4 Configuring the Oracle Internet Directory Connector for OUD, ODSEE, and LDAPv3-Compliant Directory Server

While creating an application, you must configure connection-related parameters that the connector uses to connect Oracle Identity Governance with your target system and perform connector operations. In addition, you can view and edit attribute mappings between the process form fields in Oracle Identity Governance and target system attributes, predefined correlation rules, situations and responses, and reconciliation jobs.

4.1 Basic Configuration Parameters for OUD, ODSEE, and LDAPv3-Compliant Directory Server

These are the connection-related parameters that Oracle Identity Governance requires to connect to OUD, ODSEE, or an LDAPv3-compliant directory server. These parameters are common for both target applications and authoritative applications.

Table 4-1 Basic Configuration Parameters for OUD, ODSEE, or an LDAPv3-Compliant Directory Server

Parameter Mandatory? Description

baseContexts

Yes

Enter the base contexts for operations on the target system.

Sample value: dc=example,dc=com

Note: In a multilevel base context, each base context must be specified within double quotes (") and separated by a comma (,).

For example: "dc=example,dc=com","dc=mydc,dc=com"

principal

Yes

Enter the bind DN for performing operations on the target system.

Sample value: cn=Directory Manager

Note: If you are using OpenLDAP as the target system, then set the value of this parameter in the following format:

user DN,baseContexts

Sample value: cn=admin,dc=example,dc=com

In this sample value, cn=admin is the user DN value and dc=example,dc=com is the baseContexts value.

credentials

Yes

Enter the bind password associated with the bind DN.

host

Yes

Enter the host name or the IP address of the target system.

Sample value: myhost or 192.0.2.10

port

Yes

Enter the port number to connect to the target system.

Sample value: 1389

Connector Server Name

No

By default, this field is blank. If you use a Connector Server, then enter the name of the Connector Server IT resource.

failover

No

Enter the complete URL of the LDAP backup server or servers that the connector must switch to if the primary LDAP server fails or becomes unavailable.

The URL is a fully qualified host name or an IP address in the following format:

ldap://host:port

The following example shows an IP address for one backup LDAP server: ldap://172.20.55.191:389

If you specify more than one URL, each URL must be enclosed in double quotes (") and separated by a comma (,). For example:

"ldap://172.20.55.191:389","ldap://172.20.55.171:387"

ssl

No

This parameter specifies whether communication with the target system must be secured using SSL.

By default, this field is blank. Enter true if you want to configure SSL between Oracle Identity Governance and the Connector Server or between Oracle Identity Governance and the target system. Otherwise, enter false.

Set the UseSSL IT Resource parameter for the Connector Server to true, as described in Configuring the IT Resource for the Connector Server.

To configure SSL, see Configuring the Java Connector Server with SSL for Oracle Identity Governance in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance.
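The quoted, comma-separated form that baseContexts and failover use for multiple values is easy to get wrong because the values themselves (DNs) contain commas. The following Python is an added example written for this page, not code from the guide or from the connector, showing one way to split such a value and to check failover entries against the documented ldap://host:port form. The function names and the decision to accept only the ldap scheme for failover entries are assumptions of this example.

```python
import csv
import io
from typing import List, Tuple
from urllib.parse import urlsplit


def parse_quoted_list(raw: str) -> List[str]:
    """Split a multi-value connector parameter into its values.

    Convention from Table 4-1: a single value is written bare
    (dc=example,dc=com); several values are each wrapped in double quotes
    and separated by commas ("dc=example,dc=com","dc=mydc,dc=com").
    A DN contains commas itself, so a bare value is never split on them;
    only the quoted form is treated as a list.
    """
    raw = raw.strip()
    if not raw:
        return []
    if raw.count('"') % 2:
        raise ValueError("unbalanced double quotes in multi-value parameter")
    if not raw.startswith('"'):
        # Bare form: the whole string is one value, commas included.
        return [raw]
    # Quoted form: the csv module honours the quotes for us.
    rows = list(csv.reader(io.StringIO(raw), skipinitialspace=True))
    return [value.strip() for value in rows[0] if value.strip()]


def parse_failover_urls(raw: str) -> List[Tuple[str, int]]:
    """Parse the failover parameter into (host, port) pairs.

    Each entry must match the documented form ldap://host:port; anything
    else (missing port, a path, another scheme) is rejected so that a typo
    is caught at configuration time rather than during a failover.
    """
    servers = []
    for url in parse_quoted_list(raw):
        parts = urlsplit(url)
        if parts.scheme != "ldap" or not parts.hostname or parts.port is None:
            raise ValueError(f"failover entry is not ldap://host:port: {url!r}")
        if parts.path or parts.query or parts.fragment:
            raise ValueError(f"failover entry carries unexpected components: {url!r}")
        servers.append((parts.hostname, parts.port))
    return servers


def is_valid_failover(raw: str) -> bool:
    """Convenience predicate for validating a failover value."""
    try:
        parse_failover_urls(raw)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Values taken from the examples in Table 4-1.
    print(parse_quoted_list('"dc=example,dc=com","dc=mydc,dc=com"'))
    print(parse_failover_urls('"ldap://172.20.55.191:389","ldap://172.20.55.171:387"'))
```

Both functions return plain Python lists, so they can be dropped into a pre-deployment check that validates an application's basic configuration before it is saved.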

4.2 Advanced Settings Parameters for OUD, ODSEE, and LDAPv3-Compliant Directory Server

These are the configuration-related parameters that the connector uses during reconciliation and provisioning operations. These parameters vary depending on whether you are creating a target application or an authoritative application.

4.2.1 Advanced Settings Parameters for a Target Application for OUD, ODSEE, and LDAPv3-Compliant Directory Server

These are the configuration-related parameters that are applicable to a target application. By default, the connector displays attribute values for an OUD target system. You can update these values for the ODSEE and LDAPv3-compliant directory server target systems, as specified in the table.

Table 4-2 Advanced Settings Parameters for a Target Application for OUD, ODSEE, or an LDAPv3-Compliant Directory Server

Parameter Mandatory? Description

disabledValue

No

Specifies the value to use for the attribute defined by the enabledAttribute property whenever an account is disabled.

Default value: true

blockSize

No

Block size for simple paged results and VLV index searches.

Default value: 100

Bundle Version

No

Version of the connector bundle class.

Default value: 12.3.0

Connector Name

No

Name of the connector class.

Default value: org.identityconnectors.ldap.LdapConnector

standardChangelog

No

Flag that indicates whether the connector must access the changelog attribute by using the standard format or a specific mechanism during a SyncOp operation.

Note: If you are using OUD as the target system, then set the value of this parameter to false. For ODSEE or an LDAPv3-compliant directory server, set the value of this parameter to true.

enabledAttribute

No

Name of the attribute that is required to enable or disable accounts.

Default value: ds-pwp-account-disabled

Note: If you are using ODSEE or an LDAPv3-compliant directory server as the target system, then set the value of this parameter to nsaccountlock.

synchronizeWithModifyTimestamps

No

Specifies whether the connector must use the modify timestamps attribute instead of the changelog attribute during a SyncOp operation.

Default value: false

vlvSortAttribute

No

Attribute used as the sort key for the VLV index.

Default value: uid

enabledValue

No

Specifies the value to use for the attribute defined by the enabledAttribute property whenever an account is enabled.

Default value: false

accountSynchronizationFilter

No

Filter that every entry returned during a SyncOp operation must match.

Default value: objectClass=*

filterWithOrInsteadOfAnd

No

Specifies whether the changelog filter is built using an OR or AND filter. The default value is false.

Enter true if the changelog filter is built using an OR filter instead of AND filter.

An OR filter is in the following format:

(|(changeNumber=1) (changeNumber=2) . . . (changeNumber=xxx))

An AND filter is of the following format:

(&(changeNumber>=0) (changeNumber<=xxx))

usePagedResultControl

No

Specifies whether simple paged search is preferred over VLV index search when both are available.

Default value: true

objectClassesToSynchronize

No

This entry holds the list of object classes to be synchronized. A synchronized entry is returned only if it has at least one object class from this list. If the list is empty or the code key is missing, then no filtering is performed on object classes.

Default value: "inetOrgPerson","groupOfNames","groupOfUniqueNames","organizationalUnit"

Note: If you are using ODSEE or an LDAPv3-compliant directory server as the target system, then set the value of this parameter to "inetOrgPerson","groupOfNames","groupOfUniqueNames","nsRoleDefinition","organizationalUnit".

changeLogBlockSize

No

Block size for simple paged results and VLV index searches when reading changelog during a SyncOp operation.

Default value: 100

maintainPosixGroupMembership

No

Specifies whether the connector modifies group membership of renamed or deleted user entries.

Default value: false

groupMemberAttribute

No

LDAP attribute that stores the member for non-POSIX static groups.

Default value: uniqueMember

accountObjectClasses

No

List of object classes required for a USER object.

Default value: "top","person","organizationalPerson","inetOrgPerson"

passwordAttribute

No

Name of the attribute to which the predefined PASSWORD attribute is written.

Default value: userPassword

respectResourcePasswordPolicyChangeAfterReset

No

Default value: true. Keep this value if, when binding, the connector checks the Password Expired control and the Password Policy control and throws the appropriate exceptions (for example, PasswordExpiredException). Otherwise, enter false.

maintainLdapGroupMembership

No

Specifies whether the connector modifies group membership of renamed or deleted user entries.

Default value: true

attributesToSynchronize

No

List of attributes to return whenever a SyncOp is run.

Default value: "cn","uid"

readSchema

No

Specifies whether the schema must be read from the server.

Default value: true

uidAttribute

No

LDAP attribute to which the predefined UID attribute must be mapped.

Default value: entryUUID

Note: If you are using ODSEE as the target system, then set the value of this parameter to nsuniqueid. For OpenLDAP server, set the value of this parameter to entryUUID. For other LDAPv3-compliant directory servers, set the value based on the directory server you are using.

enabledWhenNoAttribute

No

Specifies whether the account status is treated as enabled or disabled when the attribute named by enabledAttribute is not present in the entry.

Default value: true

accountSearchFilter

No

Search filter that any account needs to match in order to be returned.

Default value: objectClass=*

Bundle Name

No

Name of the connector bundle package.

Default value: org.identityconnectors.ldap

changeNumberAttribute

No

Attribute name used for changelog.

Default value: changelogcookie

Note: If you are using ODSEE or an LDAPv3-compliant directory server as the target system, then set the value of this parameter to changeNumber.

removeLogEntryObjectClassFromFilter

No

Specifies whether the changelog filter contains a condition on the changelog objectclass.

Default value: true

disabledRoleName

No

Name of the role that must be present in the entry when an account is disabled and enabledBasedOnRole is set to true.

Sample value: cn=nsmanageddisabledrole,dc=example,dc=com

changelogBaseDn

No

BaseDN where the connector is to find the changelog attribute value.

Default value: cn=changelog

accountUserNameAttribute

No

Attribute that contains the name of a USER object.

Default value: cn

enabledBasedOnRole

No

Specifies whether enabling or disabling a user must be controlled by a role instead of the enabledAttribute attribute.

When you set the value of this entry to true, it takes precedence over all the other enabled or disabled-related flags.

Default value: false

changelogUidAttribute

No

Name of the attribute that contains the uniqueId of the modified entry in the changelog.

Default value: targetEntryUUID

Note: If you are using ODSEE or an LDAPv3-compliant directory server as the target system, then set the value of this parameter to targetuniqueid.

Any Incremental Recon Attribute Type

No

Indicates that any format of token is accepted during reconciliation.

Default value: true

ldapGroupFilterBehavior

No

Specifies the behavior for an LDAP group filter.

Default value: accept

ldapGroupMembershipAttribute

No

Specifies the value for the LDAP group membership attribute.

Default value: ismemberof

pwdMaxFailure

No

Indicates the number of consecutive failed bind attempts after which a user account is locked. If the value is 0 (zero), then the account is not locked due to failed bind attempts and the value of the password lockout policy is ignored.

Default value: 10

Pool Max Idle

No

Maximum number of idle objects in a pool.

Default value: 10

Pool Max Size

No

Maximum number of connections that the pool can create.

Default value: 10

Pool Max Wait

No

Maximum time, in milliseconds, that the pool waits for a free object to become available for an operation.

Default value: 150000

Pool Min Evict Idle Time

No

Minimum time, in milliseconds, the connector must wait before evicting an idle object.

Default value: 120000

Pool Min Idle

No

Minimum number of idle objects in a pool.

Default value: 1
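To make the interaction between filterWithOrInsteadOfAnd, changeNumberAttribute, removeLogEntryObjectClassFromFilter and objectClassesToSynchronize concrete, here is an added Python model of how a changelog search filter can be composed and how the object-class rule is applied to a synchronized entry. It is illustrative code written for this page, not the connector's implementation; the changelog object class name changeLogEntry and the function names are assumptions.

```python
from typing import Iterable, List

# Assumed object class of a changelog entry. The page says only that the
# filter may carry "a condition on the changelog objectclass".
CHANGELOG_OBJECT_CLASS = "changeLogEntry"


def build_changelog_filter(
    change_numbers: Iterable[int],
    change_number_attribute: str = "changeNumber",
    filter_with_or_instead_of_and: bool = False,
    remove_log_entry_object_class_from_filter: bool = True,
) -> str:
    """Compose the LDAP search filter for one batch of changelog entries.

    AND form (the default): a single range test on the change-number
    attribute, two components whatever the batch size.
    OR form: one equality test per change number, as shown under
    filterWithOrInsteadOfAnd. The page writes a space between components;
    RFC 4515 filters do not need one, so none is emitted here.
    """
    numbers = sorted(set(change_numbers))
    if not numbers:
        raise ValueError("no change numbers to read")
    attr = change_number_attribute
    if filter_with_or_instead_of_and:
        core = "(|" + "".join(f"({attr}={n})" for n in numbers) + ")"
    else:
        core = f"(&({attr}>={numbers[0]})({attr}<={numbers[-1]}))"
    if remove_log_entry_object_class_from_filter:
        return core
    # removeLogEntryObjectClassFromFilter=false: keep the objectclass condition.
    return f"(&(objectClass={CHANGELOG_OBJECT_CLASS}){core})"


def entry_is_synchronized(
    entry_object_classes: Iterable[str],
    object_classes_to_synchronize: List[str],
) -> bool:
    """Apply the objectClassesToSynchronize rule to one entry.

    The entry is returned only if it carries at least one listed object
    class; an empty list disables the check entirely. Object class names
    are case-insensitive in LDAP, so the comparison folds case.
    """
    wanted = {oc.lower() for oc in object_classes_to_synchronize}
    if not wanted:
        return True
    return any(oc.lower() in wanted for oc in entry_object_classes)


# Default lists from Table 4-2 and its note for ODSEE / LDAPv3 targets.
OUD_OBJECT_CLASSES = [
    "inetOrgPerson", "groupOfNames", "groupOfUniqueNames", "organizationalUnit",
]
ODSEE_OBJECT_CLASSES = [
    "inetOrgPerson", "groupOfNames", "groupOfUniqueNames",
    "nsRoleDefinition", "organizationalUnit",
]


if __name__ == "__main__":
    # Constructed batch of change numbers, as a changeLogBlockSize of 3 might yield.
    print(build_changelog_filter([41, 42, 43]))
    print(build_changelog_filter([41, 42, 43], filter_with_or_instead_of_and=True))
    print(entry_is_synchronized(["top", "person", "inetOrgPerson"], OUD_OBJECT_CLASSES))
```

One thing the model makes visible: the OR form produces one filter component per change number, up to changeLogBlockSize of them per search, whereas the AND form stays at two components regardless of batch size.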

4.2.2 Advanced Settings Parameters for an Authoritative Application for OUD, ODSEE, and LDAPv3-Compliant Directory Server

These are the configuration-related parameters that are applicable to an authoritative application. By default, the connector displays attribute values for an OUD target system. You can update these values for the ODSEE and LDAPv3-compliant directory server target systems, as specified in the table.

Table 4-3 Advanced Settings Parameters for an Authoritative Application for OUD, ODSEE, or an LDAPv3-Compliant Directory Server

Parameter Mandatory? Description

Bundle Name

No

Name of the connector bundle package.

Default value: org.identityconnectors.ldap

Bundle Version

No

Version of the connector bundle class.

Default value: 12.3.0

changeNumberAttribute

No

Attribute name used for changelog.

Default value: changelogcookie

Note: If you are using ODSEE or an LDAPv3-compliant directory server as the target system, then set the value of this parameter to changeNumber.

objectClassesToSynchronize

No

List of object classes to be synchronized. A synchronized entry is returned only if it has at least one object class from this list. If the list is empty or the code key is missing, then no filtering is performed on object classes.

Default value: "inetOrgPerson","groupOfNames","groupOfUniqueNames","organizationalUnit"

Note: If you are using ODSEE or an LDAPv3-compliant directory server as the target system, then set the value of this parameter to "inetOrgPerson","groupOfNames","organizationalUnit".

changeLogBlockSize

No

Block size for simple paged results and VLV index searches when reading changelog during a SyncOp operation.

Default value: 100

User Configuration Lookup

No

Name of the lookup definition that contains user-specific configuration properties. This lookup definition is used as the configuration lookup definition when you perform reconciliation of users. Do not modify this entry.

Default value: Lookup.LDAP.UM.Configuration.Trusted

enabledAttribute

No

Name of the attribute that is required to enable or disable accounts.

Default value: ds-pwp-account-disabled

Note: If you are using ODSEE or an LDAPv3-compliant directory server as the target system, then set the value of this parameter to nsaccountlock.

enabledWhenNoAttribute

No

Specifies whether the account status is treated as enabled or disabled when the attribute named by enabledAttribute is not present in the entry.

Default value: true

disabledValue

No

Specifies the value to use for the attribute defined by the enabledAttribute property whenever an account is disabled.

Default value: true

enabledValue

No

Specifies the value to use for the attribute defined by the enabledAttribute property whenever an account is enabled.

Default value: false

usePagedResultControl

No

Specifies whether simple paged search is preferred over VLV index search when both are available.

Default value: true

Any Incremental Recon Attribute Type

No

Indicates that any format of token is accepted during reconciliation.

Default value: true

Connector Name

No

Name of the connector class.

Default value: org.identityconnectors.ldap.LdapConnector

uidAttribute

No

LDAP attribute to which the Uid must be mapped.

Default value: entryUUID

Note: If you are using ODSEE as the target system, then set the value of this parameter to nsuniqueid. For OpenLDAP server, set the value of this parameter to entryUUID. For other LDAPv3-compliant directory servers, set the value based on the directory server you are using.

pwdMaxFailure

No

Indicates the number of consecutive failed bind attempts after which a user account is locked. If this attribute is not present, or if the value is 0 (zero), then the account is not locked due to failed bind attempts, and the value of the password lockout policy is ignored.

Default value: 10

Pool Max Idle

No

Maximum number of idle objects in a pool.

Default value: 10

Pool Max Size

No

Maximum number of connections that the pool can create.

Default value: 10

Pool Max Wait

No

Maximum time, in milliseconds, that the pool waits for a free object to become available for an operation.

Default value: 150000

Pool Min Evict Idle Time

No

Minimum time, in milliseconds, the connector must wait before evicting an idle object.

Default value: 120000

Pool Min Idle

No

Minimum number of idle objects in a pool.

Default value: 1
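The status-related parameters (enabledAttribute, enabledValue, disabledValue, enabledWhenNoAttribute, enabledBasedOnRole and disabledRoleName) appear in both Table 4-2 and Table 4-3, and their precedence is easy to misread. The following Python is an added example of how those settings resolve an entry's enabled or disabled status; it is not connector code. StatusConfig, is_enabled, the sample entries and the use of nsrole as the attribute listing an entry's roles are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class StatusConfig:
    """Subset of the Advanced Settings that govern account status.
    Defaults mirror the OUD values listed in Table 4-2."""
    enabled_attribute: str = "ds-pwp-account-disabled"
    enabled_value: str = "false"
    disabled_value: str = "true"
    enabled_when_no_attribute: bool = True
    enabled_based_on_role: bool = False
    disabled_role_name: str = ""
    # Assumed: attribute listing the roles an entry holds (nsRole on ODSEE).
    role_attribute: str = "nsrole"


# ODSEE / generic LDAPv3 variant, per the note under enabledAttribute.
ODSEE_STATUS = StatusConfig(enabled_attribute="nsaccountlock")


def is_enabled(entry: Dict[str, List[str]], cfg: StatusConfig) -> bool:
    """Return True if the entry represents an enabled account under cfg.

    Precedence follows the page: enabledBasedOnRole overrides every other
    status flag; otherwise the enabledAttribute value decides, and a
    missing attribute falls back to enabledWhenNoAttribute.
    """
    # LDAP attribute names and boolean-style values are case-insensitive.
    attrs = {name.lower(): values for name, values in entry.items()}

    if cfg.enabled_based_on_role:
        if not cfg.disabled_role_name:
            raise ValueError("enabledBasedOnRole=true requires disabledRoleName")
        roles = {r.lower() for r in attrs.get(cfg.role_attribute.lower(), [])}
        return cfg.disabled_role_name.lower() not in roles

    values = attrs.get(cfg.enabled_attribute.lower(), [])
    if not values:
        return cfg.enabled_when_no_attribute
    value = values[0].lower()
    if value == cfg.disabled_value.lower():
        return False
    if value == cfg.enabled_value.lower():
        return True
    # Neither configured value: refuse to guess rather than reconcile the
    # account with a status the directory did not actually express.
    raise ValueError(f"{cfg.enabled_attribute} has unexpected value {values[0]!r}")


def status_value_for_provisioning(enabled: bool, cfg: StatusConfig) -> str:
    """Value to write to enabledAttribute when enabling or disabling an
    account, i.e. enabledValue or disabledValue."""
    return cfg.enabled_value if enabled else cfg.disabled_value


# Constructed sample entries; they do not come from any real directory.
OUD_DISABLED = {"uid": ["jdoe"], "ds-pwp-account-disabled": ["true"]}
OUD_NO_FLAG = {"uid": ["asmith"]}
ODSEE_LOCKED = {"uid": ["bjones"], "nsaccountlock": ["true"]}
ODSEE_ROLE_DISABLED = {
    "uid": ["cwhite"],
    "nsrole": ["cn=nsmanageddisabledrole,dc=example,dc=com"],
}
ROLE_CONFIG = StatusConfig(
    enabled_attribute="nsaccountlock",
    enabled_based_on_role=True,
    disabled_role_name="cn=nsmanageddisabledrole,dc=example,dc=com",
)


if __name__ == "__main__":
    for label, entry, cfg in [
        ("OUD disabled flag", OUD_DISABLED, StatusConfig()),
        ("OUD no flag", OUD_NO_FLAG, StatusConfig()),
        ("ODSEE nsaccountlock", ODSEE_LOCKED, ODSEE_STATUS),
        ("ODSEE role, lock flag ignored", ODSEE_LOCKED, ROLE_CONFIG),
    ]:
        print(label, "->", "enabled" if is_enabled(entry, cfg) else "disabled")
```

The last sample in the main block is the one worth remembering: with enabledBasedOnRole set to true, an entry whose nsaccountlock is true but which lacks the disabled role is reported as enabled, exactly as the table's precedence rule states. Likewise, pointing an ODSEE target at the OUD default enabledAttribute silently reports locked accounts as enabled, because the attribute is absent and enabledWhenNoAttribute defaults to true.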

4.3 Attribute Mappings for OUD, ODSEE, and LDAPv3-Compliant Directory Server

The attribute mappings on the Schema page vary depending on whether you are creating a target application or an authoritative application.

4.3.1 Attribute Mappings for a Target Application for OUD, ODSEE, and LDAPv3-Compliant Directory Server

The Schema page for a target application displays the default schema (provided by the connector) that maps Oracle Identity Governance attributes to target system attributes. The connector uses these mappings during reconciliation and provisioning operations.

LDAP User Account Attributes

Table 4-4 lists the user-specific attribute mappings between the process form fields in Oracle Identity Governance and target system attributes. The table also lists whether a specific attribute is used during provisioning or reconciliation and whether it is a matching key field for fetching records during reconciliation.

If required, you can edit the default attribute mappings by adding new attributes or deleting existing attributes as described in Creating a Target Application of Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

Table 4-4 Default Attribute Mappings for LDAP User Account

Display Name | Target Attribute | Data Type | Mandatory Provisioning Property? | Provision Field? | Recon Field? | Key Field? | Case Insensitive?
User ID | uid | String | Yes | Yes | Yes | No | Not applicable
Title | title | String | No | Yes | Yes | No | Not applicable
First Name | givenname | String | No | Yes | Yes | No | Not applicable
Middle Name | initials | String | No | Yes | Yes | No | Not applicable
Last Name | sn | String | Yes | Yes | Yes | No | Not applicable
Common Name | cn | String | Yes | Yes | Yes | No | Not applicable
Department | departmentnumber | String | No | Yes | Yes | No | Not applicable
Location | l | String | No | Yes | Yes | No | Not applicable
Telephone | telephonenumber | String | No | Yes | Yes | No | Not applicable
Email | mail | String | No | Yes | Yes | No | Not applicable
Communication Lan | preferredlanguage | String | No | Yes | Yes | No | Not applicable
NsuniqueID | __UID__ | String | No | Yes | Yes | Yes | Not applicable
Container DN | __parentDN__ | String | Yes | No | Yes | No | Not applicable
Status | __ENABLE__ | String | No | No | Yes | No | Not applicable
Password | __PASSWORD__ | String | No | Yes | No | No | Not applicable
Name | __NAME__ | String | No | Yes | No | No | Not applicable
Login Disabled | __ENABLED__ | String | No | Yes | No | No | Not applicable

Figure 4-1 shows the default LDAP User account attribute mappings in a target application.

Figure 4-1 Default Attribute Mappings for an LDAP User Account in a Target Application


Group Entitlement Attributes

Table 4-5 lists the attribute mappings for Group entitlement between the process form fields in Oracle Identity Governance and target system attributes. The table lists whether a given attribute is mandatory during provisioning. It also lists whether a given attribute is used during reconciliation and whether it is a matching key field for fetching records during reconciliation.

If required, you can edit the default attribute mappings by adding new attributes or deleting existing attributes as described in Creating a Target Application of Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

Table 4-5 Default Attribute Mappings for Group Entitlement

Display Name | Target Attribute | Data Type | Mandatory Provisioning Property? | Recon Field | Key Field? | Case Insensitive?
Group Name | ldapGroups | String | No | Yes | Yes | No

Figure 4-2 shows the default Group entitlement attribute mapping.

Figure 4-2 Default Attribute Mappings for Group Entitlement


Role Entitlement Attributes

Table 4-6 lists the attribute mappings for Role entitlement between the process form fields in Oracle Identity Governance and target system attributes. The table lists whether a given attribute is mandatory during provisioning. It also lists whether a given attribute is used during reconciliation and whether it is a matching key field for fetching records during reconciliation.

Note:

Roles are not supported by the OUD and OpenLDAP target systems. Therefore, these attribute mappings for Role entitlement are applicable only to ODSEE and the LDAPv3-compliant directory server target systems that support Roles.

If required, you can edit the default attribute mappings by adding new attributes or deleting existing attributes as described in Creating a Target Application of Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

Table 4-6 Default Attribute Mappings for Role Entitlement

Display Name | Target Attribute | Data Type | Mandatory Provisioning Property? | Recon Field | Key Field? | Case Insensitive?
Role | nsroledn | String | No | Yes | Yes | No

Figure 4-3 shows the default Role child attribute mapping.

Figure 4-3 Default Attribute Mappings for Role Entitlement


4.3.2 Attribute Mappings for an Authoritative Application for OUD, ODSEE, and LDAPv3-Compliant Directory Server

The Schema page for an authoritative application displays the default schema (provided by the connector) that maps Oracle Identity Governance attributes to target system columns. The connector uses these mappings during reconciliation operations.

Table 4-7 lists the user-specific attribute mappings between the reconciliation fields in Oracle Identity Governance and target system columns. The table also lists the data type for a given attribute and specifies whether it is a mandatory attribute for reconciliation.

If required, you can edit these attribute mappings by adding new attributes or deleting existing attributes on the Schema page as described in Creating a Target Application in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

You may use the default schema that has been set for you or update and change it before continuing to the next step.

The Organization Name, Role, Xellerate Type, and Status identity attributes are mandatory fields on the OIG User form. They cannot be left blank during reconciliation. The target attribute mappings for these identity attributes are empty by default because there are no corresponding columns in the target system. Therefore, the connector provides default values (as listed in the “Default Value for Identity Display Name” column of Table 4-7) that it can use during reconciliation. For example, the default target attribute value for the Organization Name attribute is Xellerate Users. This implies that the connector reconciles all target system user accounts into the Xellerate Users organization in Oracle Identity Governance. Similarly, the default attribute value for Xellerate Type attribute is End-User, which implies that all reconciled user records are marked as end users.

Table 4-7 LDAP Trusted User Schema Attributes

Identity Display Name | Target Attribute | Data Type | Mandatory Reconciliation Property? | Recon Field? | Default Value for Identity Display Name
Email | mail | String | No | Yes | NA
Role | NA | String | No | Yes | Full-Time
First Name | givenname | String | No | Yes | NA
Last Name | sn | String | No | Yes | NA
Middle Name | initials | String | No | Yes | NA
NsuniqueID | __UID__ | String | No | Yes | NA
Organization Name | NA | String | No | Yes | Xellerate Users
Status | __ENABLE__ | String | No | Yes | NA
User Login | uid | String | No | Yes | NA
Xellerate Type | NA | String | No | Yes | End-User

Figure 4-4 shows the default LDAP Trusted user account attribute mappings in an authoritative application.

Figure 4-4 Default Attribute Mappings for LDAP Trusted User Account in an Authoritative Application


4.4 Correlation Rules for OUD, ODSEE, and LDAPv3-Compliant Directory Server

Learn about the predefined rules, responses and situations for target and authoritative applications. The connector uses these rules and responses when performing reconciliation.

4.4.1 Correlation Rules for a Target Application for OUD, ODSEE, and LDAPv3-Compliant Directory Server

When you create a target application, the connector uses correlation rules to determine the identity to which Oracle Identity Governance must assign a resource.

Predefined Identity Rules

By default, the connector provides a simple correlation rule when you create a target application. The connector uses this correlation rule to compare the entries in the Oracle Identity Governance repository and the target system repository, determine the difference between the two repositories, and apply the latest changes to Oracle Identity Governance.

Table 4-8 lists the default simple correlation rule for the connector. If required, you can edit the default correlation rule or add new rules. You can also create complex correlation rules. For more information about adding or editing simple or complex correlation rules, see Creating a Target Application in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

Table 4-8 Predefined Identity Correlation Rule for a Target Application for OUD, ODSEE, and LDAPv3-Compliant Directory Server

Target Attribute | Element Operator | Identity Attribute | Case Sensitive?
uid | Equals | User Login | No
__UID__ | Equals | NsuniqueID | No

In the first identity rule:

  • uid is the unique login name of a user.

  • User Login is the field on the OIG User form.

In the second identity rule:

  • __UID__ is an attribute on the target system that uniquely identifies the user account.

  • NsuniqueID is the field on the OIG User form.

Figure 4-5 shows the simple correlation rule that the connector uses when you create a target application for OUD, ODSEE, and LDAPv3-compliant directory server.

Figure 4-5 Simple Correlation Rule for a Target Application for OUD, ODSEE, and LDAPv3-Compliant Directory Server


Predefined Situations and Responses

The connector provides a default set of situations and responses when you create a target application. These situations and responses specify the action that Oracle Identity Governance must take based on the result of a reconciliation event.

Table 4-9 lists the default situations and responses for the application. If required, you can edit these default situations and responses or add new ones. For more information about adding or editing situations and responses, see Creating a Target Application in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

Table 4-9 Predefined Situations and Responses for a Target Application for OUD, ODSEE, and LDAPv3-Compliant Directory Server

Situation | Response
No Matches Found | Assign to Administrator With Least Load
One Entity Match Found | Establish Link
One Process Match Found | Establish Link

Figure 4-6 shows the situations and responses that the connector provides by default when you create a target application for OUD, ODSEE, and LDAPv3-compliant directory server.

Figure 4-6 Predefined Situations and Responses for a Target Application for OUD, ODSEE, and LDAPv3-Compliant Directory Server


4.4.2 Correlation Rules for an Authoritative Application for OUD, ODSEE, and LDAPv3-Compliant Directory Server

When you create an authoritative application, the connector uses correlation rules to determine the identity that must be reconciled into Oracle Identity Governance.

Predefined Identity Correlation Rules

By default, the connector provides a simple correlation rule when you create an authoritative application. The connector uses this correlation rule to compare the entries in the Oracle Identity Governance repository and the target system repository, determine the difference between the two repositories, and apply the latest changes to Oracle Identity Governance.

Table 4-10 lists the default simple correlation rule for an authoritative application. If required, you can edit the default correlation rule or add new rules. You can also create complex correlation rules. For more information about adding or editing simple or complex correlation rules, see Creating a Target Application in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

Table 4-10 Predefined Identity Correlation Rule for an Authoritative Application for OUD, ODSEE, and LDAPv3-Compliant Directory Server

Target Attribute | Element Operator | Identity Attribute | Case Sensitive?
uid | Equals | User Login | No

In this identity rule:

  • uid is the unique login name of a user.

  • User Login is the field on the OIG User form.

Figure 4-7 shows the simple correlation rule when you create an authoritative application for OUD, ODSEE, and LDAPv3-compliant directory server.

Figure 4-7 Simple Correlation Rule for an Authoritative Application for OUD, ODSEE, and LDAPv3-Compliant Directory Server


Predefined Situations and Responses

The connector provides a default set of situations and responses when you create an authoritative application. These situations and responses specify the action that Oracle Identity Governance must take based on the result of a reconciliation event.

Table 4-11 lists the default situations and responses. If required, you can edit these default situations and responses or add new ones. For more information about adding or editing situations and responses, see Creating a Target Application in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

Table 4-11 Predefined Situations and Responses for an Authoritative Application for OUD, ODSEE, and LDAPv3-Compliant Directory Server

Situation | Response
No Matches Found | Create User
One Entity Match Found | Establish Link
One Process Match Found | Establish Link

Figure 4-8 shows the situations and responses that the connector provides by default when you create an authoritative application for OUD, ODSEE, and LDAPv3-compliant directory server.

Figure 4-8 Predefined Situations and Responses for an Authoritative Application for OUD, ODSEE, and LDAPv3-Compliant Directory Server


4.5 Reconciliation Jobs for OUD, ODSEE, and LDAPv3-Compliant Directory Server

Learn about reconciliation jobs that are automatically created in Oracle Identity Governance after you create a target or an authoritative application for OUD, ODSEE, and LDAPv3-compliant directory server.

4.5.1 Reconciliation Jobs for a Target Application for OUD, ODSEE, and LDAPv3-Compliant Directory Server

These are the reconciliation jobs that are automatically created in Oracle Identity Governance after you create the application.

You can either use these predefined jobs or edit them to meet your requirements. Alternatively, you can create custom reconciliation jobs. For information about editing these predefined jobs or creating new ones, see Updating Reconciliation Jobs in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

LDAP Connector User Search Reconciliation Job

Use the LDAP Connector User Search Reconciliation job to perform full reconciliation, which involves reconciling all user records from a target application into Oracle Identity Governance. If your target system supports modifyTimestamp, then you can use this reconciliation job to perform incremental reconciliation.

Table 4-12 Parameters of the LDAP Connector User Search Reconciliation Job

Parameter Description

Application Name

Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application.

Do not modify this value.

Filter

Enter the expression for filtering records that the scheduled job must reconcile.

Sample value: equalTo('__UID__','SEPT12USER1')

For information about the filter expressions that you can create and use, see ICF Filter Syntax in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance.

Object Type

This attribute holds the name of the object type for the reconciliation run.

Default value: User

Do not change the default value.

Incremental Recon Attribute

Name of the target system column that holds the timestamp at which the user record is modified.

Default value: modifyTimestamp

Do not change the default value.

Scheduled Task Name

Name of the scheduled task.

Note: For the scheduled task shipped with this connector, you must not change the value of this attribute. However, if you create a copy of the task, then you can enter the unique name for that scheduled task as the value of this attribute.

Latest Token

This parameter holds the value of the target system column that is specified as the value of the Incremental Recon Attribute parameter. The Latest Token parameter is used for internal purposes. By default, this attribute is empty.

Do not enter a value for this attribute. The reconciliation engine automatically enters a value in this attribute.

LDAP Connector User Sync Reconciliation Job

If your target system supports a changelog, use the LDAP Connector User Sync Reconciliation job to perform incremental reconciliation. During incremental reconciliation, only the records that are added or modified after the last reconciliation run are fetched into Oracle Identity Governance.

Table 4-13 Parameters of the LDAP Connector User Sync Reconciliation Job

Parameter Value

Application Name

Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application.

Do not modify this value.

Object Type

Type of object you want to reconcile.

Default value: User

Scheduled Task Name

Name of the scheduled task.

Note: For the scheduled task shipped with this connector, you must not change the value of this attribute. However, if you create a copy of the task, then you can enter the unique name for that scheduled task as the value of this attribute.

Sync Token

Time stamp at which the last reconciliation run started.

Note: Do not enter a value for this attribute. The reconciliation engine automatically enters a value for this attribute.

If you set this attribute to an empty value, then incremental reconciliation operations fetch all the records (perform full reconciliation).
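The token-driven behaviour described for the Latest Token and Sync Token parameters (an empty token means full reconciliation; otherwise only records modified after the token are fetched and the token advances) as an added example. This is not the connector's own code; the directory entries are constructed sample data, and the `equal_to` helper only mimics the `equalTo('<attr>','<value>')` filter form shown on this page.

```python
"""Added example (not Oracle's connector code): incremental reconciliation
driven by a modifyTimestamp token, as described for the Incremental Recon
Attribute and Latest Token parameters."""
from datetime import datetime, timezone

# Constructed sample entries, as a user search over baseContexts might return them.
SAMPLE_ENTRIES = [
    {"__UID__": "SEPT12USER1", "cn": "Sept User 1", "modifyTimestamp": "20240110120000Z"},
    {"__UID__": "SEPT12USER2", "cn": "Sept User 2", "modifyTimestamp": "20240115083000Z"},
    {"__UID__": "SEPT12USER3", "cn": "Sept User 3", "modifyTimestamp": "20240115083000Z"},
    {"__UID__": "SEPT12USER4", "cn": "Sept User 4", "modifyTimestamp": "20240120170000Z"},
]


def parse_generalized_time(value: str) -> datetime:
    """LDAP GeneralizedTime without fractions, e.g. 20240115083000Z, as aware UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def equal_to(attr: str, expected: str):
    """Hypothetical predicate modelled on the equalTo('<attr>','<value>') filter form."""
    return lambda entry: entry.get(attr) == expected


def reconcile(entries, latest_token=None, recon_attr="modifyTimestamp", filt=None):
    """Return (records_to_reconcile, new_latest_token).

    An empty token means full reconciliation: every matching record is fetched.
    Otherwise only records whose recon_attr is strictly newer than the token are
    fetched, and the token advances to the newest timestamp among them.
    Caveat: records sharing the token's exact timestamp are skipped here; how the
    real connector treats that boundary is not described on this page."""
    token_dt = parse_generalized_time(latest_token) if latest_token else None
    selected, newest = [], latest_token
    for entry in entries:
        if filt is not None and not filt(entry):
            continue
        stamp = entry[recon_attr]
        if token_dt is not None and parse_generalized_time(stamp) <= token_dt:
            continue
        selected.append(entry)
        if newest is None or parse_generalized_time(stamp) > parse_generalized_time(newest):
            newest = stamp
    return selected, newest
```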

LDAP Connector User Search Delete Reconciliation Job

Use the LDAP Connector User Search Delete Reconciliation job to reconcile data about deleted user accounts from a target application.

Table 4-14 Parameters of the LDAP Connector User Search Delete Reconciliation Job

Parameter Description

Application Name

Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application.

Do not modify this value.

Object Type

This attribute holds the name of the object type for the reconciliation run.

Default value: User

Do not change the default value.

Reconciliation Jobs for Entitlements

The following jobs are available for reconciling entitlements:

  • LDAP Connector Role Lookup Reconciliation

  • LDAP Connector Group Lookup Reconciliation

  • LDAP Connector OU Lookup Reconciliation

The parameters for all the reconciliation jobs are the same.

Table 4-15 Parameters of the Reconciliation Jobs for Entitlements

Parameter Description

Application Name

Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application.

Note: Do not modify this value.

Filter

Enter the search filter for fetching user records from the target system during a reconciliation run.

The following is a sample value for the LDAP Connector Group Lookup Reconciliation job: containsAllValues('ldapGroups','cn=grp1,ou=groups,dc=example,dc=com')

Object Type

Enter the type of object whose values must be synchronized.

Depending on the reconciliation job you are using, the default values are as follows:

  • For LDAP Connector Role Lookup Reconciliation: Role

  • For LDAP Connector Group Lookup Reconciliation: Group

  • For LDAP Connector OU Lookup Reconciliation: OU

Note: Do not change the value of this attribute.

Lookup Name

This parameter holds the name of the lookup definition that is mapped to the data source from which values must be fetched.

Depending on the reconciliation job you are using, the default values are as follows:

  • For LDAP Connector Role Lookup Reconciliation: Lookup.LDAP.Role

  • For LDAP Connector Group Lookup Reconciliation: Lookup.LDAP.Group

  • For LDAP Connector OU Lookup Reconciliation: Lookup.LDAP.Organization

Decode Attribute

Enter the name of the connector or target system attribute that is used to populate the Decode column of the lookup definition (specified as the value of the Lookup Name attribute).

Depending on the reconciliation job you are using, the default values are as follows:

  • For LDAP Connector Role Lookup Reconciliation and LDAP Connector Group Lookup Reconciliation: cn

  • For LDAP Connector OU Lookup Reconciliation: ou

Code Key Attribute

Enter the name of the connector or target system attribute that is used to populate the Code Key column of the lookup definition (specified as the value of the Lookup Name attribute).

Default value: dn

Note: Do not change the value of this attribute.
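How the entitlement lookup jobs in Table 4-15 populate a lookup definition, as an added example that is not the connector's own code: Code Key comes from dn and Decode from cn (roles, groups) or ou (organizational units). The group and OU entries are constructed sample data, and the duplicate-Decode check is an assumption about what an administrator would want flagged, not documented connector behaviour.

```python
"""Added example (not Oracle's connector code): building lookup rows the way
the Role, Group and OU lookup reconciliation jobs are configured by default."""

# Constructed sample entries, as a search for each object type might return them.
SAMPLE_GROUPS = [
    {"dn": "cn=grp1,ou=groups,dc=example,dc=com", "cn": "grp1"},
    {"dn": "cn=admins,ou=groups,dc=example,dc=com", "cn": "admins"},
    {"dn": "cn=admins,ou=legacy,dc=example,dc=com", "cn": "admins"},  # same cn, different dn
]
SAMPLE_OUS = [
    {"dn": "ou=groups,dc=example,dc=com", "ou": "groups"},
    {"dn": "ou=people,dc=example,dc=com", "ou": "people"},
]

# Default Lookup Name, Code Key Attribute and Decode Attribute per Object Type (Table 4-15).
LOOKUP_JOBS = {
    "Role": {"lookup_name": "Lookup.LDAP.Role", "code_key": "dn", "decode": "cn"},
    "Group": {"lookup_name": "Lookup.LDAP.Group", "code_key": "dn", "decode": "cn"},
    "OU": {"lookup_name": "Lookup.LDAP.Organization", "code_key": "dn", "decode": "ou"},
}


def build_lookup(object_type, entries):
    """Return (lookup_name, rows, duplicate_decodes).

    rows maps Code Key -> Decode. Because the Code Key is the dn, which is unique
    in the directory, rows never collide; the Decode value (cn or ou) can repeat
    across containers, so such collisions are reported for the administrator
    instead of being silently merged into one entitlement."""
    job = LOOKUP_JOBS[object_type]
    rows, first_dn_for_decode, duplicates = {}, {}, []
    for entry in entries:
        code_key = entry[job["code_key"]]
        decode = entry[job["decode"]]
        if code_key in rows:
            raise ValueError(f"duplicate Code Key {code_key!r}: dn must be unique")
        rows[code_key] = decode
        if decode in first_dn_for_decode:
            duplicates.append((decode, first_dn_for_decode[decode], code_key))
        else:
            first_dn_for_decode[decode] = code_key
    return job["lookup_name"], rows, duplicates
```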

4.5.2 Reconciliation Jobs for an Authoritative Application for OUD, ODSEE, and LDAPv3-Compliant Directory Server

These are the reconciliation jobs that are automatically created in Oracle Identity Governance after you create an authoritative application for your target system.

You can either use these predefined jobs or edit them to meet your requirements. Alternatively, you can create custom reconciliation jobs. For information about editing these predefined jobs or creating new ones, see Updating Reconciliation Jobs in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

LDAP Connector Trusted User Reconciliation Job

Use the LDAP Connector Trusted User Reconciliation job to perform full reconciliation, which involves reconciling all user records created or modified directly on an authoritative application into Oracle Identity Governance. The connector uses this data to create or update the corresponding OIG Users. If your target system supports modifyTimestamp, then you can use this reconciliation job to perform incremental reconciliation.

Table 4-16 Parameters of the LDAP Connector Trusted User Reconciliation Job

Parameter Value

Application Name

Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application.

Do not modify this value.

Filter

Enter the expression for filtering records that the scheduled job must reconcile.

Sample value: equalTo('__UID__','SEPT12USER1')

For information about the filter expressions that you can create and use, see ICF Filter Syntax in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance.

Object Type

This attribute holds the name of the object type for the reconciliation run.

Default value: User

Do not change the default value.

Incremental Recon Attribute

Name of the target system column that holds the timestamp at which the user record is modified.

Default value: modifyTimestamp

Do not change the default value.

Scheduled Task Name

Name of the scheduled task.

Note: For the scheduled task shipped with this connector, you must not change the value of this attribute. However, if you create a copy of the task, then you can enter the unique name for that scheduled task as the value of this attribute.

Latest Token

This parameter holds the value of the target system column that is specified as the value of the Incremental Recon Attribute parameter. The Latest Token parameter is used for internal purposes. By default, this attribute is empty.

Do not enter a value for this attribute. The reconciliation engine automatically enters a value in this attribute.

LDAP Connector Trusted User Delete Reconciliation Job

The LDAP Connector Trusted User Delete Reconciliation job is used to reconcile data about deleted user accounts from an authoritative application.

Note:

Before running this reconciliation job, ensure that all users on the target system are assigned a unique value for the User ID target attribute; otherwise, unexpected errors might occur.

Table 4-17 Parameters of the LDAP Connector Trusted User Delete Reconciliation Job

Parameter Value

Application Name

Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application.

Do not modify this value.

Object Type

Type of object you want to reconcile.

Default value: User