Identity Manager 9.2.1 - LDAP Connector for IBM i Reference Guide

Mandatory IBM i group attributes

When creating a group in the IBM i database, the following LDAP attributes must be defined:

  • objectclass

  • os400-profile

  • os400-groupmember (this is not mandatory but if omitted, a user profile will be created instead)

Property mapping rules

  • CanonicalName ← vrtEntryCanonicalName

    vrtEntryCanonicalName is a virtual property, set to the canonical name of the object in the connector.

    Sample value:

    AS4001.MYCOMPANY.COM/ACCOUNTS/GROUP123

  • cn ←→ os400-profile

    On the IBM i system, os400-profile is the group ID.

    Sample value:

    USERGRP

  • DistinguishedName ← vrtEntryDN

    vrtEntryDN is a virtual property, set to the DN of the object in the connector.

    Sample value:

    os400-profile=GROUP123,CN=ACCOUNTS,OS400-SYS=AS4001.MYCOMPANY.COM

  • ObjectClass ←→ objectClass

    The objectClass attribute (multi-valued) on the IBM i system. Select the Ignore case sensitivity check box.

    Sample value:

    TOP;OS400-USRPRF

  • StructuralObjectClass ← vrtStructuralObjectClass

    vrtStructuralObjectClass on the IBM i system defines the single object class for the object type.

    Sample value:

    OS400-USRPRF

  • vrtParentDN → vrtEntryParentDN

    Create a fixed value property variable on the One Identity Manager side called vrtParentDN equal to a fixed string with the value $GroupLocation$. Map this to vrtEntryParentDN on the IBM i side.

    Sample value:

    CN=ACCOUNTS,OS400-SYS=AS4001.MYCOMPANY.COM

  • vrtRDN → vrtEntryRDN

    Create a virtual attribute on the One Identity Manager side equal to the CN value. Then map this to vrtEntryRDN on the IBM i side.

    Sample value:

    os400-profile=GROUP123

  • UID_LDAPContainer ← vrtEmpty

    This is a workaround needed to support group mappings. Create a new fixed value variable on the IBM i side of type String with no value called vrtEmpty. Map this to UID_LDAPContainer. This generates a property mapping rule conflict.

    To resolve the conflict

    • In the Property Mapping Rule Conflict Wizard, highlight Select this option if you do not want to change anything and click OK.

  • vrtMember ←→ os400-groupmember

    Synchronizing this attribute on the IBM i will manage the group memberships for the user.

    1. Create a new virtual entry on the One Identity Manager side of type Members of M:N schema types with the name vrtMember. Select the Ignore case and Enable relative component handling check boxes. 

    2. Add an entry for LDAPAccountInLDAPGroup(all). Set the left box to UID_LDAPGroup and the right box to UID_LDAPAccount. Set the Primary Key Property to DistinguishedName.

    3. Create a new mapping rule of type Multi-reference mapping rule. Set the rule name to Member and the mapping direction to Both directions. Set the One Identity Manager schema property to vrtMember and the IBM i schema property to os400-groupmember.

  • UID_LDPDomain ← vrtIdentDomain

    Create a fixed-value property variable on the IBM i side called vrtIdentDomain that is set to the value $IdentDomain$. Map this to UID_LDPDomain. This will cause a conflict and the Property Mapping Rule Conflict Wizard opens automatically.

    To resolve the conflict

    1. In the Property Mapping Rule Conflict Wizard, select the first option and click OK.

    2. On the Select an element page, select Ident_Domain and click OK.

    3. Confirm the security prompt with OK.

    4. On the Edit property page:

      1. Clear Save unresolvable keys.

      2. Select Handle failure to resolve as error.

    5. To close the Property Mapping Rule Conflict Wizard, click OK.

    Sample value:

    AS400_001
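The following pre-flight check is an added example, not One Identity or IBM code. It composes the DN from the vrtRDN and vrtParentDN parts described above, derives the canonical name, and flags a group entry that would be created as a user profile because os400-groupmember is missing. The function names, the member DN and the canonical-name rule (RDN values in reverse order joined by "/", inferred from the sample values on this page) are assumptions, and DNs with escaped commas are not handled.

```python
# Added example: validate a proposed IBM i group entry before provisioning.
MANDATORY = ("objectclass", "os400-profile")
PARENT_DN = "CN=ACCOUNTS,OS400-SYS=AS4001.MYCOMPANY.COM"  # sample from the page

# Constructed sample entry; the member DN is illustrative only.
SAMPLE_GROUP = {
    "objectClass": ["TOP", "OS400-USRPRF"],
    "os400-profile": "GROUP123",
    "os400-groupmember": ["os400-profile=USER1," + PARENT_DN],
}

def split_dn(dn):
    """Split a simple DN into (attribute, value) pairs."""
    parts = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr or not value:
            raise ValueError(f"malformed RDN: {rdn!r}")
        parts.append((attr, value))
    return parts

def canonical_name(dn):
    """Assumed rule: RDN values, most general first, joined by '/'."""
    return "/".join(value for _, value in reversed(split_dn(dn)))

def check_group_entry(attrs, parent_dn):
    """Return (dn, canonical_name, findings) for a proposed group entry."""
    # Attribute names are compared case-insensitively, as in LDAP.
    lowered = {k.lower(): v for k, v in attrs.items()}
    findings = [f"missing mandatory attribute: {name}"
                for name in MANDATORY if not lowered.get(name)]
    if not lowered.get("os400-groupmember"):
        findings.append("os400-groupmember omitted: a user profile "
                        "will be created instead of a group")
    profile = lowered.get("os400-profile")
    if not profile:
        return None, None, findings
    dn = f"os400-profile={profile},{parent_dn}"  # vrtRDN + vrtParentDN
    return dn, canonical_name(dn), findings
```

An empty findings list means the entry carries every attribute listed under "Mandatory IBM i group attributes"; any finding should block the write.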

Object matching rules

  • DistinguishedName (primary rule) vrtEntryDN

    vrtEntryDN is a virtual property, set to the DN of the object in the connector. This forms a unique ID to distinguish individual user objects on the IBM i system.

    To convert this mapping into an object matching rule

    1. Select the property mapping rule in the rule window.

    2. Click in the rule view toolbar.

      A message appears.

    3. Click Yes to convert the property mapping rule into an object matching rule and save a copy of the property mapping rule.

    Sample value:

    os400-profile=GROUP123,CN=ACCOUNTS,OS400-SYS=AS4001.MYCOMPANY.COM

Sample group mapping

The following figure shows the group mapping in operation.
