5 Using the Connector with Oracle Unified Directory

The chapter describes the following information about using the connector with Oracle Unified Directory (OUD):

• Configuring Secure Communications

• Preconfigured Lookup Definitions for an OUD Target System

• Reconciling OUD Users Under Their Corresponding Organizations in Oracle Identity Manager

• Reconciling OUD Groups Under One Organization in Oracle Identity Manager

• Reconciling Newly Created Objects for an OUD Target System

• Guidelines on Using the Connector for Dynamic and Virtual Static Groups

5.1 Configuring Secure Communications

To provide secure communications to the OUD target system, configure SSL between Oracle Identity Manager, the Connector Server, and the OUD target system.

For more information, see Configuring SSL for the Connector.

5.2 Preconfigured Lookup Definitions for an OUD Target System

This section discusses the other lookup definitions that are created in Oracle Identity Manager when you deploy the connector for the OUD target system. These lookup definitions are either prepopulated with values or values must be manually entered in them after the connector is deployed. The other lookup definitions are as follows:

• Lookup.LDAP.OUD.Configuration

• Lookup.LDAP.OUD.Configuration.Trusted

• Preconfigured Lookup Definitions for User Operations

• Preconfigured Lookup Definitions for Group Operations

• Preconfigured Lookup Definitions for Organizational Unit Operations

5.2.1 Lookup.LDAP.OUD.Configuration

The Lookup.LDAP.OUD.Configuration lookup definition holds connector configuration entries that are used during target resource reconciliation and provisioning operations.

Table 5-1 lists the default entries in this lookup definition.

