This chapter describes the following information about using the connector with Oracle Internet Directory (OID):
To provide secure communications to the OID target system, configure SSL between Oracle Identity Manager, the Connector Server, and the OID target system.
For more information, see Configuring SSL for the Connector.
This section discusses the other lookup definitions that are created in Oracle Identity Manager when you deploy the connector for the OID target system. These lookup definitions are either prepopulated with values, or you must enter values in them manually after the connector is deployed. The other lookup definitions are as follows:
Note:
Roles are not supported for an OID target system.
The Lookup.OID.Configuration lookup definition holds connector configuration entries that are used during target resource reconciliation and provisioning operations.
Table 6-1 lists the default entries in this lookup definition.
Table 6-1 Entries in the Lookup.OID.Configuration Lookup Definition

| Code Key | Decode | Description |
|---|---|---|
| accountObjectClasses | "top","person","organizationalPerson","inetOrgPerson","orclUserV2" | This entry holds the list of object classes required for a USER object. |
| accountSearchFilter | objectClass=* | This entry holds a search filter that any account must match in order to be returned. |
| accountSynchronizationFilter | objectClass=* | This entry holds a filter that every entry returned during a SyncOp operation must match. |
| accountUserNameAttribute | cn | This entry holds the attribute that contains the name of a USER object. |
| attributesToSynchronize | "cn","uid" | This entry holds the list of attributes to return whenever a SyncOp is run. |
| blockSize | 100 | This entry holds the block size for simple paged results and VLV index searches. |
| Bundle Name | org.identityconnectors.ldap | This entry holds the name of the connector bundle package. Do not modify this entry. |
| Bundle Version | 1.0.6380 | This entry holds the version of the connector bundle class. Do not modify this entry. |
| changelogBaseDN | cn=changelog | This entry holds the base DN under which the connector looks for the changelog attribute value. |
| changeLogBlockSize | 100 | This entry holds the block size for simple paged results and VLV index searches when reading the changelog during a SyncOp operation. |
| changelogUidAttribute | orclguid | This entry holds the name of the changelog attribute that contains the unique ID of the modified entry. |
| changeNumberAttribute | changeNumber | This entry holds the name of the change number attribute used for the changelog. |
| Connector Name | org.identityconnectors.ldap.LdapConnector | This entry holds the name of the connector class. Do not modify this entry. |
| disabledValue | DISABLED | This entry specifies the value to be used for the attribute defined by the enabledAttribute entry whenever an account is disabled. |
| enabledAttribute | orclIsEnabled | This entry holds the name of the attribute that is required to enable or disable accounts. |
| enabledWhenNoAttribute | true | This entry defines whether the status is enabled or disabled when the attribute defined by enabledAttribute is not present in the entry. |
| enabledValue | ENABLED | This entry specifies the value to use for the attribute defined by the enabledAttribute entry whenever an account is enabled. |
| filterWithOrInsteadOfAnd | false | This entry specifies whether the changelog filter is built using an OR filter or an AND filter. |
| Group Configuration Lookup | Lookup.OID.Group.Configuration | This entry holds the name of the lookup definition that contains group-specific configuration properties. This lookup definition is used as the configuration lookup definition when you perform reconciliation of groups. Do not modify this entry. |
| groupMemberAttribute | uniqueMember | This entry holds the LDAP attribute that stores the members of non-POSIX static groups. |
| ldapGroupFilterBehavior | reject | This entry specifies the behavior for an LDAP group filter. |
| ldapGroupMembershipAttribute | ismemberof | This entry specifies the LDAP group membership attribute. |
| maintainLdapGroupMembership | true | This entry specifies whether the connector modifies the group membership of renamed or deleted user entries. |
| maintainPosixGroupMembership | false | This entry specifies whether the connector modifies the POSIX group membership of renamed or deleted user entries. |
| objectClassesToSynchronize | "inetOrgPerson","groupOfNames","groupOfUniqueNames","organizationalUnit" | This entry holds the list of object classes to be synchronized. To be returned, a synchronized entry must have at least one object class from this list. If the list is empty or the code key is missing, then no filtering is performed on object classes. |
| OU Configuration Lookup | Lookup.OID.OU.Configuration | This entry holds the name of the lookup definition that contains organization-specific configuration properties. This lookup definition is used as the configuration lookup definition when you perform reconciliation of organizational units. Do not modify this entry. |
| passwordAttribute | userPassword | This entry holds the name of the attribute to which the predefined PASSWORD attribute is written. |
| readSchema | true | This entry specifies whether the schema must be read from the server. |
| removeLogEntryObjectClassFromFilter | true | This entry specifies whether the changelog filter contains a condition on the changelog object class. |
| respectResourcePasswordPolicyChangeAfterReset | true | Enter |
| standardChangelog | true | This entry specifies how the connector accesses the changelog attribute. |
| synchronizeWithModifyTimestamps | false | This entry specifies whether the connector must use the modify timestamp attribute instead of the changelog attribute during a SyncOp operation. |
| uidAttribute | orclguid | This entry holds the LDAP attribute to which the predefined UID attribute is mapped. |
| usePagedResultControl | true | This entry specifies whether simple paged search is preferred over VLV index search when both are available. |
| User Configuration Lookup | Lookup.OID.UM.Configuration | This entry holds the name of the lookup definition that contains user-specific configuration properties. This lookup definition is used as the configuration lookup definition when you perform reconciliation of users. Do not modify this entry. |
| vlvSortAttribute | uid | This entry holds the attribute used as the sort key for the VLV index. |
| readTimeout | 120000 milliseconds | This entry holds the value of the read timeout configuration property. The value can be increased or decreased if necessary. If this entry is not added to the configuration lookup definition, then the value is set to 60000 milliseconds by default. |
| connectTimeout | 120000 milliseconds | This entry holds the value of the connect timeout configuration property. The value can be increased or decreased if necessary. If this entry is not added to the configuration lookup definition, then the value is set to 60000 milliseconds by default. |
| referrals | ignore, follow, or throw | This entry holds the value of the referrals configuration property. If this entry is not added to the configuration lookup definition, then the value is set to ignore by default. |
The Lookup.OID.Configuration.Trusted lookup definition holds connector configuration entries that are used during trusted source reconciliation.
Table 6-2 lists the default entries in this lookup definition.
Table 6-2 Entries in the Lookup.OID.Configuration.Trusted Lookup Definition

| Code Key | Decode | Description |
|---|---|---|
| accountObjectClasses | "top","person","organizationalPerson","inetOrgPerson","orclUserV2" | This entry holds the names of the account object classes. |
| Any Incremental Recon Attribute Type | true | This entry indicates that any format of token is accepted during reconciliation. |
| Bundle Name | org.identityconnectors.ldap | This entry holds the name of the connector bundle package. Do not modify this entry. |
| Bundle Version | 1.0.6380 | This entry holds the version of the connector bundle class. Do not modify this entry. |
| changeLogBlockSize | 100 | This entry holds the block size for simple paged results and VLV index searches when reading the changelog during a SyncOp operation. |
| changeNumberAttribute | changeNumber | This entry holds the name of the change number attribute used for the changelog. |
| Connector Name | org.identityconnectors.ldap.LdapConnector | This entry holds the name of the connector class. Do not modify this entry. |
| disabledValue | DISABLED | This entry specifies the value to use for the attribute defined by the enabledAttribute entry whenever an account is disabled. |
| enabledAttribute | orclIsEnabled | This entry holds the name of the attribute that is required to enable or disable accounts. |
| enabledValue | ENABLED | This entry specifies the value to use for the attribute defined by the enabledAttribute entry whenever an account is enabled. |
| enabledWhenNoAttribute | true | This entry defines whether the status is enabled or disabled when the attribute defined by enabledAttribute is not present in the entry. |
| objectClassesToSynchronize | "inetOrgPerson","groupOfNames","groupOfUniqueNames","OrganizationalUnit" | This entry holds the list of object classes to be synchronized. To be returned, a synchronized entry must have at least one object class from this list. If the list is empty or the code key is missing, then no filtering is performed on object classes. |
| uidAttribute | orclguid | This entry holds the LDAP attribute to which the Uid is mapped. |
| UsePagedResultControl | true | This entry specifies whether simple paged search is preferred over VLV index search when both are available. |
| User Configuration Lookup | Lookup.OID.UM.Configuration.Trusted | This entry holds the name of the lookup definition that contains user-specific configuration properties. Do not modify this entry. |
| readTimeout | 120000 milliseconds | This entry holds the value of the read timeout configuration property. The value can be increased or decreased if necessary. If this entry is not added to the configuration lookup definition, then the value is set to 60000 milliseconds by default. |
| connectTimeout | 120000 milliseconds | This entry holds the value of the connect timeout configuration property. The value can be increased or decreased if necessary. If this entry is not added to the configuration lookup definition, then the value is set to 60000 milliseconds by default. |
| referrals | ignore, follow, or throw | This entry holds the value of the referrals configuration property. If this entry is not added to the configuration lookup definition, then the value is set to ignore by default. |
This section describes the following lookup definitions for user operations:
The Lookup.OID.UM.Configuration lookup definition holds configuration entries that are specific to the user object type. This lookup definition is used during user management operations when your target system is configured as a target resource.
Table 6-3 lists the default entries in this lookup definition.
Table 6-3 Entries in the Lookup.OID.UM.Configuration Lookup Definition

| Code Key | Decode | Description |
|---|---|---|
| Provisioning Attribute Map | Lookup.OID.UM.ProvAttrMap | This entry holds the name of the lookup definition that maps process form fields and target system attributes. |
| Recon Attribute Map | Lookup.OID.UM.ReconAttrMap | This entry holds the name of the lookup definition that maps resource object fields and target system attributes. |
The Lookup.OID.UM.Configuration.Trusted lookup definition holds configuration entries that are specific to the user object type. This lookup definition is used during trusted source user reconciliation runs.
Table 6-4 lists the default entries in this lookup definition.
Table 6-4 Entries in the Lookup.OID.UM.Configuration.Trusted Lookup Definition

| Code Key | Decode | Description |
|---|---|---|
| Recon Attribute Defaults | Lookup.OID.UM.TrustedDefaults | This entry holds the name of the lookup definition that maps reconciliation fields to their default values. |
| Recon Attribute Map | Lookup.OID.UM.ReconAttrMap.Trusted | This entry holds the name of the lookup definition that maps resource object fields and target system attributes. |
The Lookup.OID.UM.ProvAttrMap lookup definition maps process form fields with OID attributes. This lookup definition is used for performing user provisioning operations.
Table 6-5 lists the user identity fields of the target system for which you can specify or modify values during provisioning operations.
Table 6-5 Entries in the Lookup.OID.UM.ProvAttrMap Lookup Definition

| Process Form Field | Target System Field |
|---|---|
| Common Name | cn |
| Container DN[IGNORE,LOOKUP] | ContainerDN |
| Department | departmentnumber |
| Email ID | |
| EndDate | orclActiveEndDate=End_Date!=null&&!End_Date.startsWith("1969-12-31")?Date.parse('yyyy-MM-dd', End_Date).format('yyyyMMddHHmmss') + 'Z':null |
| End Date[IGNORE] | enddate |
| First Name | givenname |
| Last Name | sn |
| Location | l |
| Login Disabled | __ENABLED__ |
| manager | manager |
| Middle Name | initials |
| Name | __NAME__="uid=${User_ID},${Container_DN}" |
| orclGuid | __UID__ |
| Password | __PASSWORD__ |
| Preferred Language | preferredlanguage |
| StartDate | orclActiveStartDate=Start_Date!=null&&!Start_Date.startsWith("1969-12-31")?Date.parse('yyyy-MM-dd', Start_Date).format('yyyyMMddHHmmss') + 'Z':null |
| Start Date[IGNORE] | startdate |
| Telephone | telephonenumber |
| Time Zone | orclTimeZone |
| Title | title |
| UD_OID_GRP | ldapGroups |
| User ID | uid |
The Lookup.OID.UM.ReconAttrMap lookup definition maps user resource object fields and target system attributes. This lookup definition is used for performing target resource user reconciliation runs.
In this lookup definition, entries are in the following format:
Code Key: Reconciliation field of the resource object
Decode: Name of the target system attribute
Table 6-6 lists the default entries in this lookup definition.
Table 6-6 Entries in the Lookup.OID.UM.ReconAttrMap Lookup Definition

| Code Key | Decode |
|---|---|
| Common Name | cn |
| Container DN[LOOKUP] | __parentDN__ |
| Department | departmentnumber |
| End Date[Date] | orclActiveEndDate=binding.variables.containsKey("orclActiveEndDate")&&orclActiveEndDate!=null?Date.parse('yyyyMMddHHmmss',orclActiveEndDate).getTime():null |
| First Name | givenname |
| Last Name | sn |
| Location | l |
| manager | manager |
| Middle Name | initials |
| orclGuid | __UID__ |
| Preferred Language | preferredlanguage |
| Start Date[Date] | orclActiveStartDate=binding.variables.containsKey("orclActiveStartDate")&&orclActiveStartDate!=null?Date.parse('yyyyMMddHHmmss',orclActiveStartDate).getTime():null |
| Status | __ENABLE__ |
| Telephone | telephonenumber |
| TimeZone | orclTimeZone |
| Title | title |
| UserGroup~GroupName[LOOKUP] | ldapGroups |
| User ID | uid |
The Lookup.OID.UM.ReconAttrMap.Trusted lookup definition maps user fields of the OIM User form with corresponding field names in the target system. This lookup definition is used for performing trusted source reconciliation runs.
Table 6-7 lists the default entries in this lookup definition.
Table 6-7 Entries in the Lookup.OID.UM.ReconAttrMap.Trusted Lookup Definition

| OIM User Form Field | Target System Field |
|---|---|
| First Name | givenname |
| Last Name | sn |
| Manager | manager=matcher=java.util.regex.Pattern.compile("uid=(\\w*).*").matcher(manager==null?"":manager);matcher.matches()?matcher[0][1]:null |
| Middle Name | initials |
| OrclGuid | __UID__ |
| Status[TRUSTED] | __ENABLE__ |
| User Login | uid |
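The Decode values in Tables 6-5, 6-6 and 6-7 that begin with an attribute name followed by `=` are Groovy transformation expressions evaluated by the connector. The following Python model is an added example, not connector or Oracle code: it reproduces what each expression computes so that the date sentinel handling and the manager-DN regex can be checked offline against sample values. The sample entry is constructed, and UTC is assumed where the real expressions use the JVM default time zone.

```python
"""Python model of the Groovy expressions in Tables 6-5, 6-6 and 6-7
(Lookup.OID.UM.ProvAttrMap, .ReconAttrMap, .ReconAttrMap.Trusted).
Added example, not connector code; UTC is fixed here, the real
expressions run in the JVM default time zone."""
import re
from datetime import datetime, timezone
from typing import Dict, Optional

# An unset process-form date reaches the expression as the epoch, which prints as 1969-12-31 west of UTC.
EPOCH_SENTINEL = "1969-12-31"

# Table 6-7 Manager pattern, used with matches(): the whole DN must be covered.
MANAGER_UID = re.compile(r"uid=(\w*).*")


def prov_active_date(form_date: Optional[str]) -> Optional[str]:
    """ProvAttrMap EndDate/StartDate: 'yyyy-MM-dd' -> 'yyyyMMddHHmmss' + 'Z'.
    Mirrors: X!=null && !X.startsWith("1969-12-31")
             ? Date.parse('yyyy-MM-dd', X).format('yyyyMMddHHmmss') + 'Z' : null
    Like SimpleDateFormat.parse, only the leading pattern is read; a value
    that does not start with a valid date raises and the task fails."""
    if form_date is None or form_date.startswith(EPOCH_SENTINEL):
        return None                      # null: the OID attribute is not written
    day = datetime.strptime(form_date[:10], "%Y-%m-%d")
    return day.strftime("%Y%m%d%H%M%S") + "Z"


def recon_active_date_millis(entry: Dict[str, Optional[str]], attr: str) -> Optional[int]:
    """ReconAttrMap Start/End Date[Date]: generalized time -> epoch milliseconds.
    Mirrors: binding.variables.containsKey(attr) && value!=null
             ? Date.parse('yyyyMMddHHmmss', value).getTime() : null
    Only the first 14 characters are parsed, so the trailing 'Z' of an OID
    value such as 20251231000000Z is ignored, as SimpleDateFormat does."""
    value = entry.get(attr)
    if value is None:
        return None
    stamp = datetime.strptime(value[:14], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(stamp.timestamp()) * 1000


def trusted_manager_login(manager_dn: Optional[str]) -> Optional[str]:
    """ReconAttrMap.Trusted Manager: extract the manager's login from its DN.
    Mirrors: Pattern.compile("uid=(\\w*).*").matcher(manager==null?"":manager);
             matcher.matches() ? matcher[0][1] : null
    \\w stops at '.', '-' and similar, so 'uid=jane.doe,...' yields 'jane' (a
    truncated, possibly wrong manager link), and the match is case-sensitive,
    so 'UID=...' yields null: verify real manager DNs against this pattern."""
    match = MANAGER_UID.fullmatch(manager_dn or "")
    return match.group(1) if match else None


# Constructed sample entry, shaped like what the connector hands to the recon expressions.
SAMPLE_ENTRY: Dict[str, Optional[str]] = {
    "uid": "jdoe",
    "orclActiveStartDate": "19700102000000Z",
    "orclActiveEndDate": "20251231000000Z",
    "manager": "uid=jane.doe,cn=Users,dc=example,dc=com",
}
```

Running `trusted_manager_login` over the manager values of a reconciled sample before a trusted run shows which DNs the default pattern cannot resolve, so the Manager mapping can be adjusted rather than silently linking users to the wrong manager.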
The Lookup.OID.UM.TrustedDefaults lookup definition holds mappings between reconciliation fields and their default values. This lookup definition is used when there is a mandatory field on the OIM User form but no corresponding field in the target system from which values can be fetched during trusted source reconciliation.
You can add entries to this lookup definition by ensuring that the Code Key and Decode values are in the following format:
Code Key: Name of the reconciliation field of the resource object
Decode: Corresponding default value to be displayed
Table 6-8 lists the default entries in this lookup definition.
Table 6-8 Entries in the Lookup.OID.UM.TrustedDefaults Lookup Definition

| Code Key | Decode |
|---|---|
| Employee Type | Full-Time |
| Organization | Xellerate Users |
| User Type | End-User |
This section describes the following lookup definitions for group operations:
The Lookup.OID.Group.Configuration lookup definition holds configuration entries that are specific to the group object type. This lookup definition is used during group management operations when your target system is configured as a target resource.
Table 6-9 lists the default entries in this lookup definition.
Table 6-9 Entries in the Lookup.OID.Group.Configuration Lookup Definition

| Code Key | Decode | Description |
|---|---|---|
| Provisioning Attribute Map | Lookup.OID.Group.ProvAttrMap | This entry holds the name of the lookup definition that maps process form fields and target system attributes. |
| Recon Attribute Map | Lookup.OID.Group.ReconAttrMap | This entry holds the name of the lookup definition that maps resource object fields and target system attributes. |
The Lookup.OID.Group.ProvAttrMap lookup definition holds mappings between process form fields and target system attributes. This lookup definition is used during group provisioning operations. This lookup definition is preconfigured.
Table 6-10 lists the default entries. You can add entries to this lookup definition if you want to map new target system attributes for provisioning.
Table 6-10 Entries in the Lookup.OID.Group.ProvAttrMap Lookup Definition

| Group Field on Oracle Identity Manager | Target System Field |
|---|---|
| Container DN[IGNORE,LOOKUP] | container |
| Group Name | cn |
| Name | __NAME__="cn=${Group_Name},${Container_DN}" |
| OrclGuid | __UID__ |
The Lookup.OID.Group.ReconAttrMap lookup definition holds mappings between resource object fields for groups and target system attributes. This lookup definition is used during reconciliation. This lookup definition is preconfigured.
Table 6-11 lists the default entries. You can add entries to this lookup definition if you want to map new target system attributes for reconciliation.
Table 6-11 Entries in the Lookup.OID.Group.ReconAttrMap Lookup Definition

| Group Field on Oracle Identity Manager | Target System Field |
|---|---|
| Container DN[LOOKUP] | __parentDN__ |
| Group Name | cn |
| OrclGuid | __UID__ |
| Org Name | __PARENTRDNVALUE__ |
This section describes the following lookup definitions for organizational unit operations:
The Lookup.OID.OU.Configuration lookup definition holds configuration entries that are specific to the organizational unit object type. This lookup definition is used during organizational unit management operations when your target system is configured as a target resource.
Table 6-12 lists the default entries in this lookup definition.
Table 6-12 Entries in the Lookup.OID.OU.Configuration Lookup Definition

| Code Key | Decode | Description |
|---|---|---|
| Provisioning Attribute Map | Lookup.OID.OU.ProvAttrMap | Lookup definition used during provisioning. |
| Recon Attribute Map | Lookup.OID.OU.ReconAttrMap | Lookup definition used during reconciliation. |
The Lookup.OID.OU.ProvAttrMap lookup definition maps process form fields for organizations and target system attributes. This lookup definition is used for performing organizational unit provisioning operations.
Table 6-13 lists the organizational unit fields of the target system for which you can specify or modify values during provisioning operations.
Table 6-13 Entries in the Lookup.OID.OU.ProvAttrMap Lookup Definition

| Organization Field on Oracle Identity Manager | Target System Field |
|---|---|
| Container DN[IGNORE,LOOKUP] | Not used. |
| Name | __NAME__="ou=${Organisation_Unit_Name},${Container_DN}" |
| OrclGuid | __UID__ |
| Organisation Unit Name | ou |
The Lookup.OID.OU.ReconAttrMap lookup definition is used during reconciliation. Table 6-14 lists the entries in this lookup definition.
Table 6-14 Entries in the Lookup.OID.OU.ReconAttrMap Lookup Definition

| Code Key | Decode |
|---|---|
| Container DN[LOOKUP] | __parentDN__ |
| OrclGuid | __UID__ |
| Organization Unit Name | ou |
| Org Name | __PARENTRDNVALUE__ |
Note:
Before you perform the following optional task, make sure that you have created, in Oracle Identity Manager, organizations with the same names as the corresponding organizations in the target system.
To reconcile users from an OID target system under their corresponding organizations in Oracle Identity Manager: