1.2 Configuration Overview

This section discusses driver configuration details specific to the i5/OS driver. For basic configuration information, see the Identity Manager 3.5.1 Administration Guide on the Identity Manager 3.5.1 Documentation Web site. For detailed information about configuring the i5/OS driver, see Section 6.0, Configuring the i5/OS (OS/400) Driver.

1.2.1 Data Flow

Filters and policies control the data flow of users and groups to and from the connected system and the Identity Vault. The Data Flow option, specified during driver import, determines how these filters and policies behave.

  • Bidirectional: Sets classes and attributes to be synchronized on both the Subscriber and Publisher channels.

  • Application to Identity Vault: Sets classes and attributes to be synchronized on the Publisher channel only.

  • Identity Vault to Application: Sets classes and attributes to be synchronized on the Subscriber channel only.

1.2.2 Filter and Schema Mapping

Attributes of i5/OS profiles that correspond to attributes of eDirectory™ User and Group objects are mapped by the default driver filter and the schema mapping policy. The i5/OS driver provides a file ( i5os.sch) that you can use to add auxiliary classes to eDirectory User and Group objects to support many more i5/OS user and group attributes.

The Metadirectory engine uses filters to control which objects and attributes are shared. The default filter configuration for the i5/OS driver allows objects and attributes to be shared as described in Table 1-2 and Table 1-3.

The eDirectory class User corresponds to the i5/OS class UserProfile.

Table 1-2 Default eDirectory User to i5/OS UserProfile Mapping

eDirectory User Attribute

i5/OS UserProfile Attribute

CN

USRPRF

Description

TEXT

company

CMPNY

Facsimile Telephone Number

FAXTELNBR

Full Name

FULNAM

Given Name

FSTNAM

Home Directory

HOMEDIR

Login Disabled

STATUS

Postal Address

ADDR1

preferredName

PREFNAM

Telephone Number

TELNBR1

UID

UID

departmentNumber

DEPT

Initials

INITIALS

Title

TITLE

Password Expiration Interval

PWDEXPITV

Surname

LSTNAM

Generational Qualifier

GENQUAL

Group Membership

GroupMembership

nspmDistributionPassword

PASSWORD

The eDirectory class Group corresponds to the i5/OS class GroupProfile.

Table 1-3 Default eDirectory Group to i5/OS GroupProfile Mapping

eDirectory Group Attribute

i5/OS GroupProfile Attribute

CN

USRPRF

Description

TEXT

Member

Members

GID

GID

NOTE:GroupMembership and Members are virtual attributes used to populate the i5/OS GRPPRF and SUPGRPPRF user profile fields when the driver is configured to synchronize group membership.

1.2.3 Policies

The Metadirectory engine uses policies to control the flow of information into and out of the Identity Vault. The following table describes the policy functions for the i5/OS driver in the default configuration:

Table 1-4 Default i5/OS Driver Policy Functions

Policy

Description

Mapping

Maps the Identity Vault User and Group objects and selected attributes to an i5/OS user or group.

Publisher Event

None is provided.

Publisher Matching

Restricts privileged accounts and defines matching criteria for placement in the Identity Vault.

Publisher Create

Defines creation rules for users and groups before provisioning into the Identity Vault.

Publisher Placement

Defines where new users and groups are placed in the Identity Vault.

Publisher Command

Defines password publishing policies.

Subscriber Matching

Defines rules for matching users and groups in the connected system.

Subscriber Create

Defines required creation criteria.

Subscriber Command

Transforms i5/OS attributes and defines password subscribing policies.

Subscriber Output

Sends e-mail notifications for password failures and converts information formats from the Identity Vault to the connected system.

Subscriber Event

Restricts events to a specified container.