When creating a group in the AS/400 database, the following LDAP attributes must be defined:
-
objectclass
-
os400-profile
-
os400-groupmember (this is not mandatory but if omitted, a user profile will be created instead)
When creating a group in the AS/400 database, the following LDAP attributes must be defined:
objectclass
os400-profile
os400-groupmember (this is not mandatory but if omitted, a user profile will be created instead)
CanonicalName ← vrtEntryCanonicalName
vrtEntryCanonicalName is a virtual property, set to the canonical name of the object in the connector.
Sample value:
AS4001.MYCOMPANY.COM/ACCOUNTS/GROUP123
cn ←→ os400-profile
On the AS/400 system, os400-profile is the group ID.
Sample value:
USERGRP
DistinguishedName ← vrtEntryDN
vrtEntryDN is a virtual property, set to the DN of the object in the connector.
Sample value:
os400-profile=GROUP123,CN=ACCOUNTS,OS400-SYS=AS4001.MYCOMPANY.COM
ObjectClass ←→ objectClass
The objectClass attribute (multi-valued) on the AS/400 system. Select the Ignore case sensitivity check box.
Sample value:
TOP;OS400-USRPRF
StructuralObjectClass ← vrtStructuralObjectClass
vrtStructuralObjectClass on the AS/400 system defines the single object class for the object type.
Sample value:
OS400-USRPRF
vrtParentDN → vrtEntryParentDN
Create a fixed value property variable on the One Identity Manager side called vrtParentDN equal to a fixed string with the value $GroupLocation$. Map this to vrtEntryParentDN on the AS/400 side.
Sample value:
CN=ACCOUNTS,OS400-SYS=AS4001.MYCOMPANY.COM
vrtRDN → vrtEntryRDN
Create a virtual attribute on the One Identity Manager side equal to the CN value. Then map this to vrtEntryRDN on the AS/400 side.
Sample value:
os400-profile=GROUP123
UID_LDAPContainer ← vrtEmpty
This is a workaround needed to support group mappings. Create a new fixed value variable on the AS/400 side of type String with no value called vrtEmpty. Map this to UID_LDAPContainer. This generates a property mapping rule conflict.
To resolve the conflict
In the Property Mapping Rule Conflict Wizard, highlight Select this option if you do not want to change anything and click OK.
vrtMember ←→ os400-groupmember
Synchronizing this attribute on the AS/400 will manage the group memberships for the user.
Create a new virtual entry on the One Identity Manager side of type Members of M:N schema types with the name vrtMember. Select the Ignore case and Enable relative component handling check boxes.
Add an entry for LDAPAccountInLDAPGroup(all). Set the left box to UID_LDAPGroup and the right box to UID_LDAPAccount. Set the Primary Key Property to DistinguishedName.
Create a new mapping rule of type Multi-reference mapping rule. Set the rule name to Member and the mapping direction to Both directions. Set the One Identity Manager schema property to vrtMember and the AS/400 schema property to os400-groupmember.
UID_LDPDomain ← vrtIdentDomain
Create a fixed-value property variable on the AS/400 side called vrtIdentDomain that is set to the value $IdentDomain$. Map this to UID_LDPDomain. This will cause a conflict and the Property Mapping Rule Conflict Wizard opens automatically.
To resolve the conflict
In the Property Mapping Rule Conflict Wizard, select the first option and click OK.
On the Select an element page, select Ident_Domain and click OK.
Confirm the security prompt with OK.
On the Edit property page:
Clear Save unresolvable keys.
Select Handle failure to resolve as error.
To close the Property Mapping Rule Conflict Wizard, click OK.
Sample value:
AS400_001
DistinguishedName (primary rule) vrtEntryDN
vrtEntryDN is a virtual property, set to the DN of the object in the connector. This forms a unique ID to distinguish individual user objects on the AS/400 system.
To convert this mapping into an object matching rule
Select the property mapping rule in the rule window.
Click in the rule view toolbar.
A message appears.
Click Yes to convert the property mapping rule into an object matching rule and save a copy of the property mapping rule.
Sample value:
os400-profile=GROUP123,CN=ACCOUNTS,OS400-SYS=AS4001.MYCOMPANY.COM
The following figure shows the group mapping in operation.
© 2024 One Identity LLC. ALL RIGHTS RESERVED. 이용 약관 개인정보 보호정책 Cookie Preference Center