6 Using the Oracle Internet Directory Connector

You can use the Oracle Internet Directory connector for performing reconciliation and provisioning operations after configuring your application to meet your requirements.

6.1 Guidelines on Using the Connector

These are the guidelines that you must apply while configuring reconciliation, performing provisioning operations, and using the connector for dynamic or virtual static groups.

6.1.1 Guidelines on Configuring Reconciliation

These are the guidelines that you must apply while configuring reconciliation.

  • Before a target resource reconciliation run is performed, lookup definitions must be synchronized with the lookup fields of the target system. In other words, scheduled jobs for lookup field synchronization must be run before user reconciliation runs.

  • The scheduled job for user reconciliation must be run before the scheduled job for reconciliation of deleted user data.

  • There is no support for group entities in Oracle Identity Governance. Therefore, apply the following guidelines before you run the scheduled job for groups reconciliation:

    • If you are using the default connector configuration, for every group in the target system, create a corresponding organizational unit (with the same group name) in Oracle Identity Governance. This ensures that all groups from the target system are reconciled into their newly created organizational units, respectively.

    • You can also configure the connector to reconcile groups under one organization. See Reconciling OID, OUD, and ODSEE Groups Under One Organization in Oracle Identity Governance.

  • For the OUD target system, the OUD changelog is based on the replication database. By default, replication keeps changelog entries for only 100 hours. Tune the replication purge delay to your specific requirements; the database size on disk varies accordingly. For more information, see the changelog documentation for the OUD target system.

  • Reconciliation of roles is supported only for ODSEE target system.

  • If the only change made to a user is a change in group membership, run the User Search Reconciliation scheduled job. Such a change updates neither the changelog nor the modifyTimestamp attribute of the user, so only a full reconciliation run of the User Search Reconciliation scheduled job reconciles it.

  • If you are reconciling a large number of records for an OID target system, then you must specify values for the following advanced settings parameters to optimize performance:

    • For target resource configuration

      Change or increase the values of the blockSize and changeLogBlockSize parameters to suit the requirements of your environment.

      Specify values for the readTimeout and connectTimeout parameters. If these parameters are not available in the Advanced Settings section, then you can manually add these parameters by updating the xml/OID-target-template.xml file as described in Configuring the Connector for LDAP Operation Timeouts.

    • For trusted source configuration

      Set the value of the usePagedResultControl parameter to true.

6.1.2 Guidelines on Performing Provisioning Operations

These are the guidelines that you must apply while performing provisioning operations.

  • Before you perform provisioning operations, lookup definitions must be synchronized with the lookup fields of the target system. In other words, scheduled tasks for lookup field synchronization must be run before provisioning operations.

  • If you want to provision a User, Group, Role, or an Organizational Unit directly under base context, then set the baseContexts basic configuration parameter to the base context name.

    Sample value: dc=example,dc=com

  • On the Oracle Internet Directory target system, the Manager Name field accepts only DN values. Therefore, when you set or modify the Manager Name field in Oracle Identity Governance, you must enter the DN value.

    For example: cn=abc,ou=lmn,dc=corp,dc=com

  • Provisioning of roles is supported only for ODSEE target system.

  • You perform Group provisioning in Oracle Identity Governance by provisioning the LDAP Group resource object to the Oracle Identity Governance organization. The connector uses groupOfUniqueNames as the object class for groups.

  • You perform Organizational unit provisioning in Oracle Identity Governance by provisioning the LDAP Organisation Unit resource object to the Oracle Identity Governance organization. The connector uses the organizationalUnit object class for organizational unit provisioning.

6.1.3 Guidelines on Using the Connector for Dynamic and Virtual Static Groups

This connector does not support dynamic and virtual static groups in LDAP, by default. If you want to use the connector for dynamic or virtual static groups, then you must apply these guidelines.

  • Ensure referential integrity in OUD is enabled.

  • Set the value of the maintainLdapGroupMembership advanced settings parameter to false.

6.2 Configuring Reconciliation

Reconciliation replicates in Oracle Identity Governance the creation of, and modifications to, user accounts on the target system.

This section provides details on the following topics related to configuring reconciliation:

  • Performing Full and Incremental Reconciliation

  • Performing Limited Reconciliation

Note:

Consider this scenario. You provision a user to an organization (org1) and then move the user to a second organization (org2). You run Trusted Reconciliation and Target User Sync reconciliation. As a result, two resources are attached to the user: one revoked and one provisioned.

This behavior is normal for the connector. After moving the user to org2, the target directory considers the user in org1 to be deleted (revoked) even though the user still exists in org1. However, in org2 the user also exists and is considered to be provisioned.

6.2.1 Performing Full and Incremental Reconciliation

Full reconciliation involves reconciling all existing user records from the target system into Oracle Identity Governance. During incremental reconciliation, only records that are added or modified after the last reconciliation run are fetched into Oracle Identity Governance.

After you deploy the connector, you must first perform full reconciliation. In addition, you can switch from incremental reconciliation to full reconciliation whenever you want to ensure that all target system records are reconciled in Oracle Identity Governance.

Full reconciliation: To perform a full reconciliation run, ensure that a value is not specified for the Filter and Latest Token attributes of the search reconciliation scheduled job for users, groups, or roles.

Incremental reconciliation: If the target system supports a changelog, Sync reconciliation can be used for performing incremental reconciliation. To perform an incremental reconciliation run, specify a value for the Sync Token attribute in the sync reconciliation scheduled job for users, groups, or roles. From the next run onward, only records created or modified after the value in the Sync Token attribute are considered for reconciliation.

Incremental reconciliation can also be performed by filtered search based on the modifyTimestamp value. The timestamp value is updated in the search reconciliation scheduled task after full reconciliation. From the next run onward, the task runs in incremental reconciliation mode.

Note:

As a prerequisite, configure modifyTimestamp as an indexed and searchable attribute.

See Reconciliation Jobs for OID and Reconciliation Jobs for OUD, ODSEE, and LDAPv3-Compliant Directory Server for information about these reconciliation jobs.

6.2.2 Performing Limited Reconciliation

By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run. You can customize this process by specifying the subset of added or modified target system records that must be reconciled.

The following are the ways in which limited reconciliation can be achieved:

  • Performing Limited Reconciliation By Using Filters

  • Performing Limited Reconciliation Based on Group Membership

6.2.2.1 Performing Limited Reconciliation By Using Filters

You can perform limited reconciliation by creating filters for the reconciliation module, and reconcile records from the target system based on a specified filter criterion.

This connector provides a Filter attribute (a scheduled task attribute) that allows you to use any of the OID resource attributes to filter the target system records.

For detailed information about ICF Filters, see ICF Filter Syntax in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance.

While creating the application, follow the instructions in Configuring Reconciliation Jobs to specify attribute values.

6.2.2.2 Performing Limited Reconciliation Based on Group Membership

Limited Reconciliation can be performed based on Group Membership. You can reconcile only the users associated with a particular group by configuring the filter.

  • For ODSEE and OUD:

    • Set the ldapGroupFilterBehavior advanced settings parameter to accept.

    • Set the ldapGroupMembershipAttribute advanced settings parameter to ismemberof.

    Specify the filter as:

    containsAllValues('ldapGroups','cn=grp1,ou=groups,dc=example,dc=com')
    
  • For OID:

    • Set the ldapGroupFilterBehavior advanced settings parameter to ignore.

    • Set the ldapGroupMembershipAttribute advanced settings parameter to ismemberof.

    Specify the filter as:

    containsAllValues('ldapGroups','cn=grp1,ou=groups,dc=example,dc=com')
    

In these examples, grp1 is the group with which users are associated.

6.3 Reconciling Newly Created Objects for OUD Release 11.1.1.5.0

If you create a new object (User, OU, or Group) on OUD release 11.1.1.5.0 and run a search reconciliation job with modifyTimestamp in Incremental Recon Attribute, the reconciliation events are not created for new objects. To reconcile newly created objects, you must perform full reconciliation with createTimestamp in Incremental Recon Attribute.

To create a new reconciliation job for reconciling newly created objects separately:

  1. Using Identity Self Service, create a new full reconciliation job.
  2. Set the Job Name depending on the object type that you want to reconcile (User, OU, or Group). For example, OUD New Users Search Reconciliation.
  3. Set the Object Type to User, OU or Group, depending on the object type you want to reconcile.
  4. Add the Incremental Recon Attribute parameter and set the value to createTimestamp.
  5. Add the Scheduled Task Name parameter and set the value to the job name that you specified in Step 2.
  6. Add the Filter and Latest Token parameters depending on your requirements.
  7. Click Apply to save the job.

See Also:

Updating Reconciliation Jobs in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance for instructions on creating a new reconciliation job
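The difference between a modifyTimestamp-based and a createTimestamp-based search reconciliation run, as an added example that is not part of the connector or this guide. The entries, timestamps and Latest Token are constructed; the run is modelled as the LDAP filter behaviour described above (an entry that lacks the Incremental Recon Attribute never matches), and the newly created OUD 11.1.1.5.0 object is modelled as carrying createTimestamp only, which is an assumption of this example.

```python
from datetime import datetime, timezone

# LDAP GeneralizedTime as stored in the Latest Token attribute, e.g. 20120516115131Z
GENERALIZED_TIME = "%Y%m%d%H%M%SZ"


def parse_gt(value):
    """Parse an LDAP GeneralizedTime string (UTC, whole seconds) into a datetime."""
    return datetime.strptime(value, GENERALIZED_TIME).replace(tzinfo=timezone.utc)


def run_search_recon(entries, incremental_recon_attribute, latest_token=None):
    """Model one run of a search reconciliation job.

    With an empty Latest Token the run is a full reconciliation and every entry
    is fetched.  With a token, only entries whose Incremental Recon Attribute is
    >= the token are fetched; an entry that lacks the attribute never matches,
    just as an LDAP filter on an absent attribute never matches.
    Returns the fetched DNs and the token the job stores for the next run (the
    newest timestamp seen, or the old token if nothing newer was seen).
    """
    token = parse_gt(latest_token) if latest_token else None
    fetched, newest = [], token
    for entry in entries:
        stamp = entry.get(incremental_recon_attribute)
        if token is not None and (stamp is None or parse_gt(stamp) < token):
            continue
        fetched.append(entry["dn"])
        if stamp is not None and (newest is None or parse_gt(stamp) > newest):
            newest = parse_gt(stamp)
    new_token = newest.strftime(GENERALIZED_TIME) if newest else ""
    return fetched, new_token


def missed_new_objects(entries, latest_token):
    """DNs that an incremental modifyTimestamp run skips but a createTimestamp run fetches."""
    by_modify, _ = run_search_recon(entries, "modifyTimestamp", latest_token)
    by_create, _ = run_search_recon(entries, "createTimestamp", latest_token)
    return [dn for dn in by_create if dn not in by_modify]


# Constructed sample entries (not real directory data).  "carol" models a freshly
# created object on OUD 11.1.1.5.0 that carries createTimestamp only.
ENTRIES = [
    {"dn": "cn=alice,ou=people,dc=example,dc=com",
     "createTimestamp": "20120501090000Z", "modifyTimestamp": "20120510120000Z"},
    {"dn": "cn=bob,ou=people,dc=example,dc=com",
     "createTimestamp": "20120401090000Z", "modifyTimestamp": "20120402100000Z"},
    {"dn": "cn=carol,ou=people,dc=example,dc=com",
     "createTimestamp": "20120515083000Z"},
]

if __name__ == "__main__":
    token = "20120505000000Z"  # constructed Latest Token left by a previous run
    print("modifyTimestamp run:", run_search_recon(ENTRIES, "modifyTimestamp", token))
    print("createTimestamp run:", run_search_recon(ENTRIES, "createTimestamp", token))
    print("missed new objects: ", missed_new_objects(ENTRIES, token))
```

Running missed_new_objects against a copy of the real entries after an incremental run is a quick way to confirm whether the separate createTimestamp job described above is needed on your directory.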

6.4 Reconciling OID, OUD, and ODSEE Users Under Their Corresponding Organizations in Oracle Identity Governance

Perform this optional task to reconcile users from the OID, OUD, or ODSEE target system under their corresponding organizations in Oracle Identity Governance. You do so by updating the default schema that has been set for an authoritative application.

To reconcile users from the OID, OUD, or ODSEE target system under their corresponding organizations in Oracle Identity Governance:
  1. Ensure that you have created the corresponding organizations with the same names from the target system in Oracle Identity Governance.
    You create an organization from the Create Organization page in Identity Self Service.
  2. In Table 4-7 on the Schema page, update the value of the Organization Name identity attribute. To do so, in the Target Attribute column corresponding to the Organization Name identity attribute, enter __PARENTRDNVALUE__.

See Also:

Creating an Organization in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance

6.5 Reconciling OID, OUD, and ODSEE Groups Under One Organization in Oracle Identity Governance

Perform this task to reconcile groups from the OID, OUD, or ODSEE target system under the corresponding organization in Oracle Identity Governance.

  1. Log in to Oracle Identity Manager Design Console.
  2. Depending on the target system you are using, edit the lookup definition as follows:
    For OID: Search for and add the following entry in the Lookup.OID.Group.Configuration lookup definition:
    • code: Recon Attribute Defaults

    • decode: Lookup.OID.Group.Defaults

    For OUD and ODSEE: Search for and add the following entry in the Lookup.LDAP.Group.Configuration lookup definition:
    • code: Recon Attribute Defaults

    • decode: Lookup.LDAP.Group.Defaults

    The specified decode values are examples, and you can set your own lookup names.
  3. Depending on the target system you are using, create a new lookup definition:
    • For OID: Lookup.OID.Group.Defaults

    • For OUD and ODSEE: Lookup.LDAP.Group.Defaults

  4. Add the following entry:
    • code: Org Name

    • decode: Group1

    The specified decode value is an example of the name of the Oracle Identity Governance organization under which all groups need to be reconciled.

  5. Depending on the target system you are using, search for the lookup definition:
    • For OID: Lookup.OID.Group.ReconAttrMap

    • For OUD and ODSEE: Lookup.LDAP.Group.ReconAttrMap

  6. Delete the row with the code Org Name.
  7. Depending on the target system you are using, search for and edit one of the following reconciliation rules:
    • For OID: OID Group Recon

    • For OUD and ODSEE: LDAP Group Recon

  8. Change the current rule Organization Name Equals Group Name to Organization Name Equals Org Name.
  9. Double-click the rule element and change the attribute Group Name to Org Name.
  10. Save the rule.
  11. Depending on the target system you are using, open one of the following resource objects and click Create Reconciliation Profile.
    • For OID: OID Group

    • For OUD and ODSEE: LDAP Group

  12. Create an organization with the organization name Group1.
    You create an organization from the Create Organization page in Identity Self Service.
  13. Depending on the target system you are using, run one of the following reconciliation jobs:
    • For OID: OID Connector Group Search Recon job

    • For OUD and ODSEE: LDAP Connector Group Lookup Reconciliation job

    After the job is complete, all groups are reconciled from the target system into the Group1 organization in Oracle Identity Governance. You can view the entitlements published to the open organization on the Available Entitlement tab in Identity Self Service.

See Also:

  • Creating an Organization in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance for instructions on creating organizations in Oracle Identity Governance

  • Table 4-15 for details about the parameters of the LDAP Connector Group Lookup Reconciliation job

  • Configuring Reconciliation Jobs for instructions on performing reconciliation runs

6.6 Reconciling ODSEE Roles Under One Organization in Oracle Identity Governance

Perform this task to configure ODSEE roles to be reconciled under one organization.

  1. Log in to the Oracle Identity Manager Design Console.
  2. Search for the Lookup.LDAP.Role.Configuration lookup definition, and add the following entry:
    • code: Recon Attribute Defaults

    • decode: Lookup.LDAP.Role.Defaults

    The specified decode value is an example, and you can set your own lookup name.

  3. Create a new lookup definition with the name Lookup.LDAP.Role.Defaults, and add the following entry:
    • code: Org Name

    • decode: Role1

    The decode value is an example of the name of the Oracle Identity Governance organization under which all roles need to be reconciled.

  4. Search for the Lookup.LDAP.Role.ReconAttrMap lookup definition, and delete the row with code Org Name.
  5. Search for and edit the reconciliation rule LDAP Role Recon:
    1. Change the current rule Organization Name Equals Role Name to Organization Name Equals Org Name.
    2. Double-click the rule element and change the attribute Role Name to Org Name.
    3. Save the rule.
  6. Open the LDAP Role resource object and click Create Reconciliation Profile.
  7. Create an organization with the organization name Role1.
    You create an organization from the Create Organization page in Identity Self Service.
  8. Run the LDAP Connector Role Search Reconciliation job.
    After the job is complete, all roles are reconciled from the target system into the Role1 organization in Oracle Identity Governance. You can view the entitlements published to the open organization on the Available Entitlement tab in Identity Self Service.

See Also:

  • Creating an Organization in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance for instructions on creating organizations in Oracle Identity Governance

  • Table 4-15 for details about the parameters of the LDAP Connector Role Search Reconciliation job

  • Configuring Reconciliation Jobs for instructions on performing reconciliation runs

6.7 Configuring Reconciliation Jobs

Configure reconciliation jobs to perform reconciliation runs that periodically check for new information on your target system and replicate the data in Oracle Identity Governance.

You can apply this procedure to configure the reconciliation jobs for users and entitlements.

To configure a reconciliation job:
  1. Log in to Identity System Administration.
  2. In the left pane, under System Management, click Scheduler.
  3. Search for and open the scheduled job as follows:
    1. In the Search field, enter the name of the scheduled job as the search criterion. Alternatively, you can click Advanced Search and specify the search criterion.
    2. In the search results table on the left pane, click the scheduled job in the Job Name column.
  4. On the Job Details tab, you can modify the parameters of the scheduled task:
    • Retries: Enter an integer value in this field. This number represents the number of times the scheduler tries to start the job before assigning the Stopped status to the job.
    • Schedule Type: Depending on the frequency at which you want the job to run, select the appropriate schedule type. See Creating Jobs in Oracle Fusion Middleware Administering Oracle Identity Governance.

    In addition to modifying the job details, you can enable or disable a job.

  5. On the Job Details tab, in the Parameters region, specify values for the attributes of the scheduled task.

    Note:

    Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value is left empty, then reconciliation is not performed.

  6. Click Apply to save the changes.

    Note:

    You can use the Scheduler Status page in Identity System Administration to either start, stop, or reinitialize the scheduler.

6.8 Performing Provisioning Operations

You create a new user in Identity Self Service by using the Create User page. You provision or request accounts on the Accounts tab of the User Details page.

To perform provisioning operations in Oracle Identity Governance:

  1. Log in to Identity Self Service.
  2. Create a user as follows:
    1. In Identity Self Service, click Manage. The Home tab displays the different Manage options. Click Users. The Manage Users page is displayed.
    2. From the Actions menu, select Create. Alternatively, you can click Create on the toolbar. The Create User page is displayed with input fields for user profile attributes.
    3. Enter details of the user in the Create User page.
  3. On the Account tab, click Request Accounts.
  4. In the Catalog page, search for and add to cart the application instance for the connector that you configured earlier, and then click Checkout.
  5. Specify values for the fields in the application form and then click Ready to Submit.
  6. Click Submit.

See Also:

Creating a User in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance for details about the fields on the Create User page

6.9 Connector Objects Used for Groups and Organizational Units Management in OID

Learn about the objects that are used by the connector to perform group and organizational unit management operations such as create, update, and delete.

6.9.1 Preconfigured Lookup Definitions for Groups Management in OID

The lookup definitions for Groups are automatically created in Oracle Identity Governance after you create the application by using the connector. These lookup definitions are prepopulated with values after you create the application.

This section provides information about the following lookup definitions for group operations:

  • Lookup.OID.Group.Configuration

  • Lookup.OID.Group.ProvAttrMap

  • Lookup.OID.Group.ReconAttrMap

6.9.1.1 Lookup.OID.Group.Configuration

The Lookup.OID.Group.Configuration lookup definition holds configuration entries that are specific to the group object type. This lookup definition is used during group management operations when your target system is configured as a target resource.

Table 6-1 lists the default entries in this lookup definition.

Table 6-1 Entries in the Lookup.OID.Group.Configuration Lookup Definition

  Code Key                    Decode                         Description
  Provisioning Attribute Map  Lookup.OID.Group.ProvAttrMap   This entry holds the name of the lookup definition that maps process form fields and target system attributes.
  Recon Attribute Map         Lookup.OID.Group.ReconAttrMap  This entry holds the name of the lookup definition that maps resource object fields and target system attributes.

6.9.1.2 Lookup.OID.Group.ProvAttrMap

The Lookup.OID.Group.ProvAttrMap lookup definition holds mappings between process form fields and target system attributes. This lookup definition is used during group provisioning operations. This lookup definition is preconfigured.

Table 6-2 lists the default entries. You can add entries to this lookup definition if you want to map new target system attributes for provisioning.

Table 6-2 Entries in the Lookup.OID.Group.ProvAttrMap Lookup Definition

  Group Field on Oracle Identity Manager  Target System Field
  Container DN[IGNORE,LOOKUP]             container
  Group Name                              cn
  Name                                    __NAME__="cn=${Group_Name},${Container_DN}"
  OrclGuid                                __UID__

6.9.1.3 Lookup.OID.Group.ReconAttrMap

The Lookup.OID.Group.ReconAttrMap lookup definition holds mappings between resource object fields for groups and target system attributes. This lookup definition is used during reconciliation. This lookup definition is preconfigured.

Table 6-3 lists the default entries. You can add entries to this lookup definition if you want to map new target system attributes for reconciliation.

Table 6-3 Entries in the Lookup.OID.Group.ReconAttrMap Lookup Definition

  Group Field on Oracle Identity Manager  Target System Field
  Container DN[LOOKUP]                    __parentDN__
  Group Name                              cn
  OrclGuid                                __UID__
  Org Name                                __PARENTRDNVALUE__
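How the __parentDN__ and __PARENTRDNVALUE__ values in Table 6-3 and the __NAME__ template in Table 6-2 relate to an entry's DN, as an added example that is not the connector's own code. It assumes RFC 4514 DN syntax, escapes the field value placed inside the RDN, and treats the Container_DN field as an already well-formed DN; all DNs are constructed.

```python
import re

# Characters that must be backslash-escaped inside an RDN value (RFC 4514 2.4);
# a leading '#' or space and a trailing space are escaped as well.
RDN_SPECIAL = ',+"\\<>;'


def split_dn(dn):
    """Split a DN into its RDN strings, keeping backslash-escaped commas intact."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return rdns


def escape_rdn_value(value):
    """Escape an attribute value so it can be embedded in an RDN unambiguously."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in RDN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def unescape_rdn_value(value):
    """Reverse escape_rdn_value for a value read back from a DN."""
    return re.sub(r"\\(.)", r"\1", value)


def parent_dn(dn):
    """__parentDN__: the entry's DN with its leading RDN removed."""
    return ",".join(split_dn(dn)[1:])


def parent_rdn_value(dn):
    """__PARENTRDNVALUE__: the value of the parent entry's RDN, e.g. the OU name
    that section 6.4 maps to the Organization Name identity attribute."""
    parent = split_dn(dn)[1:]
    if not parent:
        return ""
    _, _, value = parent[0].partition("=")
    return unescape_rdn_value(value)


def build_name(template, fields):
    """Expand a __NAME__ template such as cn=${Group_Name},${Container_DN}.

    Field values substituted inside an RDN are escaped; Container_DN is assumed
    to be a complete DN and is inserted unchanged (an assumption of this example).
    """
    def substitute(match):
        key = match.group(1)
        value = fields[key]
        return value if key == "Container_DN" else escape_rdn_value(value)
    return re.sub(r"\$\{(\w+)\}", substitute, template)


if __name__ == "__main__":
    # Constructed DNs, not real directory data.
    group_dn = build_name("cn=${Group_Name},${Container_DN}",
                          {"Group_Name": "Sales, EMEA",
                           "Container_DN": "ou=groups,dc=example,dc=com"})
    print(group_dn)                    # cn=Sales\, EMEA,ou=groups,dc=example,dc=com
    print(parent_dn(group_dn))         # ou=groups,dc=example,dc=com
    print(parent_rdn_value(group_dn))  # groups
    print(parent_rdn_value("cn=alice,ou=Sales,dc=example,dc=com"))  # Sales
```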

6.9.2 Preconfigured Lookup Definitions for Organizational Units Management in OID

The lookup definitions for Organizational Units are automatically created in Oracle Identity Governance after you create the application by using the connector. These lookup definitions are prepopulated with values after you create the application.

This section describes the following lookup definitions for organizational unit operations:

  • Lookup.OID.OU.Configuration

  • Lookup.OID.OU.ProvAttrMap

  • Lookup.OID.OU.ReconAttrMap

6.9.2.1 Lookup.OID.OU.Configuration

The Lookup.OID.OU.Configuration lookup definition holds configuration entries that are specific to the organizational unit object type. This lookup definition is used during organizational unit management operations when your target system is configured as a target resource.

Table 6-4 lists the default entries in this lookup definition.

Table 6-4 Entries in the Lookup.OID.OU.Configuration Lookup Definition

  Code Key                    Decode                      Description
  Provisioning Attribute Map  Lookup.OID.OU.ProvAttrMap   Lookup used during provisioning.
  Recon Attribute Map         Lookup.OID.OU.ReconAttrMap  Lookup used during reconciliation.

6.9.2.2 Lookup.OID.OU.ProvAttrMap

The Lookup.OID.OU.ProvAttrMap lookup definition maps process form fields for organizations and target system attributes. This lookup definition is used for performing organizational unit provisioning operations.

Table 6-5 lists the organizational unit fields of the target system for which you can specify or modify values during provisioning operations.

Table 6-5 Entries in the Lookup.OID.OU.ProvAttrMap Lookup Definition

  Organization Field on Oracle Identity Manager  Target System Field
  Container DN[IGNORE,LOOKUP]                    Not used.
  Name                                           __NAME__="ou=${Organisation_Unit_Name},${Container_DN}"
  OrclGuid                                       __UID__
  Organisation Unit Name                         ou

6.9.2.3 Lookup.OID.OU.ReconAttrMap

This lookup definition is used during reconciliation. Table 6-6 lists the entries in this lookup definition.

Table 6-6 Entries in the Lookup.OID.OU.ReconAttrMap Lookup Definition

  Code Key                Decode
  Container DN[LOOKUP]    __parentDN__
  OrclGuid                __UID__
  Organisation Unit Name  ou
  Org Name                __PARENTRDNVALUE__

6.9.3 Reconciliation Scheduled Jobs for Groups and Organizational Units Management in OID

After you create an application, reconciliation scheduled jobs are automatically created in Oracle Identity Governance. You must configure these scheduled jobs to suit your requirements by specifying values for their attributes.

This topic provides information about the following scheduled jobs:

  • Scheduled Jobs for Reconciliation of Groups and OUs in OID

  • Scheduled Jobs for Reconciliation of Deleted Groups and OUs in OID

6.9.3.1 Scheduled Jobs for Reconciliation of Groups and OUs in OID

Depending on whether you want to perform groups management or organizational units management, you must specify values for the attributes of the following scheduled jobs.

  • OID Connector Group Search Reconciliation

  • OID Connector Group Sync Reconciliation

  • OID Connector OU Search Reconciliation

  • OID Connector OU Sync Reconciliation

The following sections describe the scheduled jobs and their attributes for groups and organizational units management:

6.9.3.1.1 OID Connector Group Search Reconciliation and OID Connector OU Search Reconciliation Scheduled Jobs

The OID Connector Group Search Reconciliation scheduled job is used to reconcile group data from OID. Similarly, the OID Connector OU Search Reconciliation scheduled job is used to reconcile OU data from OID. You must use these scheduled jobs if either of the following conditions is true:

  • Your target system does not contain a changelog attribute.

  • You want to reconcile into Oracle Identity Governance changes made to group or OU memberships on the target system.

Table 6-7 describes the attributes of these scheduled jobs.

Table 6-7 Attributes of the OID Connector Group Search Reconciliation and OID Connector OU Search Reconciliation Scheduled Jobs

Filter
  Expression for filtering records that must be reconciled by the scheduled job.
  Sample value: startsWith('cn','Samrole1')
  Default value: None
  See Performing Limited Reconciliation for the syntax of this expression.

Incremental Recon Attribute
  Enter the name of the target system attribute that holds the time stamp at which the last reconciliation run started.
  The value in this attribute is used during incremental reconciliation to determine the newest or latest record reconciled from the target system.
  The default value is the same for all Search Recon tasks: modifyTimestamp

IT Resource Name
  Enter the name of the IT resource for the target system installation from which you want to reconcile group or role data.
  Value: OID Server

Latest Token
  This attribute holds the time stamp value of the Incremental Recon Attribute.
  Note: The reconciliation engine automatically enters a value for this attribute after execution. It is recommended that you do not change the value of this attribute. If you manually specify a value for this attribute, then only user accounts that have been modified after the time stamp specified as the value of this attribute are reconciled.
  If you want to perform a full reconciliation, clear the value in this field.
  Sample value: <String>20120516115131Z</String>

Object Type
  Type of object to be reconciled. Depending on the scheduled job you are using, the default values are as follows:
  • For OID Connector Group Search Reconciliation: Group
  • For OID Connector OU Search Reconciliation: OU

Resource Object Name
  Name of the resource object that is used for reconciliation. Depending on the scheduled job you are using, the default values are as follows:
  • For OID Connector Group Search Reconciliation: OID Group
  • For OID Connector OU Search Reconciliation: OID Organisation Unit

Scheduled Task Name
  Name of the scheduled task used for reconciliation. Depending on the scheduled job you are using, the default values are as follows:
  • For OID Connector Group Search Reconciliation: OID Connector Group Search Reconciliation
  • For OID Connector OU Search Reconciliation: OID Connector OU Search Reconciliation

6.9.3.1.2 OID Connector Group Sync Reconciliation and OID Connector OU Sync Reconciliation Scheduled Jobs

The OID Connector Group Sync Reconciliation scheduled job is used to reconcile group data from OID. Similarly, the OID Connector OU Sync Reconciliation scheduled job is used to reconcile OU data from the OID target system. You must use these scheduled jobs if your target system supports the changelog attribute.

Table 6-8 describes the attributes of these scheduled jobs.

Table 6-8 Attributes of the OID Connector Group Sync Reconciliation and OID Connector OU Sync Reconciliation Scheduled Jobs

IT Resource Name
  Enter the name of the IT resource for the target system installation from which you want to reconcile group or role data.
  Value: OID Server

Object Type
  Type of object to be reconciled. Depending on the scheduled job you are using, the default values are as follows:
  • For OID Connector Group Sync Reconciliation: Group
  • For OID Connector OU Sync Reconciliation: OU

Resource Object Name
  Name of the resource object that is used for reconciliation. Depending on the scheduled job you are using, the default values are as follows:
  • For OID Connector Group Sync Reconciliation: OID Group
  • For OID Connector OU Sync Reconciliation: OID Organisation Unit

Scheduled Task Name
  Name of the scheduled task used for reconciliation. Depending on the scheduled job you are using, the default values are as follows:
  • For OID Connector Group Sync Reconciliation: OID Connector Group Sync Reconciliation
  • For OID Connector OU Sync Reconciliation: OID Connector OU Sync Reconciliation

Sync Token
  You can manually enter the first Sync Token. To retrieve this token, query cn=changelog on the rootDSE of the target system. Then, every time sync reconciliation is run, the Sync Token is updated.
  Browse the changelog attribute of the target system to determine the value from the changelog at which a reconciliation run must resume. From the next reconciliation run onward, only data about records that are created or modified since the last reconciliation run ended is fetched into Oracle Identity Governance.
  You can also leave this field blank, which causes the entire changelog to be read.
  This attribute stores values in the following format:
  <Integer>VALUE</Integer>
  Sample value: <Integer>476</Integer>
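A model of how the Sync Token drives changelog-based sync reconciliation, added here and not taken from the connector. The rootDSE values and changelog entries are constructed; the example assumes the changelog publishes firstChangeNumber and lastChangeNumber on the rootDSE and numbers each entry with changeNumber, and it adds the check a practitioner wants after the OUD replication purge delay mentioned in the guidelines: a stored token older than firstChangeNumber means changes were purged before the connector read them, so a full reconciliation is needed.

```python
import re

# Format in which the Sync Token attribute stores the last processed changeNumber.
SYNC_TOKEN_RE = re.compile(r"^\s*<Integer>(\d+)</Integer>\s*$")


def format_sync_token(change_number):
    """Render a changeNumber in the form the Sync Token attribute stores."""
    return "<Integer>%d</Integer>" % change_number


def parse_sync_token(text):
    """Return the changeNumber held by a Sync Token, or None when the field is blank."""
    if text is None or not text.strip():
        return None
    match = SYNC_TOKEN_RE.match(text)
    if not match:
        raise ValueError("malformed Sync Token: %r" % text)
    return int(match.group(1))


def initial_sync_token(root_dse):
    """The first token to enter manually: the current lastChangeNumber of the changelog.

    Starting here makes the next run pick up only changes made after the token
    was taken, which is why a full search reconciliation must already have run.
    """
    return format_sync_token(root_dse["lastChangeNumber"])


def run_sync_recon(changelog, root_dse, sync_token):
    """Model one sync reconciliation run.

    Returns (changelog entries processed, new Sync Token, gap_detected).
    A blank token reads the entire retained changelog.  gap_detected is True when
    the stored token is older than the oldest retained change (firstChangeNumber):
    the replication purge delay has discarded changes the connector never saw,
    so a full (search) reconciliation is required before trusting sync again.
    """
    last_seen = parse_sync_token(sync_token)
    gap = last_seen is not None and last_seen + 1 < root_dse["firstChangeNumber"]
    processed = [entry for entry in sorted(changelog, key=lambda e: e["changeNumber"])
                 if last_seen is None or entry["changeNumber"] > last_seen]
    new_last = processed[-1]["changeNumber"] if processed else last_seen
    new_token = format_sync_token(new_last) if new_last is not None else ""
    return processed, new_token, gap


# Constructed rootDSE and changelog, not real directory data: changes 470..479
# are retained, anything older has been purged.
ROOT_DSE = {"firstChangeNumber": 470, "lastChangeNumber": 479}
CHANGELOG = [
    {"changeNumber": 470 + i,
     "targetDN": "cn=user%d,ou=people,dc=example,dc=com" % i,
     "changeType": "add" if i % 2 == 0 else "modify"}
    for i in range(10)
]

if __name__ == "__main__":
    processed, token, gap = run_sync_recon(CHANGELOG, ROOT_DSE, "<Integer>476</Integer>")
    print([e["changeNumber"] for e in processed], token, gap)  # [477, 478, 479] <Integer>479</Integer> False
    processed, token, gap = run_sync_recon(CHANGELOG, ROOT_DSE, "<Integer>460</Integer>")
    print(len(processed), token, gap)                           # 10 <Integer>479</Integer> True
```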

6.9.3.2 Scheduled Jobs for Reconciliation of Deleted Groups and OUs in OID

Depending on whether you want to reconcile deleted groups or deleted OUs, the following scheduled jobs are available:

  • OID Connector Group Search Delete Reconciliation: Use this scheduled job to reconcile data about deleted groups from the target system.

  • OID Connector OU Search Delete Reconciliation: Use this scheduled job to reconcile data about deleted OUs from the target system.

Table 6-9 describes the attributes of these scheduled jobs.

Table 6-9 Attributes of the Scheduled Jobs for Deleted Groups and Organizational Units Reconciliation

Attribute Description

IT Resource Name

Name of the IT resource instance that the connector must use to reconcile data.

Default value: OID Server

Object Type

This attribute holds the type of object you want to reconcile.

Depending on the scheduled job you are using, the default values are as follows:

  • For OID Connector Group Search Delete Reconciliation: Group

  • For OID Connector OU Search Delete Reconciliation: OU

Resource Object Name

Enter the name of the resource object against which reconciliation runs must be performed.

Depending on the scheduled job you are using, the default values are as follows:

  • For OID Connector Group Search Delete Reconciliation: OID Group

  • For OID Connector OU Search Delete Reconciliation: OID OU

6.10 Connector Objects Used for Groups, Organizational Units, and Roles Management in OUD, ODSEE, and LDAPv3-Compliant Directory Server

Learn about the objects that are used by the connector to perform organizational unit management operations such as create, update, and delete.

6.10.1 Preconfigured Lookup Definitions for Groups Management in OUD, ODSEE, and LDAPv3-Compliant Directory Server

The lookup definitions for Groups are automatically created in Oracle Identity Governance after you create the application by using the connector. These lookup definitions are prepopulated with values after you create the application.

This section provides information about the following lookup definitions for group operations:

6.10.1.1 Lookup.LDAP.Group.Configuration

The Lookup.LDAP.Group.Configuration lookup definition holds configuration entries that are specific to the group object type. This lookup definition is used during group management operations when your target system is configured as a target resource.

Table 6-10 lists the default entries in this lookup definition.

Table 6-10 Entries in the Lookup.LDAP.Group.Configuration Lookup Definition

Code Key: Provisioning Attribute Map
Decode: Lookup.LDAP.Group.ProvAttrMap
Description: This entry holds the name of the lookup definition that maps process form fields and target system attributes. See Lookup.LDAP.Group.ProvAttrMap for more information about this lookup definition.

Code Key: Recon Attribute Map
Decode: Lookup.LDAP.Group.ReconAttrMap
Description: This entry holds the name of the lookup definition that maps resource object fields and target system attributes. See Lookup.LDAP.Group.ReconAttrMap for more information about this lookup definition.

6.10.1.2 Lookup.LDAP.Group.ProvAttrMap

The Lookup.LDAP.Group.ProvAttrMap lookup definition holds mappings between process form fields and target system attributes. This lookup definition is preconfigured and is used during group provisioning operations.

Table 6-11 lists the default entries. You can add entries to this lookup definition if you want to map new target system attributes for provisioning.

Table 6-11 Entries in the Lookup.LDAP.Group.ProvAttrMap Lookup Definition

  Group Field on Oracle Identity Manager   Target System Field
  Container DN[IGNORE,LOOKUP]              container
  Group Name                               cn
  Name                                     __NAME__="cn=${Group_Name},${Container_DN}"
  NsuniqueID                               __UID__

6.10.1.3 Lookup.LDAP.Group.ReconAttrMap

The Lookup.LDAP.Group.ReconAttrMap lookup definition holds mappings between resource object fields for groups and target system attributes. This lookup definition is preconfigured and is used during reconciliation.

Table 6-12 lists the default entries. You can add entries to this lookup definition if you want to map new target system attributes for reconciliation.

Table 6-12 Entries in the Lookup.LDAP.Group.ReconAttrMap Lookup Definition

  Group Field on Oracle Identity Manager   Target System Field
  Container DN[LOOKUP]                     __parentDN__
  Group Name                               cn
  NsuniqueID                               __UID__
  Org Name                                 __PARENTRDNVALUE__

6.10.2 Preconfigured Lookup Definitions for Organizational Units Management in OUD, ODSEE, and LDAPv3-Compliant Directory Server

The lookup definitions for Organizational Units are automatically created in Oracle Identity Governance after you create the application by using the connector. These lookup definitions are prepopulated with values after you create the application.

This section provides information about the following lookup definitions for organizational unit operations:

6.10.2.1 Lookup.LDAP.OU.Configuration

The Lookup.LDAP.OU.Configuration lookup definition holds configuration entries that are specific to the organizational unit object type. This lookup definition is used during organizational unit management operations when your target system is configured as a target resource.

Table 6-13 lists the default entry in this lookup definition.

Table 6-13 Entries in the Lookup.LDAP.OU.Configuration Lookup Definition

Code Key: Provisioning Attribute Map
Decode: Lookup.LDAP.OU.ProvAttrMap
Description: This entry holds the name of the lookup definition that maps process form fields and target system attributes. See Lookup.LDAP.OU.ProvAttrMap for more information about this lookup definition.

Code Key: Recon Attribute Map
Decode: Lookup.LDAP.OU.ReconAttrMap
Description: This entry holds the name of the lookup definition that maps resource object fields and target system attributes. See Lookup.LDAP.OU.ReconAttrMap for more information about this lookup definition.

6.10.2.2 Lookup.LDAP.OU.ProvAttrMap

The Lookup.LDAP.OU.ProvAttrMap lookup definition holds mappings between process form fields and target system attributes. This lookup definition is preconfigured and is used during provisioning.

Table 6-14 lists the default entries. You can add entries in this lookup definition if you want to map new target system attributes for provisioning.

Table 6-14 Entries in the Lookup.LDAP.OU.ProvAttrMap Lookup Definition

  Process Form Field            Target System Field
  Container DN[IGNORE,LOOKUP]   not used
  Name                          __NAME__="ou=${Organisation_Unit_Name},${Container_DN}"
  NsuniqueID                    __UID__
  Organisation Unit Name        ou

6.10.2.3 Lookup.LDAP.OU.ReconAttrMap

The Lookup.LDAP.OU.ReconAttrMap lookup definition holds mappings between resource object fields for organizational units (OUs) and target system attributes. This lookup definition is preconfigured and is used during reconciliation.

Table 6-15 lists the default entries. You can add entries to this lookup definition if you want to map new target system attributes for reconciliation.

Table 6-15 Entries in the Lookup.LDAP.OU.ReconAttrMap Lookup Definition

  OU Field on Oracle Identity Manager   Target System Field
  Container DN[LOOKUP]                  __parentDN__
  NsuniqueID                            __UID__
  Organisation Unit Name                ou
  Org Name                              __PARENTRDNVALUE__

6.10.3 Preconfigured Lookup Definitions for Roles Management in ODSEE

The lookup definitions for Roles are automatically created in Oracle Identity Governance after you create the application by using the connector. These lookup definitions are prepopulated with values after you create the application.

This section provides information about the following lookup definitions for role operations:

6.10.3.1 Lookup.LDAP.Role.Configuration

The Lookup.LDAP.Role.Configuration lookup definition holds configuration entries that are specific to the role object type. This lookup definition is used during role management operations when your target system is configured as a target resource.

Table 6-16 Entries in the Lookup.LDAP.Role.Configuration Lookup Definition

Code Key: Provisioning Attribute Map
Decode: Lookup.LDAP.Role.ProvAttrMap
Description: This entry holds the name of the lookup definition that maps process form fields and target system attributes. See Lookup.LDAP.Role.ProvAttrMap for more information about this lookup definition.

Code Key: Recon Attribute Map
Decode: Lookup.LDAP.Role.ReconAttrMap
Description: This entry holds the name of the lookup definition that maps resource object fields and target system attributes. See Lookup.LDAP.Role.ReconAttrMap for more information about this lookup definition.

6.10.3.2 Lookup.LDAP.Role.ProvAttrMap

The Lookup.LDAP.Role.ProvAttrMap lookup definition holds mappings between process form fields and target system attributes. This lookup definition is preconfigured and is used during role provisioning operations.

Table 6-17 lists the default entries in this lookup definition. You can add entries to this lookup definition if you want to map new target system attributes for provisioning.

Table 6-17 Entries in the Lookup.LDAP.Role.ProvAttrMap Lookup Definition

  Role Field on Oracle Identity Manager   Target System Field
  Container DN[IGNORE,LOOKUP]             not used
  Name                                    __NAME__="cn=${Role_Name},${Container_DN}"
  NsuniqueID                              __UID__
  Role Name                               cn
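The __NAME__ templates in Tables 6-11, 6-14 and 6-17 all build the entry DN from one RDN value taken off the process form and the Container DN. The Python below is an added example, not the connector's code, showing how such a map can be evaluated: it parses the [IGNORE,LOOKUP] flags on the code keys, applies the template, and escapes the RDN value according to RFC 4514 so that a form value containing a comma or plus sign is stored as a literal attribute value instead of being read as extra DN components. The lookup entries are copied from the three tables; the evaluation rules (IGNORE and __UID__ entries are not sent on create, and only the RDN value is escaped) are this example's assumptions about how the mapping behaves, not a description of the connector's implementation.

```python
import re

# Default entries copied from Tables 6-11, 6-14 and 6-17 on this page.
GROUP_PROV_ATTR_MAP = {
    "Container DN[IGNORE,LOOKUP]": "container",
    "Group Name": "cn",
    "Name": '__NAME__="cn=${Group_Name},${Container_DN}"',
    "NsuniqueID": "__UID__",
}
OU_PROV_ATTR_MAP = {
    "Container DN[IGNORE,LOOKUP]": "not used",
    "Name": '__NAME__="ou=${Organisation_Unit_Name},${Container_DN}"',
    "NsuniqueID": "__UID__",
    "Organisation Unit Name": "ou",
}
ROLE_PROV_ATTR_MAP = {
    "Container DN[IGNORE,LOOKUP]": "not used",
    "Name": '__NAME__="cn=${Role_Name},${Container_DN}"',
    "NsuniqueID": "__UID__",
    "Role Name": "cn",
}

# 'Container DN[IGNORE,LOOKUP]' -> field 'Container DN', flags IGNORE and LOOKUP
_CODE_KEY_RE = re.compile(r"^(?P<field>[^\[]+?)\s*(?:\[(?P<flags>[A-Z,]+)\])?$")
# All three default templates have the shape attr=${rdn_field},${container_field}.
_NAME_TEMPLATE_RE = re.compile(r'^__NAME__="(\w+)=\$\{(\w+)\},\$\{(\w+)\}"$')


def parse_code_key(code_key):
    """Split a lookup code key into (form field name, set of flags)."""
    m = _CODE_KEY_RE.match(code_key)
    if m is None:
        raise ValueError("malformed code key: %r" % code_key)
    flags = set(m.group("flags").split(",")) if m.group("flags") else set()
    return m.group("field").strip(), flags


def escape_rdn_value(value):
    """Escape an attribute value for use inside an RDN (RFC 4514, section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in '"+,;<>\\':          # special anywhere in the value
            out.append("\\" + ch)
        elif ch == "#" and i == 0:       # special only at the start
            out.append("\\#")
        elif ch == " " and i in (0, last):  # special only at either end
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def build_entry(prov_attr_map, form):
    """Return (dn, attributes) for a create operation.

    form maps Oracle Identity Manager process form field names (the lookup's
    code keys without their flags) to their values.  Assumption of this
    example: templates reference form fields with spaces turned into '_'.
    """
    by_template_name = {k.replace(" ", "_"): v for k, v in form.items()}
    dn, attrs = None, {}
    for code_key, decode in prov_attr_map.items():
        field, flags = parse_code_key(code_key)
        if decode.startswith("__NAME__="):
            m = _NAME_TEMPLATE_RE.match(decode)
            if m is None:
                raise ValueError("unsupported __NAME__ template: %r" % decode)
            rdn_attr, rdn_field, container_field = m.groups()
            # Only the RDN value is escaped; the container is already a DN.
            dn = "%s=%s,%s" % (rdn_attr,
                               escape_rdn_value(by_template_name[rdn_field]),
                               by_template_name[container_field])
            continue
        if "IGNORE" in flags or decode in ("__UID__", "not used"):
            continue  # used only inside the DN template, or assigned by the server
        attrs[decode] = form[field]
    if dn is None:
        raise ValueError("attribute map has no __NAME__ entry")
    return dn, attrs


if __name__ == "__main__":
    # Constructed form data; the comma in the group name stays inside the RDN value.
    print(build_entry(GROUP_PROV_ATTR_MAP, {"Group Name": "Admins, East",
                                            "Container DN": "ou=groups,dc=example,dc=com"}))
```

The escaping is the check worth keeping: without it, a group name such as `x,ou=admins` would be concatenated into the DN unchanged and the entry would be created under a different container than the one chosen on the form.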

6.10.3.3 Lookup.LDAP.Role.ReconAttrMap

The Lookup.LDAP.Role.ReconAttrMap lookup definition holds mappings between resource object fields for roles and target system attributes. This lookup definition is preconfigured and is used during reconciliation.

Table 6-18 lists the default entries. You can add entries to this lookup definition if you want to map new target system attributes for reconciliation.

Table 6-18 Entries in the Lookup.LDAP.Role.ReconAttrMap Lookup Definition

  Role Field on Oracle Identity Manager   Target System Field
  Container DN[LOOKUP]                    __parentDN__
  NsuniqueID                              __UID__
  Org Name                                __PARENTRDNVALUE__
  Role Name                               cn
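The reconciliation maps in Tables 6-12, 6-15 and 6-18 feed Container DN from __parentDN__ and Org Name from __PARENTRDNVALUE__, which is what places a reconciled group, OU or role in the Oracle Identity Governance organization named after its container (see the guideline at the start of this chapter). The Python below is an added example, not the connector's code, that derives those two values from an entry's DN; it splits the DN on unescaped commas only, so a container whose RDN value itself contains an escaped comma is handled correctly. Treating the first parent RDN's value as __PARENTRDNVALUE__ and the remainder of the DN as __parentDN__ is this example's reading of the field names, and the hex-pair unescaping handles single-byte characters only.

```python
def split_dn(dn):
    """Split a DN string into its RDN strings, honouring backslash escapes.

    An escaped comma ('\\,') is part of a value and does not separate RDNs.
    """
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current))
    return rdns


def unescape_rdn_value(value):
    """Undo RFC 4514 escaping: '\\,' -> ',' and '\\2C' -> ',' (single-byte only)."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
                out.append(chr(int(pair, 16)))
                i += 3
                continue
            out.append(value[i + 1])
            i += 2
            continue
        out.append(value[i])
        i += 1
    return "".join(out)


def recon_parent_fields(entry_dn):
    """Return the __parentDN__ and __PARENTRDNVALUE__ values for a reconciled entry."""
    rdns = split_dn(entry_dn)
    if len(rdns) < 2:
        raise ValueError("entry has no parent: %r" % entry_dn)
    parent_rdns = rdns[1:]
    # Value of the immediate parent's RDN, e.g. 'groups' for 'ou=groups,...'.
    raw_value = parent_rdns[0].partition("=")[2]
    return {
        "__parentDN__": ",".join(parent_rdns),
        "__PARENTRDNVALUE__": unescape_rdn_value(raw_value),
    }


if __name__ == "__main__":
    # Constructed entry DN; the container's name contains an escaped comma.
    print(recon_parent_fields("cn=Admins,ou=Sales\\, East,dc=example,dc=com"))
```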

6.10.4 Reconciliation Scheduled Jobs for Groups, Organizational Units, and Roles Management in OUD, ODSEE, and LDAPv3-Compliant Directory Server

After you create an application, reconciliation scheduled jobs are automatically created in Oracle Identity Governance. You must configure these scheduled jobs to suit your requirements by specifying values for their attributes.

This topic provides information about the following scheduled jobs:

6.10.4.1 Scheduled Jobs for Reconciliation of Groups, OUs, and Roles in OUD, ODSEE, and LDAPv3-Compliant Directory Server

Depending on whether you want to perform groups management or organizational units management, you must specify values for the attributes of the following scheduled jobs.

  • LDAP Connector Group Search Reconciliation

  • LDAP Connector Group Sync Reconciliation

  • LDAP Connector OU Search Reconciliation

  • LDAP Connector OU Sync Reconciliation

  • LDAP Connector Role Search Reconciliation

  • LDAP Connector Role Sync Reconciliation

Note:

The LDAP Connector Role Search Reconciliation and LDAP Connector Role Sync Reconciliation scheduled jobs are available only for ODSEE.

The following sections describe the scheduled jobs and their attributes for groups, organizational units, and roles management:

6.10.4.1.1 LDAP Connector Group Search Reconciliation, LDAP Connector OU Search Reconciliation, and LDAP Connector Role Search Reconciliation Scheduled Jobs

The LDAP Connector Group Search Reconciliation and LDAP Connector OU Search Reconciliation scheduled jobs are used to reconcile group and organizational unit data from OUD, ODSEE, and LDAPv3-compliant directory server target systems. The LDAP Connector Role Search Reconciliation scheduled job is used to reconcile role data from the ODSEE target system. You must use these scheduled jobs if either of the following conditions is true:

  • Your target system does not contain a changelog attribute.

  • You want to reconcile into Oracle Identity Governance changes made to group, OU, or role memberships on the target system.

Table 6-19 describes the attributes of these scheduled jobs.

Table 6-19 Attributes of the LDAP Connector Group Search Reconciliation, LDAP Connector OU Search Reconciliation, and LDAP Connector Role Search Scheduled Jobs

Attribute Description

Filter

Expression for filtering records that must be reconciled by the scheduled job.

Sample value: startsWith('cn','Samrole1')

Default value: None

See Performing Limited Reconciliation for the syntax of this expression.

Incremental Recon Attribute

Enter the name of the target system attribute that holds the time stamp at which the last reconciliation run started.

The value in this attribute is used during incremental reconciliation to determine the newest or latest record reconciled from the target system.

The default value is the same for all Search Recon Tasks: modifyTimestamp

IT Resource Name

Enter the name of the IT resource for the target system installation from which you want to reconcile group or role data.

Default value: DSEE Server

Latest Token

This attribute holds the time stamp value of the Incremental Recon Attribute.

Note: The reconciliation engine automatically enters a value for this attribute after execution. It is recommended that you do not change the value of this attribute. If you manually specify a value for this attribute, then only user accounts that have been modified after the time stamp specified as the value of this attribute are reconciled.

If you want to perform a full reconciliation, clear the value in this field.

Sample value: <String>20120516115131Z</String>

Object Type

Type of object to be reconciled.

Depending on the scheduled job you are using, the default values are as follows:

  • For LDAP Connector Group Search Reconciliation: Group

  • For LDAP Connector OU Search Reconciliation: OU

  • For LDAP Connector Role Search Reconciliation: Role

Resource Object Name

Name of the resource object that is used for reconciliation.

Depending on the scheduled job you are using, the default values are as follows:

  • For LDAP Connector Group Search Reconciliation: LDAP Group

  • For LDAP Connector OU Search Reconciliation: LDAP Organisation Unit

  • For LDAP Connector Role Search Reconciliation: LDAP Role

Scheduled Task Name

Name of the scheduled task used for reconciliation.

Depending on the scheduled job you are using, the default values are as follows:

  • For LDAP Connector Group Search Reconciliation: LDAP Connector Group Search Reconciliation

  • For LDAP Connector OU Search Reconciliation: LDAP Connector OU Search Reconciliation

  • For LDAP Connector Role Search Reconciliation: LDAP Connector Role Search Reconciliation

6.10.4.1.2 LDAP Connector Group Sync Reconciliation, LDAP Connector OU Sync Reconciliation, and LDAP Connector Role Sync Reconciliation Scheduled Jobs

The LDAP Connector Group Sync Reconciliation and LDAP Connector OU Sync Reconciliation scheduled jobs are used to reconcile group and organizational unit data from OUD, ODSEE, and LDAPv3-compliant directory server target systems. The LDAP Connector Role Sync Reconciliation scheduled job is used to reconcile role data from the ODSEE target system. You must use these scheduled jobs if your target system supports the changelog attribute.

Table 6-20 describes the attributes of these scheduled jobs.

Table 6-20 Attributes of the LDAP Connector Group Sync Reconciliation, LDAP Connector OU Sync Reconciliation, and LDAP Connector Role Sync Reconciliation Scheduled Jobs

Attribute Description

IT Resource Name

Enter the name of the IT resource for the target system installation from which you want to reconcile group or role data.

Default value: DSEE Server

Object Type

Type of object to be reconciled.

Depending on the scheduled job you are using, the default values are as follows:

  • For LDAP Connector Group Sync Reconciliation: Group

  • For LDAP Connector OU Sync Reconciliation: OU

  • For LDAP Connector Role Sync Reconciliation: Role

Resource Object Name

Name of the resource object that is used for reconciliation.

Depending on the scheduled job you are using, the default values are as follows:

  • For LDAP Connector Group Sync Reconciliation: LDAP Group

  • For LDAP Connector OU Sync Reconciliation: LDAP Organisation Unit

  • For LDAP Connector Role Sync Reconciliation: LDAP Role

Scheduled Task Name

Name of the scheduled task used for reconciliation.

Depending on the scheduled job you are using, the default values are as follows:

  • For LDAP Connector Group Sync Reconciliation: LDAP Connector Group Sync Reconciliation

  • For LDAP Connector OU Sync Reconciliation: LDAP Connector OU Sync Reconciliation

  • For LDAP Connector Role Sync Reconciliation: LDAP Connector Role Sync Reconciliation

Sync Token

You can manually enter the first Sync Token. To retrieve this token, query cn=changelog on rootDSE on the target system. Then, every time sync reconciliation is run, Sync Token is updated.

Browse the changelog attribute of the target system to determine a value from the changelog that must be used to resume a reconciliation run. From the next reconciliation run onward, only data about records that are created or modified since the last reconciliation run ended are fetched into Oracle Identity Governance.

Or, you can also leave this field blank, which causes the entire changelog to be read.

This attribute stores values in one of the following formats:

  • If you are using a target system for which the value of the standardChangelog entry in the Configuration lookup definition is set to true, then this attribute stores values in the following format:

    <Integer>VALUE</Integer>

    Sample value: <Integer>476</Integer>

  • If you are using a target system (for example, OUD) for which the value of the standardChangelog entry in the Configuration lookup definition is set to false, then this attribute stores values in the following format:

    <String>VALUE</String>

    Sample value: <String>dc=example,dc=com:0000013633e514427b6600000013;</String>
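The Sync Token attribute of the OID sync jobs earlier in this chapter and of the LDAP sync jobs in Table 6-20 is seeded from the target system's rootDSE and then stored in one of the two formats shown above. The Python below is an added example, not the connector's code, that reads a rootDSE entry in LDIF form, builds the token in the format selected by the standardChangelog setting, validates a stored token, and, for change-number tokens, checks that the number still lies within the changelog the server retains. The LDIF responses are constructed; firstChangeNumber and lastChangeNumber are the standard LDAP changelog rootDSE attributes, while lastExternalChangelogCookie is assumed here to be the OUD rootDSE attribute that carries the cookie-style value.

```python
import re

# Constructed rootDSE responses in LDIF form, as a base-scope search on the
# empty DN would return them.
STANDARD_ROOTDSE_LDIF = """\
dn:
objectClass: top
changelog: cn=changelog
firstChangeNumber: 120
lastChangeNumber: 476
"""

OUD_ROOTDSE_LDIF = """\
dn:
objectClass: top
changelog: cn=changelog
lastExternalChangelogCookie: dc=example,dc=com:0000013633e514427b6600000013;
"""

_TOKEN_RE = re.compile(r"^<(Integer|String)>(.*)</\1>$", re.S)


def parse_ldif_entry(ldif):
    """Parse one LDIF entry into {lower-case attribute name: [values]}."""
    attrs = {}
    for line in ldif.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")  # split on the first colon only
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def make_sync_token(rootdse, standard_changelog):
    """Build the initial Sync Token from rootDSE attributes.

    standard_changelog mirrors the standardChangelog entry of the Configuration
    lookup definition: True selects the <Integer> change-number format,
    False the <String> cookie format.
    """
    if standard_changelog:
        last = rootdse.get("lastchangenumber")
        if not last or not last[0].isdigit():
            raise ValueError("rootDSE exposes no usable lastChangeNumber")
        return "<Integer>%d</Integer>" % int(last[0])
    cookie = rootdse.get("lastexternalchangelogcookie")
    if not cookie or not cookie[0]:
        raise ValueError("rootDSE exposes no changelog cookie")
    return "<String>%s</String>" % cookie[0]


def parse_sync_token(token):
    """Return ('Integer', n), ('String', cookie), or (None, None) for a blank token.

    A blank token is valid and makes the job read the entire changelog.
    """
    if token is None or not token.strip():
        return None, None
    m = _TOKEN_RE.match(token.strip())
    if m is None:
        raise ValueError("malformed Sync Token: %r" % token)
    kind, value = m.groups()
    if kind == "Integer":
        if not value.isdigit():
            raise ValueError("Integer token must hold a change number: %r" % token)
        return kind, int(value)
    return kind, value


def token_in_retained_window(token, rootdse):
    """For <Integer> tokens, check firstChangeNumber <= n <= lastChangeNumber.

    Directory servers purge old changelog entries (the guidelines at the start
    of this chapter mention OUD's 100-hour default), so a stored token below
    firstChangeNumber means the changes it would resume from are gone and a
    search (full) reconciliation is needed instead of a resumed sync.
    Returns None for blank or cookie tokens, which cannot be range-checked here.
    """
    kind, value = parse_sync_token(token)
    if kind != "Integer":
        return None
    first = int(rootdse["firstchangenumber"][0])
    last = int(rootdse["lastchangenumber"][0])
    return first <= value <= last


if __name__ == "__main__":
    std = parse_ldif_entry(STANDARD_ROOTDSE_LDIF)
    print(make_sync_token(std, True), token_in_retained_window("<Integer>5</Integer>", std))
    print(make_sync_token(parse_ldif_entry(OUD_ROOTDSE_LDIF), False))
```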

6.10.4.2 Scheduled Jobs for Reconciliation of Deleted Groups, OUs, and Roles in OUD, ODSEE, and LDAPv3-Compliant Directory Server

Depending on whether you want to perform reconciliation of deleted groups, OUs, or roles, the following scheduled jobs are available:

  • LDAP Connector Group Search Delete Reconciliation: Use this scheduled job to reconcile data about deleted groups from the OUD, ODSEE, or LDAPv3-compliant directory server target systems.

  • LDAP Connector OU Search Delete Reconciliation: Use this scheduled job to reconcile data about deleted OUs from the OUD, ODSEE, or LDAPv3-compliant directory server target systems.

  • LDAP Connector Role Search Delete Reconciliation: Use this scheduled job to reconcile data about deleted roles from the ODSEE target system.

Table 6-21 describes the attributes of these scheduled jobs.

Table 6-21 Attributes of the Scheduled Jobs for Deleted Groups and Organizational Units Reconciliation

Attribute Description

IT Resource Name

Name of the IT resource instance that the connector must use to reconcile data.

Default value: DSEE Server

Object Type

This attribute holds the type of object you want to reconcile.

Depending on the scheduled job you are using, the default values are as follows:

  • For LDAP Connector Group Search Delete Reconciliation: Group

  • For LDAP Connector OU Search Delete Reconciliation: OU

  • For LDAP Connector Role Search Delete Reconciliation: Role

Resource Object Name

Enter the name of the resource object against which reconciliation runs must be performed.

Depending on the scheduled job you are using, the default values are as follows:

  • For LDAP Connector Group Search Delete Reconciliation: LDAP Group

  • For LDAP Connector OU Search Delete Reconciliation: LDAP OU

  • For LDAP Connector Role Search Delete Reconciliation: LDAP Role

6.11 Uninstalling the Connector

Uninstalling the Oracle Internet Directory connector deletes all the account-related data associated with its resource objects.

If you want to uninstall the connector for any reason, then run the Uninstall Connector utility. Before you run this utility, ensure that you set values for ObjectType and ObjectValues properties in the ConnectorUninstall.properties file. For example, if you want to delete resource objects, scheduled tasks, and scheduled jobs associated with the connector, then enter "ResourceObject", "ScheduleTask", "ScheduleJob" as the value of the ObjectType property and a semicolon-separated list of object values corresponding to your connector as the value of the ObjectValues property.

For example: OID User; OID Group

Note:

If you set values for the ConnectorName and Release properties along with the ObjectType and ObjectValues properties, then the utility deletes the objects listed in the ObjectValues property and skips the Connector information.

For more information, see Uninstalling Connectors in Oracle Fusion Middleware Administering Oracle Identity Governance.