4 Configuring the Oracle Internet Directory Connector for OUD, ODSEE, and LDAPv3-Compliant Directory Server
While creating an application, you must configure connection-related parameters that the connector uses to connect Oracle Identity Governance with your target system and perform connector operations. In addition, you can view and edit attribute mappings between the process form fields in Oracle Identity Governance and target system attributes, predefined correlation rules, situations and responses, and reconciliation jobs.
- Basic Configuration Parameters for OUD, ODSEE, and LDAPv3-Compliant Directory Server
- Advanced Settings Parameters for OUD, ODSEE, and LDAPv3-Compliant Directory Server
- Attribute Mappings for OUD, ODSEE, and LDAPv3-Compliant Directory Server
- Correlation Rules for OUD, ODSEE, and LDAPv3-Compliant Directory Server
- Reconciliation Jobs for OUD, ODSEE, and LDAPv3-Compliant Directory Server
4.1 Basic Configuration Parameters for OUD, ODSEE, and LDAPv3-Compliant Directory Server
These are the connection-related parameters that Oracle Identity Governance requires to connect to OUD, ODSEE, or an LDAPv3-compliant directory server. These parameters are common for both target applications and authoritative applications.
Table 4-1 Basic Configuration Parameters for OUD, ODSEE, or an LDAPv3-Compliant Directory Server
Parameter | Mandatory? | Description |
---|---|---|
| baseContexts | Yes | Enter the base contexts for operations on the target system. Sample value: Note: In a multilevel base context, each base context must be specified within double quotes (") and separated by a comma (,). For example: |
| principal | Yes | Enter the bind DN for performing operations on the target system. Sample value: Note: If you are using OpenLDAP as the target system, then set the value of this parameter in the following format: user DN,baseContexts Sample value: In this sample value, |
| credentials | Yes | Enter the bind password associated with the bind DN. |
| host | Yes | Enter the host name or the IP address of the target system. Sample value: |
| port | Yes | Enter the port number to connect to the target system. Sample value: |
| Connector Server Name | No | By default, this field is blank. If you use a Connector Server, then enter the name of the Connector Server IT resource. |
| failover | No | Enter the complete URL of the LDAP backup server or servers that the connector must switch to if the primary LDAP server fails or becomes unavailable. Each URL is a fully qualified host name or an IP address in the format ldap://host:port. The following example shows an IP address for one backup LDAP server: If you specify more than one URL, each URL must be enclosed in double quotes (") and separated by a comma (,). For example: |
| ssl | No | Specifies whether communication with the target system must be secured using SSL. By default, this field is blank. Enter Set the To configure SSL, see Configuring the Java Connector Server with SSL for Oracle Identity Governance in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance. With this field blank, a simple bind over plain LDAP sends the value of credentials to the target system in clear text, so leave it blank only where the network path to the directory is otherwise protected. |
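The quoting and URL conventions in Table 4-1 are easy to get subtly wrong, and a half-parsed base context changes the connector's search scope without any error from the directory. The following Python script is an added example, not code from the Oracle documentation or from the connector: it parses the multi-valued baseContexts and failover formats described above, validates each failover entry as ldap://host:port, and checks the OpenLDAP form of principal against the base contexts. The openldap flag, the treatment of ssl as the string true, and all sample values are assumptions constructed for the example.

```python
"""Checks for the Basic Configuration parameters of Table 4-1.

Added example, not the connector's code. Conventions encoded: multi-valued
baseContexts and failover are comma-separated, double-quoted items; each
failover item is an ldap://host:port URL; the OpenLDAP form of principal is
a bind DN under one of the base contexts. Sample values are constructed.
"""
import re
from urllib.parse import urlsplit

_QUOTED = re.compile(r'"([^"]*)"')
MANDATORY = ("baseContexts", "principal", "credentials", "host", "port")


def split_quoted_list(value: str) -> list[str]:
    """Split a connector multi-value such as "a","b" into ["a", "b"].

    A single unquoted value is one item. Unbalanced quotes or text outside
    the quotes are errors rather than silently dropped items.
    """
    value = value.strip()
    if not value:
        return []
    if '"' not in value:
        return [value]
    if value.count('"') % 2:
        raise ValueError(f"unbalanced quotes in {value!r}")
    items = [i.strip() for i in _QUOTED.findall(value)]
    leftover = _QUOTED.sub("", value).replace(",", "").strip()
    if leftover:
        raise ValueError(f"text outside the quoted items: {leftover!r}")
    return [i for i in items if i]


def _split_dn(dn: str) -> list[str]:
    """Split a DN on unescaped commas, lower-casing attribute types and values.

    Simplification: RFC 4517 DN matching (hex escapes, multi-valued RDNs) is
    not handled; this is enough for the suffix check below.
    """
    rdns, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):  # keep escaped characters such as "\,"
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    rdns.append("".join(buf))
    parts = (r.partition("=") for r in rdns)
    return [f"{a.strip().lower()}={v.strip().lower()}" for a, _, v in parts]


def dn_under(dn: str, base: str) -> bool:
    """True if dn is a proper descendant of base (base is the RDN suffix of dn)."""
    d, b = _split_dn(dn), _split_dn(base)
    return len(d) > len(b) and d[-len(b):] == b


def parse_failover(value: str) -> list[tuple[str, int]]:
    """Parse the failover parameter into (host, port) pairs, enforcing ldap://host:port."""
    servers = []
    for url in split_quoted_list(value):
        u = urlsplit(url)
        if u.scheme != "ldap" or not u.hostname or u.port is None or u.path:
            raise ValueError(f"failover entry must be ldap://host:port, got {url!r}")
        servers.append((u.hostname, u.port))
    return servers


def validate_basic_config(cfg: dict, openldap: bool = False) -> dict:
    """Return the parsed parameters plus the warnings an operator should read.

    openldap is an assumption of this example: the page gives the OpenLDAP
    principal format but no parameter that identifies the target type.
    """
    missing = [k for k in MANDATORY if not str(cfg.get(k, "")).strip()]
    if missing:
        raise ValueError(f"mandatory parameters missing: {missing}")
    bases = split_quoted_list(cfg["baseContexts"])
    if not bases:
        raise ValueError("baseContexts contains no base context")
    port = int(cfg["port"])
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    ssl = str(cfg.get("ssl", "")).strip().lower() == "true"  # assumption: ssl is set to "true"
    warnings = []
    if not ssl:  # a simple bind without SSL sends the bind password in clear text
        warnings.append("ssl is blank: credentials cross the network in clear text")
    if openldap and not any(dn_under(cfg["principal"], b) for b in bases):
        warnings.append("OpenLDAP target: principal must be in the form 'user DN,baseContexts'")
    return {"baseContexts": bases, "port": port, "ssl": ssl,
            "failover": parse_failover(cfg.get("failover", "")), "warnings": warnings}


SAMPLE = {  # constructed values, not from the documentation
    "baseContexts": '"dc=example,dc=com","dc=partners,dc=com"',
    "principal": "cn=admin,dc=example,dc=com",
    "credentials": "not-a-real-password",
    "host": "ldap1.example.com",
    "port": "389",
    "failover": '"ldap://10.0.0.5:389","ldap://ldap2.example.com:389"',
}
```

Calling validate_basic_config(SAMPLE, openldap=True) returns the two base contexts, the two failover servers as (host, port) pairs and one warning, because ssl is blank in the sample; setting principal to a DN outside the base contexts adds the OpenLDAP warning.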
4.2 Advanced Settings Parameters for OUD, ODSEE, and LDAPv3-Compliant Directory Server
These are the configuration-related parameters that the connector uses during reconciliation and provisioning operations. These parameters vary depending on whether you are creating a target application or an authoritative application.
4.2.1 Advanced Settings Parameters for a Target Application for OUD, ODSEE, and LDAPv3-Compliant Directory Server
These are the configuration-related parameters that are applicable to a target application. By default, the connector displays attribute values for an OUD target system. You can update these values for the ODSEE and LDAPv3-compliant directory server target systems, as specified in the table.
Table 4-2 Advanced Settings Parameters for a Target Application for OUD, ODSEE, or an LDAPv3-Compliant Directory Server
Parameter | Mandatory? | Description |
---|---|---|
| disabledValue | No | Specifies the value to use for the attribute defined by the enabledAttribute property whenever an account is disabled. Default value: |
| blockSize | No | Block size for simple paged results and VLV index searches. Default value: |
| Bundle Version | No | Version of the connector bundle class. Default value: |
| Connector Name | No | Name of the connector class. Default value: |
| standardChangelog | No | Flag that indicates whether the connector must access the changelog attribute by using the standard format or a specific mechanism during a SyncOp operation. Note: If you are using OUD as the target system, then set the value of this parameter to |
| enabledAttribute | No | Name of the attribute that is required to enable or disable accounts. Default value: Note: If you are using ODSEE or an LDAPv3-compliant directory server as the target system, then set the value of this parameter to |
| synchronizeWithModifyTimestamps | No | Specifies whether the connector must use the modify timestamps attribute instead of the changelog attribute during a SyncOp operation. Default value: |
| vlvSortAttribute | No | Attribute used as the sort key for the VLV index. Default value: |
| enabledValue | No | Specifies the value to use for the attribute defined by the enabledAttribute property whenever an account is enabled. Default value: |
| accountSynchronizationFilter | No | Filter that every entry returned during a SyncOp operation must match. Default value: |
| filterWithOrInsteadOfAnd | No | Specifies whether the changelog filter is built using an OR or an AND filter. The default value is Enter An OR filter is in the following format: An AND filter is of the following format: |
| usePagedResultControl | No | Specifies whether simple paged search is preferred over VLV index search when both are available. Default value: |
| objectClassesToSynchronize | No | List of object classes to be synchronized. To be returned, a synchronized entry must have at least one object class from this list. If the list is empty or the code key is missing, then no filtering is performed on object classes. Default value: Note: If you are using ODSEE or an LDAPv3-compliant directory server as the target system, then set the value of this parameter to |
| changeLogBlockSize | No | Block size for simple paged results and VLV index searches when reading the changelog during a SyncOp operation. Default value: |
| maintainPosixGroupMembership | No | Specifies whether the connector modifies the POSIX group membership of renamed or deleted user entries. Default value: |
| groupMemberAttribute | No | LDAP attribute that stores the members of non-POSIX static groups. Default value: |
| accountObjectClasses | No | List of object classes required for a USER object. Default value: |
| passwordAttribute | No | Name of the attribute to which the predefined PASSWORD attribute is written. Default value: |
| respectResourcePasswordPolicyChangeAfterReset | No | By default, this value is set to |
| maintainLdapGroupMembership | No | Specifies whether the connector modifies the LDAP group membership of renamed or deleted user entries. Default value: |
| attributesToSynchronize | No | List of attributes to return whenever a SyncOp is run. Default value: |
| readSchema | No | Specifies whether the schema must be read from the server. Default value: |
| uidAttribute | No | LDAP attribute to which the predefined UID attribute must be mapped. Default value: Note: If you are using ODSEE as the target system, then set the value of this parameter to |
| enabledWhenNoAttribute | No | Defines whether the status must be enabled or disabled when the attribute defined in enabledAttribute is not present in the entry. Default value: |
| accountSearchFilter | No | Search filter that any account must match in order to be returned. Default value: |
| Bundle Name | No | Name of the connector bundle package. Default value: |
| changeNumberAttribute | No | Attribute name used for the changelog. Default value: Note: If you are using ODSEE or an LDAPv3-compliant directory server as the target system, then set the value of this parameter to |
| removeLogEntryObjectClassFromFilter | No | Specifies whether the changelog filter contains a condition on the changelog objectclass. Default value: |
| disabledRoleName | No | Name of the role that must be present in the entry when an account is disabled and enabledBasedOnRole is set to Sample value: |
| changelogBaseDn | No | Base DN under which the connector looks for the changelog entries. Default value: |
| accountUserNameAttribute | No | Attributes that contain the name of a USER object. Default value: |
| enabledBasedOnRole | No | Specifies whether enabling or disabling a user must be controlled by a role instead of the enabledAttribute attribute. When you set the value of this entry to Default value: |
| changelogUidAttribute | No | Name of the attribute that contains the unique ID of the modified entry in the changelog. Default value: Note: If you are using ODSEE or an LDAPv3-compliant directory server as the target system, then set the value of this parameter to |
| Any Incremental Recon Attribute Type | No | Indicates that any format of token is accepted during reconciliation. Default value: |
| ldapGroupFilterBehavior | No | Specifies the behavior for an LDAP group filter. Default value: |
| ldapGroupMembershipAttribute | No | Specifies the value for the LDAP group membership attribute. Default value: |
| pwdMaxFailure | No | Number of consecutive failed bind attempts after which a user account is locked. If the value is 0 (zero), then the account is not locked because of failed bind attempts and the password lockout policy is ignored. Default value: |
| Pool Max Idle | No | Maximum number of idle objects in a pool. Default value: |
| Pool Max Size | No | Maximum number of connections that the pool can create. Default value: |
| Pool Max Wait | No | Maximum time, in milliseconds, that the pool waits for a free object to become available for an operation. Default value: |
| Pool Min Evict Idle Time | No | Minimum time, in milliseconds, that the connector must wait before evicting an idle object. Default value: |
| Pool Min Idle | No | Minimum number of idle objects in a pool. Default value: |
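How the enable/disable settings in Table 4-2 interact is easier to see in code than in the table. The following Python module is an added example, not the connector's implementation: it resolves the status the connector would report for an entry from enabledAttribute, enabledValue, disabledValue and enabledWhenNoAttribute, switches to the disabledRoleName check on nsroledn when enabledBasedOnRole is set, and produces the modification written when a status is provisioned. The attribute names ds-pwp-account-disabled and nsAccountLock, the role DN, the treatment of an unrecognised value as disabled, and the sample entries are assumptions made for the example; take the real defaults from the Advanced Settings page of your application.

```python
"""Status resolution and provisioning for the enable/disable settings of Table 4-2.

Added example; not the connector's code. Rules modelled: enabledAttribute holds
enabledValue or disabledValue; enabledWhenNoAttribute decides entries that lack
the attribute; with enabledBasedOnRole, the presence of disabledRoleName in
nsroledn decides instead. Attribute names and values are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class StatusConfig:
    enabledAttribute: str
    enabledValue: str
    disabledValue: str
    enabledWhenNoAttribute: bool = True
    enabledBasedOnRole: bool = False
    disabledRoleName: str = ""


def _values(entry: dict, attr: str) -> list[str]:
    """Case-insensitive attribute lookup (LDAP attribute types are case-insensitive)."""
    for name, value in entry.items():
        if name.lower() == attr.lower():
            return list(value) if isinstance(value, (list, tuple)) else [value]
    return []


def is_enabled(entry: dict, cfg: StatusConfig) -> bool:
    """Status the connector would reconcile into the __ENABLE__ field for this entry."""
    if cfg.enabledBasedOnRole:
        roles = {r.lower() for r in _values(entry, "nsroledn")}
        return cfg.disabledRoleName.lower() not in roles
    values = {v.lower() for v in _values(entry, cfg.enabledAttribute)}
    if not values:
        return cfg.enabledWhenNoAttribute
    if cfg.disabledValue.lower() in values:
        return False
    if cfg.enabledValue.lower() in values:
        return True
    # Assumption of this example: a value that is neither the enabled nor the
    # disabled value is reported as disabled rather than silently enabled.
    return False


def status_modification(enable: bool, cfg: StatusConfig) -> tuple[str, str, str]:
    """(operation, attribute, value) written to the entry when a status is provisioned."""
    if cfg.enabledBasedOnRole:
        return ("delete" if enable else "add", "nsroledn", cfg.disabledRoleName)
    return ("replace", cfg.enabledAttribute, cfg.enabledValue if enable else cfg.disabledValue)


# Constructed configurations; the attribute names are assumptions, not the page's defaults.
ATTRIBUTE_STYLE = StatusConfig("ds-pwp-account-disabled", "false", "true")
ROLE_STYLE = StatusConfig("nsAccountLock", "false", "true",
                          enabledBasedOnRole=True,
                          disabledRoleName="cn=disabled,dc=example,dc=com")

# Constructed entries, as the connector would read them from the directory.
ENTRIES = {
    "alice": {"uid": "alice"},
    "bob": {"uid": "bob", "DS-PWP-ACCOUNT-DISABLED": ["TRUE"]},
    "carol": {"uid": "carol", "nsroledn": ["cn=Disabled,dc=example,dc=com"]},
}
```

With ATTRIBUTE_STYLE, alice (no attribute) is enabled only because enabledWhenNoAttribute is true, and bob is disabled regardless of the case of the attribute name or value; with ROLE_STYLE, carol is disabled by her role membership and the attribute is never consulted.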
4.2.2 Advanced Settings Parameters for an Authoritative Application for OUD, ODSEE, and LDAPv3-Compliant Directory Server
These are the configuration-related parameters that are applicable to an authoritative application. By default, the connector displays attribute values for an OUD target system. You can update these values for the ODSEE and LDAPv3-compliant directory server target systems, as specified in the table.
Table 4-3 Advanced Settings Parameters for an Authoritative Application for OUD, ODSEE, or an LDAPv3-Compliant Directory Server
Parameter | Mandatory? | Description |
---|---|---|
| Bundle Name | No | Name of the connector bundle package. Default value: |
| Bundle Version | No | Version of the connector bundle class. Default value: |
| changeNumberAttribute | No | Attribute name used for the changelog. Default value: Note: If you are using ODSEE or an LDAPv3-compliant directory server as the target system, then set the value of this parameter to |
| objectClassesToSynchronize | No | List of object classes to be synchronized. To be returned, a synchronized entry must have at least one object class from this list. If the list is empty or the code key is missing, then no filtering is performed on object classes. Default value: Note: If you are using ODSEE or an LDAPv3-compliant directory server as the target system, then set the value of this parameter to |
| changeLogBlockSize | No | Block size for simple paged results and VLV index searches when reading the changelog during a SyncOp operation. Default value: |
| User Configuration Lookup | No | Name of the lookup definition that contains user-specific configuration properties. This lookup definition is used as the configuration lookup definition when you reconcile users. Do not modify this entry. Default value: |
| enabledAttribute | No | Name of the attribute that is required to enable or disable accounts. Default value: Note: If you are using ODSEE or an LDAPv3-compliant directory server as the target system, then set the value of this parameter to |
| enabledWhenNoAttribute | No | Defines whether the status must be enabled or disabled when the attribute defined in enabledAttribute is not present in the entry. Default value: |
| disabledValue | No | Specifies the value to use for the attribute defined by the enabledAttribute property whenever an account is disabled. Default value: |
| enabledValue | No | Specifies the value to use for the attribute defined by the enabledAttribute property whenever an account is enabled. Default value: |
| usePagedResultControl | No | Specifies whether simple paged search is preferred over VLV index search when both are available. Default value: |
| Any Incremental Recon Attribute Type | No | Indicates that any format of token is accepted during reconciliation. Default value: |
| Connector Name | No | Name of the connector class. Default value: |
| uidAttribute | No | LDAP attribute to which the Uid must be mapped. Default value: Note: If you are using ODSEE as the target system, then set the value of this parameter to |
| pwdMaxFailure | No | Number of consecutive failed bind attempts after which a user account is locked. If this attribute is not present, or if the value is 0 (zero), then the account is not locked because of failed bind attempts, and the password lockout policy is ignored. Default value: |
| Pool Max Idle | No | Maximum number of idle objects in a pool. Default value: |
| Pool Max Size | No | Maximum number of connections that the pool can create. Default value: |
| Pool Max Wait | No | Maximum time, in milliseconds, that the pool waits for a free object to become available for an operation. Default value: |
| Pool Min Evict Idle Time | No | Minimum time, in milliseconds, that the connector must wait before evicting an idle object. Default value: |
| Pool Min Idle | No | Minimum number of idle objects in a pool. Default value: |
4.3 Attribute Mappings for OUD, ODSEE, and LDAPv3-Compliant Directory Server
The attribute mappings on the Schema page vary depending on whether you are creating a target application or an authoritative application.
4.3.1 Attribute Mappings for a Target Application for OUD, ODSEE, and LDAPv3-Compliant Directory Server
The Schema page for a target application displays the default schema (provided by the connector) that maps Oracle Identity Governance attributes to target system attributes. The connector uses these mappings during reconciliation and provisioning operations.
LDAP User Account Attributes
Table 4-4 lists the user-specific attribute mappings between the process form fields in Oracle Identity Governance and target system attributes. The table also lists whether a specific attribute is used during provisioning or reconciliation and whether it is a matching key field for fetching records during reconciliation.
If required, you can edit the default attribute mappings by adding new attributes or deleting existing attributes as described in Creating a Target Application of Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.
Table 4-4 Default Attribute Mappings for LDAP User Account
Display Name | Target Attribute | Data Type | Mandatory Provisioning Property? | Provision Field? | Recon Field? | Key Field? | Case Insensitive? |
---|---|---|---|---|---|---|---|
| User ID | uid | String | Yes | Yes | Yes | No | Not applicable |
| Title | title | String | No | Yes | Yes | No | Not applicable |
| First Name | givenname | String | No | Yes | Yes | No | Not applicable |
| Middle Name | initials | String | No | Yes | Yes | No | Not applicable |
| Last Name | sn | String | Yes | Yes | Yes | No | Not applicable |
| Common Name | cn | String | Yes | Yes | Yes | No | Not applicable |
| Department | departmentnumber | String | No | Yes | Yes | No | Not applicable |
| Location | l | String | No | Yes | Yes | No | Not applicable |
| Telephone | telephonenumber | String | No | Yes | Yes | No | Not applicable |
|  |  | String | No | Yes | Yes | No | Not applicable |
| Communication Lan | preferredlanguage | String | No | Yes | Yes | No | Not applicable |
| NsuniqueID | __UID__ | String | No | Yes | Yes | Yes | Not applicable |
| Container DN | __parentDN__ | String | Yes | No | Yes | No | Not applicable |
| Status | __ENABLE__ | String | No | No | Yes | No | Not applicable |
| Password | __PASSWORD__ | String | No | Yes | No | No | Not applicable |
| Name | __NAME__ | String | No | Yes | No | No | Not applicable |
| Login Disabled | __ENABLED__ | String | No | Yes | No | No | Not applicable |
Figure 4-1 shows the default LDAP User account attribute mappings in a target application.
Figure 4-1 Default Attribute Mappings for an LDAP User Account in a Target Application
![Figure 4-1 Default Attribute Mappings for an LDAP User Account in a Target Application](img/attr_mappings_target_ldap_user1.png)
Group Entitlement Attributes
Table 4-5 lists the attribute mappings for Group entitlement between the process form fields in Oracle Identity Governance and target system attributes. The table lists whether a given attribute is mandatory during provisioning. It also lists whether a given attribute is used during reconciliation and whether it is a matching key field for fetching records during reconciliation.
If required, you can edit the default attribute mappings by adding new attributes or deleting existing attributes as described in Creating a Target Application of Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.
Table 4-5 Default Attribute Mappings for Group Entitlement
Display Name | Target Attribute | Data Type | Mandatory Provisioning Property? | Recon Field | Key Field? | Case Insensitive? |
---|---|---|---|---|---|---|
| Group Name | ldapGroups | String | No | Yes | Yes | No |
Figure 4-2 shows the default Group entitlement attribute mapping.
Figure 4-2 Default Attribute Mappings for Group Entitlement
![Figure 4-2 Default Attribute Mappings for Group Entitlement](img/attr_mappings_target_ldap_group1.png)
Role Entitlement Attributes
Table 4-6 lists the attribute mappings for Role entitlement between the process form fields in Oracle Identity Governance and target system attributes. The table lists whether a given attribute is mandatory during provisioning. It also lists whether a given attribute is used during reconciliation and whether it is a matching key field for fetching records during reconciliation.
Note:
Roles are not supported by the OUD and OpenLDAP target systems. Therefore, the attribute mappings for Role entitlement apply only to ODSEE and to LDAPv3-compliant directory server target systems that support roles.
If required, you can edit the default attribute mappings by adding new attributes or deleting existing attributes as described in Creating a Target Application of Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.
Table 4-6 Default Attribute Mappings for Role Entitlement
Display Name | Target Attribute | Data Type | Mandatory Provisioning Property? | Recon Field | Key Field? | Case Insensitive? |
---|---|---|---|---|---|---|
| Role | nsroledn | String | No | Yes | Yes | No |
Figure 4-3 shows the default Role child attribute mapping.
Figure 4-3 Default Attribute Mappings for Role Entitlement
![Figure 4-3 Default Attribute Mappings for Role Entitlement](img/attr_mappings_target_ldap_role1.png)
4.3.2 Attribute Mappings for an Authoritative Application for OUD, ODSEE, and LDAPv3-Compliant Directory Server
The Schema page for an authoritative application displays the default schema (provided by the connector) that maps Oracle Identity Governance attributes to target system attributes. The connector uses these mappings during reconciliation operations.
Table 4-7 lists the user-specific attribute mappings between the reconciliation fields in Oracle Identity Governance and target system attributes. The table also lists the data type for a given attribute and specifies whether it is a mandatory attribute for reconciliation.
If required, you can edit these attribute mappings by adding new attributes or deleting existing attributes on the Schema page as described in Creating a Target Application in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.
You may use the default schema that has been set for you or update and change it before continuing to the next step.
The Organization Name, Role, Xellerate Type, and Status identity attributes are mandatory fields on the OIG User form. They cannot be left blank during reconciliation. The target attribute mappings for these identity attributes are empty by default because there are no corresponding attributes in the target system. Therefore, the connector provides default values (as listed in the "Default Value for Identity Display Name" column of Table 4-7) that it can use during reconciliation. For example, the default target attribute value for the Organization Name attribute is Xellerate Users. This implies that the connector reconciles all target system user accounts into the Xellerate Users organization in Oracle Identity Governance. Similarly, the default attribute value for the Xellerate Type attribute is End-User, which implies that all reconciled user records are marked as end users.
Table 4-7 LDAP Trusted User Schema Attributes
Identity Display Name | Target Attribute | Data Type | Mandatory Reconciliation Property? | Recon Field? | Default Value for Identity Display Name |
---|---|---|---|---|---|
|  |  | String | No | Yes | NA |
| Role | NA | String | No | Yes | Full-Time |
| First Name | givenname | String | No | Yes | NA |
| Last Name | sn | String | No | Yes | NA |
| Middle Name | initials | String | No | Yes | NA |
| NsuniqueID | __UID__ | String | No | Yes | NA |
| Organization Name | NA | String | No | Yes | Xellerate Users |
| Status | __ENABLE__ | String | No | Yes | NA |
| User Login | uid | String | No | Yes | NA |
| Xellerate Type | NA | String | No | Yes | End-User |
Figure 4-4 shows the default LDAP Trusted user account attribute mappings in an authoritative application.
Figure 4-4 Default Attribute Mappings for LDAP Trusted User Account in an Authoritative Application
![Figure 4-4 Default Attribute Mappings for LDAP Trusted User Account in an Authoritative Application](img/attr_mappings_ldap_trusted_user1.png)
4.4 Correlation Rules for OUD, ODSEE, and LDAPv3-Compliant Directory Server
Learn about the predefined rules, responses, and situations for target and authoritative applications. The connector uses these rules and responses when performing reconciliation.
4.4.1 Correlation Rules for a Target Application for OUD, ODSEE, and LDAPv3-Compliant Directory Server
When you create a target application, the connector uses correlation rules to determine the identity to which Oracle Identity Governance must assign a resource.
Predefined Identity Rules
By default, the connector provides a simple correlation rule when you create a target application. The connector uses this correlation rule to compare the entries in Oracle Identity Governance repository and the target system repository, determine the difference between the two repositories, and apply the latest changes to Oracle Identity Governance.
Table 4-8 lists the default simple correlation rule for the connector. If required, you can edit the default correlation rule or add new rules. You can create complex correlation rules also. For more information about adding or editing simple or complex correlation rules, see Creating a Target Application in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.
Table 4-8 Predefined Identity Correlation Rule for a Target Application for OUD, ODSEE, and LDAPv3-Compliant Directory Server
Target Attribute | Element Operator | Identity Attribute | Case Sensitive? |
---|---|---|---|
uid | Equals | User Login | No |
__UID__ | Equals | NsuniqueID | No |
- uid is the unique login name of a user.
- User Login is the field on the OIG User form.
- __UID__ is an attribute on the target system that uniquely identifies the user account.
- NsuniqueID is the field on the OIG User form.
Figure 4-5 Simple Correlation Rule for a Target Application for OUD, ODSEE, and LDAPv3-Compliant Directory Server
![Figure 4-5 Simple Correlation Rule for a Target Application for OUD, ODSEE, and LDAPv3-Compliant Directory Server](img/cor_rule_ldap_target.png)
Predefined Situations and Responses
The connector provides a default set of situations and responses when you create a target application. These situations and responses specify the action that Oracle Identity Governance must take based on the result of a reconciliation event.
Table 4-9 lists the default situations and responses for the application. If required, you can edit these default situations and responses or add new ones. For more information about adding or editing situations and responses, see Creating a Target Application in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.
Table 4-9 Predefined Situations and Responses for a Target Application for OUD, ODSEE, and LDAPv3-Compliant Directory Server
Situation | Response |
---|---|
| No Matches Found | Assign to Administrator With Least Load |
| One Entity Match Found | Establish Link |
| One Process Match Found | Establish Link |
Figure 4-6 shows the situations and responses that the connector provides by default when you create a target application for OUD, ODSEE, and LDAPv3-compliant directory server.
Figure 4-6 Predefined Situations and Responses for a Target Application for OUD, ODSEE, and LDAPv3-Compliant Directory Server
![Figure 4-6 Predefined Situations and Responses for a Target Application for OUD, ODSEE, and LDAPv3-Compliant Directory Server](img/pred_situations_responses_ldap_target1.png)
4.4.2 Correlation Rules for an Authoritative Application for OUD, ODSEE, and LDAPv3-Compliant Directory Server
When you create an authoritative application, the connector uses correlation rules to determine the identity that must be reconciled into Oracle Identity Governance.
Predefined Identity Correlation Rules
By default, the connector provides a simple correlation rule when you create an authoritative application. The connector uses this correlation rule to compare the entries in Oracle Identity Governance repository and the target system repository, determine the difference between the two repositories, and apply the latest changes to Oracle Identity Governance.
Table 4-10 lists the default simple correlation rule for an authoritative application. If required, you can edit the default correlation rule or add new rules. You can create complex correlation rules also. For more information about adding or editing simple or complex correlation rules, see Creating a Target Application in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.
Table 4-10 Predefined Identity Correlation Rule for an Authoritative Application for OUD, ODSEE, and LDAPv3-Compliant Directory Server
Target Attribute | Element Operator | Identity Attribute | Case Sensitive? |
---|---|---|---|
| uid | Equals | User Login | No |
- uid is the unique login name of a user.
- User Login is the field on the OIG User form.
Figure 4-7 shows the simple correlation rule when you create an authoritative application for OUD, ODSEE, and LDAPv3-compliant directory server.
Figure 4-7 Simple Correlation Rule for an Authoritative Application for OUD, ODSEE, and LDAPv3-Compliant Directory Server
![Figure 4-7 Simple Correlation Rule for an Authoritative Application for OUD, ODSEE, and LDAPv3-Compliant Directory Server](img/cor_rule_ldap_trusted.png)
Predefined Situations and Responses
The connector provides a default set of situations and responses when you create an authoritative application. These situations and responses specify the action that Oracle Identity Governance must take based on the result of a reconciliation event.
Table 4-11 lists the default situations and responses. If required, you can edit these default situations and responses or add new ones. For more information about adding or editing situations and responses, see Creating a Target Application in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.
Table 4-11 Predefined Situations and Responses for an Authoritative Application for OUD, ODSEE, and LDAPv3-Compliant Directory Server
Situation | Response |
---|---|
| No Matches Found | Create User |
| One Entity Match Found | Establish Link |
| One Process Match Found | Establish Link |
Figure 4-8 shows the situations and responses that the connector provides by default when you create an authoritative application for OUD, ODSEE, and LDAPv3-compliant directory server.
Figure 4-8 Predefined Situations and Responses for an Authoritative Application for OUD, ODSEE, and LDAPv3-Compliant Directory Server
![Figure 4-8 Predefined Situations and Responses for an Authoritative Application for OUD, ODSEE, and LDAPv3-Compliant Directory Server](img/pred_situations_responses_ldap_trusted1.png)
4.5 Reconciliation Jobs for OUD, ODSEE, and LDAPv3-Compliant Directory Server
Learn about reconciliation jobs that are automatically created in Oracle Identity Governance after you create a target or an authoritative application for OUD, ODSEE, and LDAPv3-compliant directory server.
4.5.1 Reconciliation Jobs for a Target Application for OUD, ODSEE, and LDAPv3-Compliant Directory Server
These are the reconciliation jobs that are automatically created in Oracle Identity Governance after you create the application.
You can either use these predefined jobs or edit them to meet your requirements. Alternatively, you can create custom reconciliation jobs. For information about editing these predefined jobs or creating new ones, see Updating Reconciliation Jobs in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.
LDAP Connector User Search Reconciliation Job
Use the LDAP Connector User Search Reconciliation job to perform full reconciliation, which involves reconciling all user records from a target application into Oracle Identity Governance. If your target system supports modifyTimestamp, then you can use this reconciliation job to perform incremental reconciliation.
Table 4-12 Parameters of the LDAP Connector User Search Reconciliation Job
Parameter | Description |
---|---|
| Application Name | Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application. Do not modify this value. |
| Filter | Enter the expression for filtering records that the scheduled job must reconcile. Sample value: For information about the filter expressions that you can create and use, see ICF Filter Syntax in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance. |
| Object Type | This attribute holds the name of the object type for the reconciliation run. Default value: Do not change the default value. |
| Incremental Recon Attribute | Name of the target system attribute that holds the timestamp at which the user record was modified. Default value: Do not change the default value. |
| Scheduled Task Name | Name of the scheduled task. Note: For the scheduled task shipped with this connector, you must not change the value of this attribute. However, if you create a copy of the task, then you can enter a unique name for that scheduled task as the value of this attribute. |
| Latest Token | This parameter holds the value of the target system attribute that is specified as the value of the Incremental Recon Attribute parameter. The Latest Token parameter is used for internal purposes. By default, this attribute is empty. Do not enter a value for this attribute. The reconciliation engine automatically enters a value in this attribute. |
LDAP Connector User Sync Reconciliation Job
If your target system supports a changelog, use the LDAP Connector User Sync Reconciliation job to perform incremental reconciliation. During incremental reconciliation, only the records that were added or modified after the last reconciliation run are fetched into Oracle Identity Governance.
Table 4-13 Parameters of the LDAP Connector User Sync Reconciliation Job
Parameter | Value
---|---
Application Name | Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application. Do not modify this value.
Object Type | Type of object you want to reconcile. Default value:
Scheduled Task Name | Name of the scheduled task. Note: For the scheduled task shipped with this connector, you must not change the value of this attribute. However, if you create a copy of the task, then you can enter the unique name for that scheduled task as the value of this attribute.
Sync Token | Time stamp at which the last reconciliation run started. Note: Do not enter a value for this attribute. The reconciliation engine automatically enters a value for this attribute. If you set this attribute to an empty value, then incremental reconciliation operations fetch all the records (perform full reconciliation).
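The token-driven behaviour described for the User Search job (Incremental Recon Attribute and Latest Token) and for the Sync job (an empty Sync Token falls back to full reconciliation) can be simulated as follows. This is an added example, not the connector's own code: the directory entries are constructed sample data, and the choice to fetch only entries whose timestamp is strictly later than the token is an assumption, not documented connector behaviour.

```python
"""Simulation of timestamp-based incremental reconciliation (added example,
not connector code). Shows how the set of fetched records and the stored
token change across runs when the target supports modifyTimestamp."""
from datetime import datetime, timezone

# Constructed sample entries; modifyTimestamp uses LDAP GeneralizedTime (RFC 4517).
SAMPLE_ENTRIES = [
    {"uid": "alice", "cn": "Alice Adams", "modifyTimestamp": "20240301090000Z"},
    {"uid": "bob",   "cn": "Bob Brown",   "modifyTimestamp": "20240301100000Z"},
    {"uid": "carol", "cn": "Carol Cole",  "modifyTimestamp": "20240302110000Z"},
]


def parse_generalized_time(value: str) -> datetime:
    """Parse the 'YYYYMMDDHHMMSSZ' form of GeneralizedTime into an aware datetime.
    Fractional seconds ('.fff') are accepted and dropped; non-UTC forms are rejected."""
    if not value.endswith("Z"):
        raise ValueError(f"unsupported GeneralizedTime (expected UTC 'Z'): {value!r}")
    body = value[:-1].split(".", 1)[0]
    return datetime.strptime(body, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def reconcile(entries, latest_token, recon_attribute="modifyTimestamp"):
    """Return (uids_fetched, new_latest_token).

    An empty token means no previous run, so every entry is fetched (full
    reconciliation), mirroring the 'empty value fetches all records' rule.
    Otherwise only entries whose recon_attribute is later than the token are
    fetched (assumption: strictly later). The token advances to the newest
    timestamp seen and never moves backwards, even when nothing is fetched.
    """
    since = parse_generalized_time(latest_token) if latest_token else None
    fetched, newest = [], since
    for entry in entries:
        stamp = parse_generalized_time(entry[recon_attribute])
        if since is None or stamp > since:
            fetched.append(entry["uid"])
        if newest is None or stamp > newest:
            newest = stamp
    new_token = latest_token if newest is None else newest.strftime("%Y%m%d%H%M%SZ")
    return fetched, new_token


if __name__ == "__main__":
    uids, token = reconcile(SAMPLE_ENTRIES, "")      # first run: full reconciliation
    print(uids, token)
    uids, token = reconcile(SAMPLE_ENTRIES, token)   # second run: nothing newer
    print(uids, token)
```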
LDAP Connector User Search Delete Reconciliation Job
Use the LDAP Connector User Search Delete Reconciliation job to reconcile data about deleted user accounts from a target application.
Table 4-14 Parameters of the LDAP Connector User Search Delete Reconciliation Job
Parameter | Description
---|---
Application Name | Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application. Do not modify this value.
Object Type | This attribute holds the name of the object type for the reconciliation run. Default value: Do not change the default value.
Reconciliation Jobs for Entitlements
The following jobs are available for reconciling entitlements:
- LDAP Connector Role Lookup Reconciliation
- LDAP Connector Group Lookup Reconciliation
- LDAP Connector OU Lookup Reconciliation
The parameters for all three reconciliation jobs are the same.
Table 4-15 Parameters of the Reconciliation Jobs for Entitlements
Parameter | Description
---|---
Application Name | Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application. Note: Do not modify this value.
Filter | Enter the search filter for fetching records from the target system during a reconciliation run. The following is a sample value for the LDAP Connector Group Lookup Reconciliation job:
Object Type | Enter the type of object whose values must be synchronized. Depending on the reconciliation job you are using, the default values are as follows: Note: Do not change the value of this attribute.
Lookup Name | This parameter holds the name of the lookup definition that maps each lookup definition with the data source from which values must be fetched. Depending on the reconciliation job you are using, the default values are as follows:
Decode Attribute | Enter the name of the connector or target system attribute that is used to populate the Decode column of the lookup definition (specified as the value of the Lookup Name attribute). Depending on the reconciliation job you are using, the default values are as follows:
Code Key Attribute | Enter the name of the connector or target system attribute that is used to populate the Code Key column of the lookup definition (specified as the value of the Lookup Name attribute). Default value: Note: Do not change the value of this attribute.
4.5.2 Reconciliation Jobs for an Authoritative Application for OUD, ODSEE, and LDAPv3-Compliant Directory Server
These are the reconciliation jobs that are automatically created in Oracle Identity Governance after you create an authoritative application for your target system.
You can either use these predefined jobs or edit them to meet your requirements. Alternatively, you can create custom reconciliation jobs. For information about editing these predefined jobs or creating new ones, see Updating Reconciliation Jobs in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.
LDAP Connector Trusted User Reconciliation Job
Use the LDAP Connector Trusted User Reconciliation job to perform full reconciliation, which involves reconciling all user records created or modified directly on an authoritative application into Oracle Identity Governance. The connector uses this data to create or update the corresponding OIG Users. If your target system supports modifyTimestamp, then you can use this reconciliation job to perform incremental reconciliation.
Table 4-16 Parameters of the LDAP Connector Trusted User Reconciliation Job
Parameter | Value
---|---
Application Name | Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application. Do not modify this value.
Filter | Enter the expression for filtering records that the scheduled job must reconcile. Sample value: For information about the filter expressions that you can create and use, see ICF Filter Syntax in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance.
Object Type | This attribute holds the name of the object type for the reconciliation run. Default value: Do not change the default value.
Incremental Recon Attribute | Name of the target system column that holds the timestamp at which the user record is modified. Default value: Do not change the default value.
Scheduled Task Name | Name of the scheduled task. Note: For the scheduled task shipped with this connector, you must not change the value of this attribute. However, if you create a copy of the task, then you can enter the unique name for that scheduled task as the value of this attribute.
Latest Token | This parameter holds the value of the target system column that is specified as the value of the Incremental Recon Attribute parameter. The Latest Token parameter is used for internal purposes. By default, this attribute is empty. Do not enter a value for this attribute. The reconciliation engine automatically enters a value in this attribute.
LDAP Connector Trusted User Delete Reconciliation Job
Use the LDAP Connector Trusted User Delete Reconciliation job to reconcile data about deleted user accounts from an authoritative application.
Note:
Before running this reconciliation job, ensure that all users on the target system are assigned a unique value for the User ID target attribute; otherwise, unexpected errors might occur.
Table 4-17 Parameters of the LDAP Connector Trusted User Delete Reconciliation Job
Parameter | Value
---|---
Application Name | Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application. Do not modify this value.
Object Type | Type of object you want to reconcile. Default value: