Chat now with support
Chat with Support

Active Roles 7.4.3 - Synchronization Service Administration Guide

Synchronization Service Overview Deploying Synchronization Service Getting started Connections to external data systems
External data systems supported out of the box
Working with Active Directory Working with an AD LDS (ADAM) instance Working with Skype for Business Server Working with Oracle Working with Exchange Server Working with Active Roles Working with One Identity Manager Working with a delimited text file Working with Microsoft SQL Server Working with Micro Focus NetIQ Directory Working with Salesforce Working with ServiceNow Working with Oracle Unified Directory Working with an LDAP directory service Working with IBM DB2 Working with IBM AS/400 Working with an OpenLDAP directory service Working with IBM RACF connector Working with MySQL database Working with an OLE DB-compliant relational database Working with SharePoint Working with Microsoft Office 365 Working with Microsoft Azure Active Directory
Using connectors installed remotely Creating a connection Renaming a connection Deleting a connection Modifying synchronization scope for a connection Using connection handlers Specifying password synchronization settings for a connection
Synchronizing identity data Mapping objects Automated password synchronization Synchronization history Scenarios of use Appendix A: Developing PowerShell scripts for attribute synchronization rules Appendix B: Using a PowerShell script to transform passwords

Creating an IBM AS/400 connection

To create a new connection

  1. In the Synchronization Service Administration Console, open the Connections tab.

  2. Click Add connection, and then use the following options:

    • Connection name. Type a descriptive name for the connection.

    • Use the specified connector. Select IBM AS/400 Connector.

  3. Click Next.

  4. On the Specify connection settings page, use the following options:

    • Server. Type or select the fully qualified DNS name of the IBM AS/400 server running the LDAP service.
    • Port. Type the IBM AS/400 LDAP communication port number in use by the service.
    • User name. Specify the fully distinguished name (DN) of the account under which the application will access the IBM AS/400 LDAP directory service.
    • Password. specify the password of the user account under which the application will access the IBM AS/400 LDAP directory service. We recommend that you select the SSL check box if synchronizing sensitive data between connectors.
    • Test Connection. Click this button to verify the specified connection settings.

  5. Click Next.

  6. Click Finish to create a connection to the IBM AS/400 system.

Modifying an existing IBM AS/400 connection

To modify connection settings

  1. In the Synchronization Service Administration Console, open the Connections tab.

  2. Click Connection Settings below the existing IBM AS/400 connection you want to modify.

  3. On the Connection Settings tab, click the Specify connection settings item to expand it and use the following options and use the options they provide:

    • Server. Type or select the fully qualified DNS name of the IBM AS/400 server running the LDAP service.
    • Port. Type the IBM AS/400 LDAP communication port number in use by the service.
    • User name. Specify the fully distinguished name (DN) of the account under which the application will access the IBM AS/400 LDAP directory service.
    • Password. specify the password of the user account under which the application will access the IBM AS/400 LDAP directory service. We recommend that you select the SSL check box if synchronizing sensitive data between connectors.
    • Test Connection. Click this button to verify the specified connection settings.

  1. Click Save.

Specify connection settings

This expandable item provides the following options that allow you to modify the connection settings:

  • Server. Type or select the fully qualified DNS name of the IBM AS/400 server running the LDAP service. You can click Refresh to get a list of available servers.
  • Port. Type the IBM AS/400 LDAP communication port number in use by the service.
  • User name. Specify the fully distinguished name (DN) of the account under which the application will access the IBM AS/400 LDAP directory service.
  • Password. specify the password of the user account under which the application will access the IBM AS/400 LDAP directory service. We recommend that you select the SSL check box if synchronizing sensitive data between connectors.
  • Test Connection. Click this button to verify the specified connection settings.

Additional considerations

This topic briefs about the additional points to consider when configuring the IBM AS/400 connector.

Using groups with IBM AS/400

The IBM AS/400 operating system does not have any concept of groups as discrete entities. Instead, an administrator creates a user profile which is used as a group profile. Other user profiles are then linked to this using the GrpPrf or SupGrpPrf parameters of the ChgUsrPrf command. The GrpPrf value maps to the os400-grpprf attribute in the IBM AS/400 schema, while the SupGrpPrf value maps to the os400-supgrpprf attribute. The IBM AS/400 Quick Connect mappings must be defined for users and groups to enable full user and group synchronization.

 

Optional IBM AS/400 account unlock during password reset function

You can optionally unlock a user's IBM AS/400 account at the same time as performing a password reset. This functionality is switched off by default and can be enabled by editing the connector's configuration file as follows:

Edit the file:

<Program Files folder>\One Identity\Active Roles\7.4\SyncService\AS400Connector_ConnectorConfig.xml

and add the following lines just before the </ConnectorInfo> which appears on the last line of the file:

<SelfConfig>

<EnableAccount>true</EnableAccount>

</SelfConfig>

Only the value true will enable the new functionality.

The LDAP password request sent to IBM AS/400 will then also include a request to modify the account status (os400-status=*ENABLED)).

The configuration file is read every time an LDAP connection is made to the IBM AS/400, so the new value will be picked up for the next set of synchronizations.

NOTE: If you edited ConnectorConfig.xml to implement the optional unlock of a user's IBM AS/400 account at the same time as performing a password reset in an earlier version of the connector for IBM AS/400, then you will need to repeat that edit after installing a later version.

Related Documents