The chapter describes the following information about using the connector with Oracle Directory Server Enterprise Edition (ODSEE):
To provide secure communications to the ODSEE target system, configure SSL between Oracle Identity Manager, the Connector Server, and the ODSEE target system.
For more information, see Configuring SSL for the Connector.
This section discusses the lookup definitions that are created in Oracle Identity Manager when you deploy the connector for an ODSEE target system. These lookup definitions are either prepopulated with values or values must be manually entered in them after the connector is deployed. These lookup definitions are as follows:
The Lookup.LDAP.Configuration lookup definition holds connector configuration entries that are used during target resource reconciliation and provisioning operations.
Table 4-1 lists the default entries in this lookup definition.
Table 4-1 Entries in the Lookup.LDAP.Configuration Lookup Definition
| Code Key | Decode | Description |
|---|---|---|
|
accountObjectClasses |
"top","person", "organizationalPerson","inetOrgPerson" |
This entry holds the list of object classes required for a USER object. |
|
accountSearchFilter |
objectClass=* |
This entry holds a search filter that any account needs to match in order to be returned. |
|
accountSynchronizationFilter |
objectClass=* |
This entry holds a filter for all of the entries returned during the SyncOp operation that must match. |
|
ldapGroupFilterBehavior |
accept |
This entry specifies the behavior for an LDAP group filter. |
|
ldapGroupMembershipAttribute |
ismemberof |
This entry specifies the value for the LDAP group membership attribute. |
|
accountUserNameAttribute |
cn |
This entry holds attributes that contain the name of a USER object. |
|
attributesToSynchronize |
"cn","uid" |
This entry holds the list of attributes to return whenever a SyncOp is run. |
|
blockSize |
100 |
This entry holds the block size for simple paged results and VLV index searches. |
|
Bundle Name |
org.identityconnectors.ldap |
This entry holds the name of the connector bundle package. Do not modify this entry. |
|
Bundle Version |
1.0.6380 |
This entry holds the version of the connector bundle class. Do not modify this entry. |
|
changelogBaseDN |
cn=changelog |
This entry holds the baseDN where the connector is to find the changelog attribute value. |
|
changeLogBlockSize |
100 |
This entry holds the block size for simple paged results and VLV index searches when reading changelog during a SyncOp operation. |
|
changeNumberAttribute |
changeNumber |
This entry holds the attribute name used for changelog. |
|
Connector Name |
org.identityconnectors.ldap.LdapConnector |
This entry holds the name of the connector class. Do not modify this entry. |
|
disabledRoleName |
cn=nsmanageddisabledrole,dc=example,dc=com |
This entry holds the name of the role that must be present in the entry when an account is disabled and that the enabledBaseOnRole is set to |
|
enabledAttribute |
nsaccountlock |
This entry holds the name of the attribute that is required to enable or disable accounts. |
|
enabledValue |
false |
This entry specifies the value to use for the attribute defined by the enabledAttribute property whenever an account is enabled. |
|
disabledValue |
true |
This entry specifies the value to use for the attribute defined by the enabledAttribute property whenever an account is disabled. |
|
enabledWhenNoAttribute |
true |
This entry defines if the status must be enabled or disabled when the property defined in enabledAttribute is not present in the entry. |
|
enabledBasedOnRole |
false |
This entry specifies whether enabling or disabling a user must be controlled by a role instead of the enabledAttribute attribute. When you set the value of this entry to |
|
filterWithOrInsteadOfAnd |
false |
This entry specifies whether the changelog filter is built using an OR or AND filter. Enter An OR filter is in the following format:
An AND filter is of the following format:
|
|
Group Configuration Lookup |
Lookup.LDAP.Group.Configuration |
This entry holds the name of the lookup definition that contains group-specific configuration properties. This lookup definition is used as the configuration lookup definition when you perform reconciliation of groups. Do not modify this entry. |
|
groupMemberAttribute |
uniqueMember |
This entry holds the LDAP attribute that stores the member for non-POSIX static groups. |
|
groupObjectClasses (optional) |
"top","groupOfUniqueNames" |
This entry holds the list of object classes required for a GROUP object. Note. This entry is not available by default. You must add it if you want to customize the lookup definition. |
|
maintainLdapGroupMembership |
true |
This entry specifies whether the connector modifies group membership of renamed or deleted user entries. |
|
maintainPosixGroupMembership |
false |
This entry specifies whether the connector modifies group membership of renamed or deleted user entries. |
|
objectClassesToSynchronize |
"inetOrgPerson","groupOfNames","groupOfUniqueNames","nsRoleDefinition","organizationalUnit" |
This entry holds the list of object classes to be synchronized. Any synchronized entry in order to be returned must have at least one object class from this list. If this list of object classes is empty or the code key is missing, then no filtering is performed on the object classes. |
|
OU Configuration Lookup |
Lookup.LDAP.OU.Configuration |
This entry holds the name of the lookup definition that contains organization-specific configuration properties. This lookup definition is used as the configuration lookup definition when you perform reconciliation of organizational units. Do not modify this entry. |
|
passwordAttribute |
userPassword |
This entry holds the name of the attribute to which the predefined PASSWORD attribute is written to. |
|
readSchema |
true |
This entry specifies whether the schema must be read from the server. |
|
removeLogEntryObjectClassFromFilter |
true |
This entry specifies whether the changelog filter contains a condition on the changelog objectclass. |
|
respectResourcePasswordPolicyChangeAfterReset |
true |
Enter |
|
Role Configuration Lookup |
Lookup.LDAP.Role.Configuration |
This entry holds the name of the lookup definition that contains role-specific configuration properties. This lookup definition is used as the configuration lookup definition when you perform reconciliation of roles. Do not modify this entry. |
|
roleObjectClasses (optional) |
"top", "ldapsubentry","nsRoleDefinition", "nsSimpleRoleDefinition", "nsManagedRoleDefinition" |
This entry holds the list of object classes required for a ROLE object. Note. This entry is not available by default. You must add it if you want to customize the lookup definition. |
|
standardChangelog |
true |
This entry specifies how the connector accesses the changelog attribute. This entries applies mainly to an OUD target system. For other target systems, leave the value set to true. |
|
synchronizeWithModifyTimestamps |
false |
This property specifies whether the connector must use the modify timestamps attribute instead of the changelog attribute during a SyncOp operation. |
|
uidAttribute |
nsuniqueid |
This entry holds the LDAP attribute to which the predefined UID attribute must be mapped to. |
|
usePagedResultControl |
true |
This entry specifies whether simple paged search is preferred over VLV index search when both are available. |
|
User Configuration Lookup |
Lookup.LDAP.UM.Configuration |
This entry holds the name of the lookup definition that contains user-specific configuration properties. This lookup definition is used as the configuration lookup definition when you perform reconciliation of users. Do not modify this entry. |
|
vlvSortAttribute |
uid |
This entry holds the attribute used as the sort key for the VLV index. |
|
changelogUidAttribute |
targetuniqueid |
This entry holds the name of the attribute that contains the uniqueId of the modified entry in the changelog. |
|
readTimeout |
120000 milliseconds |
This property holds the value for the read timeout configuration property. These values can be increased or decreased if necessary. If this property is not added in the configuration lookup definition, then the value is set to 60000 milliseconds by default. |
|
connectTimeout |
120000 milliseconds |
This property holds the value for the connect timeout configuration property. These values can be increased or decreased if necessary.If this property is not added in the configuration lookup definition, then the value is set to 60000 milliseconds by default. |
|
referrals |
ignore, follow, or throw |
This property holds the value for the read referrals configuration property. If this property is not added in the configuration lookup definition, then the value is set to ignore by default. |
The Lookup.LDAP.Configuration.Trusted lookup definition holds connector configuration entries that are used during trusted source.
Table 4-2 lists the default entries in this lookup definition.