Table 5-1 Entries in the Lookup.LDAP.OUD.Configuration Lookup Definition

Code Key	Decode	Description
accountObjectClasses	"top","person", "organizationalPerson","inetOrgPerson"	This entry holds the list of object classes required for a USER object.
accountSearchFilter	objectClass=*	This entry holds a search filter that any account needs to match in order to be returned.
accountSynchronizationFilter	objectClass=*	This entry holds a filter for all of the entries returned during the SyncOp operation that must match.
accountUserNameAttribute	cn	This entry holds attributes that contain the name of a USER object.
Any Incremental Recon Attribute Type	true	This entry indicates that any format of token is accepted during reconciliation.
attributesToSynchronize	"cn","uid"	This entry holds the list of attributes to return whenever a SyncOp is run.
blockSize	100	This entry holds the block size for simple paged results and VLV index searches.
Bundle Name	org.identityconnectors.ldap	This entry holds the name of the connector bundle package. Do not modify this entry.
Bundle Version	1.0.6380	This entry holds the version of the connector bundle class. Do not modify this entry.
changelogBaseDN	cn=changelog	This entry holds the baseDN where the connector is to find the changelog attribute value.
changeLogBlockSize	100	This entry holds the block size for simple paged results and VLV index searches when reading changelog during a SyncOp operation.
changelogUidAttribute	targetEntryUUID	This entry holds the name of the attribute that contains the uniqueId of the modified entry in the changelog.
changeNumberAttribute	changelogcookie	This entry holds the attribute name used for changelog.
Connector Name	org.identityconnectors.ldap.LdapConnector	This entry holds the name of the connector class. Do not modify this entry.
disabledRoleName	cn=nsmanageddisabledrole,dc=example,dc=com	This entry holds the name of the role that must be present in the entry when an account is disabled and that the enabledBaseOnRole is set to TRUE.
enabledAttribute	ds-pwp-account-disabled	This entry holds the name of the attribute that is required to enable or disable accounts.
enabledValue	FALSE	This entry specifies the value to use for the attribute defined by the enabledAttribute property whenever an account is enabled.
disabledValue	true	This entry specifies the value to use for the attribute defined by the enabledAttribute property whenever an account is disabled.
enabledWhenNoAttribute	true	This entry defines if the status must be enabled or disabled when the property defined in enabledAttribute is not present in the entry.
enabledBasedOnRole	false	This entry specifies whether enabling or disabling a user must be controlled by a role instead of the enabledAttribute attribute. When you set the value of this entry to true, it takes precedence over all the other enabled or disabled-related flags.
filterWithOrInsteadOfAnd	false	This entry specifies whether the changelog filter is built using an OR or AND filter. Enter true if the changelog filter is built using an OR filter instead of AND filter. Otherwise, enter false. An OR filter is in the following the following format: (|(changeNumber=1) (changeNumber=2) . . . (changeNumber=xxx)) An AND filter is of the following format: (&(changeNumber>=0) (changeNumber<=xxx))
Group Configuration Lookup	Lookup.LDAP.Group.Configuration	This entry holds the name of the lookup definition that contains group-specific configuration properties. This lookup definition is used as the configuration lookup definition when you perform reconciliation of groups. Do not modify this entry.
groupMemberAttribute	uniqueMember	This entry holds the LDAP attribute that stores the member for non-POSIX static groups.
groupObjectClasses (optional)	"top","groupOfUniqueNames"	This entry holds the list of object classes required for a GROUP object. Note: By default, the connector uses groupOfUniqueNames as the object class for groups. If you want to use other object classes for groups, then modify the decode value by replacing "groupOfUniqueNames" with the name of the other object class. For example, if you want to use the groupOfNames object class, then change the decode value to "top","groupOfNames".
ldapGroupFilterBehavior	accept	This entry specifies the behavior for an LDAP group filter.
ldapGroupMembershipAttribute	ismemberof	This entry specifies the value for the LDAP group membership attribute.
maintainLdapGroupMembership	true	This entry specifies whether the connector modifies group membership of renamed or deleted user entries.
maintainPosixGroupMembership	false	This entry specifies whether the connector modifies POSIX group membership of renamed or deleted user entries.
objectClassesToSynchronize	"inetOrgPerson","groupOfNames","groupOfUniqueNames","organizationalUnit"	This entry holds the list of object classes to be synchronized. Any synchronized entry in order to be returned must have at least one object class from this list. If this list of object classes is empty or the code key is missing, then no filtering is performed on the object classes.
OU Configuration Lookup	Lookup.LDAP.OU.Configuration	This entry holds the name of the lookup definition that contains organization-specific configuration properties. This lookup definition is used as the configuration lookup definition when you perform reconciliation of organizational units. Do not modify this entry.
passwordAttribute	userPassword	This entry holds the name of the attribute to which the predefined PASSWORD attribute is written to.
readSchema	true	This entry specifies whether the schema must be read from the server.
removeLogEntryObjectClassFromFilter	true	This entry specifies whether the changelog filter contains a condition on the changelog objectclass.
respectResourcePasswordPolicyChangeAfterReset	true	Enter TRUE as the decode value if the connector throws exceptions (for example, PasswordExpiredException) appropriately when binding check for the Password Expired control and Password Policy control. Otherwise, enter FALSE.
Role Configuration Lookup	Lookup.LDAP.Role.Configuration	This entry holds the name of the lookup definition that contains role-specific configuration properties. This lookup definition is used as the configuration lookup definition when you perform reconciliation of roles. Do not modify this entry.
standardChangelog	false	This entry specifies how the connector accesses the changelog attribute: true: The connector retrieves changes using the changelog mechanism described in the draft RFC (http://tools.ietf.org/html/draft-good-ldap-changelog-04). false: The connector uses optimized (or non-standard) access based on LDAP control and a cookie. Note. Set this entry to false only for an OUD target system. For other target systems, this value must be set the true.
synchronizeWithModifyTimestamps	false	This property specifies whether the connector must use the modify timestamps attribute instead of the changelog attribute during a SyncOp operation.
uidAttribute	entryUUID	This entry holds the LDAP attribute to which the predefined UID attribute must be mapped to.
usePagedResultControl	true	This entry specifies whether simple paged search is preferred over VLV index search when both are available.
User Configuration Lookup	Lookup.LDAP.UM.Configuration	This entry holds the name of the lookup definition that contains user-specific configuration properties. This lookup definition is used as the configuration lookup definition when you perform reconciliation of users. Do not modify this entry.
vlvSortAttribute	uid	This entry holds the attribute used as the sort key for the VLV index.
readTimeout	120000 milliseconds	This property holds the value for the read timeout configuration property. These values can be increased or decreased if necessary. If this property is not added in the configuration lookup definition, then the value is set to 60000 milliseconds by default.
connectTimeout	120000 milliseconds	This property holds the value for the connect timeout configuration property. These values can be increased or decreased if necessary.If this property is not added in the configuration lookup definition, then the value is set to 60000 milliseconds by default.
referrals	ignore, follow, or throw	This property holds the value for the read referrals configuration property. If this property is not added in the configuration lookup definition, then the value is set to ignore by default.

