vrtEntryCanonicalName is a virtual property, set to the canonical name of the object in the connector.
On the RACF system, racfid is the user ID.
vrtEntryDN is a virtual property, set to the DN of the object in the connector. Activate the check box Force mapping against direction of synchronization.
The objectClass attribute (multi-valued) on the RACF system. Activate the check box Ignore case sensitivity.
vrtStructuralObjectClass on the RACF system defines the single object class for the object type. Activate the check box Ignore case sensitivity.
Create a fixed value property variable on the RACF side called vrtIdentDomain that is set to the value $IdentDomain$. Map this to UID_LDPDomain. This will cause a conflict and the Property Mapping Rule Conflict Wizard opens automatically.
To solve the conflict
Create a fixed value property variable on the One Identity Manager side called vrtParentDN equal to a fixed string with value $UserLocation$. Map this to vrtEntryParentDN on the RACF side.
Create a new variable on the One Identity Manager side of type "Script Property" with name vrtRDN and a data type of "string". In the Scripts section, enter one of the following scripts in the Read script section, depending on whether your project is configured for C# or Visual Basic.
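C#:
// Build the RDN from cn (old or current value) and rename the attribute type to racfid.
return (VI.TargetSystem.Base.Utils.LDAP.RDN.Create("cn", useOldValues ? $cn[o]$ : $cn$).ToString()).Replace("cn=","racfid=");
Visual Basic:
' Build the RDN from cn (old or current value) and rename the attribute type to racfid.
Dim name As String = ""
If useOldValues Then
    name = $cn[o]$
Else
    name = $cn$
End If
Return VI.TargetSystem.Base.Utils.LDAP.RDN.Create("cn", name).ToString().Replace("cn=", "racfid=")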
Then map this to vrtEntryRDN on the RACF side.
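The value the vrtRDN script produces, and the DN it forms together with $UserLocation$, modelled as a stand-alone C# program. This is an added example, not One Identity code: it does not call the VI.TargetSystem API, and the class name, the RACF user ID character set, the RFC 4514 escaping and the sample location are assumptions. It builds the racfid RDN directly from the validated cn value, because Replace("cn=", "racfid=") also rewrites any "cn=" that occurs inside the value.

```csharp
using System;
using System.Text.RegularExpressions;

// Stand-alone model of the vrtRDN and vrtEntryDN values. It does not call the
// One Identity Manager API; names and sample values are constructed.
public static class RacfDnModel
{
    // Assumption: a RACF user ID is 1-8 characters from A-Z, 0-9, '#', '$', '@'.
    static readonly Regex RacfUserId = new Regex(@"\A[A-Za-z0-9#$@]{1,8}\z");

    // Build "racfid=<id>" from the cn value instead of string-replacing "cn=".
    public static string ToRacfRdn(string cn)
    {
        if (cn == null || !RacfUserId.IsMatch(cn))
            throw new ArgumentException("Not a valid RACF user ID: " + cn);
        // RFC 4514 requires a leading '#' in an RDN value to be escaped.
        string value = cn[0] == '#' ? "\\" + cn : cn;
        return "racfid=" + value;
    }

    // Assumption: entry DN = RDN + "," + parent DN ($UserLocation$ on the page).
    public static string ToEntryDn(string cn, string userLocation)
    {
        return ToRacfRdn(cn) + "," + userLocation;
    }

    public static void Main()
    {
        string userLocation = "ou=users,o=example"; // constructed placeholder
        Console.WriteLine(ToEntryDn("IBMUSER", userLocation));
        Console.WriteLine(ToEntryDn("#ADMIN1", userLocation));

        // What a global Replace does to a value that itself contains "cn=":
        Console.WriteLine("cn=xcn=1".Replace("cn=", "racfid="));

        // The model rejects that value before any DN is built.
        try { ToEntryDn("xcn=1", userLocation); }
        catch (ArgumentException e) { Console.WriteLine(e.Message); }
    }
}
```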
Used to change a user’s RACF password. A condition needs to be set on this rule to map the password only when there is a value to be copied.
To add a condition
This is a workaround needed to support group mappings. Create a new fixed value variable on the RACF side of type "String" with no value called vrtLDAPContainerDN with the value set to $UserLocation$. This generates a property mapping rule conflict.
To solve the conflict
vrtEntryDN is a virtual property, set to the DN of the object in the connector. This forms a unique ID to distinguish individual user objects on the RACF system.
To convert this mapping into an object matching rule
A message appears.
Edit the object mapping rule and ensure that the Case sensitive check box is not activated.
The following figure shows the above user mapping in operation.
This section shows a possible mapping between a user account in RACF and the standard One Identity Manager database table called LDAPGroup. The data set profile mapping used later also maps to LDAPGroup, so a filter needs to be applied to tell these apart.
| Display name | LDAPGroup (RACF Group) |
| Select objects: Condition | StructuralObjectClass='racfgroup' |
| Select objects: Ignore case | Activated |
For more detailed information about setting up mappings, see the One Identity Manager Target System Synchronization Reference Guide.