The true list of values is contained in the LDAPUser file. If you open it with an XML editor that lets you expand and collapse the tags, you'll get a better idea of those values.
Once you have identified those, you can use the script <OIM_HOM>\server\ldap_config_util\ldapsyncudf.bat to add and remove values. Just make sure you wait like 10 seconds between attributes so the system can complete the updates.
Correct. Organizations cannot be synched using LDAP Sync. They need to be created directly in LDAP. The other thing to note is that even if you create the same organization structure in LDAP as in OIM, users created in LDAP will not be in the same organization structure as OIM without further work. LDAP Container mapping rules define which containers in LDAP users are created in (see "Configuring LDAP Container Rules" in the OIM developers guide).
The LDAPUser.xml has Organization included
<reconFieldName xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">o</reconFieldName>
<targetattr keyfield="false" encrypted="false" required="false" type="String" name="usr_ldap_organization">
<Parameter name="o" fieldname="o"/>
</targetattr>
Why will it not be sync'd?
Can I modify the LDAPUser.xml to add any attribute I wish?
This bit of XML just tells reconciliation to copy the "o" attribute in LDAP to a user database field usr_ldap_organization. It does not reconcile organizations as such. I hope the below is an accurate summary of handling of LDAP organizations by LDAP sync which will help.
1) LDAP Synch does not reconcile organization objects into OIM
2) LDAP Synch does provision organization objects to LDAP (although as pointed out perhaps you can customize something outside LDAP sync using an event handler)
3) Users reconciled from LDAP to OIM are by default placed in one OIM organization based on the LDAP Sync scheduled job settings, irrespective of their organization in LDAP (although their LDAP organization can be reconciled to an OIM user attribute, perhaps allowing you to do some more work in an event handler)?
4) Users provisioned from OIM to LDAP use LDAP Container mapping to choose the organisation they are written to in LDAP. This is by default a simple set of attribute based rules, however custom code can be written in a plugin. Note that I found a bug that unfortunately the information that holds an OIM user's OIM organization (ACT_KEY) is not made available to this plugin on create.
As to your further question, you can add other mappings as you require in the MDS files (LDAPUser.xml etc.) to map other attributes, either using supplied utilities to simply add UDFs (as mentioned in a previous post) or for less simple changes by modifying the XML by hand.
Ok, just to clarify :)
LDAPUser.xml has all attributes for reconciliation from LDAP to OIM, correct?
Or is LDAPUser.xml also needed for provisioning?
For my environment, I only need provisioning from OIM to LDAP. Therefore, I need a list of which attributes can be provisioned from OIM to LDAP (by default).
All the provisioned attributes are defined in LDAPUser.xml, with the possible exception of some additional OAM status related attributes.
If you are using OAM-OIM integration (and have oamenabled set to true in your OVD/libOVD configuration) some additional attributes (e.g. orclIsEnabled, obPasswordExpiryDate, ...) not listed in LDAPUser.xml are also provisioned.
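To get the "list of attributes provisioned by default" the poster asked for, the practical approach is to read the mappings straight out of LDAPUser.xml rather than guess from documentation. The script below is an added example, not code from the thread or from Oracle. It assumes only what the quoted fragment shows: a `<targetattr name="usr_...">` element carrying `keyfield`, `encrypted` and `required` attributes, with a child `<Parameter name="..." fieldname="..."/>` naming the LDAP attribute. The root element, the extra entries (`usr_login`/`uid`, `usr_password`/`userPassword`) and the sample document itself are constructed for this example and are not the real file layout; point `parse_mappings` at the XML you export from MDS to use it for real.

```python
"""Added example: list OIM -> LDAP attribute mappings from an LDAPUser.xml-style file.

Not from the original thread or from Oracle. Element and attribute names follow
the fragment quoted in the thread; the enclosing <mapping> root and the sample
entries below are assumptions made for this example.
"""
import xml.etree.ElementTree as ET

# Constructed sample document (assumption: real LDAPUser.xml differs in its
# root element and carries many more <targetattr> entries).
SAMPLE_LDAPUSER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<mapping>
  <targetattr keyfield="true" encrypted="false" required="true" type="String" name="usr_login">
    <Parameter name="uid" fieldname="uid"/>
  </targetattr>
  <targetattr keyfield="false" encrypted="false" required="false" type="String" name="usr_ldap_organization">
    <Parameter name="o" fieldname="o"/>
  </targetattr>
  <targetattr keyfield="false" encrypted="true" required="false" type="String" name="usr_password">
    <Parameter name="userPassword" fieldname="userPassword"/>
  </targetattr>
</mapping>
"""


def parse_mappings(xml_text):
    """Return one dict per <targetattr> that has a <Parameter> child.

    oim_field  - the OIM user table column (targetattr/@name)
    ldap_attr  - the LDAP attribute it is written to (Parameter/@name)
    keyfield / required / encrypted - the flags as booleans
    """
    root = ET.fromstring(xml_text)
    mappings = []
    for ta in root.iter("targetattr"):
        param = ta.find("Parameter")
        if param is None:
            # No LDAP attribute named: nothing is provisioned for this entry.
            continue
        mappings.append({
            "oim_field": ta.get("name"),
            "ldap_attr": param.get("name"),
            "keyfield": ta.get("keyfield") == "true",
            "required": ta.get("required") == "true",
            "encrypted": ta.get("encrypted") == "true",
        })
    return mappings


def provisioned_ldap_attrs(mappings):
    """Sorted list of LDAP attribute names that have an OIM mapping."""
    return sorted(m["ldap_attr"] for m in mappings)


def unmapped_attrs(mappings, wanted):
    """LDAP attributes you need that have no mapping yet (candidates for
    adding as UDFs with the ldapsyncudf utility or by editing the XML)."""
    have = {m["ldap_attr"] for m in mappings}
    return [attr for attr in wanted if attr not in have]


def secret_mappings(mappings):
    """LDAP attributes fed from fields OIM marks encrypted. These values are
    sent to the directory on provisioning, so the LDAP connection used by
    OIM should be LDAPS/StartTLS before such a mapping goes live."""
    return [m["ldap_attr"] for m in mappings if m["encrypted"]]


if __name__ == "__main__":
    maps = parse_mappings(SAMPLE_LDAPUSER_XML)
    for m in maps:
        print(f"{m['oim_field']:<24} -> {m['ldap_attr']}"
              f"{'  [key]' if m['keyfield'] else ''}"
              f"{'  [encrypted]' if m['encrypted'] else ''}")
    print("not mapped:", unmapped_attrs(maps, ["o", "mail", "telephoneNumber"]))
```

Run it against the exported file (`ET.parse(path).getroot()` in place of the string) to get the provisioned attribute list for your environment; anything `unmapped_attrs` reports for your use case is what you would add with the utility mentioned earlier in the thread.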
You do not have to run the ongoing reconciliation tasks from your directory back to OIM if you do not want. I would highly suggest you get your environment up and running. Then start your testing. You can use the tool I mentioned to add and remove attributes from the XML as you please, but in reality, until you start going through your use cases and seeing the output, you won't be able to really understand the big picture of everything going on and the attributes that are being used. There is a huge lack of documentation on this stuff that you just need to play around with to get it working the way you want.
Ok, thanks for the update.
The LDAPUser.xml contains the following attributes:
LDAP Organization Unit
I create a user with the following values for example:
The user will be provisioned to LDAP and is stored as:
In OIM "organization" is mapped to act_key. Why it cannot be sync'd to LDAP, if the value is in LDAPUser.xml?
I guess in theory act_key could be mapped to an attribute but:
1) act_key is stored as a database key, i.e. just a number, not the organization name
2) It can only be mapped in this way to an attribute, not to the object dn which is always a conjunction of the object cn and the LDAP container set by container mapping rules / plugin
3) In my experience, at least from a plugin, act_key is not passed in on user creation (although you may be able to get at it here). I have had this raised as a bug.