5.2.2 Lookup.LDAP.OUD.Configuration.Trusted

The Lookup.LDAP.OUD.Configuration.Trusted lookup definition holds connector configuration entries that are used during trusted source.

Table 5-2 lists the default entries in this lookup definition.

Table 5-2 Entries in the Lookup.LDAP.OUD.Configuration.Trusted Lookup Definition

Code Key	Decode	Description
accountObjectClasses	"top","person", "organizationalPerson","inetOrgPerson"	This entry holds the list of object classes required for a USER object.
Bundle Name	org.identityconnectors.ldap	This entry holds the name of the connector bundle package. Do not modify this entry.
Bundle Version	1.0.6380	This entry holds the version of the connector bundle class. Do not modify this entry.
Any Incremental Recon Attribute Type	true	This entry indicates that any format of token is accepted during reconciliation.
changeLogBlockSize	100	This entry holds the block size for simple paged results and VLV index searches when reading changelog during a SyncOp operation.
changeNumberAttribute	changelogcookie	This entry holds the attribute name used for changelog.
Connector Name	org.identityconnectors.ldap.LdapConnector	This entry holds the name of the connector class. Do not modify this entry.
disabledValue	true	This entry specifies the value to use for the attribute defined by the enabledAttribute property whenever an account is disabled.
enabledAttribute	ds-pwp-account-disabled	This entry holds the name of the attribute that is required to enable or disable accounts.
enabledValue	false	This entry specifies the value to use for the attribute defined by the enabledAttribute property whenever an account is enabled.
enabledWhenNoAttribute	true	This entry defines if the status must be enabled or disabled when the property defined in enabledAttribute is not present in the entry.
objectClassesToSynchronize	"inetOrgPerson","groupOfNames","groupOfUniqueNames","organizationalUnit"	This entry holds the list of object classes to be synchronized. Any synchronized entry in order to be returned must have at least one object class from this list. If this list of object classes is empty or the code key is missing, then no filtering is performed on the object classes.
uidAttribute	entryUUID	This entry holds the LDAP attribute to which the UID must be mapped to.
usePagedResultControl	true	This entry specifies whether simple paged search is preferred over VLV index search when both are available.
User Configuration Lookup	Lookup.LDAP.UM.Configuration.Trusted	This entry holds the name of the lookup definition that contains user-specific configuration properties. Do not modify this entry.
readTimeout	120000 milliseconds	This property holds the value for the read timeout configuration property. These values can be increased or decreased if necessary. If this property is not added in the configuration lookup definition, then the value is set to 60000 milliseconds by default.
connectTimeout	120000 milliseconds	This property holds the value for the connect timeout configuration property. These values can be increased or decreased if necessary.If this property is not added in the configuration lookup definition, then the value is set to 60000 milliseconds by default.
referrals	ignore, follow, or throw	This property holds the value for the read referrals configuration property. If this property is not added in the configuration lookup definition, then the value is set to ignore by default.

5.2.3 Preconfigured Lookup Definitions for User Operations

This section discusses the following lookup definitions for user operations:

• Lookup.LDAP.UM.Configuration

• Lookup.LDAP.UM.Configuration.Trusted

• Lookup.LDAP.UM.ProvAttrMap

• Lookup.LDAP.UM.ReconAttrMap

• Lookup.LDAP.UM.ProvValidation

• Lookup.LDAP.UM.ReconTransformation

• Lookup.LDAP.UM.ReconValidation

• Lookup.LDAP.UM.ReconAttrMap.Trusted

• Lookup.LDAP.UM.TrustedDefaults

5.2.3.1 Lookup.LDAP.UM.Configuration

The Lookup.LDAP.UM.Configuration lookup definition holds configuration entries that are specific to the user object type. This lookup definition is used during user management operations when your target system is configured as a target resource.

Table 5-3 lists the default entries in this lookup definition.

