Chat now with support
Chat with Support

Identity Manager 8.0 - Administration Guide for Connecting to LDAP

Managing LDAP Environments Setting up LDAP Directory Synchronization Basic Configuration Data LDAP Domains LDAP User Accounts LDAP Groups LDAP Container Structures LDAP Computers Reports about LDAP Objects Appendix: Configuration Parameters for Managing LDAP Appendix: Default Project Template for LDAP Appendix: Authentication Modules for Logging into the One Identity Manager

Updating Schemas

Updating Schemas

All the schema data (schema types and schema properties) of the target system schema and the One Identity Manager schema are available when you are editing a synchronization project. Only a part of this data is really needed for configuring synchronization. If a synchronization project is finished, the schema is compressed to remove unnecessary data from the synchronization project. This can speed up loading the synchronization project. Deleted schema data can be added to the synchronization configuration again at a later point.

If the target system schema or the One Identity Manager schema has changed, these changes must also be added to the synchronization configuration. Then the changes can be added to the schema property mapping.

To include schema data that have been deleted through compressing and schema modifications in the synchronization project, update each schema in the synchronization project. This may be necessary if:

  • A schema was changed by:
    • Changes to a target system schema
    • Customizations to the One Identity Manager schema
    • A One Identity Manager update migration
  • A schema in the synchronization project was shrunk by:
    • Activating the synchronization project
    • Synchronization projectClosed initial save
    • Compressing a schema

To update a system connection schema

  1. Open the synchronization project in the Synchronization EditorClosed.

  2. Select the category Configuration | Target system.

    - OR -

    Select the category

    Configuration | One Identity Manager connection.

  3. Select the view General and click Update schema.
  4. Confirm the security prompt with Yes.

    This reloads the schema data.

To edit a mapping

  1. Open the synchronization project in the SynchronizationClosed Editor.

  2. Select the category Mappings.
  3. Select a mapping in the navigation view.

    Opens the MappingClosed Editor. For more detailed information about editing mappings, see One Identity Manager Target SystemClosed Synchronization Reference Guide.

 NOTE: The synchronization is deactivated if the schema of an activated synchronization project is updated. Reactivate the synchronization project to synchronize.

Speeding Up Synchronization with Revision Filtering

Speeding Up Synchronization with Revision Filtering

When you start synchronization, all synchronization objects are loaded. Some of these objects have not be modified since the last synchronization and, therefore, must not be processed. SynchronizationClosed is accelerated by only loading those object pairs that have changed since the last synchronization. One Identity Manager uses revision filtering to accelerate synchronization.

LDAP supports revision filtering. RevisionClosed attributes defined when the synchronization project was set up, are used for the revision count. In the default version, the creation date and the date that LDAP objects were last modified is used. Every synchronization saves the last execution date in the One Identity Manager database. (table DPRRevisionStore, column value). This value is used as a comparison for revision filtering when the same workflow is synchronized the next time. The next time synchronization is run, only those objects that have been changed since this date are loaded. This avoids unnecessary updating of objects that have not changed since the last synchronization.

Determining the revision is done when synchronization starts. Objects changed after this point are included with the next synchronization.

Revision filtering can be applied to workflows and start up configuration.

To permit revision filtering on a workflow

  • Open the synchronization project in the Synchronization EditorClosed.

  • Edit the workflow properties. Select the entry Use revision filter from Revision filtering.

To permit revision filtering for a start up configuration

  • Open the synchronization project in the Synchronization Editor.

  • Edit the start up configuration properties. Select the entry Use revision filter from Revision filtering.

NOTE: Specify whether revision filtering will be applied when you first set up initial synchronization in the project wizard.

For more detailed information about revision filtering, see the One Identity Manager Target SystemClosed Synchronization Reference Guide.

Post-Processing Outstanding Objects

Post-Processing Outstanding Objects

Objects, which do not exist in the target system, can be marked as outstanding in One Identity Manager by synchronizing. This prevents objects being deleted because of an incorrect data situation or an incorrect synchronization configuration.

Objects marked as outstanding:

  • Cannot be edited in One Identity Manager.
  • Are ignored by subsequent synchronization.
  • Must be post-processed separately in One Identity Manager.

