The Red Hat Directory Server can be chosen as your "Identity System" during installation of the product, which means it will be leveraged as your primary Identity (LDAP) store.
The Identity functionality of this connector enables you, as an Identity administrator, to configure Red Hat Directory Server (referred to in places in this guide by the names of its upstream project, Fedora Directory Server and 389 Directory Server) as a connected system and then make Identity users part of that directory. This enables the user or Identity administrator to reset account passwords on the directory, and it lets you enable and disable user accounts.
Functionalities
Fischer's Red Hat Directory Server integration supports the following functionality:
Identity Integration
Product Feature | Supported |
---|---|
Validate User | Yes |
Enable/Disable User | Yes |
Reset Password | Yes |
Expire Password Immediately | Yes |
Expire Password by Date | Yes |
Authenticate (Test Connection) | Yes |
Provisioning Integration
Data Format | Export | Create | Modify | Delete | Trigger |
---|---|---|---|---|---|
ChangeLog | Yes | No | No | No | No |
Profiles | Yes | Yes | Yes | Yes | Yes |
Prerequisites
Ensure that these prerequisites are satisfied:
- Red Hat Directory Server 10.X is installed, configured, and running.
- An administrator account that can be used to establish a connection and has authority to manage accounts on the connected system. Prefer a dedicated service account whose access control instructions (ACIs) are scoped to the user and group subtrees the connector must manage, rather than the Directory Manager account; the connector stores this account's password, so the account should hold no more rights than the operations in the tables above require.
Creating and Managing the Connected System
A connected system can be managed from both the Admin UI and the Workflow and Connectivity Studio. Step-by-step instructions for creating one are provided in the following sub-sections. Clicking the connected system on the listing page (Admin UI), or selecting the desired system and clicking the View button (Studio), takes you to a detail page where you can manage the connected system.
Creating from Admin UI
- Log in to Identity Administration and click the Systems tab.
- On the Connected System View page, click the Add button and select the Red Hat Directory Server connected system from the Type drop-down list. The Connected System Details page displays the default values.
- Enter the desired information:
Definition Type
Select the connected system type.
Locale
Select the preferred language (default: English). Locale-specific information such as Display Name and Description can be added only while modifying the connected system.
Name
The name for this connected system. Note: The name cannot be modified later.
Display Name
The display name of the new connected system.
Description
The description of the connected system.
Associated With
Select how the connector associated with this system will run:
- Server (default) - Runs locally on the Provisioning/Identity Server.
- Global Identity Gateway - Runs remotely on a Global Identity Gateway cluster member. Note: Only GIG clusters that have at least one registered and enabled member will display in this list. See Using the Global Identity Gateway with Connected Systems for additional information.
Password Reset By
Enables administrators to configure password management functions normally available to Users and OBO (On Behalf Of) Users:
- OBO User Only - Connected system and account association information is displayed only in Self-Service user management (for OBO Users). OBO Users can reset passwords for accounts on this connected system. Administrators can perform all user management functions for this connected system (e.g., enable/disable, validate, associate user, and password reset). End users will not see their accounts on this connected system in Self-Service and Kiosk; therefore, they cannot reset passwords for accounts on this connected system.
- Users and OBO User - Connected system and account association information is displayed in Self-Service password reset, Self-Service - Kiosk, and Self-Service user management. Self-Service users, Kiosk users, and OBO Users can reset passwords for accounts on this connected system. Administrators can perform all user management functions for this connected system (e.g., enable/disable, validate, associate user, and password reset).
- External - Connected system and account association information is not displayed in Self-Service password reset, Self-Service - Kiosk, and Self-Service user management. Self-Service users, Kiosk users, and OBO Users cannot reset passwords for accounts on this connected system.
Note: When user management configuration enables OBO Users to perform password resets, this definition must be set to OBO User Only or Users and OBO User. For connectors that support Provisioning only, there is no password reset capability.
Provisioning Option
Select the provisioning option:
- Automated (default) - The connected system functions as a normal connected system; there are no restrictions.
- Administrative - The connected system cannot be used as an object in a workflow.
Enable HPAM Support
Select to make the connected system HPAM enabled (default: cleared). Note: This can only be set for systems that support Identity.
Enable Transfer of Accounts
Select to enable the transfer of accounts (default: cleared).
Connection Information
Host
The IP address or host name of the server (e.g., 10.102.200.20 or localhost). Multiple hosts are supported by using a space-separated list of host names, each optionally followed by a port (e.g., abc.example.com example2.com:391 example3.com). The first server in the list that accepts the connection is used.
Port
The LDAP port number of the server.
Service Account Name
The name of the administrative user account used to connect to the server. The Select button displays the Fetch DN window to select the DN value. See Step 4 for details on using the Select button. Note: If anonymous bind is enabled on the LDAP server, the required LDAP entry can be selected even if the Service Account Name and Service Account Password are not entered. That also means any unauthenticated client can browse the same entries, so leave anonymous bind enabled only where that is intended.
Service Account Password
The administrative user password.
Use Secure Connection
Check this box if the connection is to be SSL-enabled. Note: This connector uses the Java keystore for SSL communication with the system, so the directory server's certificate (or the CA that issued it) must be trusted by that keystore or the connection will fail. See Configuring SSL for Fischer for additional information about enabling SSL.
LDAP Connection Timeout
Select the LDAP connection timeout value:
- 0 - There is no time out.
- -1 - Use the system default.
Enable LDAP Connection Pool
Check this box to enable connection pooling. Note: The properties that control the pool size, etc. are controlled globally under Admin UI ► Configuration tab ► Configuration Function Menu item ► Modify Configuration for ► Global Settings, and impact all LDAP systems.
User Search Information
Base DN
The root DN of the Directory Information Tree (DIT). The Select button displays the Fetch DN window to select the DN value. See Step 4 for details on using the Select button.
User Base DN
The base DN where the users are located. The Select button displays the Fetch DN window to select the DN value. See Step 4 for details on using the Select button.
User Object Classes
The object class for the user profile.
User Department Attribute
The attribute to use for the user's department.
Entitlement Search Information
Entitlement Query 1
Specifies assignment of a role to an explicit enumerated list of members. The query can be modified to return other entries if there is a custom object class for groups or roles. The default is (objectclass=ldapsubentry)(objectclass=nsmanagedroledefinition). Note: these are two filter components rather than one complete filter; to reproduce the query with a standard LDAP client, combine them with an AND, as (&(objectclass=ldapsubentry)(objectclass=nsmanagedroledefinition)).
Entitlement Query 2
Defines entries that represent an unordered set of names whose integrity can be assured and that represent individual objects or other groups of names. The query can be modified to return other entries if there is a custom object class for groups or roles. The default is (objectClass=groupOfUniqueNames).
Configuration Details
Login ID Attribute
The attribute that contains the login ID value.
Password Attribute
The attribute that contains the password value.
Password Expiration Support
Expiration Options For Admin/OBO User Password Reset
Specify the password expiration: None, Immediate, or Immediate with Date. Note: If Immediate with Date is selected, Immediate is also available.
The Detect button creates a connection to the connected system using the current configuration settings. The connector then attempts to auto-detect correct values for the settings above and updates them with the detected values.
System Owner
Add or Remove users assigned as the owners of the system. Displays the Connected System Owner Search page for selecting users. The HPAM column indicates whether the system owner is authorized to use the HPAM feature. The Approvers column indicates whether the system owner is an approver in the approval process.
Add PswdPolicy / Remove PswdPolicy
Adds/removes a password policy to/from this connected system. If the connected system is associated with a Connected System Group, the buttons will be unavailable; all password policy assignments are defined at the group level (refer to the Admin UI ► Systems ► Groups option).
- Click a Select button to select the DN value. The Fetch DN window displays. Click Select to add the selected base DN.
Search Base
Click the Fetch button to retrieve the base DN entry to use for searches. If there is more than one search base, all entries display and can be selected from the drop-down list.
Fetch
Retrieves the base DNs for the selected connected system.
Selected DN
The default DN value of the selected attribute.
Filter
Changes the filter used for searching to narrow the scope and return more specific results.
Build Directory Tree
Builds the directory tree of the selected DN.
Search Tree
Click a section of the Search Tree to use in an entitlement search.
Select
Adds the selected base DN.
- Click the Test Connection button to test the Connection Information. If successful, one or both of these messages may display:
Message: Connection from Provisioning to the connected system was established successfully.
Message: Connection from Identity to the connected system was established successfully.
If unsuccessful, one or both of these messages may display:
Error: Failed to establish connection from Provisioning to the connected system.
Error: Failed to establish connection from Identity to the connected system.
Note: If the connection fails, additional messages may display providing more information regarding the failure, and additional information may be posted to the Provisioning and Identity logs.
- (Optional) To select owners of the system, click the System Owner Add button. The Connected System Owner Search page displays.
- Select the owners and then click the Select button. The system owner displays under the System Owner section. Note: More than one user can be assigned as an owner. To add additional system owners, click the Add button.
- On the Connected System Details page, click the Add button to save the configured connected system. The Object Category Association page displays a list of categories that are already associated and/or can be selected to add additional associations to this connected system. Select one or more available object categories, or provide search criteria and click the Search button to find specific categories to select. If there are no available categories to select, proceed to Step 8.
- Click the Add Association button to associate the selected object categories with the connected system.
- Click the Back button to return to the Connected System View page. The new connected system displays in the list.
See the appendix Copying, Modifying, and Deleting Connected Systems for additional information.
Creating from Studio
- Log in to the Workflow and Connectivity Studio and click Connectivity ► Add Systems on the menu bar. The Add Connected Systems window displays.
- Select the Red Hat Directory Server connected system from the Type drop-down list. The default values display.
- Enter the desired information:
Definition Type
Select the connected system type.
Name
The name for this connected system. Note: The name cannot be modified later.
Display Name
The display name of the new connected system.
Description
The description of the connected system.
Supported Connectors
Displays whether the connected system is Identity only, Provisioning only, or both. Only connectors that support Provisioning are available here.
Associated With
Select how the connector associated with this system will run:
- Server (default) - Runs locally on the Provisioning/Identity Server.
- Global Identity Gateway - Runs remotely on a Global Identity Gateway cluster member. Note: Only GIG clusters that have at least one registered and enabled member will display in this list.
Password Reset By
Enables administrators to configure password management functions normally available to Users and OBO (On Behalf Of) Users:
- OBO User Only - Connected system and account association information is displayed only in Self-Service user management (for OBO Users). OBO Users can reset passwords for accounts on this connected system. Administrators can perform all user management functions for this connected system (e.g., enable/disable, validate, associate user, and password reset). End users will not see their accounts on this connected system in Self-Service and Kiosk; therefore, they cannot reset passwords for accounts on this connected system.
- Users and OBO User - Connected system and account association information is displayed in Self-Service password reset, Self-Service - Kiosk, and Self-Service user management. Self-Service users, Kiosk users, and OBO Users can reset passwords for accounts on this connected system. Administrators can perform all user management functions for this connected system (e.g., enable/disable, validate, associate user, and password reset).
- External - Connected system and account association information is not displayed in Self-Service password reset, Self-Service - Kiosk, and Self-Service user management. Self-Service users, Kiosk users, and OBO Users cannot reset passwords for accounts on this connected system.
Note: When user management configuration enables OBO Users to perform password resets, this definition must be set to OBO User Only or Users and OBO User. For connectors that support Provisioning only, there is no password reset capability.
Provisioning Option
Select the provisioning option:
- Automated (default) - The connected system functions as a normal connected system; there are no restrictions.
- Administrative - The connected system cannot be used as an object in a workflow.
Enable HPAM Support
Select to make the connected system HPAM enabled (default: cleared). Note: This can only be set for systems that support Identity.
Connection Information
Host
The IP address or host name of the server (e.g., 10.102.200.20 or localhost). Multiple hosts are supported by using a space-separated list of host names, each optionally followed by a port (e.g., abc.example.com example2.com:391 example3.com). The first server in the list that accepts the connection is used.
Port
The LDAP port number of the server.
Service Account Name
The name of the administrative user account used to connect to the server. The Select button displays the Select DN from LDAP Directory window to select the DN value.
Service Account Password
The administrative user password.
Use Secure Connection
Check this box if the connection is to be SSL-enabled. Note: This connector uses the Java keystore for SSL communication with the system, so the directory server's certificate (or the CA that issued it) must be trusted by that keystore or the connection will fail. See the guide Configuring SSL for additional information about enabling SSL.
LDAP Connection Timeout
Select the LDAP connection timeout value:
- 0 - There is no time out.
- -1 - Use the system default.
Enable LDAP Connection Pool
Check this box to enable connection pooling. Note: The properties that control the pool size, etc. are controlled globally under Admin UI ► Configuration tab ► Configuration Function Menu item ► Modify Configuration for ► Global Settings, and impact all LDAP systems.
User Search Information
Base DN
The root DN of the Directory Information Tree (DIT). The Select button displays the Select DN from LDAP Directory window to select the DN value.
User Base DN
The base DN where the users are located. The Select button displays the Select DN from LDAP Directory window to select the DN value.
User Object Classes
The object class for the user profile.
User Department Attribute
The attribute to use for the user's department.
Entitlement Search Information
Entitlement Query 1
Specifies assignment of a role to an explicit enumerated list of members. The query can be modified to return other entries if there is a custom object class for groups or roles. The default is (objectclass=ldapsubentry)(objectclass=nsmanagedroledefinition). Note: these are two filter components rather than one complete filter; to reproduce the query with a standard LDAP client, combine them with an AND, as (&(objectclass=ldapsubentry)(objectclass=nsmanagedroledefinition)).
Entitlement Query 2
Defines entries that represent an unordered set of names whose integrity can be assured and that represent individual objects or other groups of names. The query can be modified to return other entries if there is a custom object class for groups or roles. The default is (objectClass=groupOfUniqueNames).
Configuration Details
Login ID Attribute
The attribute that contains the login ID value.
Password Attribute
The attribute that contains the password value.
Password Expiration Support
Expiration Options For Admin/OBO User Password Reset
Specify the password expiration: None, Immediate, or Immediate with Date. Note: If Immediate with Date is selected, Immediate is also available.
The Detect button creates a connection to the connected system using the current configuration settings. The connector then attempts to auto-detect correct values for the settings above and updates them with the detected values.
- Click the Connect button to test the Connection Information. If successful, this message displays:
Connection from Studio to the connected system was established successfully.
If unsuccessful, this message displays:
Failed to establish connection from Studio to the connected system.
Note: If the connection fails, additional messages may display providing more information regarding the failure, and additional information may be posted to the Provisioning and Identity logs.
- Click the Apply button to apply changes. The Category Association window displays. Select one or more object categories from the Available Categories list, or enter a category name and click the Search button to find a specific category to select. If there are no available categories to select, proceed to Step 6.
- Click the Add button to associate the selected object categories with the connected system.
- Click OK to accept the selected categories.
See Copying, Modifying, and Deleting Connected Systems for additional information.
Using the Connected System for Identity
Perform these procedures to configure the connector:
- Connector Details for Identity
- Identity Password Management
Connector Details for Identity
Field | System Attribute | Example Value |
---|---|---|
Login ID | cn | Betty Lane |
Account ID | dn | cn=Betty Lane,ou=People,dc=example,dc=com |
Identity Password Management
See User Management for details on password management.
Using the Connected System for Provisioning
Perform these procedures to configure the connector:
- Configuring for Export
- Configuring for Import
- Connector Details for Provisioning
Note: If the number of records to be processed exceeds one thousand, we recommend configuring the workflow to use bulk mode, which lowers the memory consumption of the system by streaming data to files. Because data is streamed for every task, performance of the workflow execution will be decreased due to increased read-write operations. See the Workflow and Connectivity Studio document for details on how to configure bulk mode.
Configuring for Export
Perform these procedures to configure the connector for data export:
- Configuring the Export Connector
- Configuring the Export Link
From the Workflow and Connectivity Studio, select the 389 Directory Server UserExport workflow listed under the projects folder.
If a workflow does not already exist, create an export workflow. See Workflow and Connectivity Studio for details on creating export workflows.
Configuring the Export Connector
- In the Design pane, double-click the export object (the first workflow object after the Start object). The Configure Data Source window displays.
- From the Configure Plug-in tab, set these properties as required:
Associated Connected System
Select the connected system from the list. The export operation will be done from this connected system.
Data Formats
Select the type of data format to use: Profiles (default) or ChangeLog.
DeltaExportMode
Select the type of attribute to export if a change takes place (this works in conjunction with ExportMode when DeltaExport is selected):
- OnlyChangedAttributes - Performs a partial export of only the attributes changed since the last time the query was run.
- ChangedAndMandatoryAttributes (default) - Performs a partial export of both changed and mandatory attributes since the last time the query was run. Mandatory attributes are exported whether they have been changed or not.
- AllAttributes - Performs a full export of all attributes that contain a value.
DynamicConnectedSystem
Select the global variable to use as the dynamic connected system name. This works in conjunction with DynamicConnectedSystemOption when GlobalVariable is selected.
DynamicConnectedSystemOption
Select how to control Dynamic System Support (DSS):
- None - There will not be any Dynamic System Support.
- Transaction-SystemName - The value of the Transaction-SystemName attribute in the data will be used as the dynamic connected system. The connected system name must be passed as the value of the attribute Transaction-SystemName; if it is missing from the data, the operation will fail.
- GlobalVariable - Select a global variable to use as the dynamic connected system name from the property DynamicConnectedSystem.
ExecuteGIGAssociatedTaskAsynchronously
Controls the execution mode for GIG-associated tasks. If this property is true and the task's connected system has a GIG association, the task is executed asynchronously. If this property is false, GIG-associated tasks execute synchronously with a blocking call; this blocking call can result in timeout issues if the task takes longer than the SOAP call timeout. This property is ignored if there is no GIG association or the task is executed from Studio.
ExportDN
Select the distinguished name in the LDAP directory where the connector will begin to locate entries. Entries in this container (default: ou=People,dc=example,dc=com) will be exported based on the type of filter specified. When using this option, do not specify a value for ReadDN. See Step 3 for details on using the Select button that becomes active for this property.
ExportMode
Select the type of data to export:
- FullExport - Exports all attributes.
- DeltaExport - Exports changed, mandatory, or all attributes, depending on the DeltaExportMode property setting.
Filter
Specify search criteria to determine the objects to be exported from the container specified in ExportDN. Use the Set Filter button that becomes active to create a filter. See Set Filter below for additional information.
MaxResults
Select the maximum number of results to be returned (default: 1000).
ReadDN
Specify that only the attributes of a single entry are read. For example, to read attributes for a single user, enter the fully qualified distinguished name (DN) of the user entry (e.g., cn=Betty Lane,ou=Sales,dc=example,dc=com) as the ReadDN value. The ExportDN and Filter settings, if specified, are ignored if a ReadDN value is specified. Use the Select button to build the directory tree and select a specific DN value to read.
RefinementSubtreeDN
Specify the subtree DN used to decide whether a change is of interest. The targetDN value from the ChangeLog is checked against this subtree; if the setting is empty, there is no refinement and all changes are treated as valid data (default: dc=example,dc=com).
ResultsPerPage
Select the maximum number of results per page (default: 500).
Scope
Select the number of levels below the ExportDN to search for entries to be exported:
- AllLevels (default) - Searches all entries at all levels below the DN entry specified by ExportDN.
- OnlyDN - Searches only the DN entry specified by ExportDN.
- OneLevel - Searches all entries one level below the DN entry specified by ExportDN.
SortKey
Specify the attribute name to use to sort results. If sorting is required on multiple attributes, list them in a comma-delimited format (e.g., cn, sn). Sorting on DN is not supported.
UseLdapServerPaging
Select whether to use LDAP server paging (default: TRUE).
Note: Hover the pointer over a property to view its description.
Select DN
- For the ExportDN, click the Select button that becomes active to modify the DN value. The Select DN from LDAP Directory window displays.
- Click the Settings button. The Select DN From LDAP Directory Settings window displays, where you specify the criteria used to retrieve entries from the LDAP directory and build the export list:
Selected DN
The default DN value of the selected attribute.
Build Directory Tree
Builds the directory tree of the selected DN.
Settings
Enter the base DN or another suitable DN as a search base.
Connected System
The connected system that the DN entry will be selected from.
Search Base
Click the Fetch button to retrieve the base DN entry to use for searches. If there is more than one search base, all entries display and can be selected from the drop-down list.
Fetch
Retrieves the base DNs for the selected connected system.
Filter
Changes the filter used for searching to narrow the scope and return more specific results (default: objectClass=organizationalUnit).
Set
Displays the Set Filter window to create search criteria to narrow the scope and return more specific results (see Set Filter below).
- Enter the required text in the Search Base field or click the Fetch button to set the search base.
Set Filter
- Enter the required text in the Filter field or click the Set button to set the search filter. The Set Filter window displays.
- Select the Attribute of the filter (e.g., objectClass, ou, sn). This represents the attribute name for searching the Fedora Directory Server directory.
- Select the Comparison operator value for this filter.
- Enter the required result Value, for example: Sales. The results are those entries that have an ou (organizationalUnit - department) Equal to Sales. If an entry has an ou Equal to Marketing, that entry is excluded based on the above filter.
- Using logical AND/OR, generate the complex filter to narrow the search result.
Select the Edit Filter Manually check box to edit the filter directly in the Filter Syntax field when building complex filters. When typing values by hand, escape the characters *, (, ), \ and NUL as \2a, \28, \29, \5c and \00 (RFC 4515); an unescaped value either makes the filter invalid or matches more entries than intended.
Click OK when complete to return to the Configure Data Source window.
- (Optional) Select the Attributes tab. Only standard attributes display. Modify schema attributes using these buttons:
Add
Adds additional attributes to the list. The Add New Attribute dialog displays.
Export
Exports the schema list to an XML file.
Import
Imports the schema list from an XML file.
Refresh Schema
Dynamically discovers the schema from the target LDAP system. It also includes local as well as global attributes added in the Studio.
Reset Schema
Resets the schema definition to the default schema prepackaged with the IdM Suite, plus any global variables added.
- (Optional) Select the Appearance tab to change how the Connected System object displays in the Design pane.
- Click OK to save any changes and return to the Workflow and Connectivity Studio window.
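The Set Filter window above composes a filter from an attribute, a comparison and a value, and the Filter and Entitlement Query fields accept raw filter text. The Python below is an added example, not code from this guide or from the Fischer product: it builds filters the same way, escapes values as RFC 4515 requires (so a value such as *)(uid=* cannot widen an export filter), and checks whether hand-typed text is one well-formed filter. The operator names, function names, constants and sample values are this example's own assumptions; the product's drop-down labels may differ.

```python
"""Added example (not Fischer product code): build LDAP search filters the way the
Set Filter window does, escape values per RFC 4515, and validate hand-typed filters."""
import re

# RFC 4515 section 3: characters that must be hex-escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Attribute descriptions: a name or OID, optionally with ;options (cn, 2.5.4.3, cn;lang-en).
_ATTR = re.compile(r"[A-Za-z0-9.;-]+")


def escape_value(value: str) -> str:
    """Escape an assertion value so that user input cannot change the filter structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def condition(attr: str, op: str, value: str = "") -> str:
    """One filter item, e.g. condition("ou", "equal", "Sales") -> "(ou=Sales)".
    The operator names are this example's own (assumed), not the product's labels."""
    if not _ATTR.fullmatch(attr):
        raise ValueError(f"bad attribute description: {attr!r}")
    v = escape_value(value)
    if op == "equal":
        return f"({attr}={v})"
    if op == "not_equal":
        return f"(!({attr}={v}))"
    if op == "approx":
        return f"({attr}~={v})"
    if op == "ge":
        return f"({attr}>={v})"
    if op == "le":
        return f"({attr}<={v})"
    if op == "starts_with":   # wildcard appended after escaping, so it is the only one
        return f"({attr}={v}*)"
    if op == "present":
        return f"({attr}=*)"
    raise ValueError(f"unknown operator: {op!r}")


def all_of(*filters: str) -> str:
    """Logical AND of complete filters."""
    return "(&" + "".join(filters) + ")"


def any_of(*filters: str) -> str:
    """Logical OR of complete filters."""
    return "(|" + "".join(filters) + ")"


# An item is attr, an operator, then a value of anything except ( ) \ NUL or a \hh escape.
_ITEM = re.compile(r"[A-Za-z0-9.;-]+(?:~=|>=|<=|=)(?:[^()\\\x00]|\\[0-9A-Fa-f]{2})*")


def _parse(s: str, i: int) -> int:
    """Recursive-descent check of one '(' filtercomp ')' at s[i]; returns the index after it."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(s):
        raise ValueError("unexpected end of filter")
    if s[i] in "&|":          # and / or: zero or more nested filters (RFC 4526 allows zero)
        i += 1
        while i < len(s) and s[i] == "(":
            i = _parse(s, i)
    elif s[i] == "!":         # not: exactly one nested filter
        i = _parse(s, i + 1)
    else:                     # simple item; extensible matches (:=) are not handled here
        m = _ITEM.match(s, i)
        if not m:
            raise ValueError(f"bad filter item at offset {i}")
        i = m.end()
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return i + 1


def is_valid_filter(text: str) -> bool:
    """True if text is exactly one well-formed RFC 4515 filter (no trailing components)."""
    try:
        return _parse(text, 0) == len(text)
    except ValueError:
        return False


# The Entitlement Query 1 default as this page lists it, and the form a standard client needs.
ENTITLEMENT_QUERY_1_RAW = "(objectclass=ldapsubentry)(objectclass=nsmanagedroledefinition)"
ENTITLEMENT_QUERY_1 = all_of("(objectclass=ldapsubentry)", "(objectclass=nsmanagedroledefinition)")


if __name__ == "__main__":
    print(condition("ou", "equal", "Sales"))                       # (ou=Sales)
    print(condition("cn", "equal", "*)(uid=*"))                    # (cn=\2a\29\28uid=\2a)
    print(all_of(condition("objectClass", "equal", "person"),
                 any_of(condition("ou", "equal", "Sales"), condition("ou", "equal", "Marketing"))))
    print(is_valid_filter(ENTITLEMENT_QUERY_1_RAW), is_valid_filter(ENTITLEMENT_QUERY_1))  # False True
```

Run the validator over any filter you paste into the Filter Syntax field or an Entitlement Query before deploying: the page's Entitlement Query 1 default fails it as two bare components and passes once wrapped in (&...), which is the form to use with a command-line LDAP client when checking that the service account can actually see the role definitions.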
Configuring the Export Link
- In the Design pane, double-click the export link between the export object (the first workflow object after the Start object) and the Data Mapper object. The Configure Link window displays. When the export property ExportMode has been set to DeltaExport, the Key Attribute field and buttons also display:
Source Attributes
Select the attributes to export.
Check mandatory attributes for delta export
These check boxes work in conjunction with the trigger attribute selection option Attribute level modify type is required. If that option is selected, for Original_<attribute name> to be available in the Data Mapper object, the attributes selected in the trigger must also be selected in the DataHub object. See Attribute level modify type is required in the section Configuring a Trigger Link.
Selected Attributes
Displays default attributes and those attributes that have been selected from the Source Attributes.
Notes: The check boxes are used only for delta export operations. Checked attributes will always be exported whether they were changed or not. Usually, the attributes selected as mandatory attributes help in identifying or verifying an entry when completing mapping functions.
Format
Displays the Format Date window to specify a date/time format to be applied to the selected date-type attribute, for example whenChanged. During export, the attribute's value is converted to the specified format. See the Format Date steps below for additional information.
Notes:
- The Format button is only enabled for date attributes.
- The Refresh Schema button on the Configure Data Source window's Attributes tab must be used to refresh the schema and enable the Format button for date attributes.
Advanced Settings
Displays the Configure Attributes window for configuring advanced settings for attributes. See the Configure Attributes window steps below for additional information.
Key Attribute
Select the attribute to use as the unique key value for comparing data during delta export. Note: The Key Attribute field and buttons are only displayed when the export property ExportMode has been set to DeltaExport.
- From the Attribute Selection tab, select attributes to export.
- (Optional) Click the Format button to specify a date/time format to be applied to the selected date type attribute. The Format Date window displays.
- Select the Include Time check box to add the timestamp with the date.
- Select the 24 Hour or 12 Hour option button and then select the required date/time format.
- Click OK to save the selected format. The Configure Link window displays.
- (Optional) Click the Advanced Settings button. The Configure Attributes window displays:
Note: The Atomic Changes on Delta Export column displays only when the export property ExportMode has been selected as type DeltaExport.
- Under the Encrypted column, check the box of any Attribute Name to encrypt the value in the export data.
- Under the Atomic Changes on Delta Export column, check the box of any Attribute Name to have atomic changes result in delta entries with modifytypes of add and delete.
- Click OK to save the attribute selection. The Configure Link window displays.
- Click OK to save any changes and return to the Workflow and Connectivity Studio window.
- Deploy the workflow by selecting Deploy ► New Deployment. See the Workflow and Connectivity Studio documentation for details of deployment options.
- Manage and run the deployed workflow from the Admin UI ► Server tab. See the Identity Suite Administration documentation for details.
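The DeltaExportMode property, the mandatory-attribute check boxes, the Key Attribute and the Atomic Changes on Delta Export column together decide what a delta export emits. The Python below is an added example, not code from this guide or from the Fischer product: it runs that comparison over two constructed snapshots (the previous run and the current one) keyed on uid, and shows the three modes, a mandatory attribute, the Original_<attribute> value made available to the Data Mapper, and an atomic attribute reported as add/delete modifytypes. The record layout, function name and sample entries are this example's own assumptions; the product's actual delta record format is not documented on this page.

```python
"""Added example (not Fischer product code): the DeltaExport comparison described by the
Export Link settings, run over two constructed snapshots of exported entries."""

MODES = ("OnlyChangedAttributes", "ChangedAndMandatoryAttributes", "AllAttributes")

# Constructed sample data: what the connector returned on the previous run and on this run.
PREVIOUS = [
    {"uid": "blane", "cn": "Betty Lane", "sn": "Lane", "mail": "blane@example.com",
     "ou": "Sales", "nsRole": ["cn=sales,dc=example,dc=com"]},
    {"uid": "jdoe", "cn": "John Doe", "sn": "Doe", "mail": "jdoe@example.com",
     "ou": "Marketing", "nsRole": []},
    {"uid": "rsmith", "cn": "Rita Smith", "sn": "Smith", "mail": "rsmith@example.com", "ou": "IT"},
]
CURRENT = [
    {"uid": "blane", "cn": "Betty Lane", "sn": "Lane", "mail": "betty.lane@example.com",
     "ou": "Sales", "nsRole": ["cn=sales,dc=example,dc=com", "cn=managers,dc=example,dc=com"]},
    {"uid": "jdoe", "cn": "John Doe", "sn": "Doe", "mail": "jdoe@example.com",
     "ou": "Marketing", "nsRole": []},
    {"uid": "nnew", "cn": "Nina New", "sn": "New", "mail": "nnew@example.com", "ou": "IT"},
]


def _values(v) -> frozenset:
    """LDAP attributes are sets of values; normalise scalars, lists and None to a frozenset."""
    if v is None:
        return frozenset()
    if isinstance(v, (list, tuple, set, frozenset)):
        return frozenset(str(x) for x in v)
    return frozenset([str(v)])


def delta_export(previous, current, key_attr, mode="ChangedAndMandatoryAttributes",
                 mandatory=(), atomic=()):
    """Compare two snapshots keyed on key_attr and return the delta records.

    mandatory: attributes checked as mandatory in the Configure Link window (always exported).
    atomic:    attributes flagged 'Atomic Changes on Delta Export' (value-level add/delete).
    The record layout (key / operation / attributes / changes / Original_<attr>) is assumed.
    """
    if mode not in MODES:
        raise ValueError(f"unknown DeltaExportMode: {mode!r}")
    prev = {e[key_attr]: e for e in previous}
    cur = {e[key_attr]: e for e in current}
    records = []
    for key, entry in cur.items():
        if key not in prev:                       # new entry: everything is exported
            records.append({"key": key, "operation": "add",
                            "attributes": {a: sorted(_values(v)) for a, v in entry.items()}})
            continue
        old = prev[key]
        changed = {a for a in set(entry) | set(old)
                   if _values(entry.get(a)) != _values(old.get(a))}
        if not changed:                           # unchanged entry produces no record (assumed)
            continue
        if mode == "AllAttributes":
            include = {a for a, v in entry.items() if _values(v)}
        elif mode == "ChangedAndMandatoryAttributes":
            include = changed | set(mandatory)
        else:
            include = set(changed)
        include.add(key_attr)                     # the key is always needed to find the entry
        rec = {"key": key, "operation": "modify", "attributes": {}, "changes": []}
        for attr in sorted(include):
            new, before = _values(entry.get(attr)), _values(old.get(attr))
            if attr in atomic and attr in changed:
                # atomic change: emit the individual values as delete/add modifytypes
                rec["changes"] += [("delete", attr, v) for v in sorted(before - new)]
                rec["changes"] += [("add", attr, v) for v in sorted(new - before)]
            else:
                rec["attributes"][attr] = sorted(new)   # whole attribute, i.e. a replace
            if attr in changed:
                rec[f"Original_{attr}"] = sorted(before)  # previous value for the Data Mapper
        records.append(rec)
    for key in sorted(prev.keys() - cur.keys()):         # entries that disappeared
        records.append({"key": key, "operation": "delete", "attributes": {key_attr: [key]}})
    return records


if __name__ == "__main__":
    for rec in delta_export(PREVIOUS, CURRENT, "uid", mandatory=("cn",), atomic=("nsRole",)):
        print(rec)
```

With cn checked as mandatory, Betty's record carries cn even though it did not change, which is what lets the Data Mapper identify the entry; with nsRole flagged atomic, the new role arrives as a single add modifytype instead of a replace of the whole value list, so a concurrent change to the same attribute on the target is not overwritten.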
Configuring for Import
Perform these procedures to configure the connector for data import:
- Configuring the Import Connector
- Configuring the Import Link
From the Workflow and Connectivity Studio, select the Red Hat Directory Server UserAdd, UserModify, or UserDelete workflow listed under the projects folder.
If a workflow does not already exist, create an import workflow. See the Workflow and Connectivity Studio documentation for details on creating import workflows.
Configuring the Import Connector
- In the Design pane, double-click the import object (the last workflow object). The Configure Data Source window displays:
- From the Configure Plug-in tab, set these properties as required:
Associated Connected System
Select the connected system from the list. The import operation will be done to this connected system.
Data Formats
Select the type of data format to use: Profiles (default) or ChangeLog.
accountDN *
Select the attribute to use for connected system association.
AddDiffWithTarget
If set to TRUE (default: FALSE), the target DN attributes are compared with the incoming modified attributes. Only the new attribute values are added. Other attributes are not updated. Note: If the target attribute is a multi-valued attribute, these must be set to TRUE: DiffWithTarget, AddDiffWithTarget, and RemoveDiffWithTarget.
AddIfEntryNotExists
Select whether to create an entry if the entry does not already exist (default: FALSE).
DiffWithTarget
Select whether the attribute sets are compared:
- TRUE - The target DN attributes are compared with the incoming modified attributes. Only those attributes that have different values are modified. Unchanged attributes are discarded and not updated. If a new attribute is present that is not among the target DN attributes, it is added.
- FALSE (default) - The target DN attributes are not compared with the incoming modified attributes. All attributes are updated whether they have a changed value or not.
DiffWithTargetCaseSensitive
Select whether the attribute comparison in DiffWithTarget is done case-sensitively (default: TRUE).
DynamicConnectedSystem
Select the global variable to use as the dynamic connected system name. This works in conjunction with DynamicConnectedSystemOption when GlobalVariable is selected.
DynamicConnectedSystemOption
Select how to control Dynamic System Support (DSS):
- None - There will not be any Dynamic System Support.
- Transaction-SystemName - The value of the Transaction-SystemName attribute in the data will be used as the dynamic connected system. The connected system name must be passed as the value of the attribute Transaction-SystemName; if it is missing in the data, the operation will fail.
- GlobalVariable - Select a global variable to use as the dynamic connected system name from the property DynamicConnectedSystem.
See the Dynamic System Support appendix in the Workflow and Connectivity Studio document for additional information.
ExecuteGIGAssociatedTaskAsynchronously
Controls the execution mode for GIG associated tasks. If this property is true and the task connected system has a GIG association, the task is executed asynchronously. If this property is false, GIG associated tasks are executed synchronously, with a blocking call. This blocking call can result in timeout issues if the task takes more time than the SOAP call timeout. This property is ignored if there is no GIG association or the task is executed from Studio.
Id *
Enter the attribute that contains the value used to uniquely identify the user account user ID on the connected system.
ImportDN
The Distinguished Name (DN) in the LDAP directory where the connector will add entries during the import process if the dn attribute is not specified (default: ou=Imported Users,o=PQR,c=US). See Step 3. for details on using the Select button that becomes active for this property.
loginId *
Enter the attribute that contains the value used to uniquely identify the user account login ID on the connected system.
MaxConcurrentEntryProcessing
Specify the maximum number of entries to be processed concurrently. For each concurrent process, the connector creates new resource threads and connections. Therefore, it is important to set this property based on resource availability. When the MaxConcurrentEntryProcessing property is set, multiple entries are processed in parallel, thereby reducing the time taken for bulk import tasks.
ModifyIfEntryExists
Select whether to perform a modify operation if an add operation fails (default: FALSE).
RDN
Select the attribute name to use when creating the Relative Distinguished Name (RDN) when adding entries to the local LDAP directory. When importing entries into the local LDAP directory, this specifies the attribute to use when creating the DN for the new imported entries (default: cn).
RemoveDiffWithTarget
Select whether to remove attributes from the target entry that do not exist in the modified data (default: FALSE).
Notes:
* accountDN, Id, and loginId are used by the Provisioning Policy and IdentityHub features to populate the ACCOUNT_DN, ACCOUNT_ID, and ACCOUNT_USERNAME columns of the FISC_USER_ACCOUNT table of the Product database. See the ‘Provisioning Policy’ and ‘Provisioning Using the IdentityHub’ chapters of the Identity Suite Administration Guide for details.
Hover the pointer over a property to view its description.
Select DN
- For the ImportDN, click the Select button that becomes active to modify the DN value. The Select DN from LDAP Directory window displays.
- Click the Settings button. The Select DN From LDAP Directory Settings window displays:
- Enter the required text in the Search Base field or click the Fetch button to set the search base.
Set Filter
- Enter the required text in the Filter field or click the Set button to set the search filter. The Set Filter window displays.
- Using logical AND/OR, generate the complex filter to narrow the search result.
- Click OK when complete to return to the Configure Data Source window.
- (Optional) Select the Attributes tab. Only standard attributes display:
Modify schema attributes with the buttons.
- (Optional) Select the Appearance tab to change how the Connected System object displays in the Design pane.
- Click OK to save any changes and return to the Workflow and Connectivity Studio window.
Configuring the Import Link
- In the Design pane, double-click the import link between the Data Mapper object and the import object (the last workflow object). The Configure Link window displays:
Source Attributes
Select the attributes to import. Check for attribute-level auditing: if auditing is enabled and these attributes are checked, Provisioning will log all events for auditing purposes.
Selected Attributes
Displays default attributes and those attributes that have been selected from the Source Attributes. Note: The default attributes are those that are commonly used to create a new user.
Advanced Settings
Displays the Configure Attributes window for configuring advanced settings for attributes. Under the Encrypted column, check the box of any attribute that needs to be encrypted. Under the Diff With Target column, check the box of any attribute to update using differencing (DiffWithTarget, AddDiffWithTarget, and RemoveDiffWithTarget).
Audit Key
Select the attribute to associate with the Audit Key.
- From the Attribute Selection tab, select attributes to import.
- (Optional) Select the Appearance tab to change how the link displays in the Design pane.
- Click OK to save any changes and return to the Workflow and Connectivity Studio window.
- Deploy the workflow by selecting Deploy ► New Deployment. See the Workflow and Connectivity Studio documentation for details of deployment options.
- Manage and run the deployed workflow from the Admin UI ► Server tab. See the Identity Suite Administration documentation for details.
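The DiffWithTarget, AddDiffWithTarget, RemoveDiffWithTarget and DiffWithTargetCaseSensitive properties of the import connector (and the Diff With Target column of the import link) are easiest to understand as a small planner that decides which LDAP modifications the import would send. The following is an added example written for this page, not the connector's own code; it assumes that AddDiffWithTarget and RemoveDiffWithTarget only take effect when DiffWithTarget is TRUE (consistent with the multi-valued attribute note above) and that attribute values are strings. The sample target entry and incoming data are constructed.

```python
"""Added example: the DiffWithTarget family of import properties, modelled as a
modification planner. Not the product's own code."""
from dataclasses import dataclass


@dataclass
class DiffSettings:
    diff_with_target: bool = False          # DiffWithTarget (default FALSE)
    add_diff_with_target: bool = False      # AddDiffWithTarget (default FALSE)
    remove_diff_with_target: bool = False   # RemoveDiffWithTarget (default FALSE)
    case_sensitive: bool = True             # DiffWithTargetCaseSensitive (default TRUE)


def _key(value, case_sensitive):
    """Comparison key for a single attribute value."""
    return value if case_sensitive else value.lower()


def plan_modifications(target, incoming, settings):
    """Return the list of (modifytype, attribute, values) the import would send.

    target   - attribute values currently on the target DN (dict: attr -> list of str)
    incoming - attribute values produced by the workflow's Data Mapper (same shape)
    """
    if not settings.diff_with_target:
        # DiffWithTarget FALSE: no comparison, every incoming attribute is written
        # whether its value changed or not.
        return [("replace", attr, list(values)) for attr, values in incoming.items()]

    mods = []
    for attr, values in incoming.items():
        if attr not in target:
            # Attribute not present on the target DN: it is added.
            mods.append(("add", attr, list(values)))
            continue
        have = {_key(v, settings.case_sensitive) for v in target[attr]}
        if settings.add_diff_with_target:
            # AddDiffWithTarget: only values the target does not already hold are
            # added; existing values are never replaced.
            new_values = [v for v in values if _key(v, settings.case_sensitive) not in have]
            if new_values:
                mods.append(("add", attr, new_values))
        else:
            # DiffWithTarget alone: replace only attributes whose value set differs.
            want = {_key(v, settings.case_sensitive) for v in values}
            if have != want:
                mods.append(("replace", attr, list(values)))
    if settings.remove_diff_with_target:
        # RemoveDiffWithTarget: attributes on the target DN that the modified data
        # no longer carries are removed.
        mods.extend(("delete", attr, []) for attr in target if attr not in incoming)
    return mods


# Constructed sample data: the entry as it exists on the connected system and the
# attributes arriving from the workflow (note the case-only change in mail and the
# extra objectclass value).
TARGET = {
    "cn": ["Jane Doe"],
    "mail": ["jane@example.com"],
    "telephoneNumber": ["+1 555 0100"],
    "objectclass": ["top", "person", "inetOrgPerson"],
}
INCOMING = {
    "cn": ["Jane Doe"],
    "mail": ["JANE@EXAMPLE.COM"],
    "sn": ["Doe"],
    "objectclass": ["top", "person", "inetOrgPerson", "posixAccount"],
}


def demo():
    """Plan the same import under four property combinations."""
    return {
        "defaults": plan_modifications(TARGET, INCOMING, DiffSettings()),
        "diff": plan_modifications(TARGET, INCOMING, DiffSettings(diff_with_target=True)),
        "diff_ci": plan_modifications(
            TARGET, INCOMING, DiffSettings(diff_with_target=True, case_sensitive=False)),
        "diff_add_remove_ci": plan_modifications(
            TARGET, INCOMING,
            DiffSettings(diff_with_target=True, add_diff_with_target=True,
                         remove_diff_with_target=True, case_sensitive=False)),
    }


if __name__ == "__main__":
    for name, mods in demo().items():
        print(name)
        for mod in mods:
            print("   ", mod)
```

With the defaults every incoming attribute is rewritten; with DiffWithTarget only mail and objectclass change and sn is added; turning off case sensitivity drops the mail update; and the add/remove combination adds just the new posixAccount value and deletes telephoneNumber, which the incoming data does not carry.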
Connector Details for Provisioning
Configuration import properties accountDN, Id, and loginId are used by the Provisioning Policy and IdentityHub features to populate the ACCOUNT_DN, ACCOUNT_ID, and ACCOUNT_USERNAME columns of the FISC_USER_ACCOUNT table of the Product database. See the ‘Provisioning Policy’ and ‘Provisioning Using the IdentityHub’ chapters of the Identity Suite Administration Guide for details.
Configuration Import Properties
Property | Attribute |
---|---|
id | dn |
login id | cn |
accountDN (Directory Server only) | DN |
Red Hat Directory Server (389 Directory Server) Connector Attributes
The items in the Export, Create, Modify, and Delete columns have these meanings:
- Y = Yes (attribute is supported for this operation)
- N = No (attribute is not supported for this operation)
- R = Required (attribute is mandatory for this operation)
- dn, cn = the value is taken from that attribute (see Configuration Import Properties above)
Attribute | Export | Create | Modify | Delete | Description |
---|---|---|---|---|---|
CN | Y | R | Y | N | Common name of the user. |
dn | Y | R | R | R | Distinguished name and key attribute for all operations. |
givenName | Y | Y | Y | N | First name of the user. |
id | N | dn | dn | dn | User ID to the connected system. |
initials | Y | Y | Y | N | Middle name/initials of the user. |
Login id | N | cn | cn | cn | Login ID to the connected system. |
mail | Y | Y | Y | N | User mail address. |
objectclass | Y | R | Y | N | User object class such as top, person, organizationalPerson, inetOrgPerson. |
original_dn | N | N | R | N | Original distinguished name for rename operations. |
sn | Y | R | Y | N | Last name of the user. |
userPassword | N | R | Y | N | Password for the user account. |
Configuring Triggers
Perform these steps to create a trigger:
Prerequisites
Creating a Trigger
Configuring a Trigger Agent
Configuring a Trigger Link
Prerequisites
Ensure that these prerequisites are satisfied:
- Create a 389 Directory Server provisioning connector before creating a 389 Directory Server trigger (see the section Creating the Connected System in the Studio).
- Create and deploy workflows to be run by the Fedora Directory Server trigger. See the sections ‘Creating Workflows’ and ‘Deploying Workflows’ in the Workflow Development chapter in the Workflow and Connectivity Studio document for details.
Creating a Trigger
- From the Workflow and Connectivity Studio menu bar, click File ► New Trigger ► Red Hat Trigger. The Create a New Trigger window displays.
- Enter a trigger name in the Name field.
- Click the Browse button to select a directory other than the default displayed in the Directory field. The directory should be a child of the default location in order to have the trigger listed under the projects folder of the Workflow and Connectivity Studio.
- Select one of the available systems in the System field.
Note: Only connected systems of the trigger type selected in Step 2. will be available. If there are no connected systems to select, then a Fedora Directory Server provisioning connected system does not exist. This connected system must exist before creating a trigger.
- Enter descriptive text in the Description field and then click OK. A new trigger system object and link display in the Design pane.
Note: The trigger must be fully configured before it can be saved and deployed. Continue with the sections below to complete configuring the trigger.
Configuring a Trigger Agent
- In the Design pane, double-click the trigger system. The Configure Data Source window displays.
Note: To modify an existing trigger, on the menu bar click View ► Triggers, and then select one of the 389 Directory Server triggers listed under the projects folder.
- Select the Associated Connected System from the drop-down list for the trigger.
- Click the Trigger tab. The Configure Data Source window displays.
Configuration
Subtree DN
Enter or select the subtree DN.
Filter
Select the filter for the trigger to listen for changes. This can either be an object class from the drop-down list or a complex filter configured and selected with the Set Filter button. The trigger uses this filter to perform a persistent LDAP search on the directory and listen for changes; see Set Filter.
Trigger Scope
Select the level for the trigger to listen for changes:
- AllLevels - In all sublevels.
- OneLevel (default) - In one sublevel.
- OnlyDN - In only the DN.
Paging Configuration
LDAP Server Paging
Select the type of LDAP server paging to use during operations that involve a large number of entries:
- None - No Server Side Paging.
- Virtual List View Control (default) - Server Side Paging using virtual list view control.
Results Per Page
Select the maximum number of results per page (default: 1000).
SortKey
Specify the attribute name to use to sort results. If sorting is required on multiple attributes, list them in a comma delimited format (e.g., cn, sn). Sorting on DN is not supported.
- Enter the subtree DN in the Subtree DN field or click the Select button to select where the trigger is to obtain data from changes in the directory. This will be the subtree DN.
- Click OK when complete.
- Select the Filter (or click the Set Filter button) to set the search filter.
- From the Trigger Scope drop-down list, select the level for the trigger to listen for changes.
- From the LDAP Server Paging drop-down list, select the type of LDAP server paging to be used.
- Click OK when complete.
- (Optional) Select the Attributes tab. Only standard attributes display:
Modify schema attributes with the buttons.
Note: Provisioning does not add the attribute to the system. Provisioning assigns the new entry to the schema reference file in Provisioning for mapping and internal purposes. This attribute schema should be made available in the system for Provisioning to perform mapping and other functions.
- (Optional) Select the Appearance tab to change how the Connected System object displays in the Design pane.
- Click OK to save any changes and return to the Workflow and Connectivity Studio window.
Note: A trigger cannot be saved until a trigger link has been configured.
Configuring a Trigger Link
- Double-click the link between the Start object and the Trigger system object. The Configure Link window displays.
Note: To modify an existing trigger, on the menu bar click View ► Triggers, and then select one of the 389 Directory Server triggers listed under the projects folder.
Source Attributes
Select the attributes to export.
Attribute level modify type is required
Check this box to create a reference file for this trigger under the trigger-runtime directory when the trigger is enabled after deployment. These checked attributes will always be exported whether they were changed or not and will be available as Original_<attribute name> and <attribute name>. This exports the directory tree where the trigger is listening based on the attribute selection and search scope when the trigger is enabled; it uses this reference file to find out which attribute(s) changed and the values for Original_<attribute name>. Only values of attributes selected are stored in this reference file.
If this check box is not selected and:
- There are no mandatory attributes - The trigger will not do a full export and a reference file will not be created, so there will not be any Original_<attribute name> values available. All selected attributes, whether changed or not, will be available as the trigger data to the Target workflow.
- There are mandatory attributes (check the box of the selected attributes) - The reference file will be created for the mandatory attributes.
Note: If this Attribute level modify type is required check box is selected, for these attributes (Original_<attribute name>) to be available in the Data Mapper object, they must also be selected in the DataHub object (Check mandatory attributes for delta export). See Check mandatory attributes for delta export in the section Configuring the Export Link.
Use changelog to get change notifications
Check the box only if the LDAP server is configured with ChangeLog support. There is no reference file in this approach, making it fast, but Original_<attribute name> values are not available. The ChangeLog only provides the DN and the changed attributes and values.
Only DN is required in the trigger data
Check this box only if the DN of the entry needs to be provided as the trigger data to the Target workflow.
Selected Attributes
Displays default attributes and those attributes that have been selected from the Source Attributes.
Note: Check boxes in this field set mandatory attributes. These checked attributes will always be exported whether they were changed or not.
Advanced Settings
Displays the Configure Attributes window for selecting any attributes that need to be encrypted.
Set Unique Key
Sets which attribute from the Selected Attributes will make the entry unique.
Clear Unique Key
Removes the current unique key attribute selection. No unique key attribute is defined after selecting this option.
Effective Date
Select these effective date options:
- Set - Sets an attribute from the selected attributes to apply an effective date offset to control when the triggered data is run. A condition can be provided that determines when or if an effective date offset should be applied. Set a condition and effective date offset from the Effective Date tab.
- Clear - Removes the selected attribute from being defined for effective date processing.
- Format - Specifies a desired date/time format to be applied to the selected effective date field. Any field type can be selected to apply a date/time format to the effective date value.
- Select the attributes to be triggered from the Source Attributes. Any changes (add, modify, or delete) to the selected attributes will start the trigger.
- Click the Effective Date tab and then click the Add button. The Set Trigger Data Condition window displays.
- Set an Effective Date Offset value and specify a condition when it will be used:
- For triggers - All conditions specified here will be evaluated for each incoming data entry. The offset corresponding to the first condition that is satisfied will be applied to the date contained in the effective date attribute. An offset can be mapped to a condition that is specified as default. If none of the conditions in the list are satisfied, the offset corresponding to the default condition will be applied to the effective date.
- For Chained workflows - From the Chained workflow Configure Data Source window, specify the attribute that should have an effective date condition and offset value applied. From the preceding Data Mapper, provide conditions and offset values to calculate the target effective date value and save this value to the effective date attribute as the target attribute.
- Click OK when finished.
- From the Target Workflow Selection tab, select the deployed workflow(s) to run when the trigger occurs, and then click the Add ► button.
To remove a selected workflow from being run, highlight it under Selected Workflows and click the ◄ Remove button.
Notes:
- If more than one workflow is selected, they are run in the order listed.
- If workflows are deployed in Asynchronous mode, all workflows are run together.
- If serialized execution of workflows is required, consider chaining them.
- Highlight a workflow from the Selected Workflows list and click the Set Condition button to set a condition before running workflows. The Set Lookup Condition window displays.
- Build a complex condition with logical AND/OR.
- Click OK to return to the Configure Link window.
- From the Lookup Workflow Selection tab, select the deployed workflow(s) to run when the trigger occurs, and then click the Add ► button.
To remove a selected workflow from being run, highlight it under Selected Workflows and click the ◄ Remove button.
Notes:
- Lookup may be required to get additional attributes to run Target workflows. Lookup workflows run prior to Target workflows.
- If more than one workflow is selected, they are run in the order listed.
- Lookup workflows must be deployed in Synchronous mode; otherwise, lookup data may not be available before running Target workflows.
- Highlight a workflow from the Selected Workflows list and click the Set Primary button to set the primary workflow to be run.
- Highlight a workflow from the Selected Workflows list and click the Set Condition button to set a condition before running Lookup workflows. The Set Lookup Condition window displays. Build a complex condition with logical AND/OR. Click OK to return to the Configure Link window.
- Click OK to save any changes and return to the Workflow and Connectivity Studio window.
- Save the trigger.
- Deploy the trigger by clicking the Deploy toolbar button. The Deploy Trigger window displays.
- Click the Deploy New button.
- Click OK to deploy the trigger.
- Enable the trigger from the Server tab of the Admin UI. See the Identity Suite Administration documentation for details on enabling triggers.
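The behaviour of the Attribute level modify type is required check box (a reference file built from a full export of the listened subtree, later used to derive Original_<attribute name> values and to tell which selected attributes changed) can be modelled in a few lines. The following is an added example written for this page, not the product's trigger runtime; the in-memory directory, the reference file as a plain dict, and the function names are all constructed for illustration. It also covers the two "not selected" cases from the text: a reference file restricted to mandatory attributes, and no reference file at all.

```python
"""Added example: how a trigger reference file yields Original_<attr> values and
change detection. Not the product's own code; all names are constructed."""


def make_reference(directory, selected, mandatory, reference_required):
    """Model the reference file created when the trigger is enabled.

    reference_required=True  -> 'Attribute level modify type is required' is checked:
                                full export, values of all selected attributes stored.
    reference_required=False -> a reference file exists only for mandatory attributes;
                                with none, no reference file is created at all.
    """
    if reference_required:
        stored = list(selected)
    elif mandatory:
        stored = list(mandatory)
    else:
        return None
    # Only values of the stored attributes are kept, never the whole entry.
    return {dn: {a: list(entry[a]) for a in stored if a in entry}
            for dn, entry in directory.items()}


def trigger_data(dn, entry, selected, reference):
    """Build the data handed to the Target workflow for one changed entry.

    Returns (data, changed): 'changed' lists the attributes whose value differs
    from the reference file, or None when no reference file exists.
    """
    data = {"dn": dn}
    for attr in selected:
        if attr in entry:
            data[attr] = list(entry[attr])   # selected attributes, changed or not
    if reference is None:
        return data, None                    # no Original_ values without a reference file
    old = reference.get(dn, {})
    changed = []
    for attr in old.keys() | set(selected):
        before, after = old.get(attr, []), list(entry.get(attr, []))
        if attr in old:
            data["Original_" + attr] = list(before)
        if attr in old and before != after:
            changed.append(attr)
    # Keep the reference file current so the next change is diffed against this state.
    reference[dn] = {a: list(entry[a]) for a in old.keys() | set(selected) if a in entry}
    return data, sorted(changed)


# Constructed sample directory (the subtree the trigger listens on).
DIRECTORY = {
    "uid=bob,ou=People,dc=example,dc=com": {
        "cn": ["Bob Jones"], "mail": ["bob@example.com"], "title": ["Analyst"],
    },
}
SELECTED = ["cn", "mail", "telephoneNumber"]   # Source Attributes chosen in the link


def demo(reference_required=True, mandatory=()):
    """Enable the trigger, then replay one change to bob and return the trigger data."""
    reference = make_reference(DIRECTORY, SELECTED, mandatory, reference_required)
    dn = "uid=bob,ou=People,dc=example,dc=com"
    changed_entry = {"cn": ["Bob Jones"], "mail": ["robert@example.com"],
                     "telephoneNumber": ["+1 555 0199"], "title": ["Analyst"]}
    return trigger_data(dn, changed_entry, SELECTED, reference)


if __name__ == "__main__":
    print(demo())                                   # with reference file
    print(demo(reference_required=False))           # no reference file
    print(demo(reference_required=False, mandatory=["mail"]))
```

With the box checked, the Target workflow receives Original_cn and Original_mail next to the current values and the trigger knows that mail changed; telephoneNumber was not on the entry at enable time, so it has no Original_ value. Without the box and without mandatory attributes, only the current selected values arrive and nothing can be diffed.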
ChangeLog Export
The ChangeLog export process can be used as an alternative to the trigger approach. To use this feature, the Fedora Directory Server should be ChangeLog enabled. The ChangeLog export process reads a block of changes from the ChangeLog, parses the ChangeLog attribute to the actual LDAP attribute value, and passes it to the downstream task.
These processes occur when the workflow schedule is started the first time:
- If the Configure Plug-in property InitialChangeNumber value is specified, the export process uses this as the starting changeNumber (seed). The export process reads changes from changeNumber=InitialChangeNumber to changeNumber=InitialChangeNumber + MaxResults setting of the Configure Plug-in. Additionally, the host name and the port of the directory server will be retrieved from the directory server configuration. These three values make up a unique combination and are stored in a bookmark file (<task name>changelog.properties) in the workflows-instance folder on the server.
- If the Configure Plug-in property InitialChangeNumber value is not specified, the export process queries the highest changeNumber from the directory server. Additionally, the host name and the port of the directory server will be retrieved from the directory server configuration. These three values make up a unique combination and are stored in a bookmark file (<task name>changelog.properties) in the workflows-instance folder on the server. There is no export data because the highest number is the starting point.
On successive runs, the export process reads the bookmark file first and uses this number as the seed for export. If the bookmark file is not present, the export process is as mentioned above.
The ChangeLog export process does not read the data as a block using the search filter. Rather, it loops through each value from the seed until it reaches either the most recent number or the original number plus the MaxResults set in the configuration. While looping through each number, the connector performs an LDAP read. The DN of the read is InitialChangeNumber=X, ExportBaseDN. The ExportBaseDN value (default: cn=changelog) is used from the configuration of the connector.
When the looped read process is complete, the ChangeLog bookmark will be updated with the last ChangeLog number. Before the data is parsed, the target DN value is matched with the configuration property RefinementSubtreeDN setting to determine if this ChangeLog entry is important. If the data does not meet the refinement criteria, the change is discarded. This reduces unwanted data from being parsed. The data for the reads is parsed and placed into a single ROOT document. This reduces the number of workflow instances down the pipe.
The data is parsed and each of the attributes in the ChangeLog is transformed to the actual corresponding LDAP attribute. The outgoing changetype is set from the ChangeLog entry. If a ChangeLog entry contains a single change, the modifytype is set appropriately. In some cases, a ChangeLog contains multiple changes (called LDAP atomic changes). In this case it is not possible to set a single modifytype for the entry and the configuration option MergeChanges is read to determine behavior. If the MergeChanges option is set to TRUE, the output will be a single data file with attributes and values and only a changetype specified. If the MergeChanges option is set to FALSE, a single entry will be created for each unique modify operation found in the ChangeLog entry. When MergeChanges is set to FALSE, the entries in the data may be more than the MaxResults due to splitting (explained above).
Finally, the data is passed to the task. Similar to a traditional export process, only attributes specified in the export task are included. The export task is then completed.
When the export task starts again, it checks the LDAP host name and LDAP port of the directory server to ensure they are the same as the last run. If these values have changed, the new HostName and PortNum values are stored in the bookmark file and a new seed is retrieved using the technique explained above.
The connected system Admin must have permission to access the ChangeLog subtree DN; otherwise, the task execution will not be successful. Also, the task will not be successful when an invalid ChangeLog subtree DN (ExportBaseDN) is specified in the configuration.
When the data format ChangeLog is selected, the workflow can be deployed only as a Scheduled workflow. When the Scheduled workflow is redeployed, the bookmark file is not touched. Only undeploying resets the changeNumber bookmark.
Notes:
- changeNumber bookmarks are local to the workflow instance and are not shared with other workflows, so multiple ChangeLog export workflows can be configured against one ChangeLog database.
- If a previous change has to be reprocessed, either change the LastProcessedChangeLogNumber entry in the bookmark file, or delete this file and set the value for InitialChangeNumber in the Configure Plug-in. Then run the Scheduled workflow.
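The export cycle described above (seed selection, bookmark file, per-number reads, RefinementSubtreeDN filtering, and the MergeChanges handling of LDAP atomic changes) can be followed end to end in a small simulation. The following is an added example written for this page, not the connector's implementation. It assumes the ChangeLog is an in-memory map from changeNumber to a record carrying the target DN, the changetype and the LDIF-style changes text; that the bookmark file is a dict with the HostName, PortNum and LastProcessedChangeLogNumber keys named on this page, where the stored number is the last one processed and the next run starts at the following number; and that the read window runs from the seed up to seed + MaxResults inclusive, as the text states. The sample records and configuration are constructed.

```python
"""Added example: simulation of the ChangeLog export cycle (seed, bookmark,
refinement, atomic-change splitting). Not the product's own code."""


def parse_add_attrs(ldif_text):
    """Attributes of an add record: plain 'attr: value' lines."""
    attrs = {}
    for line in ldif_text.splitlines():
        attr, sep, value = line.partition(": ")
        if sep:
            attrs.setdefault(attr, []).append(value)
    return attrs


def parse_modify_ops(ldif_text):
    """Modify record: blocks of 'add|replace|delete: attr' + values, each ended by '-'."""
    ops, current = [], None
    for line in ldif_text.splitlines():
        line = line.strip()
        if line == "-":
            if current:
                ops.append(current)
            current = None
            continue
        key, sep, value = line.partition(": ")
        if current is None and key in ("add", "replace", "delete"):
            current = (key, value, [])
        elif current is not None and key == current[1]:
            current[2].append(value)
    if current:
        ops.append(current)
    return ops


def in_subtree(dn, subtree):
    """Case-insensitive check that dn lies at or under subtree (RefinementSubtreeDN)."""
    norm = lambda s: ",".join(p.strip().lower() for p in s.split(","))
    d, s = norm(dn), norm(subtree)
    return d == s or d.endswith("," + s)


def _entry(n, record, changetype, modifytype, attrs, export_attrs):
    # Only attributes specified in the export task are included.
    return {"changeNumber": n, "dn": record["targetDn"], "changetype": changetype,
            "modifytype": modifytype,
            "attributes": {a: v for a, v in attrs.items() if a in export_attrs}}


def parse_record(n, record, cfg):
    """Turn one ChangeLog record into one or more export entries."""
    ct = record["changeType"]
    if ct == "modify":
        ops = parse_modify_ops(record["changes"])
        if len(ops) == 1:                       # single change: modifytype is known
            op, attr, values = ops[0]
            return [_entry(n, record, ct, op, {attr: values}, cfg["ExportAttributes"])]
        if cfg["MergeChanges"]:                 # atomic change: one entry, changetype only
            merged = {attr: values for _, attr, values in ops}
            return [_entry(n, record, ct, None, merged, cfg["ExportAttributes"])]
        return [_entry(n, record, ct, op, {attr: values}, cfg["ExportAttributes"])
                for op, attr, values in ops]    # MergeChanges FALSE: one entry per operation
    attrs = parse_add_attrs(record["changes"]) if ct == "add" else {}
    return [_entry(n, record, ct, None, attrs, cfg["ExportAttributes"])]


def run_export(store, bookmark, cfg, host, port):
    """One scheduled run of the export task. Returns (entries, new_bookmark)."""
    highest = max(store)
    same_server = (bookmark is not None and bookmark["HostName"] == host
                   and bookmark["PortNum"] == port)
    if same_server:
        seed = int(bookmark["LastProcessedChangeLogNumber"]) + 1   # resume after bookmark
    elif cfg.get("InitialChangeNumber") is not None:
        seed = cfg["InitialChangeNumber"]                          # configured seed
    else:
        # No seed configured (or host/port changed): the highest number becomes the
        # starting point and nothing is exported on this run.
        return [], {"HostName": host, "PortNum": port, "LastProcessedChangeLogNumber": highest}
    last = min(highest, seed + cfg["MaxResults"])
    entries = []
    for n in range(seed, last + 1):             # one LDAP read per number
        record = store.get(n)
        if record is None or not in_subtree(record["targetDn"], cfg["RefinementSubtreeDN"]):
            continue                            # outside the refinement subtree: discarded
        entries.extend(parse_record(n, record, cfg))
    return entries, {"HostName": host, "PortNum": port,
                     "LastProcessedChangeLogNumber": max(last, seed - 1)}


# Constructed ChangeLog contents (changeNumber -> record) and export configuration.
PEOPLE = "ou=People,dc=example,dc=com"
CHANGELOG = {
    101: {"targetDn": f"uid=alice,{PEOPLE}", "changeType": "add",
          "changes": "objectClass: inetOrgPerson\nuid: alice\nmail: alice@example.com"},
    102: {"targetDn": f"uid=bob,{PEOPLE}", "changeType": "modify",
          "changes": "replace: mail\nmail: bob@example.com\n-"},
    103: {"targetDn": "cn=admins,ou=Groups,dc=example,dc=com", "changeType": "modify",
          "changes": f"add: member\nmember: uid=alice,{PEOPLE}\n-"},
    104: {"targetDn": f"uid=carol,{PEOPLE}", "changeType": "modify",
          "changes": "replace: mail\nmail: carol@example.com\n-\n"
                     "add: telephoneNumber\ntelephoneNumber: +1 555 0100\n-"},
    105: {"targetDn": f"uid=dave,{PEOPLE}", "changeType": "delete", "changes": ""},
}
CFG = {"InitialChangeNumber": 101, "MaxResults": 3, "MergeChanges": False,
       "ExportBaseDN": "cn=changelog", "RefinementSubtreeDN": PEOPLE,
       "ExportAttributes": {"uid", "mail", "telephoneNumber"}}


def demo(merge_changes=False):
    """First run (seeded by InitialChangeNumber) followed by a run from the bookmark."""
    cfg = dict(CFG, MergeChanges=merge_changes)
    run1, bm1 = run_export(CHANGELOG, None, cfg, "ldap1.example.com", 389)
    run2, bm2 = run_export(CHANGELOG, bm1, cfg, "ldap1.example.com", 389)
    return run1, bm1, run2, bm2


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The first run reads numbers 101 to 104, discards 103 because cn=admins is under ou=Groups rather than the refinement subtree, and, with MergeChanges FALSE, splits the atomic change 104 into two entries, so four entries leave a three-change window; the bookmark then records 104 and the second run picks up the delete at 105. Changing the host name forces a fresh seed, and with no InitialChangeNumber that run exports nothing and bookmarks the highest number.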