Table 5-3 Entries in the Lookup.LDAP.UM.Configuration Lookup Definition

Code Key	Decode	Description
Provisioning Attribute Map	Lookup.LDAP.UM.ProvAttrMap	This entry holds the name of the lookup definition that maps process form fields and target system attributes. See Lookup.LDAP.UM.ProvAttrMap for more information about this lookup definition.
Recon Attribute Map	Lookup.LDAP.UM.ReconAttrMap	This entry holds the name of the lookup definition that maps resource object fields and target system attributes. See Lookup.LDAP.UM.ReconAttrMap for more information about this lookup definition.
Recon Transformation Lookup Note: This entry does not exist by default. You must add it if you want to enable transformation during reconciliation.	Lookup.LDAP.UM.ReconTransformation	This entry holds the name of the lookup definition that is used to configure transformation of attribute values that are fetched from the target system during user reconciliation. See Configuring Transformation of Data During Reconciliation for more information about adding entries in this lookup definition.
Recon Validation Lookup Note: This entry does not exist by default. You must add it if you want to enable validation during reconciliation.	Lookup.LDAP.UM.ReconValidation	This entry holds the name of the lookup definition that is used to configure validation of attribute values that are fetched from the target system during reconciliation. See Configuring Validation of Data During Reconciliation and Provisioning for more information about adding entries in this lookup definition.
Provisioning Validation Lookup Note: This entry does not exist by default. You must add it if you want to enable validation during provisioning.	Lookup.LDAP.UM.ProvValidation	This entry holds the name of the lookup definition that is used to configure validation of attribute values entered on the process form during provisioning operations. See Configuring Validation of Data During Reconciliation and Provisioning for more information about adding entries in this lookup definition.

5.2.3.2 Lookup.LDAP.UM.Configuration.Trusted

The Lookup.LDAP.UM.Configuration.Trusted lookup definition holds configuration entries that are specific to the user object type. This lookup definition is used during trusted source user reconciliation runs.

Table 5-4 lists the default entry in this lookup definition.

Table 5-4 Entries in the Lookup.LDAP.UM.Configuration.Trusted Lookup Definition

Code Key	Decode	Description
Recon Attribute Defaults	Lookup.LDAP.UM.TrustedDefaults	This entry holds the name of the lookup definition that maps reconciliation fields to their default values. See Lookup.LDAP.UM.TrustedDefaults for more information.
Recon Attribute Map	Lookup.LDAP.UM.ReconAttrMap.Trusted	This entry holds the name of the lookup definition that maps resource object fields and target system attributes. See Lookup.LDAP.UM.ReconAttrMap for more information about this lookup definition.

5.2.3.3 Lookup.LDAP.UM.ProvAttrMap

The Lookup.LDAP.UM.ProvAttrMap lookup definition maps process form fields with OUD target system attributes. This lookup definition is used for performing user provisioning operations.

For the default user fields that you can specify or modify values during provisioning operations, see User Fields for Provisioning an OUD Target System.

You can also add entries in this lookup definition if you want to map new target system attributes for provisioning. See Extending the Functionality of the Connector for more information.

5.2.3.4 Lookup.LDAP.UM.ReconAttrMap

The Lookup.LDAP.UM.ReconAttrMap lookup definition holds mappings between resource object fields and target system attributes. This lookup definition is used during reconciliation.

For the default user fields that you can specify or modify values during reconciliation operations, see User Fields for Target Resource Reconciliation.

You can also add entries in this lookup definition if you want to map new target system attributes for reconciliation. See Extending the Functionality of the Connector for more information.

5.2.3.5 Lookup.LDAP.UM.ProvValidation

The Lookup.LDAP.UM.ProvValidation lookup definition is used to configure validation of attribute values entered on the process form during provisioning operations. See Configuring Validation of Data During Reconciliation and Provisioning for more information about adding entries in this lookup definition.

5.2.3.6 Lookup.LDAP.UM.ReconTransformation

The Lookup.LDAP.UM.ReconTransformation lookup definition is used to configure transformation of attribute values that are fetched from the target system during user reconciliation. See Configuring Transformation of Data During Reconciliation for more information about adding entries in this lookup definition.

5.2.3.7 Lookup.LDAP.UM.ReconValidation

The Lookup.LDAP.UM.ReconValidation lookup definition is used to configure validation of attribute values that are fetched from the target system during reconciliation. See Configuring Validation of Data During Reconciliation and Provisioning for more information about adding entries in this lookup definition.

5.2.3.8 Lookup.LDAP.UM.ReconAttrMap.Trusted

The Lookup.LDAP.UM.ReconAttrMap.Trusted lookup definition holds mappings between resource object fields and target system attributes. This lookup definitions is used during trusted source user reconciliation runs. This lookup definition is preconfigured.Table 1-33 lists the default entries.

You can add entries in this lookup definitions if you want to map new target system attributes for reconciliation. See Extending the Functionality of the Connector for more information.

