7 Using the Connector with Novell eDirectory
The chapter describes the following information about using the connector with Novell eDirectory:
7.1 Configuring Secure Communications
To provide secure communications to the eDirectory target system, configure SSL between Oracle Identity Manager, the Connector Server, and the eDirectory target system.
For more information, see Configuring SSL for the Connector
7.2 Provisioning an eDirectory Target System
This section describes the following information about provisioning an eDirectory target system:
7.2.1 User Fields for Provisioning an eDirectory Target System
The Lookup.EDIR.UM.ProvAttrMap lookup definition maps process form fields with eDirectory attributes. This lookup definition is used for performing user provisioning operations.
Table 7-1 lists the user identity fields of the target system for which you can specify or modify values during provisioning operations.
Table 7-1 Entries in the Lookup.EDIR.UM.ProvAttrMap Lookup Definition
| Process Form Field | Target System Field |
|---|---|
|
Password |
__PASSWORD__ |
|
UD_EDIR_ROL~Role Name[LOOKUP] |
rbsAssignedRoles~rbsRole~__NAME__ |
|
UD_EDIR_ROL~Inheritable |
rbsAssignedRoles~rbsRole~inheritable |
|
Logon Script |
loginScript |
|
Timezone |
timezone |
|
Title |
title |
|
Department |
departmentNumber |
|
UD_EDIR_ROL~Scope[LOOKUP] |
rbsAssignedRoles~rbsRole~domainScope |
|
First Name |
givenName |
|
Communication Language |
preferredLanguage |
|
Profile[LOOKUP] profile |
profile |
|
Last Name |
sn |
|
Guid |
__NAME__="cn=${User_ID},${Container_DN}" |
|
User ID |
cn |
|
Container DN[IGNORE,LOOKUP] |
ContainerDN |
|
|
|
|
Location |
l |
|
Telephone |
telephoneNumber |
|
Reference ID |
__UID__ |
|
UD_EDIR_GRP~Group Name[LOOKUP] |
ldapGroups |
|
Middle Name |
initials |
7.2.2 Group Fields for Provisioning an eDirectory Target System
The Lookup.EDIR.Group.ProvAttrMap lookup definition maps process form fields with eDirectory attributes. This lookup definition is used for performing group provisioning operations.
Table 7-2 lists the group identity fields of the target system for which you can specify or modify values during provisioning operations.
Table 7-2 Entries in the Lookup.EDIR.Group.ProvAttrMap Lookup Definition
| Process Form Field | Target System Field |
|---|---|
|
Reference ID |
__UID__ |
|
Container DN[IGNORE,LOOKUP] |
ContainerDN |
|
Group Name |
cn |
|
Guid |
__NAME__="cn=${Group_Name},${Container_DN}" |
7.2.3 Role Fields for Provisioning an eDirectory Target System
The Lookup.EDIR.Role.ProvAttrMap lookup definition maps process form fields with eDirectory attributes. This lookup definition is used for performing role provisioning operations.
Note:
The scope attribute in the Role child form is pre-populated from the Lookup.EDIR.DefaultScope lookup definition. You must enter a default value manually in this lookup before you perform a provisioning or reconciliation operation. Only one value is required.
Table 7-3 lists the role identity fields of the target system for which you can specify or modify values during provisioning operations.
Table 7-3 Entries in the Lookup.EDIR.Role.ProvAttrMap Lookup Definition
| Process Form Field | Target System Field |
|---|---|
|
Role Container[IGNORE,LOOKUP] |
ContainerDN |
|
Reference ID |
__UID__ |
|
Guid |
__NAME__="cn=${Role_Name},${Role_Container}" |
|
Role Name |
cn |
7.2.4 Organizational Unit (OU) Fields for Provisioning an eDirectory Target System
The Lookup.EDIR.OU.ProvAttrMap lookup definition maps process form fields with eDirectory attributes. This lookup definition is used for performing organizational unit provisioning operations.
Table 7-4 lists the organizational unit fields of the target system for which you can specify or modify values during provisioning operations.
Table 7-4 Entries in the Lookup.EDIR.OU.ProvAttrMap Lookup Definition
| Process Form Field | Target System Field |
|---|---|
|
Organisation Name |
ou |
|
Reference ID |
__UID__ |
|
Guid |
__NAME__="ou=${Organisation_Name},${Container_DN}" |
|
Container DN[LOOKUP,IGNORE] |
ContainerDN |
7.3 Performing Reconciliation for an eDirectory Target System
This section describes the following information about reconciliation:
7.3.1 Trusted Reconciliation Fields for an eDirectory Target System
The Lookup.EDIR.UM.ReconAttrMap.Trusted lookup definition maps Oracle Identity Manager fields with eDirectory fields. This lookup definition is used for performing trusted reconciliation operations.
Table 7-4 lists the corresponding fields in the Lookup.EDIR.UM.ReconAttrMap.Trusted lookup definition.
Table 7-5 Entries in the Lookup.EDIR.UM.ReconAttrMap.Trusted Lookup Definition
| OIM Field | Target System Field |
|---|---|
|
Fax |
facsimileTelephoneNumber |
|
Pager |
pager |
|
Status[TRUSTED] |
__ENABLE__ |
|
First Name |
givenName |
|
Title |
title |
|
location |
l |
|
|
|
|
Street |
street |
|
Telephone |
telephoneNumber |
|
Department Number |
departmentNumber |
|
Postal Address |
postalAddress |
|
entryDN[IGNORE] |
entryDN |
|
User ID |
cn from entryDN |
|
Postal Code |
postalCode |
|
parentDN[IGNORE] |
__PARENTDN__ |
|
Last Name |
sn |
7.3.2 Reconciliation Rules for Target Resource Reconciliation
This section contains the following topics:
7.3.2.1 About Rules for Target Resource Reconciliation
The following is the process matching rule:
Rule name: eDirectory User Trusted
Rule element: (GUID Equals guid) OR (User Login Equals User ID)
In the first rule component:
-
GUID on the left of Equals is the unique ID of the user.
-
guid on the right of Equals is the user ID field of the user on the target system.
In the second rule component:
-
User Login is the User Login field on the OIM User form.
-
User ID is the user ID field of the target system.
7.3.2.2 Viewing the Reconciliation Rule for Target Resource Reconciliation
After you deploy the connector, you can view the reconciliation rule for target resource reconciliation by performing the following steps:
Figure 7-1 Reconciliation Rule Builder Screen for Target Resource Reconciliation
Description of "Figure 7-1 Reconciliation Rule Builder Screen for Target Resource Reconciliation"
7.3.3 Reconciling eDirectory Users Under Their Corresponding Organizations in Oracle Identity Manager
Note:
Before you perform the following optional task, make sure you have created the corresponding organizations with the same names from the target system in Oracle Identity Manager.
To reconcile users from an eDirectory target system under their corresponding organizations in Oracle Identity Manager:
7.4 Preconfigured Lookup Definitions for an eDirectory Target System
This section describes the following preconfigured lookup definitions for an eDirectory target system:
7.4.1 Lookup.EDIR.Configuration
The Lookup.EDIR.Configuration lookup definition holds connector configuration entries that are used during target resource reconciliation and provisioning operations.
Table 7-6 lists the default entries in this lookup definition.
