25 Configuring LDAP Container Rules

In earlier releases of Oracle Identity Manager, the role name (UGP.UGP_NAME in the database) is unique. This is a limitation because many roles can exist in large enterprises, and as a result, administrators may need to create two or more roles in Oracle Identity Manager with the same name but for different purposes.

Oracle Identity Manager can be installed with LDAP synchronization enabled. When roles are coming from LDAP via reconciliation, it is possible that two or more roles have the same name. LDAP supports two roles with the same name if the roles are located under two different Organization Units (OUs).

In Oracle Identity Manager 11g Release 2 (11.1.2.1.0), namespaces are introduced to handle two roles with the same name. Roles with the same name are supported if the roles are in different namespaces. However, two or more roles with the same name in the same namespace are not supported.

When LDAP is integrated with Oracle Identity Manager, the namespace maps to an OU. In the default configuration, there is only one namespace, called Default, and therefore role names are unique. To configure multiple namespaces, you must create an XML file called LDAPContainerRules.xml and load it in the metadata store (MDS). The LDAPContainerRules.xml file also specifies the namespace of a role based on the role attributes.

When LDAP synchronization is enabled and a user is to be created, a plug-in determines the container in which the user is to be created. Similarly, if a role is to be created, the same plug-in determines the container in which the role is to be created. For this, Oracle Identity Manager calls a plug-in that implements the oracle.iam.ldapsync.LDAPContainerMapper interface. All the attributes of the user or role are passed to the plug-in, and it returns the Distinguished Name (DN) of the LDAP container. You can write your own plug-in, register the plug-in with Oracle Identity Manager, and then configure Oracle Identity Manager to use the plug-in by setting the LDAPContainerMapperPlugin system property. See "System Properties in Oracle Identity Manager" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for information about this system property.

Oracle Identity Manager provides a default plug-in that determines the LDAP container for a user or role based on the user or role attributes that are synchronized to LDAP. The default plug-in reads the rules from an XML file to determine the LDAP container. The XML file must be deployed to MDS as /db/LDAPContainerRules.xml. When Oracle Identity Manager is installed with LDAP synchronization enabled, the installer asks for user and role container values. These values are stored in the /db/LDAPContainerRules.xml file in the containers for which the expression is Default. The following is an example:

<container-rules>
  <user>
    <rule>
      <expression>Country=US, Locality Name=AMER</expression>
      <container>l=amer,dc=oracle,dc=com</container>
    </rule>
    <rule>
      <expression>Country=IN, Locality Name=APAC</expression>
      <container>l=apac,dc=oracle,dc=com</container>
    </rule>
    <rule>
      <expression>Default</expression>
      <container>l=users,dc=oracle,dc=com</container>
    </rule>
  </user>
  <role>
    <rule>
      <expression>Role Description=AMER</expression>
      <description>AMER</description>
      <container>l=amer,ou=role,dc=oracle,dc=com</container>
    </rule>
    <rule>
      <expression>Role Description=APAC</expression>
      <description>APAC</description>
      <container>l=apac,ou=role,dc=oracle,dc=com</container>
    </rule>
    <rule>
      <expression>Default</expression>
      <description>Default</description>
      <container>l=roles,dc=oracle,dc=com</container>
    </rule>
  </role>
</container-rules>

In the LDAPContainerRules.xml file, each rule contains the following sections:

  • Expression: This specifies the actual rule that you use to find the namespace and the OU for LDAP.

    The <expression> tag must be defined based on user or role attributes. Only the equal to (=) operator is supported in the <expression> tag. The expression can be based on multiple attributes, as shown in the example, and the LDAP container is determined by an AND operation over all the defined attributes. If none of the rules is satisfied, the user or role is put in the container for which the expression is Default.

  • Description: This is the namespace that is used for the Role Namespace attribute.

    The description (namespace) associated with the default expression always uses Default. By default, roles do not have many attributes for creating meaningful expressions. Therefore, you need to add a new User Defined Field (UDF) attribute, for instance, a Role Location attribute. In this example, the Role Description attribute is used to define the rule.

  • Container: This is the OU that is used to figure out where to create the user or role in LDAP.

    Suppose a user is to be created with the attributes Country=US and Locality Name=AMER. This user would be created in the container l=amer,dc=oracle,dc=com. If a user is to be created with Country=France and Locality Name=FR, it would be created in the container l=users,dc=oracle,dc=com, because no expression matches these two attributes and therefore the default container is selected.