When creating a group in the Top Secret database, the following LDAP attributes must be defined:
-
objectclass
-
tssgroup
-
name
-
Department
-
User-Type
When creating a group in the Top Secret database, the following LDAP attributes must be defined:
objectclass
tssgroup
name
Department
User-Type
CanonicalName ← vrtEntryCanonicalName
vrtEntryCanonicalName is a virtual property, set to the canonical name of the object in the connector. Select the Ignore case sensitivity check box.
Sample value:
COM/MYCOMPANY/TOPSECRET1/GROUPS/GROUP123
cn ←→ tssgroup
On the Top Secret system, tssgroup is the group ID. Select the Ignore case sensitivity check box.
Sample value:
GROUP123
DistinguishedName ← vrtEntryDN
vrtEntryDN is a virtual property, set to the DN of the object in the connector.
Sample value:
tssgroup=GROUP123,tssadmingrp=groups,host=topsecret1,o=mycompany,c=com
The objectClass attribute (multi-valued) on the Top Secret system. Select the Ignore case sensitivity check box.
Sample value:
TSSGROUP
StructuralObjectClass ← vrtStructuralObjectClass
vrtStructuralObjectClass on the Top Secret system defines the single object class for the object type. Select the Ignore case sensitivity check box.
Sample value:
TSSGROUP
UID_LDPDomain ← vrtIdentDomain
Create a fixed-value property variable on the Top Secret side calledvrtIdentDomain that is set to the value $IdentDomain$. Map this to UID_LDPDomain. This causes a conflict and the Property Mapping Rule Conflict Wizard opens automatically.
To resolve the conflict
In the Property Mapping Rule Conflict Wizard, select the first option and click OK.
On the Select an element page, select Ident_Domain and click OK.
Confirm the security prompt with OK.
On the Edit property page,
Clear Save unresolvable keys.
Enable Handle failure to resolve as error.
To close the Property Mapping Rule Conflict Wizard, click OK.
Sample value:
TOPSECRET1
vrtParentDN → vrtEntryParentDN
Create a virtual attribute on the One Identity Manager side equal to a fixed string representing the parent DN for the object that is being manipulated. Select the Ignore case sensitivity check box.
Sample value:
tssadmingrp=groups,host=topsecret1,o=mycompany,c=com
vrtRDN → vrtEntryRDN
Create a new variable on the One Identity Manager side of type Script Property with the name vrtRDN and a data type of String. In the Scripts section, enter one of the following scripts in the Read script section, depending on whether your project is configured for C# or Visual Basic.
C# Script:
references VI.TSUtils.dll;
return (VI.TargetSystem.Base.Utils.LDAP.RDN.Create("cn", useOldValues ? $cn[o]$ : $cn$).ToString()).Replace("cn=","tssgroup=");
VB Script:
References VI.TSUtils.dll
Imports VI.TargetSystem.Base.Utils.LDAP
Dim name as String = ""
If useOldValues Then
name = $cn[o]$
Else
name = $cn$
End If
return RDN.Create("cn",name).ToString().Replace("cn=","tssgroup=")
Then map vrtRDN to vrtEntryRDN on the Top Secret side.
Sample value:
tssgroup=GROUP123
Description ←→ name
The name attribute contains a description for the group. Select the Ignore case sensitivity check box.
Sample value:
TEST GROUP
UID_LDAPContainer ← vrtEmpty
This is a workaround needed to support group mappings. Create a new fixed-value variable on the Top Secret side of type String with no value called vrtEmpty. This is mapped to UID_LDAPContainer. This generates a property mapping rule conflict.
To resolve the conflict
In the Property Mapping Rule Conflict Wizard, highlight Select this option if you do not want to change anything and click OK.
vrtMember ←→ uniqueMember
This mapping is used to synchronize group membership information.
Create a new virtual entry on the One Identity Manager side of type Members of M:N schema types with the name vrtMember. Select the Ignore case and Enable relative component handling check boxes.
Add the following M:N schema types:
Add an entry for LDAPAccountInLDAPGroup. Set the left box to UID_LDAPGroup and the right box to UID_LDAPAccount. Set the Primary Key Property to DistinguishedName.
Add an entry for LDAPGroupInLDAPGroup. Set the left box to UID_LDAPGroupChild and the right box to UID_LDAPGroupParent. Set the Primary Key Property to DistinguishedName.
Create a new mapping rule of type Multi-reference mapping rule. Set the rule name to Member and the mapping direction to Both directions. Set the One Identity Manager schema property to vrtMember and the Top Secret schema property to uniqueMember.
vrtType → User-Type
Create a new fixed-value property on theOne Identity Manager side of type String with the value GROUP. Call the property vrtType. Map this to User-Type on the Top Secret side. Select the Ignore case sensitivity check box.
SeeAlso ←→ Department
The Department attribute defines the Top Secret department assigned to the group. A suitable string attribute on the One Identity Manager side to store this value is SeeAlso. Select the Ignore case sensitivity check box.
Sample value:
TSSDEPT1
DistinguishedName (primary rule) vrtEntryDN
vrtEntryDN is a virtual property, set to the DN of the object in the connector. This forms a unique ID to distinguish individual user objects on the Top Secret system.
To convert this mapping into an object matching rule
Select the property mapping rule in the rule window.
Click in the rule view toolbar.
A message appears.
Click Yes to convert the property mapping rule into an object matching rule and save a copy of the property mapping rule.
Sample value:
tssgroup=GROUP123,tssadmingrp=groups,host=topsecret1,o=mycompany,c=com
The members of a Top Secret group can be found in the group's uniqueMember attribute. This is a multi-valued attribute that contains a list of all group members (tssacids). The CA LDAP Server does not allow this attribute to be updated directly, but it can be updated via the connector. When the connector receives a request to update a group's uniqueMember attribute, it performs all necessary LDAP calls behind the scenes to synchronize group members.
When the connector receives a request to update a group’s uniqueMember attribute, it first performs an LDAP search to find out what the group's current uniqueMember attribute contains. It then compares the attribute with the supplied update and creates a list of users that need to be added or deleted in order to perform the synchronization.
For each user to be added, the connector sends an LDAP modify request for the user (tssacid) object to add the group via the user’s groups attribute. This adds the user to the group, and the CA LDAP Server then automatically updates the group's uniqueMember attribute to include the new user.
Similarly, for each user deleted, the connector sends an LDAP modify request for the user (tssacid) object to delete the group via the user’s groups attribute. This removes the user from the group and the CA LDAP Server then automatically updates the group's uniqueMember attribute to remove the user.
Once this is done, the uniqueMember attribute for the group will match the value that was passed into the connector, effectively synchronizing the two values. This approach is used in the sample group mapping in this document.
© 2024 One Identity LLC. ALL RIGHTS RESERVED. 利用規約 プライバシー Cookie Preference Center