Table 7-6 Entries in the Lookup.EDIR.Configuration Lookup Definition
| Code | Decode | Description |
|---|---|---|
|
OU Configuration Lookup |
Lookup.EDIR.OU.Configuration |
This entry holds the name of the lookup definition that contains organization-specific configuration properties. This lookup definition is used as the configuration lookup definition when you perform reconciliation of organizational units. Do not modify this entry |
|
Connector Name |
org.identityconnectors.ldap.LdapConnector |
This entry holds the name of the connector class. Do not modify this entry. |
|
User Configuration Lookup |
Lookup.EDIR.UM.Configuration |
This entry holds the name of the lookup definition that contains user-specific configuration properties. This lookup definition is used as the configuration lookup definition when you perform reconciliation of users. Do not modify this entry. |
|
uidInBinary |
TRUE |
This attribute symbolizes that the UID field type is binary. Binary values are stored in hexadecimal format in OIM. |
|
Bundle Name |
org.identityconnectors.ldap |
This entry holds the name of the connector bundle package. Do not modify this entry. |
|
enabledAttribute |
loginDisabled |
This entry holds the name of the attribute that is required to enable or disable accounts. |
|
activateMembershipAttributesAtUser |
TRUE |
Activates group membership attribute at user entry. For every group membership, user entry is modified with group membership attribute. |
|
accountObjectClasses |
"ndsLoginProperties","top","person","organizationalPerson","inetOrgPerson" |
This entry holds the list of object classes required for a USER object. |
|
uidAttribute |
guid |
This entry holds the LDAP attribute to which the predefined UID attribute must be mapped to. |
|
rBSRole Configuration Lookup |
Lookup.EDIR.Role.Configuration |
This entry holds the name of the lookup definition that contains role-specific configuration properties. This lookup definition is used as the configuration lookup definition when you perform reconciliation of roles. Do not modify this entry |
|
Bundle Version |
1.0.6380 |
This entry holds the version of the connector bundle class. Do not modify this entry. |
|
groupMemberAttribute |
member |
This entry holds the list of object classes required for a GROUP object. |
|
Any Incremental Recon Attribute Type |
TRUE |
Indicates that any format of token is accepted during reconciliation. For Novell eDirectory, token type is String. |
|
enabledValue |
FALSE |
This entry specifies the value to use for the attribute defined by the enabledAttribute property whenever an account is enabled. |
|
ldapGroupMembershipAttribute |
groupMembership |
This field gets updated with the group reference in the user entry. Its updated only if activateGroupMembershipAttribute configuration is set to true. |
|
Group Configuration Lookup |
Lookup.EDIR.Group.Configuration |
This entry holds the name of the lookup definition that contains group-specific configuration properties. This lookup definition is used as the configuration lookup definition when you perform reconciliation of groups. Do not modify this entry. |
|
disabledValue |
TRUE |
This entry specifies the value to use for the attribute defined by the enabledAttribute property whenever an account is disabled. |
|
secondaryGroupMemberAttributes |
equivalentToMe |
Other attributes in the group entry that have to be updated with user reference along with the primary membership attribute. |
|
readTimeout |
120000 milliseconds |
This property holds the value for the read timeout configuration property. These values can be increased or decreased if necessary. If this property is not added in the configuration lookup definition, then the value is set to 60000 milliseconds by default. |
|
connectTimeout |
120000 milliseconds |
This property holds the value for the connect timeout configuration property. These values can be increased or decreased if necessary.If this property is not added in the configuration lookup definition, then the value is set to 60000 milliseconds by default. |
|
referrals |
ignore, follow, or throw |
This property holds the value for the read referrals configuration property. If this property is not added in the configuration lookup definition, then the value is set to ignore by default. |
7.4.2 Lookup.EDIR.CommLang
The Lookup.EDIR.CommLang lookup definition contains the supported user languages. Do not modify the entries in this lookup definition. Table 7-7 lists the default entries.
Table 7-7 Entries in the Lookup.EDIR.CommLang Lookup Definition
| Code Key | Decode |
|---|---|
|
TRADITIONAL CHINESE |
TRADITIONAL CHINESE |
|
GERMAN |
GERMAN |
|
BRAZILIAN PORTUGUESE |
BRAZILIAN PORTUGUESE |
|
JAPANESE |
JAPANESE |
|
ITALIAN |
ITALIAN |
|
KOREAN |
KOREAN |
|
SIMPLIFIED CHINESE |
SIMPLIFIED CHINESE |
|
ENGLISH |
ENGLISH |
|
FRENCH |
FRENCH |
|
SPANISH |
SPANISH |
7.4.3 Preconfigured Lookup Definitions for User Operations
This section describes the following lookup definitions for user operations:
7.4.3.1 Lookup.EDIR.UM.Configuration
The Lookup.EDIR.UM.Configuration lookup definition holds configuration entries that are specific to the user object type. This lookup definition is used during user management operations when your target system is configured as a target resource.
Table 7-8 lists the default entries in this lookup definition.
Table 7-8 Entries in the Lookup.EDIR.UM.Configuration Lookup Definition
| Code | Decode |
|---|---|
|
Provisioning Attribute Map |
Lookup.EDIR.UM.ProvAttrMap |
|
Provisioning Exclusion List |
Lookup.EDIR.UM.ProvExclusions |
|
Provisioning Validation Lookup |
Lookup.EDIR.UM.ProvValidations |
|
Recon Attribute Defaults |
Lookup.EDIR.UM.ReconDefaults |
|
Recon Attribute Map |
Lookup.EDIR.UM.ReconAttrMap |
|
Recon Exclusion List |
Lookup.EDIR.UM.ReconExclusions |
|
Recon Transformation Lookup |
Lookup.EDIR.UM.ReconTramsformations |
|
Recon Validation Lookup |
Lookup.EDIR.UM.ReconValidations |
7.4.3.2 Lookup.EDIR.UM.ProvAttrMap
The Lookup.EDIR.UM.ProvAttrMap lookup definition maps process form fields with eDirectory attributes. This lookup definition is used for performing user provisioning operations.
See Table 7-1 for the entries in this lookup definition.
7.4.3.3 Lookup.EDIR.UM.ReconAttrMap
The Lookup.EDIR.UM.ReconAttrMap lookup definition maps user resource object fields and target system attributes. This lookup definition is used for performing target resource user reconciliation runs.
Table 7-9 lists the entries in this lookup definition.
Table 7-9 Entries in the Lookup.EDIR.UM.ReconAttrMap Lookup Definition
| Code | Decode |
|---|---|
|
Communication Language |
preferredLanguage |
|
Container DN[LOOKUP] |
__PARENTDN__ |
|
Department |
departmentNumber |
|
|
|
|
entryDN[IGNORE] |
entryDN |
|
First Name |
givenName |
|
Guid __UID__ |
|
|
Last Name |
sn |
|
Location |
l |
|
Logon Script |
loginScript |
|
Middle Initial |
initials |
|
parentDN[IGNORE] |
__PARENTDN__ |
|
Profile |
profile |
|
refid |
__UID__ |
|
Role~Inheritance |
rbsAssignedRoles~rbsRole~inheritable |
|
Role~Role Name[LOOKUP] |
rbsAssignedRoles~rbsRole~__NAME__ |
|
Role~Scope[LOOKUP] |
rbsAssignedRoles~rbsRole~domainScope |
|
Security Group~Group Name[LOOKUP] |
ldapGroups |
|
Status |
__ENABLE__ |
|
Telephone |
telephoneNumber |
|
TimeZone |
timezone |
|
Title |
title |
|
User ID |
entryDN Note: The decode value for the "User ID" code key must always be mapped to a target system attribute which contains a unique value. |
7.4.3.4 Other Lookup Definitions
Other lookup definitions used for an eDirectory target system include:
-
The Lookup.EDIR.UM.ProvValidation lookup allows you to have custom validations on any of provisioning attribute values.
The Lookup.EDIR.UM.ReconValidation lookup allows you to have validations on any of the reconciled values.
See Configuring Validation of Data During Reconciliation and Provisioning.
-
The Lookup.EDIR.UM.ProvExclusions lookup allows you to specify account properties that should not be managed by the connector during provisioning. This lookup can also contain rules for determining excluded accounts.
The Lookup.EDIR.UM.ReconExclusions lookup allows you to specify account properties that should not be managed by the connector during reconciliation. This lookup can also contain rules for determining the excluded accounts.
-
The Lookup.EDIR.UM.ReconDefaults lookup allows you to specify default values for any reconciliation field.
-
Lookup.EDIR.UM.ReconTransformation lookup allows you to specify custom transformations during reconciliation. See Configuring Transformation of Data During Reconciliation.
7.4.4 Preconfigured Lookup Definitions for Group Operations
This section discusses the following lookup definitions for group operations:
7.4.4.1 Lookup.EDIR.Group.Configuration
The Lookup.EDIR.Group.Configuration lookup definition holds configuration entries that are specific to the group object type. This lookup definition is used during group management operations when your target system is configured as a target resource.
Table 7-10 Entries in the Lookup.EDIR.Group.Configuration Lookup Definition
| Code | Decode | Description |
|---|---|---|
|
Provisioning Attribute Map |
Lookup.EDIR.Group.ProvAttrMap |
This entry holds the name of the lookup definition that maps process form fields and target system attributes. See Lookup.EDIR.Group.ProvAttrMap. |
|
Recon Attribute Map |
Lookup.EDIR.Group.ReconAttrMap |
This entry holds the name of the lookup definition that maps resource object fields and target system attributes. See Lookup.EDIR.Group.ReconAttrMap. |
7.4.4.2 Lookup.EDIR.Group.ProvAttrMap
The Lookup.EDIR.Group.ProvAttrMap lookup definition holds mappings between process form fields and target system attributes. This lookup definition is used during group provisioning operations.
See Table 7-2 for the entries in this lookup definition.
7.4.4.3 Lookup.EDIR.Group.ReconAttrMap
The Lookup.EDIR.Group.ReconAttrMaplookup definition holds mappings between resource object fields for groups and target system attributes. This lookup definition is used during reconciliation.
See Table 7-11 for the entries in this lookup definition.
Table 7-11 Entries in the Lookup.EDIR.Group.ReconAttrMap Lookup Definition
| Code | Decode |
|---|---|
|
GroupName |
cn |
|
Guid |
__UID__ |
|
Organization[LOOKUP] |
__PARENTDN__ |
7.4.5 Preconfigured Lookup Definitions for Role Operations
This section describes the following lookup definitions for role operations:
Note:
For eDirectory, the supported objectclass for roles is rBSRole.
7.4.5.1 Lookup.EDIR.Role.Configuration
The Lookup.EDIR.Role.Configuration lookup definition holds configuration entries that are specific to the role object type. This lookup definition is used during role management operations when your target system is configured as a target resource.
Table 7-12 Entries in the Lookup.EDIR.Role.Configuration Lookup Definition
| Code Key | Decode | Description |
|---|---|---|
|
Provisioning Attribute Map |
Lookup.EDIR.Role.ProvAttrMap |
This entry holds the name of the lookup definition that maps process form fields and target system attributes. See Lookup.EDIR.Role.ProvAttrMap. |
|
Recon Attribute Map |
Lookup.EDIR.Role.ReconAttrMap |
This entry holds the name of the lookup definition that maps resource object fields and target system attributes. See Lookup.EDIR.Role.ReconAttrMap. |
7.4.5.2 Lookup.EDIR.Role.ProvAttrMap
The Lookup.EDIR.Role.ProvAttrMap lookup definition holds mappings between process form fields and target system attributes. This lookup definition is used during role provisioning operations.
See Table 7-3 for the entries in this lookup definition.
7.4.5.3 Lookup.EDIR.Role.ReconAttrMap
The Lookup.EDIR.Role.ReconAttrMap lookup definition holds mappings between resource object fields for roles and target system attributes. This lookup definitions is used during reconciliation.
Table 7-13 lists the entries in this lookup definition.
Table 7-13 Entries in the Lookup.EDIR.Role.ReconAttrMap Lookup Definition
| Code | Decode |
|---|---|
|
Guid |
__UID__ |
|
Organization[LOOKUP] |
__PARENTDN__ |
|
RoleName |
cn |
7.4.6 Preconfigured Lookup Definitions for Organizational Unit Operations
This section describes the following lookup definitions for organizational unit operations:
7.4.6.1 Lookup.EDIR.OU.Configuration
The Lookup.EDIR.OU.Configuration lookup definition holds configuration entries that are specific to the organizational unit object type. This lookup definition is used during organizational unit management operations when your target system is configured as a target resource.
Table 7-14 lists the default entries in this lookup definition.
Table 7-14 Entries in the Lookup.EDIR.OU.Configuration Lookup Definition
| Code | Decode | Description |
|---|---|---|
|
Provisioning Attribute Map |
Lookup.EDIR.OU.ProvAttrMap |
This entry holds the name of the lookup definition that maps process form fields and target system attributes. See Lookup.EDIR.OU.ProvAttrMap. |
|
Recon Attribute Map |
Lookup.EDIR.OU.ReconAttrMap |
This entry holds the name of the lookup definition that maps resource object fields and target system attributes. See Lookup.EDIR.OU.ReconAttrMap. |
7.4.6.2 Lookup.EDIR.OU.ProvAttrMap
The Lookup.EDIR.OU.ProvAttrMap lookup definition holds mappings between process form fields and target system attributes. This lookup definition is used during provisioning.
See Table 7-4 for the entries in this lookup definition.
7.4.6.3 Lookup.EDIR.OU.ReconAttrMap
The Lookup.EDIR.Role.ReconAttrMap lookup definition holds mappings between resource object fields for roles and target system attributes. This lookup definitions is used during reconciliation.
Table 7-13 lists the entries in this lookup definition.
