The IBM Tivoli Directory Server does not support standard LDAP filtering but a limited level of functionality is supported. The only attribute that can be filtered is racfid which can apply to both user and group names. This means that it is possible to filter on the names of both users and groups.
This is done by applying a system filter to either the racfuser or racfgroup objects of the form (racfid=<variable>*) where <variable> applies to a common prefix.
For example, to import only the users that start with "ABC" the following system filter should be applied to the racfuser object:
(racfid=ABC*)
To import only the groups beginning with "#1" the following system filter should be applied to the racfgroup object:
(racfid=#1*)
This section shows a possible mapping between a user account in RACF and the standard One Identity Manager database table called LDAPGroup (a group is the closest equivalent in One Identity Manager to a data set profile). A mapping for RACF group already exists, so a filter needs to be applied in order to tell these apart.
Property |
Value |
---|---|
Schema type | LDAPGroup |
Display name | LDAPGroup (Data set profile) |
Class name | LDAPGroup_datasetprofile |
Select objects: Condition | StructuralObjectClass='RACFDATASET' |
Select objects: Ignore case | Activated |
For more detailed information about setting up mappings, see the One Identity Manager Target System Synchronization Reference Guide.
When creating a data set profile in the RACF database, the following LDAP attributes must be defined:
vrtEntryCanonicalName is a virtual property, set to the canonical name of the object in the connector.
Sample value:
COM/MYCOMPANY/MAINFRAME1/DATASET/ABCDB.*.**
On the RACF system, this refers to the dataset profile ID.
Sample value:
ABCDB.*.**
vrtEntryDN is a virtual property, set to the DN of the object in the connector.
Sample value:
racfdataset=ABCDB.*.**,profiletype=dataset,cn=mainframe1,o=mycompany,c=com
The objectClass attribute (multi-valued) on the RACF system. Activate the check box Ignore case sensitivity.
Sample value:
TOP;RACFBASECOMMON;RACFDATASET
vrtStructuralObjectClass on the RACF system defines the single object class for the object type.
Sample value:
RACFDATASET
Create a fixed value property variable on the RACF side called vrtIdentDomain that is set to the value $IdentDomain$. Map this to VRT_UID_LDPDomain, the attribute created by One Identity Manager when this step was performed for a group mapping above.
Sample value:
RACF_DOMAIN
Create a fixed value property variable on the One Identity Manager side called vrtDatasetParentDN equal to a fixed string with value $DatasetLocation$. Map this to vrtEntryParentDN on the RACF side.
Sample value:
profiletype=dataset,cn=mainframe1,o=mycompany,c=com
Create a new variable on the One Identity Manager side of type "Script Property" with name vrtDatasetRDN and a data type of "string". In the Scripts section, enter one of the he following scripts in the "Read script" section, depending on whether your project is configured for C# or Visual Basic.
C# Script
references VI.TSUtils.dll;
return (VI.TargetSystem.Base.Utils.LDAP.RDN.Create("cn", useOldValues ? $cn[o]$ : $cn$).ToString()).Replace("cn=","racfDataset=");
VB Script
References VI.TSUtils.dll
Imports VI.TargetSystem.Base.Utils.LDAP
Dim name as String = ""
If useOldValues Then
name = $cn[o]$
Else
name = $cn$
End If
return RDN.Create("cn",name).ToString().Replace("cn=","racfDataset=")
Then map this to vrtEntryRDN on the RACF side.
Sample value:
ABCDB.*.**
This is a multi-valued string that contains the RACF user IDs and the rights they have been granted for a particular data set profile. Changes to this list on the RACF side can be performed by synchronizing the necessary changes from the One Identity Manager side. BusinessCategory was chosen for the mapping as it was a pre-existing multi-valued string.
Sample value:
USER001(READ); USER002(ALTER); USER003(READ)
vrtDatasetMember ←→ racfPermitId
This mapping is used to synchronize data set membership information.
Add the following M:N schema types:
Add an entry for LDAPGroupInLDAPGroup. Set the left box to UID_LDAPGroupParent and the right box to UID_LDAPGroupChild. Set the Primary Key Property to DistinguishedName.
Create a new mapping rule of type "Multi-reference mapping rule". Set the rule name to "Member" and the mapping direction to "Both directions". Set the One Identity Manager schema property to vrtDatasetMember and the RACF schema property to racfPermitId.
|
NOTE: When this membership mapping has been set up at the same time as that for groups (vrtMember <-> racfGroupUserids in the group mapping) the data set synchronization will populate both the vrtDatasetMember and vrtMember attributes with the same values. The values stored in vrtMember can be ignored. |
© 2021 One Identity LLC. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy