Identity Manager 8.0 - LDAP Connector for IBM AS/400 Reference Guide

Mandatory AS/400 Group Attributes

When creating a group in the AS/400 database, the following LDAP attributes must be defined:

  • objectclass
  • os400-profile
  • os400-groupmember (this is not mandatory, but if omitted, a user profile will be created instead)

Property Mapping Rules

  • CanonicalName ← vrtEntryCanonicalName

    vrtEntryCanonicalName is a virtual property, set to the canonical name of the object in the connector.

    Sample value:

    AS4001.MYCOMPANY.COM/ACCOUNTS/GROUP123

  • cn ←→ os400-profile

    On the AS/400 system, os400-profile is the group ID.

    Sample value:

    USERGRP

  • DistinguishedName ← vrtEntryDN

    vrtEntryDN is a virtual property, set to the DN of the object in the connector.

    Sample value:

    os400-profile=GROUP123,CN=ACCOUNTS,OS400-SYS=AS4001.MYCOMPANY.COM

  • ObjectClass ←→ objectClass

    The objectClass attribute (multi-valued) on the AS/400 system. Activate the check box Ignore case sensitivity.

    Sample value:

    TOP;OS400-USRPRF

  • StructuralObjectClass ← vrtStructuralObjectClass

    vrtStructuralObjectClass on the AS/400 system defines the single object class for the object type.

    Sample value:

    OS400-USRPRF

  • vrtParentDN → vrtEntryParentDN

    Create a fixed value property variable on the One Identity Manager side called vrtParentDN equal to a fixed string with value $GroupLocation$. Map this to vrtEntryParentDN on the AS/400 side.

    Sample value:

    CN=ACCOUNTS,OS400-SYS=AS4001.MYCOMPANY.COM

  • vrtRDN → vrtEntryRDN

    Create a virtual attribute on the One Identity Manager side equal to the CN value. Then map this to vrtEntryRDN on the AS/400 side.

    Sample value:

    os400-profile=GROUP123

  • UID_LDAPContainer ← vrtEmpty

    This is a workaround needed to support group mappings. Create a new fixed value variable on the AS/400 side of type "String" with no value called vrtEmpty. Map this to UID_LDAPContainer. This generates a property mapping rule conflict.

    To solve the conflict

    • In the Property Mapping Rule Conflict Wizard, highlight Select this option if you do not want to change anything and click OK.
  • vrtMember ←→ os400-groupmember

    Synchronizing this attribute on the AS/400 will manage the group memberships for the user.

    1. Create a new virtual entry on the One Identity Manager side of type "Members of M:N schema types" with name vrtMember. Activate the boxes to Ignore case and Enable relative component handling.
    2. Add an entry for LDAPAccountInLDAPGroup(all). Set the left box to UID_LDAPGroup and the right box to UID_LDAPAccount. Set the Primary Key Property to DistinguishedName.
    3. Create a new mapping rule of type "Multi-reference mapping rule". Set the rule name to "Member" and the mapping direction to "Both directions". Set the One Identity Manager schema property to vrtMember and the AS/400 schema property to os400-groupmember.
  • UID_LDPDomain ← vrtIdentDomain

    Create a fixed value property variable on the AS/400 side called vrtIdentDomain that is set to the value $IdentDomain$. Map this to UID_LDPDomain. This will cause a conflict and the Property Mapping Rule Conflict Wizard opens automatically.

    To solve the conflict

    1. In the Property Mapping Rule Conflict Wizard, select the first option and click OK.
    2. On the Select an element... page, select Ident_Domain and click OK.
    3. Confirm the security prompt with OK.
    4. On the Edit property... page,
      1. Deactivate Save unresolvable keys.
      2. Activate Handle failure to resolve as error.
      3. To close the Property Mapping Rule Conflict Wizard, click OK.

    Sample value:

    AS400_001
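
The check below is an added example, not code from One Identity Manager or the connector: it validates a group entry against the mandatory attributes listed above before it is provisioned, and derives the vrtRDN, vrtEntryDN and canonical name values in the form of this guide's sample values. The function name, the returned dictionary and the sample member DN are assumptions made for illustration, and the canonical name construction is inferred from the sample values only.

```python
# Added example: pre-flight check for an AS/400 group entry (not product code).
MANDATORY = ("objectclass", "os400-profile")


def check_group_entry(attrs, parent_dn):
    """Validate a group entry and derive the values the mapping rules expect.

    attrs: dict of LDAP attribute name -> list of values.
    parent_dn: the $GroupLocation$ value that is mapped to vrtEntryParentDN.
    """
    # LDAP attribute names are case-insensitive, so normalise before checking.
    entry = {name.lower(): values for name, values in attrs.items()}
    errors = [f"missing mandatory attribute: {a}"
              for a in MANDATORY if not entry.get(a)]
    # Not mandatory per the guide, but without it a user profile is created.
    # An empty list counts as omitted: an LDAP add cannot carry a value-less
    # attribute.
    if not entry.get("os400-groupmember"):
        errors.append("os400-groupmember omitted: a user profile would be created")
    if errors:
        return {"ok": False, "errors": errors}

    profile = entry["os400-profile"][0]
    rdn = f"os400-profile={profile}"   # vrtRDN -> vrtEntryRDN
    dn = f"{rdn},{parent_dn}"          # value reported back as vrtEntryDN
    # Assumption from the sample values: canonical name is the RDN values,
    # root first, joined with "/". Assumes no escaped commas in the DN.
    values = [part.split("=", 1)[1] for part in dn.split(",")]
    return {"ok": True, "errors": [], "rdn": rdn, "dn": dn,
            "canonical_name": "/".join(reversed(values))}


if __name__ == "__main__":
    # Constructed sample input; USER1 is a made-up member profile.
    parent = "CN=ACCOUNTS,OS400-SYS=AS4001.MYCOMPANY.COM"
    group = {
        "objectClass": ["TOP", "OS400-USRPRF"],
        "os400-profile": ["GROUP123"],
        "os400-groupmember": [f"os400-profile=USER1,{parent}"],
    }
    print(check_group_entry(group, parent))
    # Same entry without os400-groupmember: flagged before it reaches the AS/400.
    del group["os400-groupmember"]
    print(check_group_entry(group, parent))
```

Running such a check ahead of provisioning catches the case where a request intended to create a group would create a user profile instead.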

Object Matching Rules

  • DistinguishedName (primary rule) vrtEntryDN

    vrtEntryDN is a virtual property, set to the DN of the object in the connector. This forms a unique ID to distinguish individual user objects on the AS/400 system.

    To convert this mapping into an object matching rule

    1. Select the property mapping rule in the rule window.
    2. Click in the rule view toolbar.

      A message appears.

    3. Click Yes to convert the property mapping rule into an object matching rule and save a copy of the property mapping rule.

    Sample value:

    os400-profile=GROUP123,CN=ACCOUNTS,OS400-SYS=AS4001.MYCOMPANY.COM

Sample Group Mapping

The following figure shows the above group mapping in operation.