Table 7-15 Entries in the Lookup.EDIR.OU.ReconAttrMap Lookup Definition
| Code | Decode |
|---|---|
|
Container |
__PARENTDN__ |
|
Guid |
__UID__ |
|
OrgName |
ou |
7.4.7 Preconfigured Lookup Definitions for Trusted Configuration Operations
The connector uses the following lookup definitions for trusted configuration operations:
7.4.7.1 Lookup.EDIR.Configuration.Trusted
Table 7-16 lists the entries in this lookup definition.
Table 7-16 Entries in the Lookup.EDIR.Configuration.Trusted Lookup Definition
| Code | Decode |
|---|---|
|
accountObjectClasses |
"top","person","organizationalPerson","inetOrgPerson" |
|
Any Incremental Recon Attribute Type |
true |
|
Bundle Name |
org.identityconnectors.ldap |
|
Bundle Version |
1.0.6380 |
|
Connector Name |
org.identityconnectors.ldap.LdapConnector |
|
disabledValue |
true |
|
enabledAttribute |
loginDisabled |
|
enabledValue |
false |
|
objectClassesToSynchronize |
"inetOrgPerson","groupOfNames","groupOfUniqueNames" |
|
uidAttribute |
GUID |
|
uidInBinary |
true |
|
User Configuration Lookup |
Lookup.EDIR.UM.Configuration.Trusted |
7.4.7.2 Lookup.EDIR.UM.Configuration.Trusted
Table 7-17 lists the entries in this lookup definition.
Table 7-17 Entries in the Lookup.EDIR.UM.Configuration.Trusted Lookup Definition
| Code | Decode |
|---|---|
|
Recon Attribute Defaults |
Lookup.EDIR.UM.ReconDefaults.Trusted |
|
Recon Attribute Map |
Lookup.EDIR.UM.ReconAttrMap.Trusted |
|
Recon Exclusion List |
Lookup.EDIR.UM.ExclusionList.Trusted |
|
Recon Transformation Lookup |
Lookup.EDIR.UM.ReconTransformations.Trusted |
|
Recon Validation Lookup |
Lookup.EDIR.UM.ReconValidations.Trusted |
7.4.7.3 Lookup.EDIR.UM.ExclusionList.Trusted
Table 7-18 lists the entry in this lookup definition.
Table 7-18 Entry in the Lookup.EDIR.UM.ExclusionList.Trusted Lookup Definition
| Code | Decode |
|---|---|
|
User ID |
root |
7.4.7.4 Lookup.EDIR.UM.ReconAttrMap.Trusted
Table 7-19 lists the entries in this lookup definition.
Table 7-19 Entries in the Lookup.EDIR.UM.ReconAttrMap.Trusted Lookup Definition
| Code Key | Decode |
|---|---|
|
Department Number |
departmentNumber |
|
|
|
|
entryDN[IGNORE] |
entryDN |
|
Fax |
facsimileTelephoneNumber |
|
First Name |
givenName |
|
GUID |
__UID__ |
|
Last Name |
sn |
|
location |
l |
|
Pager |
pager |
|
parentDN[IGNORE] |
__PARENTDN__ |
|
Postal Address |
postalAddress |
|
Postal Code |
postalCode |
|
Status[TRUSTED] |
__ENABLE__ |
|
Street |
street |
|
Telephone |
telephoneNumber |
|
Title |
title |
|
User ID |
entryDN Note: The decode value for the "User ID" code key must always be mapped to a target system attribute which contains a unique value. |
7.4.7.5 Lookup.EDIR.UM.ReconTransformations.Trusted
Table 7-20 lists the entry in this lookup definition.
Table 7-20 Entry in the Lookup.EDIR.UM.ReconTransformations.Trusted Lookup Definition
| Code | Decode |
|---|---|
|
User ID |
oracle.iam.connectors.edirectory.transformations.EdirectoryUserIdTransformation |
7.4.7.6 Lookup.EDIR.UM.ReconDefaults.Trusted
Table 7-21 lists the entries in this lookup definition.
Table 7-21 Entries in the Lookup.EDIR.UM.ReconDefaults.Trusted Lookup Definition
| Code | Decode |
|---|---|
|
Empl Type |
Full-Time |
|
Organization Name |
Xellerate Users |
|
Status |
Active |
|
User Type |
End-User |