5.2.3.9 Lookup.LDAP.UM.TrustedDefaults

The Lookup.LDAP.UM.TrustedDefaults lookup definition holds mappings between reconciliation fields and their default values. This lookup definition is used when there is a mandatory field on the OIM User form, but no corresponding field in the target system from which values can be fetched during trusted source reconciliation.

You can add entries to this lookup definition by ensuring that the Code Key and Decode values are in the following format:

• Code Key: Name of the reconciliation field of the resource object

• Decode: Corresponding default value to be displayed

For example, the Employee Type field is a mandatory field on the OIM User form. However, on the target system, there is no information about the employee type for a user account. During reconciliation, as the Employee Type field cannot be left empty, you must specify a value for this field. Therefore, the Decode value of the Employee Type Code Key has been set to Full-Time. This implies that the value of the Employee Type field on the OIM User form displays Full-Time for all user accounts reconciled from the target system.

This lookup definition is preconfigured. Table 5-5 lists the default entries.

Table 5-5 Entries in the Lookup.LDAP.UM.TrustedDefaults Lookup Definition

Code Key	Decode
Employee Type	Full-Time
Organization	Xellerate Users
User Type	End-User

5.2.4 Preconfigured Lookup Definitions for Group Operations

This section discussed the following lookup definitions for group operations:

• Lookup.LDAP.Group.Configuration

• Lookup.LDAP.Group.ProvAttrMap

• Lookup.LDAP.Group.ReconAttrMap

5.2.4.1 Lookup.LDAP.Group.Configuration

The Lookup.LDAP.Group.Configuration lookup definition holds configuration entries that are specific to the group object type. This lookup definition is used during group management operations when your target system is configured as a target resource.

Table 5-6 lists the default entries in this lookup definition.

Table 5-6 Entries in the Lookup.LDAP.Group.Configuration Lookup Definition

Code Key	Decode	Description
Provisioning Attribute Map	Lookup.LDAP.Group.ProvAttrMap	This entry holds the name of the lookup definition that maps process form fields and target system attributes. See Lookup.LDAP.Group.ProvAttrMap for more information about this lookup definition.
Recon Attribute Map	Lookup.LDAP.Group.ReconAttrMap	This entry holds the name of the lookup definition that maps resource object fields and target system attributes. See Lookup.LDAP.Group.ReconAttrMap for more information about this lookup definition.

5.2.4.2 Lookup.LDAP.Group.ProvAttrMap

The Lookup.LDAP.Group.ProvAttrMap lookup definition holds mappings between process form fields and target system attributes. This lookup definition is used during group provisioning operations.

This lookup definition is preconfigured. Table 1-25 lists the default entries.

You can add entries in this lookup definitions if you want to map new target system attributes for provisioning. See Adding Custom Fields for Provisioning for more information.

5.2.4.3 Lookup.LDAP.Group.ReconAttrMap

The Lookup.LDAP.Group.ReconAttrMap lookup definition holds mappings between resource object fields for groups and target system attributes. This lookup definition is used during reconciliation.

This lookup definition is preconfigured. Table 1-8 lists the default entries.

You can add entries in this lookup definitions if you want to map new target system attributes for reconciliation. See Adding Custom Fields for Target Resource Reconciliation for more information.

5.2.5 Preconfigured Lookup Definitions for Organizational Unit Operations

This section discusses the following lookup definitions for organizational unit operations:

• Lookup.LDAP.OU.Configuration

• Lookup.LDAP.OU.ProvAttrMap

• Lookup.LDAP.OU.ReconAttrMap

5.2.5.1 Lookup.LDAP.OU.Configuration

The Lookup.LDAP.OU.Configuration lookup definition holds configuration entries that are specific to the organizational unit object type. This lookup definition is used during organizational unit management operations when your target system is configured as a target resource.

Table 5-7 lists the default entry in this lookup definition.

Table 5-7 Entries in the Lookup.LDAP.OU.Configuration Lookup Definition

Code Key	Decode	Description
Provisioning Attribute Map	Lookup.LDAP.OU.ProvAttrMap	This entry holds the name of the lookup definition that maps process form fields and target system attributes. See Lookup.LDAP.OU.ProvAttrMap for more information about this lookup definition.
Recon Attribute Map	Lookup.LDAP.OU.ReconAttrMap	This entry holds the name of the lookup definition that maps process form fields and target system attributes. See Lookup.LDAP.OU.ReconAttrMap for more information about this lookup definition.

5.2.5.2 Lookup.LDAP.OU.ProvAttrMap

The Lookup.LDAP.OU.ProvAttrMap lookup definition holds mappings between process form fields and target system attributes. This lookup definition is used during provisioning.

This lookup definition is preconfigured. Table 1-30 lists the default entries.

You can add entries in this lookup definitions if you want to map new target system attributes for provisioning. See Extending the Functionality of the Connector for more information.

5.2.5.3 Lookup.LDAP.OU.ReconAttrMap

The Lookup.LDAP.OU.ReconAttrMap lookup definition maps process form fields and target system attributes. This lookup definition is used during reconciliation.

This lookup definition is preconfigured. Table 1-13 lists the default entries.

You can add entries in this lookup definitions if you want to map new target system attributes for provisioning. See Extending the Functionality of the Connector for more information.

5.3 Reconciling OUD Users Under Their Corresponding Organizations in Oracle Identity Manager

Note:

Before you perform the following optional task, make sure you have created the corresponding organizations with the same names from the target system in Oracle Identity Manager.

To reconcile users from an OUD target system under their corresponding organizations in Oracle Identity Manager:

1. Log in to Oracle Identity Manager Design Console.
2. Find the Lookup.LDAP.UM.ReconAttrMap.Trusted lookup.
3. Add the following entry:

   • code: Organization

   • decode: __PARENTRDNVALUE__

5.4 Reconciling OUD Groups Under One Organization in Oracle Identity Manager

To configure OUD groups to be reconciled under one organization:

1. Log in to Oracle Identity Manager Design Console.
2. Find the Lookup.LDAP.Group.Configuration lookup.
3. Add a new entry such as the following:

   • code: Recon Attribute Defaults

   • decode: Lookup.LDAP.Group.Defaults

   Note that the decode value is an example, and you can set your own lookup name.

4. Create the new Lookup.LDAP.Group.Defaults lookup (specified in the previous step).
5. Add a new entry:

   • code: Org Name

   • decode: Group1

   The decode value is the name of the Oracle Identity Manager organization under which all groups will be reconciled.

6. Find the Lookup.LDAP.Group.ReconAttrMap lookup.
7. Delete the row with the code Org Name.
8. Find the reconciliation rule LDAP Group Recon.
9. Change the current rule Organization Name Equals Group Name to Organization Name Equals Org Name by double clicking the rule element and changing the Group Name attribute to Org Name.
10. Save the rule.
11. Open the LDAP Group resource object and click Create Reconciliation Profile.

5.5 Reconciling Newly Created Objects for an OUD Target System

An OUD target system has a specific behavior with respect to the modifyTimestamp attribute. When a new object such as a user, OU, or group is created on the OUD target, only createTimestamp is updated and not modifyTimestamp.

Consequently, when you run a search reconciliation with modifyTimestamp in Incremental Recon Attribute, the reconciliation events are not created for new objects. In this case, you must run reconciliation with createTimestamp in Incremental Recon Attribute.

Create a new scheduled job to reconcile newly created objects separately, as follows:

1. Go to Advanced / Search Scheduled Jobs.
2. Create new scheduled job.
3. Set the job name depending on the object type you want to reconcile (User, OU, or Group). For example, "OUD New Users Search Reconciliation".
4. Set the Task to LDAP Connector Search Incremental Reconciliation.
5. Set the Retries and Schedule Type as required by your deployment.
6. Set the Incremental Recon Attribute to createTimestamp.
7. Set the IT Resource Name to the IT resource name you are using.
8. Set Object Type to User, OU or Group, depending on the object type you want to reconcile.
9. Set Resource Object Name to LDAP User, LDAP Organisation Unit, or LDAP Group, depending on the object type you want to reconcile.
10. Set the Scheduled Task Name to the same value you specified in Step 3.
11. Click Apply to save the job.

5.6 Guidelines on Using the Connector for Dynamic and Virtual Static Groups

This connector does not support dynamic and virtual static groups in LDAP, by default. If you want to use the connector for dynamic or virtual static groups, then you must apply the following guidelines:

• Ensure referential integrity in OUD is enabled.

• Set the value of the maintainLdapGroupMembership entry in the Lookup.LDAP.OUD.Configuration lookup definition to false.