Chat now with support
Chat with Support

Identity Manager 9.2 - LDAP Connector for IBM RACF Reference Guide

Property mapping rules

  • CanonicalName ← vrtEntryCanonicalName

    vrtEntryCanonicalName is a virtual property, set to the canonical name of the object in the connector.

    Sample value:

    COM/MYCOMPANY/MAINFRAME1/USER/USER1234

  • cn ←→ racfid

    On the RACF system, racfid is the user ID.

    Sample value:

    USER1234

  • DistinguishedName ← vrtEntryDN

    vrtEntryDN is a virtual property, set to the DN of the object in the connector. Select the Force mapping against direction of synchronization check box.

    Sample value:

    racfid=USER1234,profiletype=user,cn=mainframe1,o=mycompany,c=com

  • ObjectClass ←→ objectClass

    The objectClass attribute (multi-valued) on the RACF system. Select the Ignore case sensitivity check box.

    Sample value:

    TOP;RACFBASECOMMON;RACFUSER

  • StructuralObjectClass ← vrtStructuralObjectClass

    vrtStructuralObjectClass on the RACF system defines the single object class for the object type. Select the Ignore case sensitivity check box.

    Sample value:

    RACFUSER

  • UID_LDPDomain ← vrtIdentDomain

    Create a fixed value property variable on the RACF side called vrtIdentDomain that is set to the value $IdentDomain$. Map this to UID_LDPDomain. This causes a conflict, and the Property Mapping Rule Conflict Wizard opens automatically.

    To resolve the conflict

    1. In the Property Mapping Rule Conflict Wizard, select the first option and click OK.

    2. On the Select an element page, select Ident_Domain and click OK.

    3. Confirm the security prompt with OK.

    4. On the Edit property page:

      1. Clear Save unresolvable keys.

      2. Select Handle failure to resolve as error.

      To close the Property Mapping Rule Conflict Wizard, click OK.

    5. Select the Force mapping against direction of synchronization check box.

    Sample value:

    RACF_DOMAIN

  • vrtParentDN → vrtEntryParentDN

    Create a fixed value property variable on the One Identity Manager side called vrtParentDN equal to a fixed string with the value $UserLocation$. Map this to vrtEntryParentDN on the RACF side.

    Sample value:

    profiletype=user,cn=mainframe1,o=mycompany,c=com

  • vrtRDN → vrtEntryRDN

    Create a new variable on the One Identity Manager side of type Script Property with the name vrtRDN and a data type of String. In the Scripts section, enter one of the following scripts in the Read script section, depending on whether your project is configured for C# or Visual Basic.

    C# Script

    references VI.TSUtils.dll;

    return (VI.TargetSystem.Base.Utils.LDAP.RDN.Create("cn", useOldValues ? $cn[o]$ : $cn$).ToString()).Replace("cn=","racfid=");

    VB Script

    References VI.TSUtils.dll

    Imports VI.TargetSystem.Base.Utils.LDAP

    Dim name as String = ""

    If useOldValues Then

    name = $cn[o]$

    Else

    name = $cn$

    End If

    return RDN.Create("cn",name).ToString().Replace("cn=","racfid=")

    Then map this to vrtEntryRDN on the RACF side.

    Sample value:

    USER1234

  • userPassword → racfPassword

    Used to change a user’s RACF password. A condition must be set on this rule to map the password only when there is a value to be copied.

    To add a condition

    1. Create the mapping.

    2. Edit the property mapping rule.

    3. Expand the Condition for execution section at the bottom of the dialog.

    4. Click Add condition and set the following condition (a blank password is indicated by using two apostrophe characters).

      Left.UserPassword<>''

  • UID_LDAPContainer ← vrLDAPContainerDN

    This is a workaround needed to support group mappings. Create a new fixed value variable on the RACF side of type String with no value called vrtLDAPContainerDN with the value set to $UserLocation$. This generates a property mapping rule conflict.

    To resolve the conflict

    1. In the Property Mapping Rule Conflict Wizard, select the first option and click OK.

    2. On the Select an element page, select DistinguishedName and click OK.

    3. Confirm the security prompt with OK.

    4. On the Edit property page:

      1. Clear Save unresolvable keys.

      2. Select Handle failure to resolve as error.

      3. Select Ignore case.

    5. To close the Property Mapping Rule Conflict Wizard, click OK.

Related topics

Object matching rules

  • DistinguishedName (primary rule) vrtEntryDN

    vrtEntryDN is a virtual property, set to the DN of the object in the connector. This forms a unique ID to distinguish individual user objects on the RACF system.

    To convert this mapping into an object matching rule

    1. Select the property mapping rule in the rule window.

    2. Click in the rule view toolbar.

      A message appears.

    3. Click Yes to convert the property mapping rule into an object matching rule and save a copy of the property mapping rule.

    4. Edit the object matching rule and ensure that the Case sensitive check box is not selected.

    Sample value:

    racfid=USER1234,profiletype=user,cn=mainframe1,o=mycompany,c=com

Related topics

Sample user mapping

The following figure shows the user mapping in operation.

Group mapping information

This section shows a possible mapping between a user account in RACF and the standard One Identity Manager database table called LDAPGroup. The data set profile mapping used later also maps to LDAPGroup, so a filter must be applied in order to tell these apart.

  • When creating the group mapping, add a new schema class as follows.

    Table 3: Schema class settings

    Property

    Value

    Schema type

    LDAPGroup

    Display name

    LDAPGroup (RACFGroup)

    Class name

    LDAPGroup_racfgroup

    Select objects: Condition

    StructuralObjectClass='racfgroup'

    Select objects: Ignore case

    Activated

  • Select this new schema class, LDAPGroup (RACF Group), for this mapping to racfGroup(all) on the RACFside.

For more detailed information about setting up mappings, see the One Identity Manager Target System Synchronization Reference Guide.

Detailed information about this topic
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating