11 Replies Latest reply: May 23, 2012 8:30 AM by duncan_db RSS

    OIM LDAP sync default attributes

    938902
      Hi,

      i am using LDAP sync to provision user/roles to LDAP (OID).

      I did the experience, that organization cannot be sync'd to ldap using ldap sync.

      Are there a list of all attributes, which will sync between OIM and LDAP (OID)?

      Thanks in advance!
        • 1. Re: OIM LDAP sync default attributes
          Kevin Pinsky
          The true list of values is contained in the LDAPUser file. If you open it with an XML editor that lets you expand and collapse the tags, you'll get a better idea of that values.

          Once you have identified those, you can use the script <OIM_HOM>\server\ldap_config_util\ldapsyncudf.bat to add and remove values. Just make sure you wait like 10 seconds between attributes so the system can complete the updates.

          -Kevin
          • 2. Re: OIM LDAP sync default attributes
            938902
            Hi Kevin,

            thanks for the answer.

            Is it true, that organization cannot be sync'd using LDAPsync?
            • 3. Re: OIM LDAP sync default attributes
              duncan_db
              Correct. Organizations cannot be synched using LDAP Sync. They need to be created directly in LDAP. The other thing to note is that even if you create the same organization structure in LDAP as in OIM, users created in LDAP will not be in the same Organization structure as OIM without further work. LDAP Container mapping rules defines what containers in LDAP users are created in (see "Configuring LDAP Container Rules" in the OIM developers guide).
              • 4. Re: OIM LDAP sync default attributes
                Kevin Pinsky
                Depends on how you do it. You can map any values you like, and perform any action on them you'd like through an event handler.

                -Kevin
                • 5. Re: OIM LDAP sync default attributes
                  938902
                  The LDAPUser.xml has Organization included

                  <reconAttr>
                  <oimFormDescriptiveName>LDAP Organization</oimFormDescriptiveName>
                  <reconFieldName xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">o</reconFieldName>
                  <reconColName>RECON_O</reconColName>
                  <emDataType>string</emDataType>
                  <formFieldType/>
                  <targetattr keyfield="false" encrypted="false" required="false" type="String" name="usr_ldap_organization">
                  <Transformation name="OneToOne">
                  <Parameter name="o" fieldname="o"/>
                  </Transformation>
                  </targetattr>
                  </reconAttr>

                  Why will it not be sync'd?

                  Can i modify the LDAPUser.xml to add any attribute i wish?
                  • 6. Re: OIM LDAP sync default attributes
                    duncan_db
                    This bit of XML just tells reconciliation to copy the "o" attribute in LDAP to a user database field usr_ldap_organization. It does not reconcile organizations as such. I hope the below is an accurate summary of handling of LDAP organizations by LDAP sync which will help.

                    1) LDAP Synch does not reconcile organization objects into OIM
                    2) LDAP Synch does provision organization objects to LDAP (although as pointed out perhaps you can customize something outside LDAP sync using an event handler)
                    3) Users reconciled from LDAP to OIM ar eby default placed in one OIM organization based on the the LDAP Sync scheduled job settings, irrespective of their organization in LDAP (although their LDAP organization can be reconciled to an OIM user attribute, perhaps allowing you to do some more work in an event handler)?
                    4) Users provisioned from OIM to LDAP use LDAP Container mapping to choose the organisation they are written to in LDAP. This is by default a simple set of attribute based rules, however custom code can be written in a plugin. Not that I found a bug that unfortunately the information that holds an OIM users OIM organization (ACT_KEY) is not made available to this plugin on create.

                    As to your further question, you can add other mappings as you require in the MDS files (LDAPUser.xml etc.) to map other attributes, either using supplied utilities to simply add UDFs (as mentioned in a previous post) or for less simple changes by modifying the XML by hand.
                    • 7. Re: OIM LDAP sync default attributes
                      938902
                      Ok, just for clarify :)

                      LDAPUser.xml has all attributes for reconciliation from LDAP to OIM, correct?

                      Or is LDAPUser.xml although needed for provisioning.

                      For my environment, i only need provisioning from OIM to LDAP. Therefore, i need a list, which attributes can provisioned from OIM to LDAP (by default)
                      • 8. Re: OIM LDAP sync default attributes
                        duncan_db
                        All the provisioned attributes are defined in LDAPuser.xml, with the possible exception of some additional OAM status related attributes.

                        If you are using OAM-OIM integration (and have oamenabled set to true in your OVD/libOVD configuration) some additional attributes (e.g. orclIsEnabled, obPasswordExpiryDate, ...) not listed in LDAPUser.xml are also provisioned.
                        • 9. Re: OIM LDAP sync default attributes
                          Kevin Pinsky
                          You do not have to run the on going reconciliation tasks from your directory back to OIM if you do not want. I would highly suggest you get your environment up and running. Then start your testing. You can use the tool i mentioned to add and remove attributes from the XML as you please, but in reality, until you start going through your use cases and seeing the output, you won't be able to really understand the big picture of everything going on and attributes that are being used. There is a huge lack of documentation on this stuff that you just need to play around with to get it working the way you want.

                          -Kevin
                          • 10. Re: OIM LDAP sync default attributes
                            938902
                            Ok, thanks for the update.

                            The LPAPUser.xml contains the following attributes:

                            act_key
                            LDAP Organization
                            LDAP Organization Unit

                            I create a user wit the following values for example:
                            Firstname: Peter
                            Lastname: Smith
                            Organization: Oracle
                            Mail: frank.peter@oracle.com
                            Password: xxx

                            The user will provisioned to LDAP and is stored as:
                            Firstname: Peter
                            Lastname: Smith
                            Mail: frank.peter@oracle.com
                            Password: xxx

                            In OIM "organization" is mapped to act_key. Why it cannot be sync'd to LDAP, if the value is in LDAPUser.xml?
                            • 11. Re: OIM LDAP sync default attributes
                              duncan_db
                              I guess in theory act_key could be mapped to an attribute but:

                              1) act_key is stored as a database key, i.e. just a number, not the organization name
                              2) It can only be mapped in this way to an attribute, not to the object dn which is always a conjunction of the object cn and the LDAP container set by container mapping rules / plugin
                              3) In my experience, at least from a plugin, act_key is not passed in on user creation (although you may be able to get at it here). Ihave had this raised as a bug.