If true, allows passwords to flow from the IDM data store to the connected system. true If true, allows passwords to flow from the connected system to the IDM data store. true Use the password from the connected system to set the non-reversible NDS password in eDirectory. true Use the password from the connected system to set the NMAS Distribution Password used for IDM password synchronization. false If true, applies NMAS password policies during publish password operations. Password is not written to the data store if it does not comply. true If true, on a publish Distribution Password failure, attempt to reset the password in the connected system using the Distribution Password from the IDM data store. true true The name of the connected system, application or IDM driver. This value is used by the e-mail notification templates. Ora10gR2

Synchronize the first or last replica value of multi-valued attributes mapped to single-valued columns? first last first \META\ca\novl\Users \META\ca\novl\Oracle ca\novl\Oracle ca\novl\Oracle The subscriber channel retry interval controls how frequently the DirXML Engine will retry the processing of a cached transaction after the application shim's Subscriber object returns a retry status. 30 The qualified form for DN-syntax attribute values controls whether values for DN-syntax attribute values are presented in unqualified slash form or qualified slash form. A "true" setting means the values are presented in qualified form. false The qualified form for rename events controls whether the new-name portion of rename events coming from the Identity Vault are presented to the Subscriber channel with type qualifier(s) (e.g. CN=). A "true" setting means the names are presented in qualified form. false The maximum eDirectory replication wait time controls the maximum time that the DirXML Engine will wait for a particular change to replicate between the local replica and a remote replica. This only affects operations where the DirXML Engine is required to contact a remote eDirectory server in the same tree to perform an operation and may need to wait until some change has replicated to or from the remote server before the operation can be completed (e.g. object moves when the DirXML server does not hold the master replica of the moved object ;file system rights operations for Users created from a template.) 180 This control sets the XSLT processor used by the DirXML Engine to a backwards-compatible mode. The backwards-compatible mode causes the XSLT processor to use one or more behaviors that are not XPath 1.0 and/or XSLT 1.0 standards-compliant. This is done in the interest of backwards-compatiblity with existing DirXML stylesheets that depend on the non-standard behavior(s). In particular: The behavior of the XPath "!=" operator when one operand is a node-set and the other operand is other than a node-set is incorrect in DirXML releases up to and including DirXML 2.0 (Novell Identity Manager 2.0). This behavior has been corrected; however, the corrected behavior is disabled by default through this control in favor of backwards-compatibility with existing DirXML stylesheets. true This control is used to limit the number of application objects that the DirXML Engine will request from an application during a single query that is performed as part of a "migrate objects from application" operation. If "java.lang.OutOfMemoryError" errors are encountered during a migrate from application operation then this number should be set lower than the default. Note that this control does not limit the number of application objects that can be migrated; it merely limits the "batch size". 50 This control is used by the DirXML Engine to determine if the creatorsName attribute should be set to the DN of this driver on all objects created in the Identity Vault by this driver. Setting the creatorsName attribute allows for easily identifying objects created by this driver, but also carries a performance penalty. If not set, the creatorsName attribute will default to the DN of the NCP Server object that is hosting the driver. false This control determines whether the DirXML Engine will write a pending association on an object during subscriber channel processing. Writing a pending association confers little or no benefit but does incur a performance penalty. Nevertheless, the option exists to turn it on for backward compatibility. false This control determines the source of the value reported for the nspmDistributionPassword attribute for subscriber channel add and modify events. Setting the control to false means that the current value of nspmDistributionPassword is obtained and reported as the value of the attribute event. This means that only the current password value is available. This is the default behavior. Setting the control to true means that the value recorded with the eDirectory event will be decrypted and reported as the value of the attribute event. This means that both the old password value (if it exists) and the replacement password value at the time of the event are available. This is useful for synchronizing passwords to certain applications that require the old password to enable setting a new password. false This control determines whether the DirXML Engine will report the status of subscriber channel password change events. Reporting the status of subscriber channel password change events allows applications such as the Identity Manager User Application to monitor the synchronization progress of a password change that should be synchronized to the connected application. true Enter the class name of your third-party JDBC driver. Verify that the jar/zip file containing this class is version compatible with the target database. oracle.jdbc.driver.OracleDriver Show parameters that control how much of the database is visible to this driver? show hide show On start-up, the driver caches database metadata on a limited number of tables/views to facilitate data synchronization. You can cache no table/view metadata (exclude all tables/views), cache metadata on all tables/views owned by a single database user (include by schema membership) or cache metadata on an explicit list of table/view names (include by table/view name). If no table/view metadata is cached, the driver acts as a pass-through agent for embedded SQL. In this state, standard XDS events (e.g., add, modify, delete) are ignored. empty schema list list Enter the name of the database schema that contains the tables/views to synchronize. Schema is usually synonymous with ownership. For example, if database user 'idm' owns table 'table1', 'table1' is said to be part of the 'idm' schema. Do you want to use regular expressions to include or exclude tables/views? These parameters are useful when synchronizing with a large schema and you need to reduce the number of tables/view definitions cached by this driver. Schema filtering can reduce start-up time as well as reduce runtime memory utilization. 1 0 0 Specify a Java regular expression filter for including tables/views. Specify a Java regular expression filter for excluding tables/views. Enter the names of the tables/views to synchronize. You may need to schema-qualify these names (e.g., owner.table). Multiple values should be semicolon, comma, or space-delimited. This parameter is useful if you need to reduce the number of table/view definitions cached by this driver, which can shorten driver start-up time as well as reduce runtime memory utilization. It is also useful when synchronizing tables/views that reside in different database schemas (that is, are owned by multiple database users). idmUser.view_ORCLUSERS; idmUser.view_ORCLROLES,idmUser.view_ORCLPRIVS Return time-related data types as integers, canonical strings, or Java strings? The advantage of returning time values as integers is that integer values easily map to eDirectory's native time data types. The disadvantage is the limited range. An integer value that represents the number of seconds since 1970 can cover a date range from about 1910 to 2030 if interpreted as a signed value. By default, however, Identity Manager interprets time-related integer data types as unsigned values. String timestamps, on the other hand, can cover a much broader range, like database timestamps, and are more precise, but must be mapped to string data types in Identity Manager. Canonical string timestamps, dates, and times are published in the following formats: CCYYMMDDHHMMSSNNNNNNNNN, CCYYMMDD and HHMMSS, respectively (where C = century, Y = year, M = month or minute, D = day, H = hour, S = second, N = nano). These fixed-length formats have the virtue of collating in chronological order on any platform in any locale. Java string timestamps, dates, and times are published in the following formats: yyyy-mm-dd hh:mm:ss.fffffffff, yyyy-mm-dd and hh:mm:ss, respectively (where y = year, m = month or minute, d = day, h = hour, s = second, f = nano). _ 2 3 _ What's the path of the folder where you want this driver to store state information? Changing this value when using triggerless publication can force a resync of all objects. . Show connectivity-related parameters? show hide hide Should the Subscriber and Publisher share a database connection? Normally, this driver uses three database connections when both channels are enabled (one subscription connection and two publication connections). This parameter reduces the number of required connections to two (one dedicated publication connection and one shared subscription/publication connection). _ 1 0 _ What SQL statements, if any, should be executed immediately after connecting to the database? Multiple values should be semicolon-delimited. This parameter is useful for changing database contexts or setting session properties. List connection properties as key value pairs. For example: key=value. Multiple values should be delimited by a semi-colon. For example: key1=value1; key2=value2. Show parameters that can adjust adjust driver behavior to enhance compatibility with various third-party JDBC implementations and databases? show hide hide Do you want to use custom XML descriptor files that describe the unique properties of your third-party JDBC implementation or database to this driver? 1 0 0 Specify the name of the descriptor file for your third-party JDBC driver. The filename must have the extension .xml and be located in a jar file whose name begins with "jdbc" (case-insensitive) and in the runtime classpath. Specify the name of the descriptor file for the target database. The filename must have the extension .xml and be located in a jar file whose name begins with "jdbc" (case-insensitive) and in the runtime classpath. Show parameters that ensure backward compatibility? show hide hide Should table columns constrained with foreign key constraints be interpreted as referential attributes? Referrential attributes allow relationships, such as containment, to exist between tables. For 1.0 backwards compatibility, referential attribute support should be disabled. _ 0 _ Should view column name prefixes (e.g., "pk_", "fk_", "sv_", "mv_") be interpreted as metadata? When enabled, said prefixes are not considered part of view column names. Meta-identifiers allow one to define referrential relationships between views and mark view columns as multi or single-valued. For 1.5 backwards compatibility, meta-identifier support should be disabled. _ 0 _ Show transaction-related parameters? show hide hide Should this driver use transactions? Are transactions supported by the target database or table implementation you are using? _ 1 0 _ Use this parameter to set advanced transaction properties. For additional information on what these values mean, please refer to the JDBC tutorial at http://java.sun.com/docs/books/tutorial/jdbc/basics/transactions.html and the documentation of your third-party JDBC driver or database. _ unsupported none read uncommitted read committed repeatable read serializable read committed Show statement-related parameters? show hide hide Should this driver reuse java.sql.Statement objects or close and reallocate them with each use? _ 1 0 _ How many result sets can be returned from an SQL statement? _ none single multiple _ Should this driver explicitly lock database resources before executing each statement? 0 1 0 Do you want to use a custom class to generate locking statements? 1 0 0 Specify the name of the class used to generate locking statements. What case should the authentication username be in? _ upper mixed lower _ Choose a left outer-join operator. _ *= (+) LEFT OUTER JOIN _ Should this driver run using the least amount of database metadata possible? This parameter is useful when a given third-party JDBC driver does not implement one of the optional metadata method normally utilized by this driver. When set to no, referential data and child parent relationships are no longer available to this driver. _ 1 0 _ How are results returned from database functions? _ result set return value _ Can schema names be used to retrieve database metadata? _ 1 0 _ For legacy databases that don't support the notion of column position (DB2/AS400, for instance), a backup ordering algorithm must be employed. Sorting columns names by hexadecimal value ensures that if the this driver is relocated to a different server, it will continue to function without modification. Sorting column names by platform or locale string collation order is more intuitive, but may require configuration changes if a driver instance is relocated to a different server. In particular, event log table column order and compound column name order may change. In the case of the latter, the schema-mapping rule and object association values may need to be updated. In the case of the former, event log table columns may have to be renamed. _ com.novell.nds.dirxml.driver.jdbc.util.config.comp.StringByteComparator com.novell.nds.dirxml.driver.jdbc.util.config.comp.StringComparator _ Do you want to ignore events flowing from Identity Manager to the database? _ 1 _ Show parameters that control how and when primary key values are generated? show hide show How are primary key values being generated or retrieved? This setting is global for all tables/views. _ driver auto _ When should primary key values be retrieved? Before or after row insertion? This setting is global for all tables/views. _ after _ Specify how and when primary key values are generated/retrieved on a per table/view basis. This parameter overrides global method and timing settings. Multiple values should be semicolon, comma, or space-delimited. view_ORCLUSERS(none) Disable statement locking? Should explicit locking or database resources be disabled on this channel? 1 0 0 Should the Subscriber add default values to insert operations on views? This parameter is desirable for satisfying instead-of-trigger constraints that require non-null values be provided for non-nullable columns before instead-of-triggers fire. This parameter has no effect on tables. _ 1 0 _ Do you want to ignore events flowing from the database to Identity Manager? _ 1 _ Do you want to use triggered or triggerless publication? Triggered publication uses database triggers to capture events and log them in a table. Triggerless publication, in contrast, derives events by inspecting database tables/views. Triggered publication is more efficient, but requires substantial database-side configuration. Triggerless publication is less efficient, but requires minimal database-side configuration. _ 2 _ What's the name of the table where publication events are stored? idmUser.direct_process Should processed rows be deleted from the event log table? There is a significant performance hit when processed rows are left in the event log table. The performance cost can be mitigated by moving processed rows from the event log table into an event history table using the "Post polling statements:" parameter. _ 0 _ Should the Publisher optimize update events before sending them to the engine? When set to yes, all update events are optimized. When set to no, select update events are not. For a more complete explanation of this parameter, please consult the driver implementation guide. _ 1 _ Allow events initiated by the Subscriber channel to loopback on the Publisher channel? _ 1 _ Disable statement locking? Should explicit locking or database resources be disabled on this channel? 1 0 0 Determine the Publisher's behavior on start-up. _ 2 1 _ Process events in the event log table based upon their effective date as opposed to order of insertion (triggered publication) or publish database local time with each event (triggerless publication)? _ 1 _ Do you want to specify a custom SQL statement that supplies the current time/date on the database server? By default, a statement is dynamically derived. 1 0 0 What SQL statement should be used to determine the current time and date on the database server?" Show parameters that control polling behavior? show hide show What's the minimum number of seconds of inactivity that should elapse between polling cycles? In practice, more than the number of specified seconds may elapse (i.e., this is a lower bound only). The default is 10 seconds. 10 When should the Publisher check for new database events each day? Time values may be entered in multiple formats. The preferred format is hh:mm:ss, where h = hour, m = minute, s = second. What statements, if any, should be executed after an active polling cycle? This parameter is useful, for instance, for calling a stored procedure/function that moves processed rows from the event log table into a history table and rebuilds indexes on the event log table. Multiple values should be semicolon-delimited. CALL idmUser.proc_directlog(); DELETE FROM indirect.indirect_process What is the desired number of database events that the Publisher group together in a single publication document? The number of events per document may be less but will not be greater. The upper bound of 128 was chosen to minimize the likelihood of overflowing the Java heap and to mitigate delaying termination of the Publisher thread on driver shutdown. _ 2 4 8 16 32 64 128 _ How many minutes of Publisher inactivity should elapse before the Publisher sends a heartbeat document? In practice, more than the number of minutes specified may elapse. That is, this parameter defines a lower bound. 0 User: Require CN add User Group: Require CN add Group Priv: Require OrclGrantee, OrclGrantedRole add OrclPriv User: Add attributes User add \ grp Group: Add attributes Group add OrclRole User: Match on CN add User Group: Match on CN add Group \ Priv: Match on OrclGrantee, OrclGrantedRole add OrclPriv \ Publish password payloads Add operation-data element to password operations add operation-data add add-attr[@attr-name='nspmDistributionPassword'] operation-data modify-password operation-data modify modify-attr[@attr-name='nspmDistributionPassword'] operation-data Add payload data to password operations add add add-attr[@attr-name='nspmDistributionPassword'] modify-password modify modify-attr[@attr-name='nspmDistributionPassword'] Publish Passwords Block publishing passwords to IDM data store when adding a object false add Block sending modify-password changes to the IDM data store false modify-password On User add, provide default password of Dirxml1 if none exists add User Dirxml1 Publish passwords to NMAS distribution password Add nspmDistributionAttribute attribute to add operation true add Change modify-password operations to a modify true modify-password pwd-publish Publish passwords to NDS password Block publishing passwords to NDS password false add Block sending modify-password changes to the NDS password false modify-password User add User \ Group add Group \ \ Priv add OrclPriv \ \ -Priv- Set Local Variables OrclPriv \ Set GranteeDN if Group contains($granteeDN,$grantee) ADD Priv for User or Group OrclPriv add \ \ DEL Priv for User or Group OrclPriv delete \ \ Transform Delete User into Remove from Group User delete \ grp User: Match on CN add User Group Match on CN add Group Priv Match on OrclGrantee, OrclGrantedRole add OrclPriv Payloads for subscribe to password changes Add operation-data element to password operations add operation-data modify-password operation-data Add payload data to a reset password from a failed password publish operation modify-password self::modify-password[@event-id = 'pwd-publish-failed'] Add payload data to password operations add modify-password self::modify-password[@event-id != 'pwd-publish-failed'] Subscribe to password changes Block subscribing to passwords when objects are added false add Block subscribing to password modifications false modify-password On User add, provide default password of Dirxml1 if none exists add User Dirxml1 Transform NMAS attribute to password elements Convert adds of the nspmDistributionPassword attribute to password elements add Block modifies for failed password publish operations if reset password is false false modify modify-attr[@attr-name='nspmDistributionPassword' and @failed-sync='true'] Convert modifies of a nspmDistributionPassword attribute to a modify password operation modify pwd-subscribe Block empty modify operations modify modify-attr User: Veto if not for driver's SID User \META\ca\novl\Oracle\Ora10gR2grp Group: Veto if not for driver's SID Group Ora10gR2 User: Add association User PK_USERNAME= ,table=VIEW_ORCLUSERS,schema=idmUser Group Add association Group PK_ROLE= ,table=VIEW_ORCLROLES,schema=idmUser test @source="Oracle" AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Unable to create role. Missing 'OrclRole' value or 'OrclSID' not equal to '~ConnectedSystemName~'. 0 0 password-set-operation CREATE ROLE SELECT pk_ROLE FROM view_ORCLROLES WHERE pk_ROLE = {$pk_ROLE} Unable to drop role. Unable to retrieve role info or SID not equal to "~ConnectedSystemName~". 0 DROP ROLE CASCADE We are in the Sub-CT stylesheet Role Membership for User Group corresponds to a Oracle role Group does not correspond to a Oracle role Group does not correspond to a Oracle role We are in the Sub-CT stylesheet Role Membership for Group Group corresponds to a Oracle role Group does not correspond to a Oracle role Group corresponds to a Oracle role Group does not correspond to a Oracle role Add roles to Database user 0 0 password-set-operation GRANT TO remove a Oracle role membership for User 0 0 password-set-operation REVOKE FROM Verify if removed Group is MyDBGrp. Removed Group is: User must be removed from Oracle DROP USER CASCADE 0 0 password-set-operation GRANT TO 0 0 password-set-operation REVOKE FROM Global variable 'replica-value' is undefined or is set to an illegal value '~replica-value~'. We are in the Sub-CT stylesheet Role Membership for @source=Oracle BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB We are in the Sub-ET for a Job event We are in the stylesheet Sub-Clock2 for a clock tick for Accounts SELECT pk_USERNAME FROM view_ORCLUSERS Log the list of Oracle Users Account has been removed from Oracle : There are no deleted Oracle users for this instance Account has been added to Oracle : There are no new Oracle users for this instance We are in the stylesheet Sub-Clock2 for deactivating an account Account has been removed from Oracle We are in the stylesheet Sub-Clock2 for activating an account Account has been added to Oracle Create user event in eventlog INSERT INTO idmUser.DIRECT_PROCESS (record_id, event_type, perpetrator, table_name, table_key) VALUES(idmUser.seq_log_record_id.nextval, 5, 'fake', 'view_ORCLUSERS', 'pk_USERNAME= ') We are in the stylesheet Sub-Clock2 for a clock tick for Roles SELECT pk_ROLE FROM view_ORCLROLES Log the list of Oracle Roles ~ConnectedSystemName~ Role has been removed from Oracle : There are no deleted Oracle Roles for this instance Role has been added to Oracle : There are no new Oracle Roles for this instance We are in the stylesheet Sub-Clock2 for deactivating a role Role has been removed from Oracle We are in the stylesheet Sub-Clock2 for activating a Role Role has been added to Oracle Create Role event in eventlog INSERT INTO idmUser.DIRECT_PROCESS (record_id, event_type, perpetrator, table_name, table_key) VALUES(idmUser.seq_log_record_id.nextval, 5, 'fake', 'view_ORCLROLES', 'pk_ROLE= ') We are in the stylesheet Sub-Clock2 for a clock tick for Privs SELECT pk_GRANTEE ||'-Priv-' || pk_GRANTED_ROLE PRIV FROM view_ORCLPRIVS Log the list of Oracle Privs OrclPriv Priv has been removed from Oracle : There are no Oracle Privs for this instance Priv has been added to Oracle : There are no new Oracle Privs for this instance We are in the stylesheet Sub-Clock2 for Deactivating a Priv Priv has been added to Oracle Create Priv event in eventlog INSERT INTO idmUser.DIRECT_PROCESS (record_id, event_type, perpetrator, table_name, table_key) VALUES(idmUser.seq_log_record_id.nextval, 4, 'fake', 'view_ORCLPRIVS', 'pk_GRANTEE= +pk_GRANTED_ROLE= ')