6 Using the Oracle Internet Directory Connector
You can use the Oracle Internet Directory connector for performing reconciliation and provisioning operations after configuring your application to meet your requirements.
- Reconciling Newly Created Objects for OUD Release 11.1.1.5.0
- Reconciling OID, OUD, and ODSEE Groups Under One Organization in Oracle Identity Governance
- Reconciling ODSEE Roles Under One Organization in Oracle Identity Governance
- Connector Objects Used for Groups and Organizational Units Management in OID
6.1 Guidelines on Using the Connector
These are the guidelines that you must apply while configuring reconciliation, performing provisioning operations, and using the connector for dynamic or virtual static groups.
6.1.1 Guidelines on Configuring Reconciliation
These are the guidelines that you must apply while configuring reconciliation.
- Before a target resource reconciliation run is performed, lookup definitions must be synchronized with the lookup fields of the target system. In other words, scheduled jobs for lookup field synchronization must be run before user reconciliation runs.
- The scheduled job for user reconciliation must be run before the scheduled job for reconciliation of deleted user data.
- There is no support for group entities in Oracle Identity Governance. Therefore, apply the following guidelines before you run the scheduled job for groups reconciliation:
  - If you are using the default connector configuration, for every group in the target system, create a corresponding organizational unit (with the same group name) in Oracle Identity Governance. This ensures that all groups from the target system are reconciled into their newly created organizational units, respectively.
  - You can also configure the connector to reconcile groups under one organization. See Reconciling OID, OUD, and ODSEE Groups Under One Organization in Oracle Identity Governance.
- For the OUD target system, the OUD changelog is based on the replication database. By default, replication keeps changelog entries for only 100 hours. The replication purge delay must be tuned based on your specific requirements; the database size on disk varies accordingly. For more information, see the changelog documentation for the OUD target system.
- Reconciliation of roles is supported only for the ODSEE target system.
- Run the User Search Reconciliation scheduled job if only group membership changes are made to a user. This is because neither the changelog nor the modifyTimestamp attribute is updated for such changes, so incremental reconciliation does not detect them; performing full reconciliation by running the User Search Reconciliation scheduled job reconciles them.
- If you are reconciling a large number of records for an OID target system, then you must specify values for the following advanced settings parameters to optimize performance:
  - For target resource configuration: Change or increase the values of the blockSize and changeLogBlockSize parameters to suit the requirements of your environment. Specify values for the readTimeout and connectTimeout parameters. If these parameters are not available in the Advanced Settings section, then you can manually add them by updating the xml/OID-target-template.xml file as described in Configuring the Connector for LDAP Operation Timeouts.
  - For trusted source configuration: Set the value of the usePagedResultControl parameter to true.
6.1.2 Guidelines on Performing Provisioning Operations
These are the guidelines that you must apply while performing provisioning operations.
- Before you perform provisioning operations, lookup definitions must be synchronized with the lookup fields of the target system. In other words, scheduled tasks for lookup field synchronization must be run before provisioning operations.
- If you want to provision a User, Group, Role, or Organizational Unit directly under the base context, then set the baseContexts basic configuration parameter to the base context name. Sample value: dc=example,dc=com
- On the Oracle Internet Directory target system, the Manager Name field accepts only DN values. Therefore, when you set or modify the Manager Name field in Oracle Identity Governance, you must enter the DN value. For example: cn=abc,ou=lmn,dc=corp,dc=com
- Provisioning of roles is supported only for the ODSEE target system.
- You perform Group provisioning in Oracle Identity Governance by provisioning the LDAP Group resource object to the Oracle Identity Governance organization. The connector uses groupOfUniqueNames as the object class for groups.
- You perform Organizational Unit provisioning in Oracle Identity Governance by provisioning the LDAP Organisation Unit resource object to the Oracle Identity Governance organization. The connector uses the organizationalUnit object class for organizational unit provisioning.
6.1.3 Guidelines on Using the Connector for Dynamic and Virtual Static Groups
This connector does not support dynamic and virtual static groups in LDAP, by default. If you want to use the connector for dynamic or virtual static groups, then you must apply these guidelines.
- Ensure that referential integrity is enabled in OUD.
- Set the value of the maintainLdapGroupMembership advanced settings parameter to false.
6.2 Configuring Reconciliation
Reconciliation involves duplicating in Oracle Identity Governance the creation of and modifications to user accounts on the target system.
This section provides details on the following topics related to configuring reconciliation:
- Performing Full and Incremental Reconciliation
- Performing Limited Reconciliation
Note:
Consider this scenario. You provision a user to an organization (org1) and then move the user to a second organization (org2). You run Trusted Reconciliation and Target User Sync reconciliation. As a result, two resources are attached to the user: one revoked and one provisioned.
This behavior is normal for the connector. After the user is moved to org2, the target directory considers the user in org1 to be deleted (revoked) even though the user still exists in org1. In org2 the user also exists and is considered to be provisioned.
6.2.1 Performing Full and Incremental Reconciliation
Full reconciliation involves reconciling all existing user records from the target system into Oracle Identity Governance. During incremental reconciliation, only records that are added or modified after the last reconciliation run are fetched into Oracle Identity Governance.
After you deploy the connector, you must first perform full reconciliation. In addition, you can switch from incremental reconciliation to full reconciliation whenever you want to ensure that all target system records are reconciled in Oracle Identity Governance.
Full reconciliation: To perform a full reconciliation run, ensure that a value is not specified for the Filter and Latest Token attributes of the search reconciliation scheduled job for users, groups, or roles.
Incremental reconciliation: If the target system supports changelog, Sync reconciliation can be used for performing incremental reconciliation. To perform an incremental reconciliation run, specify a value for the Sync Token attribute in the sync reconciliation scheduled job for users, groups, or roles. From the next run onward, only records created or modified after the value in the Sync Token attribute are considered for reconciliation.
Incremental reconciliation can also be performed by filtered search based on the modifyTimestamp value. The timestamp value is updated in the search reconciliation scheduled task after full reconciliation. From the next run onward, the task runs in incremental reconciliation mode.
Note:
As a prerequisite, configure modifyTimestamp as an indexed and searchable attribute.
See Reconciliation Jobs for OID and Reconciliation Jobs for OUD, ODSEE, and LDAPv3-Compliant Directory Server for information about these reconciliation jobs.
6.2.2 Performing Limited Reconciliation
By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run. You can customize this process by specifying the subset of added or modified target system records that must be reconciled.
The following are the ways in which limited reconciliation can be achieved:
- Performing Limited Reconciliation By Using Filters
- Performing Limited Reconciliation Based on Group Membership
6.2.2.1 Performing Limited Reconciliation By Using Filters
You can perform limited reconciliation by creating filters for the reconciliation module, and reconcile records from the target system based on a specified filter criterion.
This connector provides a Filter attribute (a scheduled task attribute) that allows you to use any of the OID resource attributes to filter the target system records.
For detailed information about ICF Filters, see ICF Filter Syntax in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance.
While creating the application, follow the instructions in Configuring Reconciliation Jobs to specify attribute values.
6.2.2.2 Performing Limited Reconciliation Based on Group Membership
Limited Reconciliation can be performed based on Group Membership. You can reconcile only the users associated with a particular group by configuring the filter.
- For ODSEE and OUD:
  - Set the ldapGroupFilterBehavior advanced settings parameter to accept.
  - Set the ldapGroupMembershipAttribute advanced settings parameter to ismemberof.
  Specify the filter as: containsAllValues('ldapGroups','cn=grp1,ou=groups,dc=example,dc=com')
- For OID:
  - Set the ldapGroupFilterBehavior advanced settings parameter to ignore.
  - Set the ldapGroupMembershipAttribute advanced settings parameter to ismemberof.
  Specify the filter as: containsAllValues('ldapGroups','cn=grp1,ou=groups,dc=example,dc=com')
In these examples, grp1 is the group with which the users are associated.
6.3 Reconciling Newly Created Objects for OUD Release 11.1.1.5.0
If you create a new object (User, OU, or Group) on OUD release 11.1.1.5.0 and run a search reconciliation job with modifyTimestamp in Incremental Recon Attribute, the reconciliation events are not created for new objects. To reconcile newly created objects, you must perform full reconciliation with createTimestamp in Incremental Recon Attribute.
To create a new reconciliation job for reconciling newly created objects separately:
1. Using Identity Self Service, create a new full reconciliation job.
2. Set the Job Name depending on the object type that you want to reconcile (User, OU, or Group). For example, OUD New Users Search Reconciliation.
3. Set the Object Type to User, OU, or Group, depending on the object type you want to reconcile.
4. Add the Incremental Recon Attribute parameter and set the value to createTimestamp.
5. Add the Scheduled Task Name parameter and set the value to the job name that you specified in Step 2.
6. Add the Filter and Latest Token parameters depending on your requirements.
7. Click Apply to save the job.
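As an added illustration of how the Incremental Recon Attribute, Latest Token and Filter settings interact in a search reconciliation run (sections 6.2.1, 6.2.2.2 and 6.3), and of why a modifyTimestamp-based job can miss newly created objects while a createTimestamp job finds them. This is not connector code: the entries, timestamps and group DNs are constructed, the missing modifyTimestamp on one entry is a modelling assumption, and the function names are mine.

```python
from datetime import datetime, timezone

# Constructed sample directory entries (not real data). Timestamps use the
# LDAP GeneralizedTime form the directory returns. The entry for 'carol' carries
# no modifyTimestamp: an assumption that models a server which, like OUD
# 11.1.1.5.0 as described in section 6.3, does not yield freshly created
# entries to a modifyTimestamp-based incremental run.
ENTRIES = [
    {"uid": "alice", "createTimestamp": "20240101090000Z",
     "modifyTimestamp": "20240301120000Z",
     "ldapGroups": ["cn=grp1,ou=groups,dc=example,dc=com"]},
    {"uid": "bob", "createTimestamp": "20240215100000Z",
     "modifyTimestamp": "20240215100000Z",
     "ldapGroups": []},
    {"uid": "carol", "createTimestamp": "20240320080000Z",
     "ldapGroups": ["cn=grp1,ou=groups,dc=example,dc=com",
                    "cn=grp2,ou=groups,dc=example,dc=com"]},
]


def parse_generalized_time(value):
    """Parse the YYYYMMDDHHMMSSZ form of LDAP GeneralizedTime into an aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def contains_all_values(attribute, *values):
    """Predicate with the meaning of the ICF containsAllValues filter used in
    section 6.2.2.2: true when the multi-valued attribute holds every listed value."""
    def predicate(entry):
        present = set(entry.get(attribute, []))
        return all(v in present for v in values)
    return predicate


def search_reconcile(entries, incremental_attr, latest_token=None, filter_fn=None):
    """Select the records a search reconciliation run would create events for.

    latest_token None  -> full run: every entry that passes the filter.
    latest_token set   -> incremental run: only entries whose incremental_attr
                          is strictly later than the token; entries without the
                          attribute cannot be ordered and are skipped.
    Returns (uids, new_latest_token); the new token is the latest value of
    incremental_attr seen among the scanned entries, which is what the engine
    writes back into the job after the run.
    """
    token_dt = parse_generalized_time(latest_token) if latest_token else None
    newest_dt, newest_raw = token_dt, latest_token
    selected = []
    for entry in entries:
        if filter_fn is not None and not filter_fn(entry):
            continue
        stamp = entry.get(incremental_attr)
        stamp_dt = parse_generalized_time(stamp) if stamp else None
        if token_dt is None or (stamp_dt is not None and stamp_dt > token_dt):
            selected.append(entry["uid"])
        if stamp_dt is not None and (newest_dt is None or stamp_dt > newest_dt):
            newest_dt, newest_raw = stamp_dt, stamp
    return selected, newest_raw


if __name__ == "__main__":
    full, token = search_reconcile(ENTRIES, "modifyTimestamp")
    print("full run:", full, "-> Latest Token", token)
    # A later modifyTimestamp run misses carol; a createTimestamp job finds her.
    print("incremental (modifyTimestamp):", search_reconcile(ENTRIES, "modifyTimestamp", token)[0])
    print("incremental (createTimestamp):", search_reconcile(ENTRIES, "createTimestamp", token)[0])
```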
See Also:
Updating Reconciliation Jobs in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance for instructions on creating a new reconciliation job
6.4 Reconciling OID, OUD, and ODSEE Users Under Their Corresponding Organizations in Oracle Identity Governance
Perform this optional task to reconcile users from the OID, OUD, or ODSEE target system under their corresponding organizations in Oracle Identity Governance. You do so by updating the default schema that has been set for an authoritative application.
See Also:
Creating an Organization in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance
6.5 Reconciling OID, OUD, and ODSEE Groups Under One Organization in Oracle Identity Governance
Perform this task to reconcile groups from the OID, OUD, or ODSEE target system under the corresponding organization in Oracle Identity Governance.
See Also:
-
Creating an Organization in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance for instructions on creating organizations in Oracle Identity Governance
-
Table 4-15 for details about the parameters of the LDAP Connector Group Lookup Reconciliation job
-
Configuring Reconciliation Jobs for instructions on performing reconciliation runs
6.6 Reconciling ODSEE Roles Under One Organization in Oracle Identity Governance
Perform this task to configure ODSEE roles to be reconciled under one organization.
See Also:
-
Creating an Organization in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance for instructions on creating organizations in Oracle Identity Governance
-
Table 4-15 for details about the parameters of the LDAP Connector Role Search Reconciliation job
-
Configuring Reconciliation Jobs for instructions on performing reconciliation runs
6.7 Configuring Reconciliation Jobs
Configure reconciliation jobs to perform reconciliation runs that periodically check for new information on your target system and replicate the data in Oracle Identity Governance.
You can apply this procedure to configure the reconciliation jobs for users and entitlements.
6.8 Performing Provisioning Operations
You create a new user in Identity Self Service by using the Create User page. You request accounts on the Accounts tab of the User Details page.
To perform provisioning operations in Oracle Identity Governance:
- Log in to Identity Self Service.
- Create a user as follows:
- In Identity Self Service, click Manage. The Home tab displays the different Manage options. Click Users. The Manage Users page is displayed.
- From the Actions menu, select Create. Alternatively, you can click Create on the toolbar. The Create User page is displayed with input fields for user profile attributes.
- Enter details of the user in the Create User page.
- On the Account tab, click Request Accounts.
- In the Catalog page, search for and add to cart the application instance for the connector that you configured earlier, and then click Checkout.
- Specify values for the fields in the application form and then click Ready to Submit.
- Click Submit.
See Also:
Creating a User in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance for details about the fields on the Create User page
6.9 Connector Objects Used for Groups and Organizational Units Management in OID
Learn about the objects that are used by the connector to perform group and organizational unit management operations such as create, update, and delete.
6.9.1 Preconfigured Lookup Definitions for Groups Management in OID
The lookup definitions for Groups are automatically created in Oracle Identity Governance after you create the application by using the connector. These lookup definitions are prepopulated with values after you create the application.
This section provides information about the following lookup definitions for group operations:
- Lookup.OID.Group.Configuration
- Lookup.OID.Group.ProvAttrMap
- Lookup.OID.Group.ReconAttrMap
6.9.1.1 Lookup.OID.Group.Configuration
The Lookup.OID.Group.Configuration lookup definition holds configuration entries that are specific to the group object type. This lookup definition is used during group management operations when your target system is configured as a target resource.
Table 6-1 lists the default entries in this lookup definition.
Table 6-1 Entries in the Lookup.OID.Group.Configuration Lookup Definition
Code Key | Decode | Description |
---|---|---|
Provisioning Attribute Map | Lookup.OID.Group.ProvAttrMap | This entry holds the name of the lookup definition that maps process form fields and target system attributes. |
Recon Attribute Map | Lookup.OID.Group.ReconAttrMap | This entry holds the name of the lookup definition that maps resource object fields and target system attributes. |
6.9.1.2 Lookup.OID.Group.ProvAttrMap
The Lookup.OID.Group.ProvAttrMap lookup definition holds mappings between process form fields and target system attributes. This lookup definition is used during group provisioning operations. This lookup definition is preconfigured.
Table 6-2 lists the default entries. You can add entries to this lookup definition if you want to map new target system attributes for provisioning.
Table 6-2 Entries in the Lookup.OID.Group.ProvAttrMap Lookup Definition
Group Field on Oracle Identity Manager | Target System Field |
---|---|
Container DN[IGNORE,LOOKUP] | container |
Group Name | cn |
Name | __NAME__="cn=${Group_Name},${Container_DN}" |
OrclGuid | __UID__ |
6.9.1.3 Lookup.OID.Group.ReconAttrMap
The Lookup.OID.Group.ReconAttrMap lookup definition holds mappings between resource object fields for groups and target system attributes. This lookup definition is used during reconciliation. This lookup definition is preconfigured.
Table 6-3 lists the default entries. You can add entries to this lookup definition if you want to map new target system attributes for reconciliation.
Table 6-3 Entries in the Lookup.OID.Group.ReconAttrMap Lookup Definition
Group Field on Oracle Identity Manager | Target System Field |
---|---|
Container DN[LOOKUP] | __parentDN__ |
Group Name | cn |
OrclGuid | __UID__ |
Org Name | __PARENTRDNVALUE__ |
6.9.2 Preconfigured Lookup Definitions for Organizational Units Management in OID
The lookup definitions for Organizational Units are automatically created in Oracle Identity Governance after you create the application by using the connector. These lookup definitions are prepopulated with values after you create the application.
This section describes the following lookup definitions for organizational unit operations:
- Lookup.OID.OU.Configuration
- Lookup.OID.OU.ProvAttrMap
- Lookup.OID.OU.ReconAttrMap
6.9.2.1 Lookup.OID.OU.Configuration
The Lookup.OID.OU.Configuration lookup definition holds configuration entries that are specific to the organizational unit object type. This lookup definition is used during organizational unit management operations when your target system is configured as a target resource.
Table 6-4 lists the default entries in this lookup definition.
Table 6-4 Entries in the Lookup.OID.OU.Configuration Lookup Definition
Code Key | Decode | Description |
---|---|---|
Provisioning Attribute Map | Lookup.OID.OU.ProvAttrMap | Lookup used during provisioning. |
Recon Attribute Map | Lookup.OID.OU.ReconAttrMap | Lookup used during reconciliation. |
6.9.2.2 Lookup.OID.OU.ProvAttrMap
The Lookup.OID.OU.ProvAttrMap lookup definition maps process form fields for organizations and target system attributes. This lookup definition is used for performing organizational unit provisioning operations.
Table 6-5 lists the organizational unit fields of the target system for which you can specify or modify values during provisioning operations.
Table 6-5 Entries in the Lookup.OID.OU.ProvAttrMap Lookup Definition
Organization Field on Oracle Identity Manager | Target System Field |
---|---|
Container DN[IGNORE,LOOKUP] | Not used. |
Name | __NAME__="ou=${Organisation_Unit_Name},${Container_DN}" |
OrclGuid | __UID__ |
Organisation Unit Name | ou |
6.9.2.3 Lookup.OID.OU.ReconAttrMap
This lookup definition is used during reconciliation. Table 6-6 lists the entries in this lookup definition.
Table 6-6 Entries in the Lookup.OID.OU.ReconAttrMap Lookup Definition
Code Key | Decode |
---|---|
Container DN[LOOKUP] | __parentDN__ |
OrclGuid | __UID__ |
Organisation Unit Name | ou |
Org Name | __PARENTRDNVALUE__ |
6.9.3 Reconciliation Scheduled Jobs for Groups and Organizational Units Management in OID
After you create an application, reconciliation scheduled jobs are automatically created in Oracle Identity Governance. You must configure these scheduled jobs to suit your requirements by specifying values for their attributes.
This topic provides information about the following scheduled jobs:
- Scheduled Jobs for Reconciliation of Groups and OUs in OID
- Scheduled Jobs for Reconciliation of Deleted Groups and OUs in OID
6.9.3.1 Scheduled Jobs for Reconciliation of Groups and OUs in OID
Depending on whether you want to perform groups management or organizational units management, you must specify values for the attributes of the following scheduled jobs.
-
OID Connector Group Search Reconciliation
-
OID Connector Group Sync Reconciliation
-
OID Connector OU Search Reconciliation
-
OID Connector OU Sync Reconciliation
The following sections describe the scheduled jobs and their attributes for groups and organizational units management:
- OID Connector Group Search Reconciliation and OID Connector OU Search Reconciliation Scheduled Jobs
- OID Connector Group Sync Reconciliation and OID Connector OU Sync Reconciliation Scheduled Jobs
6.9.3.1.1 OID Connector Group Search Reconciliation and OID Connector OU Search Reconciliation Scheduled Jobs
The OID Connector Group Search Reconciliation scheduled job is used to reconcile group data from OID. Similarly, the OID Connector OU Search Reconciliation scheduled job is used to reconcile OU data from OID. You must use these scheduled jobs if either of the following conditions is true:
-
Your target system does not contain a changelog attribute.
-
You want to reconcile into Oracle Identity Governance changes made to group or OU memberships on the target system.
Table 6-7 describes the attributes of these scheduled jobs.
Table 6-7 Attributes of the OID Connector Group Search Reconciliation and OID Connector OU Search Reconciliation Scheduled Jobs
Attribute | Description |
---|---|
Filter | Expression for filtering records that must be reconciled by the scheduled job. Sample value: Default value: None. See Performing Limited Reconciliation for the syntax of this expression. |
Incremental Recon Attribute | Enter the name of the target system attribute that holds the time stamp at which the last reconciliation run started. The value in this attribute is used during incremental reconciliation to determine the newest or latest record reconciled from the target system. The default value is the same for all Search Recon Tasks: |
IT Resource Name | Enter the name of the IT resource for the target system installation from which you want to reconcile group or OU data. Value: |
Latest Token | This attribute holds the time stamp value of the Incremental Recon Attribute. Note: The reconciliation engine automatically enters a value for this attribute after execution. It is recommended that you do not change the value of this attribute. If you manually specify a value for this attribute, then only records that have been modified after the time stamp specified as the value of this attribute are reconciled. If you want to perform a full reconciliation, clear the value in this field. Sample value: |
Object Type | Type of object to be reconciled. Depending on the scheduled job you are using, the default values are as follows: |
Resource Object Name | Name of the resource object that is used for reconciliation. Depending on the scheduled job you are using, the default values are as follows: |
Scheduled Task Name | Name of the scheduled task used for reconciliation. Depending on the scheduled job you are using, the default values are as follows: |
6.9.3.1.2 OID Connector Group Sync Reconciliation and OID Connector OU Sync Reconciliation Scheduled Jobs
The OID Connector Group Sync Reconciliation scheduled job is used to reconcile group data from OID. Similarly, the OID Connector OU Sync Reconciliation scheduled job is used to reconcile OU data from the OID target system. You must use these scheduled jobs if your target system supports the changelog attribute.
Table 6-8 describes the attributes of these scheduled jobs.
Table 6-8 Attributes of the OID Connector Group Sync Reconciliation and OID Connector OU Sync Reconciliation Scheduled Jobs
Attribute | Description |
---|---|
IT Resource Name | Enter the name of the IT resource for the target system installation from which you want to reconcile group or OU data. Value: |
Object Type | Type of object to be reconciled. Depending on the scheduled job you are using, the default values are as follows: |
Resource Object Name | Name of the resource object that is used for reconciliation. Depending on the scheduled job you are using, the default values are as follows: |
Scheduled Task Name | Name of the scheduled task used for reconciliation. Depending on the scheduled job you are using, the default values are as follows: |
Sync Token | You can manually enter the first Sync Token. To retrieve this token, query cn=changelog on the rootDSE of the target system. Then, every time sync reconciliation is run, Sync Token is updated. Browse the changelog attribute of the target system to determine a value from the changelog that must be used to resume a reconciliation run. From the next reconciliation run onward, only data about records that are created or modified since the last reconciliation run ended are fetched into Oracle Identity Governance. Alternatively, you can leave this field blank, which causes the entire changelog to be read. This attribute stores values in the following format: <Integer>VALUE</Integer> Sample value: |
6.9.3.2 Scheduled Jobs for Reconciliation of Deleted Groups and OUs in OID
Depending on whether you want to perform reconciliation of deleted groups or reconciliation of deleted OUs, the following scheduled jobs are available:
-
OID Connector Group Search Delete Reconciliation: Use this scheduled job to reconcile data about deleted groups from the target system.
-
OID Connector OU Search Delete Reconciliation: Use this scheduled job to reconcile data about deleted OUs from the target system.
Table 6-9 describes the attributes of these scheduled jobs.
Table 6-9 Attributes of the Scheduled Jobs for Deleted Groups and Organizational Units Reconciliation
Attribute | Description |
---|---|
IT Resource Name | Name of the IT resource instance that the connector must use to reconcile data. Default value: |
Object Type | This attribute holds the type of object you want to reconcile. Depending on the scheduled job you are using, the default values are as follows: |
Resource Object Name | Enter the name of the resource object against which reconciliation runs must be performed. Depending on the scheduled job you are using, the default values are as follows: |
6.10 Connector Objects Used for Groups, Organizational Units, and Roles Management in OUD, ODSEE, and LDAPv3-Compliant Directory Server
Learn about the objects that are used by the connector to perform group, organizational unit, and role management operations such as create, update, and delete.
6.10.1 Preconfigured Lookup Definitions for Groups Management in OUD, ODSEE, and LDAPv3-Compliant Directory Server
The lookup definitions for Groups are automatically created in Oracle Identity Governance after you create the application by using the connector. These lookup definitions are prepopulated with values after you create the application.
This section provides information about the following lookup definitions for group operations:
- Lookup.LDAP.Group.Configuration
- Lookup.LDAP.Group.ProvAttrMap
- Lookup.LDAP.Group.ReconAttrMap
6.10.1.1 Lookup.LDAP.Group.Configuration
The Lookup.LDAP.Group.Configuration lookup definition holds configuration entries that are specific to the group object type. This lookup definition is used during group management operations when your target system is configured as a target resource.
Table 6-10 lists the default entries in this lookup definition.
Table 6-10 Entries in the Lookup.LDAP.Group.Configuration Lookup Definition
Code Key | Decode | Description |
---|---|---|
Provisioning Attribute Map | Lookup.LDAP.Group.ProvAttrMap | This entry holds the name of the lookup definition that maps process form fields and target system attributes. See Lookup.LDAP.Group.ProvAttrMap for more information about this lookup definition. |
Recon Attribute Map | Lookup.LDAP.Group.ReconAttrMap | This entry holds the name of the lookup definition that maps resource object fields and target system attributes. See Lookup.LDAP.Group.ReconAttrMap for more information about this lookup definition. |
6.10.1.2 Lookup.LDAP.Group.ProvAttrMap
The Lookup.LDAP.Group.ProvAttrMap lookup definition holds mappings between process form fields and target system attributes. This lookup definition is preconfigured and is used during group provisioning operations.
Table 6-11 lists the default entries. You can add entries to this lookup definition if you want to map new target system attributes for provisioning.
Table 6-11 Entries in the Lookup.LDAP.Group.ProvAttrMap Lookup Definition
Group Field on Oracle Identity Manager | Target System Field |
---|---|
Container DN[IGNORE,LOOKUP] | container |
Group Name | cn |
Name | __NAME__="cn=${Group_Name},${Container_DN}" |
NsuniqueID | __UID__ |
6.10.1.3 Lookup.LDAP.Group.ReconAttrMap
The Lookup.LDAP.Group.ReconAttrMap lookup definition holds mappings between resource object fields for groups and target system attributes. This lookup definition is preconfigured and is used during reconciliation.
Table 6-12 lists the default entries. You can add entries to this lookup definition if you want to map new target system attributes for reconciliation.
Table 6-12 Entries in the Lookup.LDAP.Group.ReconAttrMap Lookup Definition
Group Field on Oracle Identity Manager | Target System Field |
---|---|
Container DN[LOOKUP] | __parentDN__ |
Group Name | cn |
NsuniqueID | __UID__ |
Org Name | __PARENTRDNVALUE__ |
6.10.2 Preconfigured Lookup Definitions for Organizational Units Management in OUD, ODSEE, and LDAPv3-Compliant Directory Server
The lookup definitions for Organizational Units are automatically created in Oracle Identity Governance after you create the application by using the connector. These lookup definitions are prepopulated with values after you create the application.
This section provides information about the following lookup definitions for organizational unit operations:
- Lookup.LDAP.OU.Configuration
- Lookup.LDAP.OU.ProvAttrMap
- Lookup.LDAP.OU.ReconAttrMap
6.10.2.1 Lookup.LDAP.OU.Configuration
The Lookup.LDAP.OU.Configuration lookup definition holds configuration entries that are specific to the organizational unit object type. This lookup definition is used during organizational unit management operations when your target system is configured as a target resource.
Table 6-13 lists the default entries in this lookup definition.
Table 6-13 Entries in the Lookup.LDAP.OU.Configuration Lookup Definition
Code Key | Decode | Description |
---|---|---|
Provisioning Attribute Map | Lookup.LDAP.OU.ProvAttrMap | This entry holds the name of the lookup definition that maps process form fields and target system attributes. See Lookup.LDAP.OU.ProvAttrMap for more information about this lookup definition. |
Recon Attribute Map | Lookup.LDAP.OU.ReconAttrMap | This entry holds the name of the lookup definition that maps resource object fields and target system attributes. See Lookup.LDAP.OU.ReconAttrMap for more information about this lookup definition. |
6.10.2.2 Lookup.LDAP.OU.ProvAttrMap
The Lookup.LDAP.OU.ProvAttrMap lookup definition holds mappings between process form fields and target system attributes. This lookup definition is preconfigured and is used during provisioning.
Table 6-14 lists the default entries. You can add entries in this lookup definition if you want to map new target system attributes for provisioning.
Table 6-14 Entries in the Lookup.LDAP.OU.ProvAttrMap Lookup Definition
Process Form Field | Target System Field |
---|---|
Container DN[IGNORE,LOOKUP] | not used |
Name | __NAME__="ou=${Organisation_Unit_Name},${Container_DN}" |
NsuniqueID | __UID__ |
Organisation Unit Name | ou |
6.10.2.3 Lookup.LDAP.OU.ReconAttrMap
The Lookup.LDAP.OU.ReconAttrMap lookup definition holds mappings between resource object fields for organizational units (OUs) and target system attributes. This lookup definition is preconfigured and is used during reconciliation.
Table 6-15 lists the default entries. You can add entries to this lookup definition if you want to map new target system attributes for reconciliation.
Table 6-15 Entries in the Lookup.LDAP.OU.ReconAttrMap Lookup Definition
OU Field on Oracle Identity Manager | Target System Field |
---|---|
Container DN[LOOKUP] | __parentDN__ |
NsuniqueID | __UID__ |
Organisation Unit Name | ou |
Org Name | __PARENTRDNVALUE__ |
6.10.3 Preconfigured Lookup Definitions for Roles Management in ODSEE
The lookup definitions for Roles are automatically created in Oracle Identity Governance after you create the application by using the connector. These lookup definitions are prepopulated with values after you create the application.
This section provides information about the following lookup definitions for role operations:
- Lookup.LDAP.Role.Configuration
- Lookup.LDAP.Role.ProvAttrMap
- Lookup.LDAP.Role.ReconAttrMap
6.10.3.1 Lookup.LDAP.Role.Configuration
The Lookup.LDAP.Role.Configuration lookup definition holds configuration entries that are specific to the role object type. This lookup definition is used during role management operations when your target system is configured as a target resource.
Table 6-16 Entries in the Lookup.LDAP.Role.Configuration Lookup Definition
Code Key | Decode | Description |
---|---|---|
Provisioning Attribute Map | Lookup.LDAP.Role.ProvAttrMap | This entry holds the name of the lookup definition that maps process form fields and target system attributes. See Lookup.LDAP.Role.ProvAttrMap for more information about this lookup definition. |
Recon Attribute Map | Lookup.LDAP.Role.ReconAttrMap | This entry holds the name of the lookup definition that maps resource object fields and target system attributes. See Lookup.LDAP.Role.ReconAttrMap for more information about this lookup definition. |
6.10.3.2 Lookup.LDAP.Role.ProvAttrMap
The Lookup.LDAP.Role.ProvAttrMap lookup definition holds mappings between process form fields and target system attributes. This lookup definition is preconfigured and is used during role provisioning operations.
Table 6-17 lists the default entries in this lookup definition. You can add entries in this lookup definition if you want to map new target system attributes for provisioning.
Table 6-17 Entries in the Lookup.LDAP.Role.ProvAttrMap Lookup Definition
Role Field on Oracle Identity Manager | Target System Field |
---|---|
Container DN[IGNORE,LOOKUP] | not used |
Name | __NAME__="cn=${Role_Name},${Container_DN}" |
NsuniqueID | __UID__ |
Role Name | cn |
6.10.3.3 Lookup.LDAP.Role.ReconAttrMap
The Lookup.LDAP.Role.ReconAttrMap lookup definition holds mappings between resource object fields for roles and target system attributes. This lookup definition is preconfigured and is used during reconciliation.
Table 6-18 lists the default entries. You can add entries in this lookup definition if you want to map new target system attributes for reconciliation.
Table 6-18 Entries in the Lookup.LDAP.Role.ReconAttrMap Lookup Definition
Role Field on Oracle Identity Manager | Target System Field |
---|---|
Container DN[LOOKUP] | __parentDN__ |
NsuniqueID | __UID__ |
Org Name | __PARENTRDNVALUE__ |
Role Name | cn |
6.10.4 Reconciliation Scheduled Jobs for Groups, Organizational Units, and Roles Management in OUD, ODSEE, and LDAPv3-Compliant Directory Server
After you create an application, reconciliation scheduled jobs are automatically created in Oracle Identity Governance. You must configure these scheduled jobs to suit your requirements by specifying values for their attributes.
This topic provides information about the following scheduled jobs:
6.10.4.1 Scheduled Jobs for Reconciliation of Groups, OUs, and Roles in OUD, ODSEE, and LDAPv3-Compliant Directory Server
Depending on whether you want to perform group, organizational unit, or role management, you must specify values for the attributes of the following scheduled jobs.
-
LDAP Connector Group Search Reconciliation
-
LDAP Connector Group Sync Reconciliation
-
LDAP Connector OU Search Reconciliation
-
LDAP Connector OU Sync Reconciliation
-
LDAP Connector Role Search Reconciliation
-
LDAP Connector Role Sync Reconciliation
Note:
The LDAP Connector Role Search Reconciliation and LDAP Connector Role Sync Reconciliation scheduled jobs are available only for ODSEE.
The following sections describe the scheduled jobs and their attributes for groups, organizational units, and roles management:
6.10.4.1.1 LDAP Connector Group Search Reconciliation, LDAP Connector OU Search Reconciliation, and LDAP Connector Role Search Reconciliation Scheduled Jobs
The LDAP Connector Group Search Reconciliation and LDAP Connector OU Search Reconciliation scheduled jobs are used to reconcile group and organizational unit data from OUD, ODSEE, and LDAPv3-compliant directory server target systems. The LDAP Connector Role Search Reconciliation scheduled job is used to reconcile role data from the ODSEE target system. You must use these scheduled jobs if either of the following conditions is true:
-
Your target system does not contain a changelog attribute.
-
You want to reconcile into Oracle Identity Governance changes made to group, OU, or role memberships on the target system.
Table 6-19 describes the attributes of these scheduled jobs.
Table 6-19 Attributes of the LDAP Connector Group Search Reconciliation, LDAP Connector OU Search Reconciliation, and LDAP Connector Role Search Reconciliation Scheduled Jobs
Attribute | Description |
---|---|
Filter | Expression for filtering records that must be reconciled by the scheduled job. Sample value: Default value: None See Performing Limited Reconciliation for the syntax of this expression. |
Incremental Recon Attribute | Enter the name of the target system attribute that holds the time stamp at which the last reconciliation run started. The value in this attribute is used during incremental reconciliation to determine the newest or latest record reconciled from the target system. The default value is the same for all Search Recon Tasks: |
IT Resource Name | Enter the name of the IT resource for the target system installation from which you want to reconcile group, OU, or role data. Default value: |
Latest Token | This attribute holds the time stamp value of the Incremental Recon Attribute. Note: The reconciliation engine automatically enters a value for this attribute after execution. It is recommended that you do not change the value of this attribute. If you manually specify a value for this attribute, then only records (groups, OUs, or roles) that have been modified after the time stamp specified as the value of this attribute are reconciled. If you want to perform a full reconciliation, clear the value in this field. Sample value: |
Object Type | Type of object to be reconciled. Depending on the scheduled job you are using, the default values are as follows: |
Resource Object Name | Name of the resource object that is used for reconciliation. Depending on the scheduled job you are using, the default values are as follows: |
Scheduled Task Name | Name of the scheduled task used for reconciliation. Depending on the scheduled job you are using, the default values are as follows: |
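The Search Reconciliation jobs combine the Filter attribute with the Incremental Recon Attribute and Latest Token: with a token present, only records whose time stamp attribute is at or after the token are fetched; with the token cleared, the run is a full reconciliation. The following added example (not connector code) makes that composition concrete. It assumes the two parts are joined as an LDAP AND filter, that the token is an LDAP GeneralizedTime value such as the one `modifyTimestamp` carries, and that assertion values are escaped per RFC 4515 so a malformed or hostile token cannot change the filter's structure; the connector's actual internal filter construction is not described on this page.

```python
"""Effective search filter for one Search Reconciliation run (Table 6-19).

Added example, not connector code. Combines the job's 'Filter' with the
'Incremental Recon Attribute' and 'Latest Token'. Assumptions: AND
composition, GeneralizedTime tokens, and '>=' as the comparison (LDAP has
no strict '>', so a record modified at exactly the token instant can be
returned twice and must be deduplicated by the caller).
"""
import re

# GeneralizedTime as written by modifyTimestamp/createTimestamp: YYYYMMDDHHMMSS[.frac]Z
_GENERALIZED_TIME = re.compile(r'^\d{14}(\.\d+)?Z$')


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for an assertion value inside a search filter."""
    table = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}
    return ''.join(table.get(ch, ch) for ch in value)


def build_recon_filter(base_filter: str,
                       recon_attr: str = 'modifyTimestamp',
                       latest_token: str = '') -> str:
    """Return the filter a run would send.

    base_filter  : the job's 'Filter' attribute (may be empty)
    recon_attr   : the job's 'Incremental Recon Attribute'
    latest_token : the job's 'Latest Token'; blank means full reconciliation
    """
    base = base_filter.strip()
    if base and not base.startswith('('):
        base = f'({base})'            # tolerate a filter typed without outer parentheses

    token = latest_token.strip()
    if not token:
        # Cleared token: full reconciliation, everything the base filter matches.
        return base or '(objectClass=*)'

    if not _GENERALIZED_TIME.match(token):
        # Refuse rather than send a filter that silently matches nothing (or everything).
        raise ValueError(f'Latest Token is not an LDAP GeneralizedTime value: {token!r}')

    incremental = f'({recon_attr}>={escape_filter_value(token)})'
    return f'(&{base}{incremental})' if base else incremental


if __name__ == '__main__':
    # Constructed values: a groups filter, then the same job on its next (incremental) run.
    print(build_recon_filter('(objectClass=groupOfUniqueNames)'))
    print(build_recon_filter('(objectClass=groupOfUniqueNames)',
                             'modifyTimestamp', '20240501120000Z'))
```

To force a full reconciliation, clear Latest Token in the job rather than editing the filter; to verify what an incremental run will return, run the composed filter with ldapsearch against the same base DN before scheduling the job.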
6.10.4.1.2 LDAP Connector Group Sync Reconciliation, LDAP Connector OU Sync Reconciliation, and LDAP Connector Role Sync Reconciliation Scheduled Jobs
The LDAP Connector Group Sync Reconciliation and LDAP Connector OU Sync Reconciliation scheduled jobs are used to reconcile group and organizational unit data from OUD, ODSEE, and LDAPv3-compliant directory server target systems. The LDAP Connector Role Sync Reconciliation scheduled job is used to reconcile role data from the ODSEE target system. You must use these scheduled jobs if your target system supports the changelog attribute.
Table 6-20 describes the attributes of these scheduled jobs.
Table 6-20 Attributes of the LDAP Connector Group Sync Reconciliation, LDAP Connector OU Sync Reconciliation, and LDAP Connector Role Sync Reconciliation Scheduled Jobs
Attribute | Description |
---|---|
IT Resource Name | Enter the name of the IT resource for the target system installation from which you want to reconcile group, OU, or role data. Value: |
Object Type | Type of object to be reconciled. Depending on the scheduled job you are using, the default values are as follows: |
Resource Object Name | Name of the resource object that is used for reconciliation. Depending on the scheduled job you are using, the default values are as follows: |
Scheduled Task Name | Name of the scheduled task used for reconciliation. Depending on the scheduled job you are using, the default values are as follows: |
Sync Token | You can manually enter the first Sync Token. To obtain it, query cn=changelog on the rootDSE of the target system. Each sync reconciliation run then updates Sync Token, so from the next run onward only data about records created or modified since the previous run ended is fetched into Oracle Identity Governance. Alternatively, browse the changelog of the target system to determine the value from which a reconciliation run must resume. You can also leave this field blank, which causes the entire changelog to be read. This attribute stores values in one of the following formats: |
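The Sync Token is a cursor into the target system changelog. Seeding it from the rootDSE and resuming from it is straightforward, but one failure mode matters: OUD and ODSEE keep changelog entries only for a configured retention (purge delay), so if the stored token points before the oldest retained change, the entries in between are gone and a sync run that simply continues will silently miss adds, modifications and deletes. The following added example (not connector code) parses a constructed rootDSE response, derives the initial token, and implements resume logic that detects that gap and fails instead of skipping. It assumes the token is the numeric changeNumber of the last processed entry; the rootDSE attributes used (changelog, firstChangeNumber, lastChangeNumber) are the ones OUD and ODSEE publish, and the changelog content is constructed sample data.

```python
"""Seeding and resuming the Sync Token of Table 6-20 from the changelog.

Added example, not connector code. Token = changeNumber of the last
processed changelog entry (an assumption of this example; the connector's
own token formats are not listed on this page). Sample data is constructed.
"""
from dataclasses import dataclass

# Constructed rootDSE response, as returned by
#   ldapsearch -s base -b "" changelog firstChangeNumber lastChangeNumber
ROOTDSE_LDIF = """\
dn:
changelog: cn=changelog
firstChangeNumber: 1203
lastChangeNumber: 1207
"""


@dataclass(frozen=True)
class Change:
    change_number: int
    target_dn: str
    change_type: str


# Constructed changelog content matching firstChangeNumber..lastChangeNumber above.
CHANGELOG = [
    Change(1203, 'cn=ops,ou=Groups,dc=example,dc=com', 'modify'),
    Change(1204, 'ou=Sales,dc=example,dc=com', 'add'),
    Change(1205, 'cn=auditors,ou=Groups,dc=example,dc=com', 'add'),
    Change(1206, 'cn=ops,ou=Groups,dc=example,dc=com', 'modify'),
    Change(1207, 'ou=Temp,dc=example,dc=com', 'delete'),
]


def parse_rootdse(ldif: str) -> dict:
    """Collect single-valued attributes from an LDIF rootDSE entry."""
    attrs = {}
    for line in ldif.splitlines():
        if line.startswith('dn:') or ':' not in line:
            continue
        name, _, value = line.partition(':')
        attrs[name.strip()] = value.strip()
    return attrs


def initial_sync_token(rootdse: dict) -> str:
    """Token to enter so the first sync run reads only *future* changes.
    Leave the job's Sync Token blank instead to read the whole changelog."""
    if 'changelog' not in rootdse:
        raise ValueError('target publishes no changelog; use the Search Reconciliation jobs')
    return rootdse['lastChangeNumber']


def resume(changelog, rootdse: dict, sync_token: str):
    """Return (changes to process, updated token).

    Blank token            -> entire changelog is read.
    Token older than the oldest retained change (firstChangeNumber - 1)
                           -> changes were purged before we saw them; raise so a
                              full Search Reconciliation is run instead.
    """
    first = int(rootdse['firstChangeNumber'])
    if sync_token.strip():
        last_seen = int(sync_token)
        if last_seen < first - 1:
            raise RuntimeError(
                f'changelog gap: token {last_seen} < firstChangeNumber {first}; '
                'purge delay exceeded, run a full reconciliation')
    else:
        last_seen = first - 1

    pending = [c for c in changelog if c.change_number > last_seen]
    new_token = str(pending[-1].change_number) if pending else sync_token
    return pending, new_token


if __name__ == '__main__':
    rootdse = parse_rootdse(ROOTDSE_LDIF)
    print('seed token for "only future changes":', initial_sync_token(rootdse))
    pending, token = resume(CHANGELOG, rootdse, '1205')
    for change in pending:
        print(f'{change.change_number} {change.change_type:<7} {change.target_dn}')
    print('token after run:', token)
```

The gap check is the part worth carrying over into operations: alert when the Sync Job's stored token falls below the target's current firstChangeNumber, and follow the page's guidance to run the Search Reconciliation jobs (which do not depend on the changelog) to catch up.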
6.10.4.2 Scheduled Jobs for Reconciliation of Deleted Groups, OUs, and Roles in OUD, ODSEE, and LDAPv3-Compliant Directory Server
Depending on whether you want to perform reconciliation of deleted groups, OUs, or roles, the following scheduled jobs are available:
-
LDAP Connector Group Search Delete Reconciliation: Use this scheduled job to reconcile data about deleted groups from the OUD, ODSEE, or LDAPv3-compliant directory server target systems.
-
LDAP Connector OU Search Delete Reconciliation: Use this scheduled job to reconcile data about deleted OUs from the OUD, ODSEE, or LDAPv3-compliant directory server target systems.
-
LDAP Connector Role Search Delete Reconciliation: Use this scheduled job to reconcile data about deleted roles from the ODSEE target system.
Table 6-21 describes the attributes of these scheduled jobs.
Table 6-21 Attributes of the Scheduled Jobs for Deleted Groups, Organizational Units, and Roles Reconciliation
Attribute | Description |
---|---|
IT Resource Name | Name of the IT resource instance that the connector must use to reconcile data. Default value: |
Object Type | This attribute holds the type of object you want to reconcile. Depending on the scheduled job you are using, the default values are as follows: |
Resource Object Name | Enter the name of the resource object against which reconciliation runs must be performed. Depending on the scheduled job you are using, the default values are as follows: |
6.11 Uninstalling the Connector
Uninstalling the Oracle Internet Directory connector deletes all the account-related data associated with its resource objects.
If you want to uninstall the connector for any reason, then run the Uninstall Connector utility. Before you run this utility, ensure that you set values for the ObjectType and ObjectValues properties in the ConnectorUninstall.properties file. For example, if you want to delete resource objects, scheduled tasks, and scheduled jobs associated with the connector, then enter "ResourceObject", "ScheduleTask", "ScheduleJob" as the value of the ObjectType property and a semicolon-separated list of object values corresponding to your connector as the value of the ObjectValues property.
For example: OID User; OID Group
Note:
If you set values for the ConnectorName and Release properties along with the ObjectType and ObjectValues properties, then the utility deletes only the objects listed in the ObjectValues property and skips the connector information.
For more information, see Uninstalling Connectors in Oracle Fusion Middleware Administering Oracle Identity Governance.