Start target system synchronization to do this.

To post-process outstanding objects

  1. Select the category LDAP | Target system synchronization: LDAP.

    All tables assigned to the target system type LDAP as synchronization tables are displayed in the navigation view.

  1. Select the table whose outstanding objects you want to edit in the navigation view.

    This opens the target system synchronization form. All objects are shown here that are marked as outstanding.

    TIP:

    To display object properties of an outstanding object

    1. Select the object on the target system synchronization form.
    2. Open the context menu and click Show object.
  1. Select the objects you want to rework. Multi-select is possible.
  2. Click one of the following icons in the form toolbar to execute the respective method.
    Table 15: Methods for handling outstanding objects

    Icon

    Method

    Description

    Delete

    The object is immediately deleted in the One Identity Manager. Deferred deletion is not taken into account. The "outstanding" label is removed from the object.

    Indirect memberships cannot be deleted.

    Publish

    The object is added in the target system. The "outstanding" label is removed from the object.

    The method triggers the event "HandleOutstanding". This runs a target system specific process that triggers the provisioning process for the object.

    Prerequisites:

    • The table containing the object can be published.
    • The target system connector has write access to the target system.

    Reset

    The "outstanding" label is removed from the object.

  3. Confirm the security prompt with Yes.

NOTE: By default, the selected objects are processed in parallel, which speeds up execution of the selected method. If an error occurs during processing, the action is stopped and all changes are discarded.

Bulk processing of objects must be disabled if errors are to be localized, which means the objects are processed sequentially. Failed objects are named in the error message. All changes that were made up until the error occurred are saved.

To disable bulk processing

  • Deactivate in the form toolbar.

You must customize synchronization to synchronize custom tables.

To add custom tables to the target system synchronization.

  1. Select the category LDAP | Basic configuration data | Target system types.
  2. Select the target system type LDAP in the result list.
  3. Select Assign synchronization tables in the task view.
  4. Assign custom tables whose outstanding objects you want to handle in Add assignments.
  5. Save the changes.
  6. Select Configure tables for publishing.
  7. Select custom tables whose outstanding objects can be published in the target system and set the option Publishable.
  8. Save the changes.

NOTE: The target system connector must have write access to the target system in order to publish outstanding objects that are being post-processed. That means, the option Connection is read only must no be set for the target system connection.

Configuring Memberships Provisioning

Configuring Memberships Provisioning

Memberships, for example, user accounts in groups, are saved in assignment tables in the One Identity Manager database. During provisioning of modified memberships, changes made in the target system will probably be overwritten. This behavior can occur under the following conditions:

  • Memberships are saved in the target system as an object property in list form (Example: List of user accounts in the property Member of an LDAP GroupOfNames).
  • Memberships can be modified in either of the connected systems.
  • A provisioning workflow and provisioning processes are set up.

If a membership in One Identity Manager changes, the complete list of members is transferred to the target system by default. Memberships, previously added to the target system are removed by this; previously deleted memberships are added again.

To prevent this, provisioning can be configured such that only the modified membership is provisioned in the target system. The corresponding behavior is configured separately for each assignment table.

To allow separate provisioning of memberships

  1. Start the Manager.
  2. Select the category LDAP | Basic configuration data | Target system types.
  3. Select Configure tables for publishing.
  4. Select the assignment tables for which you want to allow separate provisioning. Multi-select is possible.
    • The option can only be set for assignment tables whose base table has a column XDateSubItem.
    • Assignment tables, which are grouped together in a virtual schema property in the mapping, must be labeled identically (beispielsweise LDAPAccountInLDAPGroup, LDAPGroupInLDAPGroup and LDAPMachineInLDAPGroup).
  5. Click Enable merging.
  6. Save the changes.

For each assignment table labeled like this, the changes made in the One Identity Manager are saved in a separate table. During modification provisioning, the members list in the target system is compared to the entries in this table. This means that only modified memberships are provisioned and the members list does not get entirely overwritten.

 NOTE: The complete members list is updated by synchronization. During this process, objects with changes but incomplete provisioning are not handled. These objects are logged in the synchronization log.

For more detailed information about provisioning memberships, see the One Identity Manager Target SystemClosed SynchronizationClosed Reference Guide.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating