3 Configuring the UNIX Connector

While creating a target or an authoritative application, you must configure connection-related parameters that the connector uses to connect Oracle Identity Governance with your target system and perform connector operations. In addition, you can view and edit attribute mappings between the process form fields in Oracle Identity Governance and target system columns, predefined correlation rules, situations and responses, and reconciliation jobs.

3.1 Basic Configuration Parameters

These are the connection-related parameters that Oracle Identity Governance requires to connect to UNIX. These parameters are common for both target applications and authoritative applications.

Table 3-1 Basic Configuration Parameters for UNIX

Parameter Mandatory? Description

host

Yes

Host name or the IP address of the target system computer

loginUser

Yes

User ID of the administrator to perform connector operations

Sample value: root or jdoe

Here, jdoe can be the SUDO user ID, for the SUDO Admin mode. Alternatively, on Solaris, it can be the user ID of the account to which you assign the minimum privileges required to perform connector operations. See Creating a Target System SUDO User Account for Connector Operations for more information.

loginUserpassword

Yes

Password of the administrator

loginShellPrompt

No

Shell prompt that you encounter when you log in to the target system using the loginUser account

Default value: [#$]

Note: This value is a regular expression. By default, the connector works if the shell prompt on the target system is either # or $.

However, if the shell prompt is different, for example >, then you must change the value of this parameter to the actual prompt.

To determine the loginShellPrompt value, perform the following steps on the target system:

  1. Log in to the target system using the user and the password specified in the loginUser and loginUserPassword parameters.

    Note the login prompt. For example, #.

  2. Run the sh command.

    Note the shell prompt, if it is different from the previous prompt. For example, $.

  3. Run the sudo -k command.

    Note the shell prompt, if it is different from the previous prompt. For example, $.

  4. Run the sudo -v command.

    This will prompt you for the password if loginUser is a SUDO user. Enter the password and continue. Note the shell prompt, if it is different from the previous prompt. For example, $.

  5. Run the sudo -s command.

    Note the shell prompt, if it is different from the previous prompt. For example, $.

For the values shown in the examples, the loginShellPrompt parameter value should be [#$]. In addition, if the shell prompt displayed in any of the previous steps is similar to home/jdoe>, then the prompt is > (not the entire string, home/jdoe>).

port

No

Port at which the SSH or Telnet service is running on the server

Default value for SSH: 22

Default value for Telnet: 23

Connector Server Name

No

Name of the IT resource of type "Connector Server".

By default, this field is blank.

If you use a Connector Server, then a default IT resource is created during application creation whose default value is: UNIX Connector Server

connectionType

No

Protocol used by the connector to connect to the target system

The connector supports the following connection types:

  • SSH - Used for SSH with password-based authentication.

  • SSHPUBKEY - Used for SSH with key-based authentication.

  • TELNET - Used for Telnet connection.

Default value: SSH

connectorPrompt

No

Shell prompt set by the connector for its operations on the target system

Default value: #@#

Note: If this value occurs in user login names, comment fields, directory names, and so on, some connector operations may be affected.

In such a case, the value for the connector prompt can be changed to a value that does not occur in the names.

passphrase

No

Passphrase for the key file to use with key-based authentication

Note: You must provide a passphrase if you use key-based authentication.

propertyFileName

No

Relative path of the ScriptProperties.properties file of the target system

You can leave this field blank if you want to use the default scripts. However, if you want to use custom scripts other than the OOTB scripts, then you must provide a value for this field.

The connector will try to determine the path of the properties file by running the uname -a command on the target system. If the connector is unable to determine an appropriate value (when an exception is encountered), then it will display the following error message:

Unable to determine UNIX Type. Please provide property file name in IT Resource.

In the case of an error message, enter one of the following values (or a different path if you want to use customized scripts) depending on the target system and the user account:

  • scripts/solaris/sudo/ScriptProperties.properties

  • scripts/solaris/nonsudo/ScriptProperties.properties

  • scripts/linux/sudo/ScriptProperties.properties

  • scripts/linux/nonsudo/ScriptProperties.properties

  • scripts/aix/sudo/ScriptProperties.properties

  • scripts/aix/nonsudo/ScriptProperties.properties

  • scripts/hpux/sudo/ScriptProperties.properties

  • scripts/hpux/nonsudo/ScriptProperties.properties

rbacAuthorization

No

Indicates whether the user provided in the loginUser parameter is a RBAC user

Default value: false

See Creating an RBAC User Account for Connector Operations on Solaris for more information.

rbacRoleName

No

If you specify the rbacAuthorization parameter as true, then enter the name of the role assigned to the RBAC user. Otherwise, do not specify a value for this parameter.

rbacRolePassword

No

If you specify the rbacAuthorization parameter as true, then enter the password of the role assigned to the RBAC user. Otherwise, do not specify a value for this parameter.

sudoAuthorization

No

Indicates whether the user provided in the loginUser parameter is a SUDO user

Default value: false

3.2 Advanced Settings Parameters

These are the configuration-related entries that the connector uses during reconciliation and provisioning operations. Unless specified, the parameters in the table are applicable to both target and authoritative applications.

Table 3-2 Advanced Settings Parameters for UNIX

Parameter Mandatory? Description

Connector Name

Yes

This parameter holds the name of the connector class.

Default value: org.identityconnectors.genericunix.GenericUnixConnector

defaultConnectorShell

No

This is the defaultShell used for connector operations.

Do not modify this entry unless you are using RBAC.

Default value: sh

Note: If you are using RBAC, then the decode value must be changed from sh to pfsh.

Bundle Name

Yes

Name of the connector bundle package.

Default value: org.identityconnectors.genericunix

Do not modify this entry.

Bundle Version

Yes

Version of the connector bundle class.

Do not modify this entry.

Default value: 12.3.0

targetDateFormat

No

Format of the date on the target system as: MM/dd/yy

Note: You must enter the correct Java date format for the target system. An incorrect format may affect provisioning of the Expire Date attribute.

For information about the date format, see http://docs.oracle.com/javase/6/docs/api/java/text/SimpleDateFormat.html and http://docs.oracle.com/javase/6/docs/api/java/text/DateFormat.html.

whitelistRegex

No

Specifies characters that are allowed as a part of the field values.

For example:

The regular expression, [A-Za-z0-9_//]*, allows all alphanumeric, underscore, and forward slash characters. You can add more characters if needed.

Note: For information about the supported regular expressions, you can refer to a guide such as http://www.zytrax.com/tech/web/regex.htm

This regular expression does not apply to the GECOS field, which can have any characters.

sudoPasswdExpectExpression

No

Regular expression for the password prompt displayed on the target system when you enter the SUDO mode.

If the target system displays a different prompt, then you must change this password prompt.

Default value: password:

Note: The third-party library, Expect4j, matches these expected expressions to the actual contents of the console output on the UNIX target system.

Therefore, you must ensure that these fields have correct values. Incorrect values may impact the connector operations.

rbacRoleExpectExpressions

No

Regular expressions for the two comma-separated prompts.

Default value: password:,[$#]

The first prompt (password:) is the password prompt displayed on the Solaris target system when you enter the SUDO mode for the RBAC role. If the target system displays a different prompt, then you must change this password prompt.

The second prompt ([$#]) is the shell prompt displayed after running the previous command in SUDO mode. If the target system displays a different prompt, then you must change this shell prompt.

Note: The third-party library, Expect4j, matches these expected expressions to the actual contents of the console output on the UNIX target system.

Therefore, you must ensure that these fields have correct values. Incorrect values may impact the connector operations.

commandTimeout

No

Time in milliseconds for which the connector would wait for a response from the target system. After this time, the connector will throw a timeout exception.

Default value: 10000000

You can increase this value if you encounter a 'command timed out' exception for connector operations.

configPropertiesOnScripts

No

Lists the properties that are sent to the scripts:

moveHomeDirContents,shadow,defaultHomeBaseDir,
defaultPriGroup,defaultShell,nisPwdDir,
nisBuildDirectory,removeHomeDirContents,forceDeleteUserHome,syncToken,
mirrorFilesLocation,connectorPrompt

For example, to set a default shell for users during provisioning:

  1. Verify that the defaultShell property is part of this list.

  2. Add an entry for this property and set the value of defaultShell to /bin/sh.

If the target-specific script supports the defaultShell property, it would be set. Not all scripts support all the attributes listed. You must manually check the script contents for supported attributes.

mirrorFilesLocation

No

Directory used by the connector to store copies of the /etc/passwd and shadow files:
  • For a Target application:

    /etc/connector_mirror_files

  • For an Authoritative application:

    /etc/connector_mirror_files_trusted

Note: This directory has to be manually created on the target before performing reconciliation. If you want to specify a different directory, ensure that the directory exists on the target system and the Login User has read-write access to the directory.

passwordExpectExpressions

No

Regular expression for the two comma-separated password prompts that are displayed on the target system when a password is set for a user: new[\s](unix[\s])?password:,new[\s](unix[\s])?password([\s]again)?:

Note: The third-party library, Expect4j, matches these expected expressions to the actual contents of the console output on the UNIX target system.

Therefore, you must ensure that these fields have correct values. Incorrect values may impact the connector operations.

If the regular expression does not work on your target system, then you can specify the exact prompts in this entry.

For example, if you set the password for a user and you get the following prompt:

Enter Password for USER1:

Re-enter Password for USER1:

Then, you can set the value as follows:

enter password,re-enter password

supportedLanguage

No

Shell script language supported on the target system

Default value: Bourne

telnetAuthenticationPrompts

No

The login and password prompts on a target system using Telnet connection.

Note: This entry is applicable for Telnet connection, when the Connection Type parameter is set to TELNET.

Default value: login:,Password:

Note: The third-party library, Expect4j, matches these expected expressions to the actual contents of the console output on the UNIX target system.

Therefore, you must ensure that these fields have correct values. Incorrect values may impact the connector operations.

moveHomeDirContents

No

Specifies whether the old home directory contents should be moved to the new directory location when changing the Home Directory.

Default value: true

privateKey

No

Path to the id_rsa file.

Sample value:

file:///scratch/files/jars/unix/id_rsa_linux

Pool Max Idle

No

Maximum number of idle objects in a pool.

Sample value: 10

Pool Max Size

No

Maximum number of connections that the pool can create.

Sample value: 10

Pool Max Wait

No

Maximum time, in milliseconds, the pool must wait for a free object to make itself available to be consumed for an operation.

Sample value: 150000

Pool Min Evict Idle Time

No

Minimum time, in milliseconds, the connector must wait before evicting an idle object.

Sample value: 120000

Pool Min Idle

No

Minimum number of idle objects in a pool.

Sample value: 1
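
The prompt-related values in Tables 3-1 and 3-2 (loginShellPrompt, sudoPasswdExpectExpression, rbacRoleExpectExpressions, passwordExpectExpressions, telnetAuthenticationPrompts) can be checked offline against prompts captured from the target system before they are saved. The following Python sketch is an added example, not connector code: the function names and sample prompts are constructed, and it assumes a case-insensitive search anywhere in the console text (inferred from the enter password example in Table 3-2) and that Python's re module treats these simple patterns the same way the connector's regex engine does.

```python
import re

# Default values copied from Tables 3-1 and 3-2 on this page.
DEFAULTS = {
    "loginShellPrompt": "[#$]",
    "sudoPasswdExpectExpression": "password:",
    "rbacRoleExpectExpressions": "password:,[$#]",
    "passwordExpectExpressions":
        r"new[\s](unix[\s])?password:,new[\s](unix[\s])?password([\s]again)?:",
    "telnetAuthenticationPrompts": "login:,Password:",
}

# Constructed console captures (not taken from a real system).
LOGIN_STEPS = ["[root@host1 ~]# ", "$ ", "$ ", "$ ", "$ "]  # steps 1-5 of the procedure
LINUX_PASSWD = ["New password: ", "Retype new password: "]
CUSTOM_PASSWD = ["Enter Password for USER1:", "Re-enter Password for USER1:"]

REGEX_META = r".^$*+?{}[]\|()"


def prompt_matches(pattern, console_text):
    """Assumption: the expression is searched for anywhere in the console
    output, ignoring case."""
    return re.search(pattern, console_text, re.IGNORECASE) is not None


def unmatched_prompts(value, observed, pairwise=True):
    """Return the (pattern, prompt) pairs that do not match.

    pairwise=True  : value is comma-separated; pattern i is checked against
                     observed prompt i (passwordExpectExpressions and similar).
    pairwise=False : value is one pattern checked against every observed
                     prompt (loginShellPrompt).
    """
    if pairwise:
        patterns = value.split(",")
        if len(patterns) != len(observed):
            raise ValueError("%d patterns but %d prompts" % (len(patterns), len(observed)))
        pairs = list(zip(patterns, observed))
    else:
        pairs = [(value, prompt) for prompt in observed]
    return [(p, o) for p, o in pairs if not prompt_matches(p, o)]


def suggest_login_shell_prompt(observed):
    """Build a loginShellPrompt value from the prompts noted in steps 1-5.

    Only the trailing prompt character counts (for home/jdoe> that is >),
    as the page states. Hypothetical helper, not part of the connector.
    """
    chars = []
    for prompt in observed:
        stripped = prompt.rstrip()
        if stripped and stripped[-1] not in chars:
            chars.append(stripped[-1])
    if not chars:
        raise ValueError("no prompt characters observed")
    if len(chars) == 1:
        ch = chars[0]
        return "\\" + ch if ch in REGEX_META else ch
    # Inside a character class only \ ] ^ - need escaping.
    return "[" + "".join("\\" + c if c in "\\]^-" else c for c in chars) + "]"


if __name__ == "__main__":
    print("loginShellPrompt suggestion:", suggest_login_shell_prompt(LOGIN_STEPS))
    for label, prompts in (("linux", LINUX_PASSWD), ("custom", CUSTOM_PASSWD)):
        misses = unmatched_prompts(DEFAULTS["passwordExpectExpressions"], prompts)
        print(label, "prompts not matched by the default:", misses)
    print("custom prompts with replacement value:",
          unmatched_prompts("enter password,re-enter password", CUSTOM_PASSWD))
```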

3.3 Attribute Mappings

The attribute mappings on the Schema page vary depending on whether you are creating a target application or an authoritative application.

3.3.1 Attribute Mappings for a Target Application

The Schema page for a Target application displays the default schema (provided by the connector) that maps Oracle Identity Governance attributes to target system columns. The connector uses these mappings during reconciliation and provisioning operations.

UNIX User Account Attributes

This table lists the mapping of attributes between the process form fields and UNIX columns. The table also lists whether a specific attribute is used during provisioning or reconciliation and whether it is a matching key field for fetching records during reconciliation.

If required, you can edit the default attribute mappings by adding new attributes or deleting existing attributes as described in Creating a Target Application of Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

Note:

Whenever you edit the default attribute mapping, you must make corresponding updates to the attributes in the scripts pertaining to your target system. If you add or update an attribute for provisioning, then update the provisioning scripts as described in Updating the Scripts for Provisioning After Editing Schema Attributes. If you add or update an attribute for reconciliation, then update the reconciliation scripts as described in Updating the Scripts for Reconciliation After Editing Schema Attributes.

Table 3-3 Default Attribute Mappings for UNIX User Account

Display Name | Target Attribute | Data Type | Mandatory Provisioning Property? | Provision Field? | Recon Field | Key Field? | Case Insensitive?
User Login | __NAME__ | String | Yes | Yes | Yes | Yes | Not Applicable
GECOS | COMMENTS##COMMENTS## | String | No | Yes | Yes | No | Not Applicable
Create home directory | CREATE_HOME_DIR | String | No | Yes | Yes | No | Not Applicable
Home Directory | HOME_DIR | String | No | Yes | Yes | No | Not Applicable
Expire Date | EXP_DATE##DATE## | Date | No | Yes | Yes | No | Not Applicable
Inactive Days | INACTIVE | Int | No | Yes | Yes | No | Not Applicable
Primary Group | PGROUP | String | No | Yes | Yes | No | Not Applicable
UID | USID | Int | No | Yes | Yes | No | Not Applicable
User Shell | USER_SHELL | String | No | Yes | Yes | No | Not Applicable
ReturnValue | __UID__ | String | No | Yes | Yes | No | Not Applicable
Status | __ENABLE__ | String | No | No | Yes | No | Not Applicable
Password | __PASSWORD__ | String | No | Yes | No | No | Not Applicable
Skeleton Directory | SKEL_DIR | String | No | Yes | No | No | Not Applicable

Figure 3-1 shows the default User account attribute mapping.

Figure 3-1 Default Attribute Mappings for UNIX User Account
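
Values supplied for the fields in Table 3-3 are subject to the whitelistRegex setting from Table 3-2, except GECOS, and any field that contains the connectorPrompt string can disturb connector operations. The following Python sketch is an added example, not connector code: it assumes the whole value must match the whitelist, the record and the extended whitelist are constructed, and the function names are hypothetical.

```python
import re

PAGE_WHITELIST = "[A-Za-z0-9_//]*"       # sample value from Table 3-2
EXTENDED_WHITELIST = "[A-Za-z0-9_/.]*"   # constructed: the sample value plus "."
CONNECTOR_PROMPT = "#@#"                 # default connectorPrompt from Table 3-1
WHITELIST_EXEMPT = {"GECOS"}             # the page exempts only the GECOS field

# Constructed provisioning record, keyed by the display names of Table 3-3.
SAMPLE_RECORD = {
    "User Login": "j.doe",
    "GECOS": "John Doe, Ops #@# contractor",
    "Home Directory": "/export/home/j.doe",
    "Primary Group": "staff",
    "User Shell": "/bin/bash",
}


def rejected_chars(value, whitelist_regex):
    """Return the distinct characters the whitelist rejects ("" if none).

    Assumption: the whole value must match the expression. The per-character
    report relies on the [class]* form shown on the page; for any other form
    the whole value is returned.
    """
    if re.fullmatch(whitelist_regex, value):
        return ""
    bad = []
    for ch in value:
        if not re.fullmatch(whitelist_regex, ch) and ch not in bad:
            bad.append(ch)
    return "".join(bad) or value


def validate_record(record, whitelist_regex, connector_prompt=CONNECTOR_PROMPT):
    """Return (field, check, detail) findings for one record.

    check is "connectorPrompt" when the value contains the connector prompt
    (applies to every field, GECOS included) or "whitelist" when characters
    outside whitelistRegex are present (GECOS is skipped).
    """
    findings = []
    for field, value in record.items():
        if connector_prompt and connector_prompt in value:
            findings.append((field, "connectorPrompt", connector_prompt))
        if field in WHITELIST_EXEMPT:
            continue
        bad = rejected_chars(value, whitelist_regex)
        if bad:
            findings.append((field, "whitelist", bad))
    return findings


if __name__ == "__main__":
    for name, regex in (("page sample", PAGE_WHITELIST), ("extended", EXTENDED_WHITELIST)):
        print(name, regex)
        for finding in validate_record(SAMPLE_RECORD, regex):
            print("  ", finding)
```

With the sample whitelist from the page, the dot in the login name and home directory is rejected, which is the kind of character the page means by "You can add more characters if needed"; the GECOS finding remains under either whitelist and is resolved by changing the value or the connectorPrompt setting.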


Secondary Group Entitlement Attributes

This is the default mapping of attributes between process form fields and secondary group list-related columns in the target system. The table lists whether a given attribute is mandatory during provisioning. It also lists whether a given attribute is used during reconciliation and whether it is a matching key field for fetching records during reconciliation.

If required, you can edit the default attribute mappings by adding new attributes or deleting existing attributes as described in Creating a Target Application of Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

Table 3-4 Default Attribute Mappings for Secondary Group Entitlement

Display Name | Application Attribute | Data Type | Mandatory Provisioning Property? | Recon Field | Key Field? | Case Insensitive?
Secondary Group | SECONDARYGROUP | String | No | Yes | Yes | No

Figure 3-2 shows the default Secondary Group entitlement mapping.

Figure 3-2 Default Attribute Mappings for Secondary Group Entitlement


3.3.2 Attribute Mappings for an Authoritative Application

The Schema page for an Authoritative application displays the default schema (provided by the connector) that maps Oracle Identity Governance attributes to target system columns. The connector uses these mappings during reconciliation and provisioning operations.

Generic UNIX Trusted User Account Attributes

Table 3-5 lists the mapping of attributes between the reconciliation fields in Oracle Identity Governance and UNIX attributes. The table also lists the data type for a given attribute and specifies whether it is a mandatory attribute for reconciliation.

If required, you can edit the default attribute mappings by adding new attributes or deleting existing attributes on the Schema page as described in Creating an Authoritative Application of Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

You may use the default schema that has been set for you or update and change it before continuing to the next step.

Note:

Whenever you edit the default attribute mapping, you must make corresponding updates to the attributes in the scripts pertaining to your target system. If you add or update an attribute for reconciliation, then update the reconciliation scripts as described in Updating the Scripts for Reconciliation After Editing Schema Attributes.

The Organization Name, Role, and Xellerate Type identity attributes are mandatory fields on the OIG User form. They cannot be left blank during reconciliation. The target attribute mappings for these identity attributes are empty by default because there are no corresponding columns in the target system. Therefore, the connector provides default values (as listed in the “Default Value for Identity Display Name” column of Table 3-5) that it can use during reconciliation. For example, the default target attribute value for the Organization Name attribute is Xellerate Users. This implies that the connector reconciles all target system user accounts into the Xellerate Users organization in Oracle Identity Governance. Similarly, the default attribute value for Xellerate Type attribute is End-User, which implies that all reconciled user records are marked as end users.

Table 3-5 Default Attribute Mappings for Generic UNIX Trusted User Account

Identity Display Name | Target Attribute | Data Type | Mandatory Reconciliation Property? | Reconciliation Field | Default Value for Identity Display Name
Last Name | __NAME__ | String | No | Yes | NA
Organization Name | NA | String | No | Yes | Xellerate Users
Role | NA | String | No | Yes | Full-Time
Status | __ENABLE__ | String | No | Yes | NA
User Login | __UID__ | String | No | Yes | NA
Xellerate Type | NA | String | No | Yes | End-User

Figure 3-3 shows the default User account attribute mapping.

Figure 3-3 Default Attribute Mappings for Generic UNIX Trusted User Account


3.4 Rules, Situations, and Responses

Learn about the predefined rules, responses and situations for target and authoritative applications. The connector uses these rules and responses for performing reconciliation.

3.4.1 Rules, Situations, and Responses for a Target Application

Learn about the predefined rules, responses and situations for a Target application. The connector uses these rules and responses for performing reconciliation.

Predefined Identity Correlation Rules

By default, the UNIX connector provides a simple correlation rule when you create a Target application. The connector uses this correlation rule to compare the entries in Oracle Identity Governance repository and the target system repository, determine the difference between the two repositories, and apply the latest changes to Oracle Identity Governance.

Table 3-6 lists the default simple correlation rule for the UNIX connector. If required, you can edit the default correlation rule or add new rules. You can create complex correlation rules also. For more information about adding or editing simple or complex correlation rules, see Updating Identity Correlation Rule in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

Table 3-6 Predefined Identity Correlation Rule for a UNIX Target Application

Target Attribute | Element Operator | Identity Attribute | Case Sensitive?
__NAME__ | Equals | User Login | No

In this identity rule:
  • __NAME__ is a single-valued attribute on the target system that identifies the user account.

  • User Login is the field on the OIG User form.

Figure 3-4 shows the simple correlation rule for the UNIX connector.

Figure 3-4 Simple Correlation Rule for a UNIX Target Application


Predefined Situations and Responses

The UNIX connector provides a default set of situations and responses when you create a Target application. These situations and responses specify the action that Oracle Identity Governance must take based on the result of a reconciliation event.

Table 3-7 lists the default situations and responses for the UNIX connector. If required, you can edit these default situations and responses or add new ones. For more information about adding or editing situations and responses, see Creating a Target Application in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

Table 3-7 Predefined Situations and Responses for a UNIX Target Application

Situation | Response
No Matches Found | None
One Entity Match Found | Establish Link
One Process Match Found | Establish Link

Figure 3-5 shows the situations and responses that the connector provides by default.

Figure 3-5 Predefined Situations and Responses for a UNIX Target Application


3.4.2 Rules, Situations, and Responses for an Authoritative Application

Learn about the predefined rules, responses and situations for an Authoritative application. The connector uses these rules and responses for performing reconciliation.

Predefined Identity Correlation Rules

When you create an Authoritative application, the connector uses correlation rules to determine the identity that must be reconciled into Oracle Identity Governance.

By default, the UNIX connector provides a simple correlation rule when you create an Authoritative application. The connector uses this correlation rule to compare the entries in Oracle Identity Governance repository and the target system repository, determine the difference between the two repositories, and apply the latest changes to Oracle Identity Governance.

Table 3-8 lists the default simple correlation rule for the UNIX connector. If required, you can edit the default correlation rule or add new rules. You can create complex correlation rules also. For more information about adding or editing simple or complex correlation rules, see Updating Identity Correlation Rule in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

Table 3-8 Predefined Identity Correlation Rule for a UNIX Authoritative Application

Target Attribute | Element Operator | Identity Attribute | Case Sensitive?
__UID__ | Equals | User Login | No

In this identity rule:
  • __UID__ is an attribute on the target system that uniquely identifies the user account.

  • User Login is the field on the OIG User form.

Figure 3-6 shows the simple correlation rule for the UNIX connector.

Figure 3-6 Simple Correlation Rule for a UNIX Authoritative Application


Predefined Situations and Responses

The UNIX connector provides a default set of situations and responses when you create an Authoritative application. These situations and responses specify the action that Oracle Identity Governance must take based on the result of a reconciliation event.

Table 3-9 lists the default situations and responses for the UNIX connector. If required, you can edit these default situations and responses or add new ones. For more information about adding or editing situations and responses, see Creating an Authoritative Application in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

Table 3-9 Predefined Situations and Responses for a UNIX Authoritative Application

Situation | Response
No Matches Found | Create User
One Entity Match Found | Establish Link
One Process Match Found | Establish Link

Figure 3-7 shows the situations and responses that the connector provides by default.

Figure 3-7 Predefined Situations and Responses for a UNIX Authoritative Application


3.5 Reconciliation Jobs

Learn about reconciliation jobs that are automatically created in Oracle Identity Governance after you create a target or an authoritative application for your target system.
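
Before the first run of any of these jobs, the mirrorFilesLocation directory from Table 3-2 must already exist on the target system and be readable and writable by the login user. The following Python sketch is an added example, not connector code, meant to be run on the target as that user: the function name and result codes are hypothetical, and the check for group or other access is an added hardening assumption (the directory holds copies of the passwd and shadow files), not a requirement stated by the connector.

```python
import os
import stat

# Default mirrorFilesLocation values from Table 3-2.
TARGET_MIRROR_DIR = "/etc/connector_mirror_files"
TRUSTED_MIRROR_DIR = "/etc/connector_mirror_files_trusted"

REMEDIATION = {
    "missing": "create the directory manually before running reconciliation",
    "not-a-directory": "mirrorFilesLocation must name a directory",
    "no-read-write-access": "grant the login user read-write access",
    "open-to-group-or-other": "restrict access, for example mode 0700 (added hardening advice)",
}


def audit_mirror_dir(path):
    """Return a list of problem codes for a mirrorFilesLocation directory.

    An empty list means the directory exists, the current user can read,
    write and traverse it, and no group or other permission bits are set.
    """
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["missing"]
    if not stat.S_ISDIR(st.st_mode):
        return ["not-a-directory"]
    problems = []
    # Requirement from the page: the login user has read-write access.
    if not os.access(path, os.R_OK | os.W_OK | os.X_OK):
        problems.append("no-read-write-access")
    # Assumption added here: copies of the shadow file should not be
    # reachable by group members or other users.
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("open-to-group-or-other")
    return problems


if __name__ == "__main__":
    for directory in (TARGET_MIRROR_DIR, TRUSTED_MIRROR_DIR):
        codes = audit_mirror_dir(directory)
        print(directory, "OK" if not codes else "")
        for code in codes:
            print("  %s: %s" % (code, REMEDIATION[code]))
```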

3.5.1 Reconciliation Jobs for a Target Application

These are the reconciliation jobs that are automatically created in Oracle Identity Governance after you create a Target application for your target system.

Full User Reconciliation Job

You can either use these predefined jobs or edit them to meet your requirements. Alternatively, you can create custom reconciliation jobs. For information about editing these predefined jobs or creating new ones, see Updating Reconciliation Jobs in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

The UNIX Target Resource Full User Reconciliation job is used to fetch all user records from the target system.

Table 3-10 Parameters of the UNIX Target Resource Full User Reconciliation Job

Parameter Value

Application Name

Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application.

Do not modify this value.

Batch Size

Specify the number of records that must be included in each batch

Default value: 0

See Performing Batched Reconciliation for more information.

Batch start index

Specify the position from which the records will be included in each batch

Default value: 0

Filter

Enter the expression for filtering records that the scheduled job must reconcile.

Sample value: equalTo('__UID__','SEPT12USER1')

For information about the filter expressions that you can create and use, see ICF Filter Syntax in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance.

No. of Batches

Specify the total number of batches that must be reconciled.

Default value: 0

Object Type

Type of object you want to reconcile.

Default value: User

Incremental User Reconciliation Job

The UNIX Target Incremental Resource User Reconciliation job is used to fetch the records that are added or modified after the last reconciliation run.

Table 3-11 Parameters of the UNIX Target Incremental Resource User Reconciliation Job

Parameter Value

Application Name

Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application.

Do not modify this value.

Batch Size

Specify the number of records that must be included in each batch

Default value: 0

See Performing Batched Reconciliation for more information.

Batch start index

Specify the position from which the records will be included in each batch

Default value: 0

No. of Batches

Specify the total number of batches that must be reconciled.

Default value: 0

Object Type

Type of object you want to reconcile

Default value: User

Scheduled Task Name

Name of the scheduled task

Note: For the scheduled task shipped with this connector, you must not change the value of this attribute. However, if you create a copy of the task, then you can enter the unique name for that scheduled task as the value of this attribute.

Sync Token

Time stamp at which the last reconciliation run started

Note: Do not enter a value for this attribute. The reconciliation engine automatically enters a value for this attribute.

If you set this attribute to an empty value, then incremental reconciliation operations fetch all the records (perform full reconciliation).

Reconciliation Jobs for Entitlements

The following jobs are available for reconciling entitlements:

  • UNIX User Primary Group Lookup Reconciliation

  • UNIX User Shell Lookup Reconciliation

The parameters for all the reconciliation jobs are the same.

Table 3-12 Parameters of the Reconciliation Jobs for Entitlements

Parameter Description

Application Name

Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application.

Do not modify this value.

Code Key Attribute

Enter the name of the connector or target system attribute that is used to populate the Code Key column of the lookup definition (specified as the value of the Lookup Name attribute).

Default value: __NAME__

Note: Do not change the value of this attribute.

Decode Attribute

Enter the name of the connector or target system attribute that is used to populate the Decode column of the lookup definition (specified as the value of the Lookup Name attribute).

Default value: __NAME__

Lookup Name

This parameter holds the name of the lookup definition that maps each lookup definition with the data source from which values must be fetched.

Depending on the reconciliation job you are using, the default values are as follows:

  • For UNIX User Primary Group Lookup Reconciliation: Lookup.UNIX.PrimaryGroup

  • For UNIX User Shell Lookup Reconciliation: Lookup.UNIX.UserShell

Object Type

Enter the type of object whose values must be synchronized.

Depending on the scheduled job you are using, the default values are as follows:

  • For UNIX User Primary Group Lookup Reconciliation: Group

  • For UNIX User Shell Lookup Reconciliation: __SHELLS__

Note: Do not change the value of this attribute.

3.5.2 Reconciliation Jobs for an Authoritative Application

These are the reconciliation jobs that are automatically created in Oracle Identity Governance after you create an Authoritative application for your target system.

Full User Reconciliation Job

You can either use these predefined jobs or edit them to meet your requirements. Alternatively, you can create custom reconciliation jobs. For information about editing these predefined jobs or creating new ones, see Updating Reconciliation Jobs in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

The UNIX User Trusted Recon job is used to fetch all user records from the target system.

Table 3-13 Parameters of the UNIX User Trusted Recon Job

Parameter Value

Application Name

Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application.

Do not modify this value.

Batch Size

Specify the number of records that must be included in each batch

Default value: 0

See Performing Batched Reconciliation for more information.

Batch start index

Specify the position from which the records will be included in each batch

Default value: 0

Filter

Enter the expression for filtering records that the scheduled job must reconcile.

Sample value: equalTo('__UID__','SEPT12USER1')

For information about the filter expressions that you can create and use, see ICF Filter Syntax in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance.

No. of Batches

Specify the total number of batches that must be reconciled.

Default value: 0

Object Type

Type of object you want to reconcile.

Default value: User

Incremental User Reconciliation Job

The UNIX User Trusted Incremental Recon job is used to fetch the records that are added or modified after the last reconciliation run.

Table 3-14 Parameters of the UNIX User Trusted Incremental Recon Job

Parameter Value

Application Name

Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application.

Do not modify this value.

Batch Size

Specify the number of records that must be included in each batch

Default value: 0

See Performing Batched Reconciliation for more information.

Batch start index

Specify the position from which the records will be included in each batch

Default value: 0

No. of Batches

Specify the total number of batches that must be reconciled.

Default value: 0

Object Type

Type of object you want to reconcile

Default value: User

Scheduled Task Name

Name of the scheduled task

Note: For the scheduled task shipped with this connector, you must not change the value of this attribute. However, if you create a copy of the task, then you can enter the unique name for that scheduled task as the value of this attribute.

Sync Token

Time stamp at which the last reconciliation run started

Note: Do not enter a value for this attribute. The reconciliation engine automatically enters a value for this attribute.

If you set this attribute to an empty value, then incremental reconciliation operations fetch all the records (perform full reconciliation).