Mandatory Top Secret Group Attributes
When creating a group in the Top Secret database, the following LDAP attributes must be defined:
- objectclass
- tssgroup
- name
- Department
- User-Type
Related Topics
Property Mapping Rules
- CanonicalName ← vrtEntryCanonicalName
vrtEntryCanonicalName is a virtual property, set to the canonical name of the object in the connector.
Sample value:
COM/MYCOMPANY/TOPSECRET1/GROUPS/GROUP123
- cn ←→ tssgroup
On the Top Secret system, tssgroup is the group ID.
Sample value:
GROUP123
- DistinguishedName ← vrtEntryDN
vrtEntryDN is a virtual property, set to the DN of the object in the connector.
Sample value:
tssgroup=GROUP123,tssadmingrp=groups,host=topsecret1,o=mycompany,c=com
- ObjectClass ←→ objectClass
The objectClass attribute (multi-valued) on the Top Secret system. Activate the check box Ignore case sensitivity.
Sample value:
TSSGROUP
- StructuralObjectClass ← vrtStructuralObjectClass
vrtStructuralObjectClass on the Top Secret system defines the single object class for the object type.
Sample value:
TSSGROUP
- UID_LDPDomain ← vrtIdentDomain
Create a fixed value property variable on the Top Secret side called vrtIdentDomain that is set to the value $IdentDomain$. Map this to UID_LDPDomain. This will cause a conflict and the Property Mapping Rule Conflict Wizard opens automatically.
To solve the conflict
- In the Property Mapping Rule Conflict Wizard, select the first option and click OK.
- On the Select an element... page, select Ident_Domain and click OK.
- Confirm the security prompt with OK.
- On the Edit property... page,
- Deactivate Save unresolvable keys.
- Activate Handle failure to resolve as error.
- To close the Property Mapping Rule Conflict Wizard, click OK.
Sample value:
TOPSECRET1
- vrtParentDN → vrtEntryParentDN
Create a virtual attribute on the One Identity Manager side equal to a fixed string representing the parent DN for the object that is being manipulated.
Sample value:
tssadmingrp=groups,host=topsecret1,o=mycompany,c=com
- vrtRDN → vrtEntryRDN
Create a new variable on the One Identity Manager side of type "Format Defined Property" with name vrtRDN. Set its value to %CN%. Then map this to vrtEntryRDN on the Top Secret side.
Sample value:
GROUP123
- vrtName → name
Create a new variable on the One Identity Manager side of type "Format Defined Property" with name vrtName. Set its value to name=%CN%. Then map this to name on the Top Secret side.
Sample value:
name=GROUP123
- UID_LDAPContainer ← vrtEmpty
This is a workaround needed to support group mappings. Create a new fixed value variable on the Top Secret side of type "String" with no value called vrtEmpty. This is mapped to UID_LDAPContainer. This generates a property mapping rule conflict.
To solve the conflict
- In the Property Mapping Rule Conflict Wizard, highlight Select this option if you do not want to change anything and click OK.
- vrtMember ←→ memberOf
This mapping is used to synchronize group membership information.
- Create a new virtual entry on the One Identity Manager side of type “Members of M:N schema types” with name vrtMember. Activate the boxes to Ignore case and Enable relative component handling.
- Add the following M:N schema types:
- Add an entry for LDAPAccountInLDAPGroup. Set the left box to UID_LDAPGroup and the right box to UID_LDAPAccount. Set the Primary Key Property to DistinguishedName.
- Add an entry for LDAPGroupInLDAPGroup. Set the left box to UID_LDAPGroupChild and the right box to UID_LDAPGroupParent. Set the Primary Key Property to DistinguishedName.
- Create a new mapping rule of type "Multi-reference mapping rule". Set the rule name to "Member" and the mapping direction to "Both directions". Set the One Identity Manager schema property to vrtMember and the Top Secret schema property to memberOf.
- vrtType → User-Type
Create a new fixed value property on the One Identity Manager side of type "String" with the value GROUP. Call the property vrtType. Map this to User-Type on the Top Secret side.
- vrtDept → Department
Create a new fixed value property on the One Identity Manager side of type "String" with the name of your department. Call the property vrtDept. Map this to Department on the Top Secret side.
Related Topics
Object Matching Rules
- DistinguishedName (primary rule) vrtEntryDN
vrtEntryDN is a virtual property, set to the DN of the object in the connector. This forms a unique ID to distinguish individual user objects on the Top Secret system.
To convert this mapping into an object matching rule
- Select the property mapping rule in the rule window.
- Click
in the rule view toolbar.
A message appears.
- Click Yes to convert the property mapping rule into an object matching rule and save a copy of the property mapping rule.
Sample value:
tssgroup=GROUP123,tssadmingrp=groups,host=topsecret1,o=mycompany,c=com
Related Topics
Synchronizing Top Secret Group Members
The members of a Top Secret group can be found in the group attribute called memberOf. This is a multi-valued attribute that contains a list of all the group’s members (tssacids). The CA LDAP Server does not allow this attribute to be updated directly, but it can be updated via the connector. When the connector receives a request to update a group’s memberOf attribute, it performs all the necessary LDAP calls behind the scenes to perform the synchronization of the group members.
How the Connector Performs Group Member Synchronization
When the connector receives a request to update a group’s memberOf attribute, it first performs an LDAP search to find out what the group’s current memberOf attribute contains. It then compares this with the supplied update and creates a list of users that need to be added and / or deleted in order to perform the synchronization.
For each user to be added, the connector creates an LDAP object of type tssacidlist for the group that contains the new user’s name. This adds the user to the group and the CA LDAP Server then automatically updates the group’s memberOf attribute to include the new user.
Similarly, for each user to be deleted, the connector removes the LDAP object of type tssacidlist for the group associated with the user to be deleted. This removes the user from the group and the CA LDAP Server then automatically updates the group’s memberOf attribute to remove the user.
Once all this has been done, the memberOf attribute for the group will then match the value that was passed in to the connector, effectively synchronizing the two values. This approach has been used in the sample group mapping that appears in this document.