Table 4-2 Entries in the Lookup.LDAP.Configuration.Trusted Lookup Definition
| Code Key | Decode | Description |
|---|---|---|
|
accountObjectClasses |
"top","person", "organizationalPerson","inetOrgPerson" |
This entry holds the list of object classes required for a USER object. |
|
Bundle Name |
org.identityconnectors.ldap |
This entry holds the name of the connector bundle package. Do not modify this entry. |
|
Bundle Version |
1.0.6380 |
This entry holds the version of the connector bundle class. Do not modify this entry. |
|
changeLogBlockSize |
100 |
This entry holds the block size for simple paged results and VLV index searches when reading changelog during a SyncOp operation. |
|
changeNumberAttribute |
changeNumber |
This entry holds the attribute name used for changelog. |
|
Connector Name |
org.identityconnectors.ldap.LdapConnector |
This entry holds the name of the connector class. Do not modify this entry. |
|
objectClassesToSynchronize |
"inetOrgPerson","groupOfNames","organizationalUnit" |
This entry holds the list of object classes to be synchronized. Any synchronized entry in order to be returned must have at least one object class from this list. If this list of object classes is empty or the code key is missing, then no filtering is performed on the object classes. |
|
uidAttribute |
nsuniqueid |
This entry holds the LDAP attribute to which the Uid must be mapped to. |
|
Any Incremental Recon Attribute Type |
true |
Indicates that any format of token is accepted during reconciliation. |
|
disabledValue |
true |
This entry specifies the value to use for the attribute defined by the enabledAttribute property whenever an account is disabled. |
|
enabledAttribute |
nsaccountlock |
This entry holds the name of the attribute that is required to enable or disable accounts. |
|
enabledValue |
false |
This entry specifies the value to use for the attribute defined by the enabledAttribute property whenever an account is enabled. |
|
enabledWhenNoAttribute |
true |
This entry defines if the status must be enabled or disabled when the property defined in enabledAttribute is not present in the entry. |
|
usePagedResultControl |
true |
This entry specifies whether simple paged search is preferred over VLV index search when both are available. |
|
readTimeout |
120000 milliseconds |
This property holds the value for the read timeout configuration property. These values can be increased or decreased if necessary. If this property is not added in the configuration lookup definition, then the value is set to 60000 milliseconds by default. |
|
connectTimeout |
120000 milliseconds |
This property holds the value for the connect timeout configuration property. These values can be increased or decreased if necessary.If this property is not added in the configuration lookup definition, then the value is set to 60000 milliseconds by default. |
|
referrals |
ignore, follow, or throw |
This property holds the value for the read referrals configuration property. If this property is not added in the configuration lookup definition, then the value is set to ignore by default. |
|
User Configuration Lookup |
Lookup.LDAP.UM.Configuration.Trusted |
This entry holds the name of the lookup definition that contains user-specific configuration properties. Do not modify this entry. |
This section discusses the following lookup definitions for user operations:
The Lookup.LDAP.UM.Configuration lookup definition holds configuration entries that are specific to the user object type. This lookup definition is used during user management operations when your target system is configured as a target resource.
Table 4-3 lists the default entries in this lookup definition.
Table 4-3 Entries in the Lookup.LDAP.UM.Configuration Lookup Definition
| Code Key | Decode | Description |
|---|---|---|
|
Provisioning Attribute Map |
Lookup.LDAP.UM.ProvAttrMap |
This entry holds the name of the lookup definition that maps process form fields and target system attributes. See Lookup.LDAP.UM.ProvAttrMap for more information about this lookup definition. |
|
Recon Attribute Map |
Lookup.LDAP.UM.ReconAttrMap |
This entry holds the name of the lookup definition that maps resource object fields and target system attributes. See Lookup.LDAP.UM.ReconAttrMap for more information about this lookup definition. |
|
Recon Transformation Lookup Note: This entry does not exist by default. You must add it if you want to enable transformation during reconciliation. |
Lookup.LDAP.UM.ReconTransformation |
This entry holds the name of the lookup definition that is used to configure transformation of attribute values that are fetched from the target system during user reconciliation. See Configuring Transformation of Data During Reconciliation for more information about adding entries in this lookup definition. |
|
Recon Validation Lookup Note: This entry does not exist by default. You must add it if you want to enable validation during reconciliation. |
Lookup.LDAP.UM.ReconValidation |
This entry holds the name of the lookup definition that is used to configure validation of attribute values that are fetched from the target system during reconciliation. See Configuring Validation of Data During Reconciliation and Provisioning for more information about adding entries in this lookup definition. |
|
Provisioning Validation Lookup Note: This entry does not exist by default. You must add it if you want to enable validation during provisioning. |
Lookup.LDAP.UM.ProvValidation |
This entry holds the name of the lookup definition that is used to configure validation of attribute values entered on the process form during provisioning operations. See Configuring Validation of Data During Reconciliation and Provisioning for more information about adding entries in this lookup definition. |
The Lookup.LDAP.UM.Configuration.Trusted lookup definition holds configuration entries that are specific to the user object type. This lookup definition is used during trusted source user reconciliation runs.
Table 4-4 lists the default entries in this lookup definition.
Table 4-4 Entries in the Lookup.LDAP.UM.Configuration.Trusted Lookup Definition
| Code Key | Decode | Description |
|---|---|---|
|
Recon Attribute Defaults |
Lookup.LDAP.UM.TrustedDefaults |
This entry holds the name of the lookup definition that maps reconciliation fields to their default values. See Lookup.LDAP.UM.TrustedDefaults for more information. |
|
Recon Attribute Map |
Lookup.LDAP.UM.ReconAttrMap.Trusted |
This entry holds the name of the lookup definition that maps resource object fields and target system attributes. See Lookup.LDAP.UM.ReconAttrMap for more information about this lookup definition. |
The Lookup.LDAP.UM.ProvAttrMap lookup definition holds mappings between process form fields and target system attributes. This lookup definitions is used during provisioning. This lookup definition is preconfigured.
For the default user fields that you can specify or modify values during provisioning operations, see User Fields for Provisioning an ODSEE Target System.
You can add entries in this lookup definitions if you want to map new target system attributes for provisioning. See Extending the Functionality of the Connector for more information.
The Lookup.LDAP.UM.ReconAttrMap lookup definition holds mappings between resource object fields and target system attributes. This lookup definition is used during reconciliation. This lookup definition is preconfigured.
For the default user fields that you can specify or modify values during reconciliation operations, see User Fields for Target Resource Reconciliation.
You can add entries in this lookup definitions if you want to map new target system attributes for reconciliation. See Extending the Functionality of the Connector for more information.
The Lookup.LDAP.UM.ProvValidation lookup definition is used to configure validation of attribute values entered on the process form during provisioning operations. See Configuring Validation of Data During Reconciliation and Provisioning for more information about adding entries in this lookup definition.
The Lookup.LDAP.UM.ReconTransformation lookup definition is used to configure transformation of attribute values that are fetched from the target system during user reconciliation. See Configuring Transformation of Data During Reconciliation for more information about adding entries in this lookup definition.
The Lookup.LDAP.UM.ReconValidation lookup definition is used to configure validation of attribute values that are fetched from the target system during reconciliation. See Configuring Validation of Data During Reconciliation and Provisioning for more information about adding entries in this lookup definition.
The Lookup.LDAP.UM.ReconAttrMap.Trusted lookup definition holds mappings between resource object fields and target system attributes. This lookup definitions is used during trusted source user reconciliation runs.
This lookup definition is preconfigured. Table 1-5 lists the default entries.
You can add entries in this lookup definitions if you want to map new target system attributes for reconciliation. See Extending the Functionality of the Connector for more information.
The Lookup.LDAP.UM.TrustedDefaults lookup definition holds mappings between reconciliation fields and their default values. This lookup definition is used when there is a mandatory field on the OIM User form, but no corresponding field in the target system from which values can be fetched during trusted source reconciliation.
You can add entries to this lookup definition by ensuring that the Code Key and Decode values are in the following format:
Code Key: Name of the reconciliation field of the resource object
Decode: Corresponding default value to be displayed
For example, the Employee Type field is a mandatory field on the OIM User form. However, on the target system, there is no information about the employee type for a user account. During reconciliation, as the Employee Type field cannot be left empty, you must specify a value for this field.
Therefore, the Decode value of the Employee Type Code Key has been set to Full-Time. This implies that the value of the Employee Type field on the OIM User form displays Full-Time for all user accounts reconciled from the target system.
This lookup definition is preconfigured. Table 4-5 lists the default entries.
Table 4-5 Entries in the Lookup.LDAP.UM.TrustedDefaults Lookup Definition
| Code Key | Decode |
|---|---|
|
Employee Type |
Full-Time |
|
Organization |
Xellerate Users |
|
User Type |
End-User |
This section discussed the following lookup definitions for group operations:
The Lookup.LDAP.Group.Configuration lookup definition holds configuration entries that are specific to the group object type. This lookup definition is used during group management operations when your target system is configured as a target resource.
Table 4-6 lists the default entries in this lookup definition.
Table 4-6 Entries in the Lookup.LDAP.Group.Configuration Lookup Definition
| Code Key | Decode | Description |
|---|---|---|
|
Provisioning Attribute Map |
Lookup.LDAP.Group.ProvAttrMap |
This entry holds the name of the lookup definition that maps process form fields and target system attributes. See Lookup.LDAP.Group.ProvAttrMap for more information about this lookup definition. |
|
Recon Attribute Map |
Lookup.LDAP.Group.ReconAttrMap |
This entry holds the name of the lookup definition that maps resource object fields and target system attributes. See Lookup.LDAP.Role.ProvAttrMap for more information about this lookup definition. |
The Lookup.LDAP.Group.ProvAttrMap lookup definition holds mappings between process form fields and target system attributes. This lookup definition is used during group provisioning operations.
This lookup definition is preconfigured. Table 1-25 lists the default entries.
You can add entries in this lookup definitions if you want to map new target system attributes for provisioning. See Adding Custom Fields for Provisioning for more information.
The Lookup.LDAP.Group.ReconAttrMap lookup definition holds mappings between resource object fields for groups and target system attributes. This lookup definition is used during reconciliation.
This lookup definition is preconfigured. Table 1-8 lists the default entries.
You can add entries in this lookup definitions if you want to map new target system attributes for reconciliation.
This section discusses the following lookup definitions for organizational unit operations:
The Lookup.LDAP.OU.Configuration lookup definition holds configuration entries that are specific to the organizational unit object type. This lookup definition is used during organizational unit management operations when your target system is configured as a target resource.
Table 4-7 lists the default entry in this lookup definition.
Table 4-7 Entries in the Lookup.LDAP.OU.Configuration Lookup Definition
| Code Key | Decode | Description |
|---|---|---|
|
Provisioning Attribute Map |
Lookup.LDAP.OU.ProvAttrMap |
This entry holds the name of the lookup definition that maps process form fields and target system attributes. See Lookup.LDAP.OU.ProvAttrMap for more information about this lookup definition. |
|
Recon Attribute Map |
Lookup.LDAP.OU.ReconAttrMap |
This entry holds the name of the lookup definition that maps resource object fields and target system attributes. See Lookup.LDAP.OU.ReconAttrMap for more information about this lookup definition. |
The Lookup.LDAP.OU.ProvAttrMap lookup definition holds mappings between process form fields and target system attributes. This lookup definition is used during provisioning.
This lookup definition is preconfigured. Table 1-30 lists the default entries.
You can add entries in this lookup definition if you want to map new target system attributes for provisioning. See Extending the Functionality of the Connector for more information.
The Lookup.LDAP.OU.ReconAttrMap lookup definition holds mappings between resource object fields for organizational units (OUs) and target system attributes. This lookup definitions is used during reconciliation.
This lookup definition is preconfigured. Table 1-13 lists the default entries.
You can add entries in this lookup definition if you want to map new target system attributes for provisioning. See Extending the Functionality of the Connector for more information.
This section discusses the following lookup definitions for role operations:
The Lookup.LDAP.Role.Configuration lookup definition holds configuration entries that are specific to the role object type. This lookup definition is used during role management operations when your target system is configured as a target resource.
Table 4-8 Entries in the Lookup.LDAP.Role.Configuration Lookup Definition
| Code Key | Decode | Description |
|---|---|---|
|
Provisioning Attribute Map |
Lookup.LDAP.Role.ProvAttrMap |
This entry holds the name of the lookup definition that maps process form fields and target system attributes. See Lookup.LDAP.Role.ProvAttrMap for more information about this lookup definition. |
|
Recon Attribute Map |
Lookup.LDAP.Role.ReconAttrMap |
This entry holds the name of the lookup definition that maps resource object fields and target system attributes. See Lookup.LDAP.Role.ReconAttrMap for more information about this lookup definition. |
The Lookup.LDAP.Role.ProvAttrMap lookup definition holds mappings between process form fields and target system attributes. This lookup definition is used during role provisioning operations. This lookup definition is preconfigured.
Table 1-28 lists the default entries in this lookup definition.
You can add entries in this lookup definitions if you want to map new target system attributes for provisioning. See Adding Custom Fields for Provisioning for more information.
The Lookup.LDAP.Role.ReconAttrMap lookup definition holds mappings between resource object fields for roles and target system attributes. This lookup definitions is used during reconciliation.
This lookup definition is preconfigured.Table 1-11 lists the default entries.
You can add entries in this lookup definitions if you want to map new target system attributes for reconciliation. See Adding New Fields for Trusted Source Reconciliation for more information.
Note:
Before you perform the following optional task, make sure you have created the corresponding organizations with the same names from the target system in Oracle Identity Manager.
To reconcile users from an ODSEE target system under their corresponding organizations in Oracle Identity Manager: