
Identity Manager 8.0 - LDAP Connector for CA Top Secret Reference Guide

Mandatory Top Secret User Attributes

When creating a user in the Top Secret database, the following LDAP attributes must be defined:

  • objectclass
  • tssacid
  • name
  • Department
  • userPassword

Property Mapping Rules

  • CanonicalName ← vrtEntryCanonicalName

    vrtEntryCanonicalName is a virtual property, set to the canonical name of the object in the connector.

    Sample value:

    COM/MYCOMPANY/TOPSECRET1/ACIDS/USER1234

  • cn ←→ tssacid

    On the Top Secret system, tssacid is the user ID.

    Sample value:

    USER1234

  • DistinguishedName ← vrtEntryDN

    vrtEntryDN is a virtual property, set to the DN of the object in the connector. Once this mapping rule has been created, edit the mapping rule by clicking on it. Then check the box marked Force mapping against direction of synchronization.

    Sample value:

    tssacid=USER1234,tssadmingrp=acids,host=topsecret1,o=mycompany,c=com

  • ObjectClass ←→ objectClass

    The objectClass attribute (multi-valued) on the Top Secret system. Activate the check box Ignore case sensitivity.

    Sample value:

    TSSACID

  • StructuralObjectClass ← vrtStructuralObjectClass

    vrtStructuralObjectClass on the Top Secret system defines the single object class for the object type.

    Sample value:

    TSSACID

  • UID_LDPDomain ← vrtIdentDomain

    Create a fixed value property variable on the Top Secret side called vrtIdentDomain that is set to the value $IdentDomain$. Map this to UID_LDPDomain. This will cause a conflict and the Property Mapping Rule Conflict Wizard opens automatically.

    To solve the conflict

    1. In the Property Mapping Rule Conflict Wizard, select the first option and click OK.
    2. On the Select an element... page, select Ident_Domain and click OK.
    3. Confirm the security prompt with OK.
    4. On the Edit property... page,
      1. Deactivate Save unresolvable keys.
      2. Activate Handle failure to resolve as error.
      3. To close the Property Mapping Rule Conflict Wizard, click OK.

    Sample value:

    TOPSECRET1

  • vrtParentDN → vrtEntryParentDN

    Create a fixed value property variable on the One Identity Manager side called vrtParentDN equal to a fixed string with value $UserLocation$. Map this to vrtEntryParentDN on the Top Secret side.

    Sample value:

    tssadmingrp=acids,host=topsecret1,o=mycompany,c=com

  • vrtDept → Department

    Create a new fixed value property on the One Identity Manager side of type "String" whose value is the name of your department, and call the property vrtDept. Map this to Department on the Top Secret side. Department is one of the mandatory attributes, so an object cannot be created in Top Secret until this rule is in place.

  • vrtName → name

    Create a new variable on the One Identity Manager side of type "Format Defined Property" with name vrtName. Set its value to name=%CN%. Then map this to name on the Top Secret side.

    Sample value:

    name=USER123

  • vrtRDN → vrtEntryRDN

    Create a new variable on the One Identity Manager side of type "Format Defined Property" with name vrtRDN. Set its value to %CN%. Then map this to vrtEntryRDN on the Top Secret side.

    Sample value:

    USER123

  • userPassword → userPassword

    Used to change a user’s password in Top Secret. A condition needs to be set on this rule to map the password only when there is a value to be copied.

    To add a condition

    1. Create the mapping.
    2. Edit the property mapping rule.
    3. Expand the Condition for execution section at the bottom of the dialog.
    4. Click on Add condition and set the following condition (a blank password is indicated by using two apostrophe characters).

      Left.UserPassword<>''

  • UID_LDAPContainer ← vrtEmpty

    This is a workaround needed to support group mappings. Create a new fixed value variable on the Top Secret side of type "String" with no value called vrtEmpty. Map this to UID_LDAPContainer. This generates a property mapping rule conflict.

    To solve the conflict

    • In the Property Mapping Rule Conflict Wizard, highlight Select this option if you do not want to change anything and click OK.

Object Matching Rules

  • DistinguishedName (primary rule) vrtEntryDN

    vrtEntryDN is a virtual property, set to the DN of the object in the connector. This forms a unique ID to distinguish individual user objects on the Top Secret system.

    To convert this mapping into an object matching rule

    1. Select the property mapping rule in the rule window.
    2. Click in the rule view toolbar.

      A message appears.

    3. Click Yes to convert the property mapping rule into an object matching rule and save a copy of the property mapping rule. Do not mark this rule as case sensitive (leave the check box unchecked).

    Sample value:

    tssacid=USER1234,tssadmingrp=acids,host=topsecret1,o=mycompany,c=com
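The DN, RDN, parent DN and canonical name in the rules above are all derived from the same few values, and the object matching rule compares that DN without regard to case. The following Python script is an added example, not part of this guide or of the connector itself: it builds the attribute set for one ACID from the mapped values (including the userPassword condition), escapes the CN so that a crafted user ID cannot rewrite the rest of the DN, derives vrtEntryCanonicalName from vrtEntryDN, reports any missing mandatory attribute, and matches two DNs the way the case-insensitive matching rule does. The function names, the sample department and the sample password are assumptions made for illustration.

```python
"""Added example (not from the One Identity Manager documentation or the
connector): derive the Top Secret ACID entry from the mapped values and
check it the way the mapping and matching rules on this page describe."""
import re
from typing import Dict, List, Tuple

# Attributes the page lists as mandatory when creating a user in Top Secret.
MANDATORY = ("objectClass", "tssacid", "name", "Department", "userPassword")

# RFC 4514 characters that must be escaped inside an RDN value. Escaping them
# stops a CN such as 'X,host=evil' from adding components to the DN.
_SPECIAL = re.compile(r'([\\,+"<>;=])')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use in a DN (RFC 4514 section 2.4)."""
    out = _SPECIAL.sub(r'\\\1', value)
    if len(out) > 0 and out.endswith(' '):      # trailing space
        out = out[:-1] + '\\ '
    if out[:1] in ('#', ' '):                    # leading '#' or space
        out = '\\' + out
    return out


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (type, value) pairs, honouring backslash-character
    escapes (hex escapes are not handled in this simplified parser).
    Values are returned unescaped."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == '\\' and i + 1 < len(dn):       # escaped character
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ',':                            # unescaped separator
            parts.append(''.join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append(''.join(buf))
    pairs = []
    for p in parts:
        typ, _, val = p.partition('=')
        pairs.append((typ.strip(), val))
    return pairs


def canonical_name(dn: str) -> str:
    """vrtEntryCanonicalName: DN values root-first, upper-cased, '/'-joined."""
    return '/'.join(val.upper() for _, val in reversed(split_dn(dn)))


def dn_key(dn: str) -> Tuple[Tuple[str, str], ...]:
    """Normalised form used by the case-insensitive object matching rule."""
    return tuple((t.lower(), v.lower()) for t, v in split_dn(dn))


def dn_match(a: str, b: str) -> bool:
    """True when two DNs identify the same object ignoring case."""
    return dn_key(a) == dn_key(b)


def build_entry(cn: str, department: str, user_location: str,
                password: str = "") -> Dict[str, object]:
    """Assemble the attributes the property mapping rules produce for one ACID.
    user_location plays the role of $UserLocation$ (vrtEntryParentDN)."""
    rdn = "tssacid=" + escape_rdn_value(cn)     # vrtEntryRDN = %CN%
    entry: Dict[str, object] = {
        "dn": f"{rdn},{user_location}",         # vrtEntryDN = RDN + parent DN
        "objectClass": ["TSSACID"],              # ObjectClass <-> objectClass
        "tssacid": cn,                           # cn <-> tssacid
        "name": f"name={cn}",                    # vrtName = name=%CN%
        "Department": department,                # vrtDept fixed string (assumed)
    }
    if password != "":                           # Left.UserPassword <> ''
        entry["userPassword"] = password
    return entry


def missing_mandatory(entry: Dict[str, object]) -> List[str]:
    """Mandatory attributes absent from the entry (LDAP names are case-insensitive)."""
    present = {k.lower() for k in entry}
    return [a for a in MANDATORY if a.lower() not in present]


if __name__ == "__main__":
    loc = "tssadmingrp=acids,host=topsecret1,o=mycompany,c=com"   # $UserLocation$
    e = build_entry("USER1234", "PAYROLL", loc, password="S3cret!")   # sample values
    print(e["dn"])
    print(canonical_name(e["dn"]))
    # A create with a blank password trips the mandatory-attribute check.
    print("missing:", missing_mandatory(build_entry("USER1234", "PAYROLL", loc)))
```

The escaping step matters because the CN arrives from the One Identity Manager side and ends up in vrtEntryRDN unchanged; without it, a user ID containing a comma would produce a DN with an extra component and a different parent than $UserLocation$. The missing-attribute check also makes the interaction between the two rules visible: userPassword is mandatory on create, yet the condition on its mapping rule skips it when blank, so a provisioning request with no password will fail in Top Secret rather than in the mapping.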


Group Mapping Information

This section shows a possible mapping between a group in Top Secret (tssgroup) and the standard One Identity Manager database table called LDAPGroup.

  • Set up a new mapping from LDAPGroup(all) to tssgroup(all).

For more detailed information about setting up mappings, see the One Identity Manager Target System Synchronization Reference Guide.
