organization. |
RoamSubDir | | Roaming subdirectory name. Example: |
MoveCertifer | | If you select this check box, the user name is moved in the name hierarchy. See Moving the User Name in the Name Hierarchy for more information. |
Table 1-4 describes the mapping between the form fields and user attributes for target resource provisioning and reconciliation.
Table 1-4 Mapping Form Fields to User Attributes for Target Resource Provisioning and Reconciliation
Process Form Field | IBM Lotus Notes and Domino Attribute |
---|---|
Certifier ID File Path | certifierIDFile |
Certifier Org Hierarchy[LOOKUP] | CertifierOrgHierarchy |
Certifier Password | credentials |
Comment | Comment |
End Date | GroupList |
First Name | FirstName |
Forward Domain (for provisioning) Forwarding Domain (for reconciliation) | forwardingAddress |
Full Name | __NAME__="${First_Name} ${Middle_Name}${Last_Name}${Certifier_Org_Hierarchy}" |
Group List~Group[LOOKUP] (for reconciliation) UD_LNGRP~Group Name[LOOKUP] (for provisioning) | GroupList |
IDFile Name[PROVIDEONPSWDCHANGE] | idFile |
Last Name | LastName |
License Type | NorthAmerican |
Location | Location |
Mail File (for reconciliation) | MailFile |
Mail File Name (for provisioning) | MailFile |
Mail Internet Address | InternetAddress |
Mail Quota Limit | MailQuotaSizeLimit |
Mail Quota Warning | MailQuotaWarningThreshold |
Mail Replica Servers | MailReplicaServers |
Mail Server | MailServer |
Middle Name | MiddleInitial |
Old Password | _CURRENT_PASSWORD_ |
Organization Unit | OrgUnit |
Password | _PASSWORD_ |
Recertify | Recertify |
Short Name | ShortName |
Status (for reconciliation) | _Enable_ |
Universal Id | _UID_ |
1.7.2 Provisioning Functions
Provisioning functions are provisioning process tasks that use adapters to perform provisioning operations.
Table 1-5 lists the provisioning functions that are available with this connector.
Table 1-5 Provisioning Functions
Function | Adapter | Description |
---|---|---|
| | Use this function to create users. Parameters include: |
| | Use this function to delete users. Parameters include: |
| | Use this function to update the User field. Parameters include: |
| | Use this function to update passwords. Parameters include: |
| | Use this function to set a user's status to disabled. Parameters include: |
| | Use this function to set a user's status to enabled. Parameters include: |
1.7.3 Reconciliation Rule for Target Resource Reconciliation
Learn about the reconciliation rule for this connector and how to view it.
1.7.3.1 Target Resource Reconciliation Rule
The following is the process matching rule:
Rule name: Reconcile Lotus User
Rule element: (Last Name Equals Last Name) AND (First Name Equals First Name)
In the first rule component:
- Last Name to the left of the Equals is the Last Name field on the OIM User form.
- Last Name to the right of the Equals is the LastName field of the target system.
In the second rule component:
- First Name to the left of the Equals is the First Name field on the OIM User form.
- First Name to the right of the Equals is the FirstName field of the target system.
1.7.4 Reconciliation Action Rules for Target Resource Reconciliation
Learn about the reconciliation action rules for this connector and how to view them.
1.7.4.1 Target Resource Reconciliation Action Rules
Table 1-6 lists the action rules for target resource reconciliation.
Table 1-6 Action Rules for Target Resource Reconciliation
Rule Condition | Action |
---|---|
No Matches Found | Assign to Administrator With Least Load |
One Entity Match Found | Establish Link |
One Process Match Found | Establish Link |
Note:
No action is performed for rule conditions that are not predefined for this connector. You can define your own action rule for such rule conditions. See the following sections in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager for information about modifying or creating reconciliation action rules:
1.8 Connector Objects Used in the Trusted Source Mode
Trusted source reconciliation involves fetching data about newly created or modified accounts on the target system and using that data to create or update OIM Users.
This section discusses the following topics:
1.8.1 User Attributes for Trusted Source Reconciliation
The Lookup.Domino.UM.ReconAttrMap.Trusted lookup definition (see Table 1-2) maps resource object fields and target system attributes. The Code Key column stores the names of resource object fields. The Decode column:
Table 1-7 provides information about the form fields used for trusted source reconciliation.
Table 1-7 OIM User Fields Used for Trusted Source Reconciliation
Process Form Field | Field Type | Description |
---|---|---|
| TextField | E-mail address |
First Name | TextField | First name |
Last Name | TextField | Last name |
Middle Name | TextField | Middle name |
Status | TextField | Reconciliation status |
User Login | TextField | 16-bit alphanumeric ID that uniquely identifies a user |
Table 1-8 lists the form field and user attribute mappings for trusted source reconciliation.
Table 1-8 Mapping Form Fields to User Attributes for Trusted Source Reconciliation
OIM User Form Field | IBM Lotus Notes and Domino Attribute |
---|---|
Status[TRUSTED] | _ENABLE_ |
User Login | ShortName |
First Name | FirstName |
| InternetAddress |
Middle Name | MiddleInitial |
Last Name | LastName |
1.8.2 Reconciliation Rule for Trusted Source Reconciliation
Learn about the reconciliation rule for trusted source reconciliation and how to view it.
1.8.2.1 Trusted Source Reconciliation Rule
The following is the process matching rule:
Rule name: Lotus Trusted User
Rule element: User Login equals User Login
1.8.3 Reconciliation Action Rules for Trusted Source Reconciliation
Learn about the reconciliation action rules for trusted source reconciliation and how to view them.
1.8.3.1 Trusted Source Reconciliation Action Rules
Table 1-9 lists the action rules for trusted source reconciliation.
Table 1-9 Action Rules for Trusted Source Reconciliation
Rule Condition | Action |
---|---|
No Matches Found | Create User |
One Entity Match Found | Establish Link |
One Process Match Found | Establish Link |
Note:
No action is performed for rule conditions that are not predefined for this connector. You can define your own action rule for such rule conditions. See the following sections in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager for information about modifying or creating reconciliation action rules:
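As an added illustration (not connector or OIM code), the following Python evaluates the target resource rule Reconcile Lotus User with the action rules of Table 1-6 and the trusted source rule Lotus Trusted User with the action rules of Table 1-9 against constructed sample data; the has_lotus_account flag used to tell an entity match from a process match, and all user names and records, are assumptions. It makes visible what the notes under both tables imply: two OIM users with the same first and last name produce a multiple-match condition for which no action is predefined, so that record is neither linked nor created until an administrator decides.

```python
# Action rules from Table 1-6 (target resource) and Table 1-9 (trusted source).
TARGET_ACTIONS = {
    "No Matches Found": "Assign to Administrator With Least Load",
    "One Entity Match Found": "Establish Link",
    "One Process Match Found": "Establish Link",
}
TRUSTED_ACTIONS = {
    "No Matches Found": "Create User",
    "One Entity Match Found": "Establish Link",
    "One Process Match Found": "Establish Link",
}

def reconcile_lotus_user(oim_user, record):
    """Rule 'Reconcile Lotus User': (Last Name Equals Last Name) AND (First Name Equals First Name)."""
    return (oim_user["Last Name"] == record["LastName"]
            and oim_user["First Name"] == record["FirstName"])

def lotus_trusted_user(oim_user, record):
    """Rule 'Lotus Trusted User': User Login equals User Login (User Login maps to ShortName, Table 1-8)."""
    return oim_user["User Login"] == record["ShortName"]

def reconcile(record, oim_users, rule, actions):
    """Classify one target system record and look up its action rule.

    Assumption for this illustration: a match against an OIM user who already
    holds a Lotus account counts as a process match, any other single match as
    an entity match. Conditions absent from the table (several matches) get no action.
    """
    matches = [u for u in oim_users if rule(u, record)]
    if not matches:
        condition = "No Matches Found"
    elif len(matches) > 1:
        condition = "Multiple Matches Found"
    elif matches[0]["has_lotus_account"]:
        condition = "One Process Match Found"
    else:
        condition = "One Entity Match Found"
    return condition, actions.get(condition)

# Constructed OIM users; two distinct people are both named Dana Lee.
OIM_USERS = [
    {"User Login": "asmith", "First Name": "Alice", "Last Name": "Smith", "has_lotus_account": True},
    {"User Login": "bjones", "First Name": "Bob", "Last Name": "Jones", "has_lotus_account": False},
    {"User Login": "dlee1", "First Name": "Dana", "Last Name": "Lee", "has_lotus_account": False},
    {"User Login": "dlee2", "First Name": "Dana", "Last Name": "Lee", "has_lotus_account": False},
]

# Constructed Domino records, keyed by the attribute names in Tables 1-4 and 1-8.
DOMINO_RECORDS = [
    {"ShortName": "asmith", "FirstName": "Alice", "LastName": "Smith"},
    {"ShortName": "bjones", "FirstName": "Bob", "LastName": "Jones"},
    {"ShortName": "dlee", "FirstName": "Dana", "LastName": "Lee"},
    {"ShortName": "ebrown", "FirstName": "Eve", "LastName": "Brown"},
]

def run_target_reconciliation():
    # Target resource mode: {ShortName: (rule condition, action or None)}
    return {r["ShortName"]: reconcile(r, OIM_USERS, reconcile_lotus_user, TARGET_ACTIONS)
            for r in DOMINO_RECORDS}

def run_trusted_reconciliation():
    # Trusted source mode: {ShortName: (rule condition, action or None)}
    return {r["ShortName"]: reconcile(r, OIM_USERS, lotus_trusted_user, TRUSTED_ACTIONS)
            for r in DOMINO_RECORDS}
```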