Chat now with support
Chat with Support

Identity Manager 8.0 - LDAP Connector for IBM RACF Reference Guide

Mandatory RACF Group Attributes

When creating a group in the RACF database, the following LDAP attributes must be defined:

  • objectclass
  • racfid
Related Topics

Property Mapping Rules

  • CanonicalName ← vrtEntryCanonicalName

    vrtEntryCanonicalName is a virtual property, set to the canonical name of the object in the connector.

    Sample value:

    COM/MYCOMPANY/MAINFRAME1/GROUP/USERGRP

  • cn ←→ racfid

    On the RACF system, racfid is the group ID.

    Sample value:

    USERGRP

  • DistinguishedName ← vrtEntryDN

    vrtEntryDN is a virtual property, set to the DN of the object in the connector. Activate the check box Force mapping against direction of synchronization.

    Sample value:

    racfid=USERGRP,profiletype=group,cn=mainframe1,o=mycompany,c=com

  • ObjectClass ←→ objectClass

    The objectClass attribute (multi-valued) on the RACF system. Activate the check box Ignore case sensitivity.

    Sample value:

    TOP;RACFBASECOMMON;RACFGROUP

  • StructuralObjectClass ← vrtStructuralObjectClass

    vrtStructuralObjectClass on the RACF system defines the single object class for the object type.

    Sample value:

    RACFGROUP

  • UID_LDPDomain ← vrtIdentDomain

    Create a fixed value property variable on the RACF side called vrtIdentDomain that is set to the value $IdentDomain$. Map this to UID_LDPDomain. This will cause a conflict and the Property Mapping Rule Conflict Wizard opens automatically.

    To solve the conflict

    1. In the Property Mapping Rule Conflict Wizard, select the first option and click OK.
    2. On the Select an element... page, select Ident_Domain and click OK.
    3. Confirm the security prompt with OK.
    4. On the Edit property... page,
      1. Deactivate Save unresolvable keys.
      2. Activate Handle failure to resolve as error.
      3. To close the Property Mapping Rule Conflict Wizard, click OK.
    5. Activate the check box Force mapping against direction of synchronization.

    Sample value:

    RACF_DOMAIN

  • vrtParentDN → vrtEntryParentDN

    Create a fixed value property variable on the One Identity Manager side called vrtParentDN equal to a fixed string with value $GroupLocation$. Map this to vrtEntryParentDN on the RACF side. Activate the check box Ignore case sensitivity.

    Sample value:

    profiletype=group,cn=mainframe1,o=mycompany,c=com

  • vrtRDN → vrtEntryRDN

    Create a new variable on the One Identity Manager side of type "Script Property" with name vrtRDN and a data type of "string". In the Scripts section, enter one of the he following scripts in the Read script section, depending on whether your project is configured for C# or Visual Basic.

    C# Script

    references VI.TSUtils.dll;

    return (VI.TargetSystem.Base.Utils.LDAP.RDN.Create("cn", useOldValues ? $cn[o]$ : $cn$).ToString()).Replace("cn=","racfid=");

    VB Script

    References VI.TSUtils.dll

    Imports VI.TargetSystem.Base.Utils.LDAP

    Dim name as String = ""

    If useOldValues Then

    name = $cn[o]$

    Else

    name = $cn$

    End If

    return RDN.Create("cn",name).ToString().Replace("cn=","racfid=")

    Then map this to vrtEntryRDN on the RACF side.

    Sample value:

    USERGRP

  • UID_LDAPContainer ← vrLDAPContainerDN

    This is a workaround needed to support group mappings. Create a new fixed value variable on the RACF side of type "String" with no value called vrtLDAPContainerDN with the value set to $GroupLocation$. This generates a property mapping rule conflict.

    To solve the conflict

    1. In the Property Mapping Rule Conflict Wizard, select the first option and click OK.
    2. On the Select an element... page, select DistinguishedName and click OK.
    3. Confirm the security prompt with OK.
    4. On the Edit property... page,
      1. Deactivate Save unresolvable keys.
      2. Activate Handle failure to resolve as error.
      3. Active Ignore case.
      4. To close the Property Mapping Rule Conflict Wizard, click OK.
  • vrtMember ←→ racfGroupUserids

    This mapping is used to synchronize group membership information.

    1. Create a new virtual entry on the One Identity Manager side of type "Members of M:N schema types" with name vrtMember. Activate the boxes to Ignore case and Enable relative component handling
    2. Add the following M:N schema types:
      1. Add an entry for LDAPAccountInLDAPGroup. Set the left box to UID_LDAPGroup and the right box to UID_LDAPAccount. Set the Primary Key Property to DistinguishedName.
      2. Add an entry for LDAPGroupInLDAPGroup. Set the left box to UID_LDAPGroupParent and the right box to UID_LDAPGroupChild. Set the Primary Key Property to DistinguishedName.
    3. Create a new mapping rule of type "Multi-reference mapping rule". Set the rule name to "Member" and the mapping direction to "Both directions". Set the One Identity Manager schema property to vrtMember and the RACF schema property to racfGroupUserids.
Related Topics

Object Matching Rules

  • DistinguishedName (primary rule) vrtEntryDN

    vrtEntryDN is a virtual property, set to the DN of the object in the connector. This forms a unique ID to distinguish individual group objects on the RACF system.

    To convert this mapping into an object matching rule

    1. Select the property mapping rule in the rule window.
    2. Click in the rule view toolbar.

      A message appears.

    3. Click Yes to convert the property mapping rule into an object matching rule and save a copy of the property mapping rule.
    4. Edit the object mapping rule and activate the Case sensitive check box.

    Sample value:

    racfid=USERGRP,profiletype=group,cn=mainframe1,o=mycompany,c=com

Related Topics

Sample Group Mapping

The following figure shows the above group mapping in operation.

Related Documents