Policies
Policies control data synchronization between Active Directory and an Identity Vault.
During the driver configuration, the Active Directory configuration file enables you to select several options that affect the default policies and filters created for you. The following table lists these options and how they affect policies and filters that are created:
| Option | Description |
|---|---|
| Configure Data Flow | Establishes the filters on the Publisher and Subscriber channels. Bidirectional enables the same filters on both channels, so both channels receive the same set of default objects and attributes. AD to eDirectory places a restrictive filter so that attribute changes are not sent from the Identity Vault to Active Directory. eDirectory to AD places a restrictive filter so that attribute changes are not sent from Active Directory to the Identity Vault. |
| Publisher Placement | Controls how objects are placed in the Identity Vault. Mirrored places objects in the Identity Vault in the same hierarchy as they exist in Active Directory. Flat places all objects in the base container in the Identity Vault specified during configuration. |
| Subscriber Placement | Controls how objects are placed in Active Directory. Mirrored places objects in Active Directory in the same hierarchy as they exist in the Identity Vault. Flat places all objects in the base container in Active Directory specified during configuration. |
The following table lists the default policies and describes how selections made during configuration affect them:
| Policy | Description |
|---|---|
| Create | In either the mirrored or flat hierarchy, you must define Full Name to create an Active Directory user as a user in the Identity Vault. |
| Matching | In a mirrored hierarchy, the matching policy attempts to match an object in the same position in the hierarchy. In a flat hierarchy, the matching policy attempts to match the user with an object that has the same Full Name in the base container that you specify. |
| Placement | In a mirrored hierarchy, the placement policy places all objects in a hierarchy that mirrors the hierarchy of the data store sending the operation. In a flat hierarchy, the placement policy places all objects in the base container that you specify. |
Schema Mapping
The following Identity Vault user, group, and Organizational Unit attributes are mapped to Active Directory user and group attributes.
The mappings listed in the tables are default mappings. You can remap same-type attributes.
Attributes Mapped for All Classes
| eDirectory | Active Directory |
|---|---|
| CN | cn |
| Description | description |
| Facsimile Telephone Number | facsimiletelephoneNumber |
| Full Name | displayName |
| Given Name | givenName |
| Initials | initials |
| Internet EMail Address | mail |
| L | physicalDeliveryOfficeName |
| Locality | locality |
| Login Disabled | dirxml-uACAccountDisabled |
| Login Expiration Time | accountExpires |
| Physical Delivery Office Name | l |
| Postal Code | PostalCode |
| Postal Office Box | postOfficeBox |
| S | st |
| SA | streetAddress |
| See Also | seeAlso |
| Surname | sn |
| Telephone Number | telephoneNumber |
| Title | title |
eDirectory's L attribute is mapped to Active Directory's physicalDeliveryOfficeName attribute, and eDirectory's Physical Delivery Office Name attribute is mapped to Active Directory's L attribute. Because the similarly named fields hold the same value, mapping the attributes this way enables them to work well with both ConsoleOne and the Microsoft Management Console.
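The Login Disabled and Login Expiration Time rows above map onto Active Directory values with a different representation: the driver's dirxml-uACAccountDisabled pseudo-attribute reflects the ACCOUNTDISABLE bit (0x2) of userAccountControl, and accountExpires is a Windows FILETIME (100-nanosecond intervals since 1601-01-01 UTC) in which 0 or 0x7FFFFFFFFFFFFFFF means the account never expires. The following Python is an added illustration of that conversion in both directions, not the driver's own code; the function names and the sample values in the docstrings are constructed for this example.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# userAccountControl flag bit for a disabled account (ADS_UF_ACCOUNTDISABLE).
UF_ACCOUNTDISABLE = 0x0002
# accountExpires values that Active Directory treats as "never expires".
AD_NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}
# FILETIME epoch: accountExpires counts 100-ns intervals from this instant.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def ad_to_vault(user_account_control: int, account_expires: int) -> dict:
    """Derive the eDirectory side of the two account-state mappings from raw AD values.

    Returns 'Login Disabled' (the value surfaced as dirxml-uACAccountDisabled) and
    'Login Expiration Time' as an ISO-8601 UTC string, or None when AD says
    the account never expires.  Example (constructed): uac 0x0202 is a normal,
    disabled account; 135379296000000000 is 2030-01-01T00:00:00Z.
    """
    login_disabled = bool(user_account_control & UF_ACCOUNTDISABLE)
    if account_expires in AD_NEVER_EXPIRES:
        login_expiration = None
    else:
        # Integer-divide by 10 to go from 100-ns intervals to microseconds.
        expires = FILETIME_EPOCH + timedelta(microseconds=account_expires // 10)
        login_expiration = expires.isoformat()
    return {"Login Disabled": login_disabled, "Login Expiration Time": login_expiration}


def vault_to_ad(login_disabled: bool, login_expiration: Optional[str],
                current_uac: int) -> dict:
    """Apply eDirectory values to AD without clobbering other userAccountControl bits.

    Only the ACCOUNTDISABLE bit is changed; every other flag in current_uac is kept.
    A missing expiration time is written as the AD 'never expires' sentinel.
    """
    if login_disabled:
        uac = current_uac | UF_ACCOUNTDISABLE
    else:
        uac = current_uac & ~UF_ACCOUNTDISABLE
    if login_expiration is None:
        account_expires = 0x7FFFFFFFFFFFFFFF
    else:
        dt = datetime.fromisoformat(login_expiration)
        if dt.tzinfo is None:          # treat a naive timestamp as UTC
            dt = dt.replace(tzinfo=timezone.utc)
        delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
        account_expires = ((delta.days * 86400 + delta.seconds) * 10_000_000
                           + delta.microseconds * 10)
    return {"userAccountControl": uac, "accountExpires": account_expires}
```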
Attributes Mapped for Users
| eDirectory | Active Directory |
|---|---|
| CN | userPrincipalName cn |
| DirXML-ADAliasName | sAMAccountName |
| Login Allowed Time Map | logonHours |
Mapped Organizational Unit Attributes
| eDirectory | Active Directory |
|---|---|
| Organizational Unit | organizationalUnit |
| OU | ou |