When creating a group in the RACF database, the following LDAP attributes must be defined:
-
objectclass
-
racfid
When creating a group in the RACF database, the following LDAP attributes must be defined:
objectclass
racfid
CanonicalName ← vrtEntryCanonicalName
vrtEntryCanonicalName is a virtual property, set to the canonical name of the object in the connector.
Sample value:
COM/MYCOMPANY/MAINFRAME1/GROUP/USERGRP
cn ←→ racfid
On the RACF system, racfid is the group ID.
Sample value:
USERGRP
DistinguishedName ← vrtEntryDN
vrtEntryDN is a virtual property, set to the DN of the object in the connector. Select the Force mapping against direction of synchronization check box.
Sample value:
racfid=USERGRP,profiletype=group,cn=mainframe1,o=mycompany,c=com
ObjectClass ←→ objectClass
The objectClass attribute (multi-valued) on the RACF system. Select the Ignore case sensitivity check box.
Sample value:
TOP;RACFBASECOMMON;RACFGROUP
StructuralObjectClass ← vrtStructuralObjectClass
vrtStructuralObjectClass on the RACF system defines the single object class for the object type.
Sample value:
RACFGROUP
UID_LDPDomain ← vrtIdentDomain
Create a fixed value property variable on the RACF side called vrtIdentDomain that is set to the value $IdentDomain$. Map this to UID_LDPDomain. This will cause a conflict and the Property Mapping Rule Conflict Wizard opens automatically.
To resolve the conflict
In the Property Mapping Rule Conflict Wizard, select the first option and click OK.
On the Select an element page, select Ident_Domain and click OK.
Confirm the security prompt with OK.
On the Edit property page:
Clear Save unresolvable keys.
Select Handle failure to resolve as error.
To close the Property Mapping Rule Conflict Wizard, click OK.
Select the Force mapping against direction of synchronization check box.
Sample value:
RACF_DOMAIN
vrtParentDN → vrtEntryParentDN
Create a fixed value property variable on the One Identity Manager side called vrtParentDN equal to a fixed string with value $GroupLocation$. Map this to vrtEntryParentDN on the RACF side. Select the Ignore case sensitivity check box.
Sample value:
profiletype=group,cn=mainframe1,o=mycompany,c=com
vrtRDN → vrtEntryRDN
Create a new variable on the One Identity Manager side of type Script Property with the name vrtRDN and a data type of String. In the Scripts section, enter one of the following scripts in the Read script section, depending on whether your project is configured for C# or Visual Basic.
C# Script
references VI.TSUtils.dll;
return (VI.TargetSystem.Base.Utils.LDAP.RDN.Create("cn", useOldValues ? $cn[o]$ : $cn$).ToString()).Replace("cn=","racfid=");
VB Script
References VI.TSUtils.dll
Imports VI.TargetSystem.Base.Utils.LDAP
Dim name as String = ""
If useOldValues Then
name = $cn[o]$
Else
name = $cn$
End If
return RDN.Create("cn",name).ToString().Replace("cn=","racfid=")
Then map this to vrtEntryRDN on the RACF side.
Sample value:
USERGRP
UID_LDAPContainer ← vrLDAPContainerDN
This is a workaround needed to support group mappings. Create a new fixed value variable on the RACF side of type String with no value called vrtLDAPContainerDN with the value set to $GroupLocation$. This generates a property mapping rule conflict.
To resolve the conflict
In the Property Mapping Rule Conflict Wizard, select the first option and click OK.
On the Select an element page, select DistinguishedName and click OK.
Confirm the security prompt with OK.
On the Edit property page:
Clear Save unresolvable keys.
Select Handle failure to resolve as error.
Select Ignore case.
To close the Property Mapping Rule Conflict Wizard, click OK.
vrtMember ←→ racfGroupUserids
This mapping is used to synchronize group membership information.
Create a new virtual entry on the One Identity Manager side of type Members of M:N schema types with the name vrtMember. Select the Ignore case and Enable relative component handling check boxes.
Add the following M:N schema types:
Add an entry for LDAPAccountInLDAPGroup. Set the left box to UID_LDAPGroup and the right box to UID_LDAPAccount. Set the Primary Key Property to DistinguishedName.
Add an entry for LDAPGroupInLDAPGroup. Set the left box to UID_LDAPGroupParent and the right box to UID_LDAPGroupChild. Set the Primary Key Property to DistinguishedName.
Create a new mapping rule of type Multi-reference mapping rule. Set the rule name to Member and the mapping direction to Both directions. Set the One Identity Manager schema property to vrtMember and the RACF schema property to racfGroupUserids.
DistinguishedName (primary rule) vrtEntryDN
vrtEntryDN is a virtual property, set to the DN of the object in the connector. This forms a unique ID to distinguish individual group objects on the RACF system.
To convert this mapping into an object matching rule
Select the property mapping rule in the rule window.
Click in the rule view toolbar.
A message appears.
Click Yes to convert the property mapping rule into an object matching rule and save a copy of the property mapping rule.
Edit the object matching rule and select the Case sensitive check box.
Sample value:
racfid=USERGRP,profiletype=group,cn=mainframe1,o=mycompany,c=com
The following figure shows the group mapping in operation.
© 2024 One Identity LLC. ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center