5.4 Synchronizing Data

5.4.1 Determining Which Objects Are Synchronized

Identity Manager uses filters on the Publisher and Subscriber channels to control which objects are synchronized and to define the authoritative data source for these objects.

The default filters are illustrated in Filters. Use the following procedure to make changes to the default.

  1. In iManager, select Identity Manager > Identity Manager Overview.

  2. Locate the driver in its driver set.

  3. Click the driver to open the Identity Manager Driver Overview page.

  4. Click the Publisher or Subscriber filter icon and make the appropriate changes.

    The Publisher filter must include the Identity Vault mandatory attributes. The Subscriber filter must include the LDAP server required attributes.

    For every object and attribute selected in the filter, the Mapping policy must have a corresponding entry unless the class or attribute names are the same in both directories. Before mapping an attribute, verify that a corresponding attribute actually exists in the target directory. 

  5. Click OK.

5.4.2 Defining Schema Mapping

Different LDAP servers have different schemas. When the driver is first started, it queries the server for the specific schema.

You must be familiar with the characteristics of directory attributes and the LDAP server attributes. The driver handles all LDAP attribute types (cis, ces, tel, dn, int, bin). It also handles the eDirectory Facsimile Telephone Number.

When mapping attributes, follow these guidelines:

  • Verify that every class and attribute specified in the Subscriber and Publisher policies is mapped in the Mapping policy unless the class or attribute names are the same in both directories.

  • Before mapping a directory attribute to an LDAP server attribute, verify that an LDAP server attribute actually exists. For example, the Full Name attribute is defined for a User object on an Identity Vault but fullname doesn’t exist in an inetOrgPerson object on Netscape.

  • Always map attributes to attributes of the same type. For example, map string attributes to string attributes, octet attributes to binary attributes, or telephone number attributes to telephone number attributes.

  • Map multivalue attributes to multivalue attributes.

The driver doesn’t provide data conversion between different attribute types or conversions from multivalue to single-value attributes. The driver also doesn’t understand structured attributes except for Facsimile Telephone Number and Postal Address.

Identity Manager is flexible about the syntax that it accepts coming in from the Publisher:

  • Accepting Non-Structured/Non-Octet Syntax: Identity Manager accepts any non-structured/non-octet syntax for any other non-structured/non-octet syntax as long as the actual data can be coerced to the appropriate type. That is, if the Identity Vault is looking for a numeric value, the actual data should be a number.

  • Coercing the Data to Octet: When Identity Manager is expecting octet data and gets another non-octet/non-structured type, Identity Manager coerces the data to octet by serializing the string value to UTF-8.

  • Coercing the Data to a String: When Identity Manager is passed octet data and another non-structured type is expected, Identity Manager coerces the data to a string by decoding the Base64 data. Identity Manager next tries to interpret the result as a UTF-8 encoded string (or the platform’s default character encoding if it is not a valid UTF-8 string) and then applies the same rules as Accepting Non-Structured/Non-Octet Syntax.

  • FaxNumber: For faxNumber, if a non-structured type is passed in, Accepting Non-Structured/Non-Octet Syntax and Coercing the Data to a String are applied to the data to get the phone number portion of the fax number. The other fields are defaulted.

  • State: For state, False, No, F, N (in either upper or lowercase), 0 and “” (empty string) are interpreted as False, and any other value is interpreted as True.
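The Publisher coercion rules above, written out as an added example (not driver code): string-to-octet by UTF-8 serialization, octet-to-string by Base64 decoding with a platform-encoding fallback, the State truth table, and the phone-number-only handling for faxNumber. The syntax names and the fax field names are assumptions made for this example.

```python
import base64
import locale

# Values the text lists as False for the State syntax (compared case-insensitively).
STATE_FALSE = {"false", "no", "f", "n", "0", ""}


def string_to_octet(value: str) -> str:
    """Non-octet value arriving where octet is expected: serialize to UTF-8.
    Assumption: octet values travel Base64-encoded, so the Base64 text is returned."""
    return base64.b64encode(value.encode("utf-8")).decode("ascii")


def octet_to_string(b64: str) -> str:
    """Octet value arriving where a non-structured type is expected: Base64-decode,
    read as UTF-8, and fall back to the platform default encoding if that fails."""
    raw = base64.b64decode(b64, validate=True)
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw.decode(locale.getpreferredencoding(False), errors="replace")


def to_state(value: str) -> bool:
    """State syntax: the listed values are False, anything else is True."""
    return value.lower() not in STATE_FALSE


def coerce(value: str, expected: str, is_octet: bool = False):
    """Apply the rules for one incoming value. 'expected' is the Identity Vault
    syntax (names chosen for this example); is_octet says the value arrived as octet."""
    if expected == "octet":
        return value if is_octet else string_to_octet(value)
    text = octet_to_string(value) if is_octet else value
    if expected == "string":
        return text
    if expected == "int":
        return int(text)  # raises ValueError when the data cannot be coerced to a number
    if expected == "state":
        return to_state(text)
    if expected == "fax":
        # Only the phone-number portion comes from the data; the remaining structured
        # fields keep driver defaults (modeled as None; field names are assumed here).
        return {"number": text, "bitcount": None, "parameters": None}
    raise ValueError(f"unsupported syntax {expected!r}")
```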

To configure the Schema Mapping policy:

  1. In iManager, click Identity Manager > Identity Manager Overview.

  2. Locate the driver in its driver set.

  3. Click the driver to open the Identity Manager Driver Overview page.

  4. Click the schema mapping icon on the Publisher or Subscriber channel.

  5. Edit the policy as appropriate for your setup.

5.4.3 Defining Object Placement in Netscape Directory Server

We recommend following the Netscape naming rules for objects in Netscape Directory Server. A brief explanation of naming rules is included here for your convenience.

The directory contains entries that represent people. These person entries must have names. In other words, you must decide what the relative distinguished name (RDN) is for each person entry. The DN must be a unique, easily recognizable, permanent value. We recommend that you use the uid attribute to specify a unique value associated with the person. An example DN for a person entry is:

uid=jsmith,o=novell

The directory also contains entries that represent many things other than people (for example, groups, devices, servers, network information, or other data). We recommend that you use the cn attribute in the RDN. Therefore, if you are naming a group entry, name it as follows:

cn=administrators,ou=groups,o=novell

The directory also contains branch points or containers. You need to decide what attributes to use to identify the branch points. Because attribute names have a meaning, use the attribute name with the type of entry it is representing. The Netscape recommended attributes are defined as follows:

Table 5-2 Netscape Recommended Attributes

  Attribute Name   Definition
  c                Country name
  o                Organization name
  ou               Organizational Unit
  st               State
  l                Locality
  dc               Domain Component

A Subscriber Placement policy specifies the naming attribute for a classname. The following example is for the User classname. The <placement> statement specifies that uid is used as the naming attribute.

<placement-rule>
   <match-class class-name="User"/>
   <match-path prefix="\Novell-Tree\Novell\Users"/>
   <placement>uid=<copy-name/>,ou=People,o=Netscape</placement>
</placement-rule>

The following Subscriber Placement specifies that ou is used as the naming attribute for class-name Organizational Unit.

<placement-rule>
   <match-class class-name="Organizational Unit"/>
   <match-path prefix="\Novell-Tree\Novell\Users"/>
   <placement>ou=<copy-name/>,ou=People,o=Netscape</placement>
</placement-rule>
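A small evaluator for the two placement rules above, added here as an example (not the driver's own policy engine): it matches on class-name and path prefix, substitutes <copy-name/> with the object's name, and escapes that name per RFC 4514 so a name containing commas or equals signs cannot produce a malformed DN. First-match-wins and a plain prefix comparison are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed sample: the two Subscriber placement rules from this section in one document.
PLACEMENT_POLICY = r"""
<placement-rules>
  <placement-rule>
    <match-class class-name="User"/>
    <match-path prefix="\Novell-Tree\Novell\Users"/>
    <placement>uid=<copy-name/>,ou=People,o=Netscape</placement>
  </placement-rule>
  <placement-rule>
    <match-class class-name="Organizational Unit"/>
    <match-path prefix="\Novell-Tree\Novell\Users"/>
    <placement>ou=<copy-name/>,ou=People,o=Netscape</placement>
  </placement-rule>
</placement-rules>
"""


def escape_rdn_value(value: str) -> str:
    """RFC 4514 escaping for an attribute value used inside an RDN."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;=':
        out = out.replace(ch, "\\" + ch)
    if out.startswith((" ", "#")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def place(policy_xml: str, class_name: str, src_dn: str, name: str) -> Optional[str]:
    """Return the LDAP DN for the first rule whose class and path prefix match, else None."""
    root = ET.fromstring(policy_xml)
    for rule in root.iter("placement-rule"):
        match_class = rule.find("match-class")
        match_path = rule.find("match-path")
        if match_class is not None and match_class.get("class-name") != class_name:
            continue
        if match_path is not None and not src_dn.startswith(match_path.get("prefix", "")):
            continue
        placement = rule.find("placement")
        copy_name = placement.find("copy-name")
        prefix = placement.text or ""           # text before <copy-name/>
        if copy_name is None:
            return prefix
        return prefix + escape_rdn_value(name) + (copy_name.tail or "")
    return None
```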

To configure a placement policy:

  1. In iManager, click Identity Manager > Identity Manager Overview.

  2. Locate the driver in its driver set.

  3. Open the Identity Manager Driver Overview page by clicking the driver.

  4. Click the Publisher or Subscriber Placement policy icon, then make the appropriate changes.

  5. Click Close.

5.4.4 Working with eDirectory Groups and Netscape

Because group attributes are different in an Identity Vault and Netscape Directory Server, some special processing is required by the driver. On the Publisher channel, special processing takes place when the driver sees the attribute uniquemember in the classname groupofuniquenames.

The driver also sets the attribute Equivalent To Me in the eDirectory Group. The attribute Equivalent To Me must be included in the Publisher filter. The attribute Equivalent To Me need not be in the Schema Mapping policy because the eDirectory attribute name is used. There is no equivalent attribute name in Netscape Directory Server. No special processing is required on the Subscriber channel.