-
CanonicalName ← vrtEntryCanonicalName
vrtEntryCanonicalName is a virtual property, set to the canonical name of the object in the connector.
Sample value:
COM/MYCOMPANY/MAINFRAME1/USER/USER1234
-
cn ←→ racfid
On the RACF system, racfid is the user ID.
Sample value:
USER1234
-
DistinguishedName ← vrtEntryDN
vrtEntryDN is a virtual property, set to the DN of the object in the connector. Select the Force mapping against direction of synchronization check box.
Sample value:
racfid=USER1234,profiletype=user,cn=mainframe1,o=mycompany,c=com
-
ObjectClass ←→ objectClass
The objectClass attribute (multi-valued) on the RACF system. Select the Ignore case sensitivity check box.
Sample value:
TOP;RACFBASECOMMON;RACFUSER
-
StructuralObjectClass ← vrtStructuralObjectClass
vrtStructuralObjectClass on the RACF system defines the single object class for the object type. Select the Ignore case sensitivity check box.
Sample value:
RACFUSER
-
UID_LDPDomain ← vrtIdentDomain
Create a fixed value property variable on the RACF side called vrtIdentDomain that is set to the value $IdentDomain$. Map this to UID_LDPDomain. This causes a conflict, and the Property Mapping Rule Conflict Wizard opens automatically.
To resolve the conflict
-
In the Property Mapping Rule Conflict Wizard, select the first option and click OK.
-
On the Select an element page, select Ident_Domain and click OK.
-
Confirm the security prompt with OK.
-
On the Edit property page:
-
Clear Save unresolvable keys.
-
Select Handle failure to resolve as error.
-
To close the Property Mapping Rule Conflict Wizard, click OK.
-
Select the Force mapping against direction of synchronization check box.
Sample value:
RACF_DOMAIN
-
vrtParentDN → vrtEntryParentDN
Create a fixed value property variable on the One Identity Manager side called vrtParentDN equal to a fixed string with the value $UserLocation$. Map this to vrtEntryParentDN on the RACF side.
Sample value:
profiletype=user,cn=mainframe1,o=mycompany,c=com
-
vrtRDN → vrtEntryRDN
Create a new variable on the One Identity Manager side of type Script Property with the name vrtRDN and a data type of String. In the Scripts section, enter one of the following scripts in the Read script section, depending on whether your project is configured for C# or Visual Basic.
C# Script
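references VI.TSUtils.dll;
// Build the RDN from cn (the old value when useOldValues is set),
// then change the attribute type from cn to racfid.
return (VI.TargetSystem.Base.Utils.LDAP.RDN.Create("cn", useOldValues ? $cn[o]$ : $cn$).ToString()).Replace("cn=","racfid=");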
VB Script
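References VI.TSUtils.dll
Imports VI.TargetSystem.Base.Utils.LDAP
' Use the old value of cn when useOldValues is set, otherwise the current one.
Dim name As String = ""
If useOldValues Then
    name = $cn[o]$
Else
    name = $cn$
End If
' Build the RDN from cn, then change the attribute type from cn to racfid.
Return RDN.Create("cn",name).ToString().Replace("cn=","racfid=")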
Then map this to vrtEntryRDN on the RACF side.
Sample value:
USER1234
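How the values behind vrtRDN, vrtParentDN, DistinguishedName and CanonicalName relate to each other, as an added Python example that is not One Identity Manager code and does not call VI.TSUtils. The RACF user ID alphabet, the canonical-name derivation (inferred from the page's sample values) and all function names are assumptions; #ADMIN1 is a constructed ID showing the one character in that alphabet that needs escaping in a DN.

```python
import re

# Assumption: RACF user IDs are 1-8 characters from A-Z, 0-9, '#', '$' and '@'.
RACFID = re.compile(r"[A-Z0-9#$@]{1,8}")

# Sample value of vrtParentDN ($UserLocation$) taken from the page.
SAMPLE_PARENT_DN = "profiletype=user,cn=mainframe1,o=mycompany,c=com"


def build_rdn(racfid):
    """Model of the vrtRDN script: 'racfid=<user ID>' for a validated user ID."""
    if not RACFID.fullmatch(racfid):
        raise ValueError(f"not a valid RACF user ID: {racfid!r}")
    # Within that alphabet only a leading '#' needs escaping in a DN string
    # (RFC 4514); unescaped, the value would be read as a hex-encoded blob.
    value = "\\" + racfid if racfid.startswith("#") else racfid
    return "racfid=" + value


def build_dn(racfid, parent_dn):
    """Model of vrtEntryDN: the RDN followed by the parent DN."""
    return build_rdn(racfid) + "," + parent_dn


def split_dn(dn):
    """Split a DN into (type, value) pairs, honouring backslash escapes.

    Hex-pair escapes such as \\2C are not decoded here.
    """
    pairs = []
    for part in re.findall(r"(?:\\.|[^,\\])+", dn):
        attr, _, value = part.partition("=")
        pairs.append((attr.strip(), re.sub(r"\\(.)", r"\1", value)))
    return pairs


def canonical_name(dn):
    """Assumed from the page's samples: RDN values, root first, upper-cased."""
    return "/".join(value.upper() for _, value in reversed(split_dn(dn)))


if __name__ == "__main__":
    for uid in ("USER1234", "#ADMIN1"):  # the second ID is constructed
        dn = build_dn(uid, SAMPLE_PARENT_DN)
        print(dn, "->", canonical_name(dn))
```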
-
userPassword → racfPassword
Used to change a user’s RACF password. A condition must be set on this rule to map the password only when there is a value to be copied.
To add a condition
-
Create the mapping.
-
Edit the property mapping rule.
-
Expand the Condition for execution section at the bottom of the dialog.
-
Click Add condition and set the following condition (a blank password is indicated by using two apostrophe characters).
Left.UserPassword<>''
-
UID_LDAPContainer ← vrtLDAPContainerDN
This is a workaround needed to support group mappings. Create a new fixed value variable on the RACF side of type String with no value called vrtLDAPContainerDN with the value set to $UserLocation$. This generates a property mapping rule conflict.
To resolve the conflict
-
In the Property Mapping Rule Conflict Wizard, select the first option and click OK.
-
On the Select an element page, select DistinguishedName and click OK.
-
Confirm the security prompt with OK.
-
On the Edit property page:
-
Clear Save unresolvable keys.
-
Select Handle failure to resolve as error.
-
Select Ignore case.
-
To close the Property Mapping Rule Conflict Wizard, click OK.
-