Integrating Oracle Identity Manager with Sun Java System Directory Server: Performing Reconciliation

Purpose

This OBE tutorial describes and shows you how to use Oracle Identity Manager to reconcile with an external resource automatically. New accounts, as well as changes to existing accounts, can be retrieved and transferred into Oracle Identity Manager. For this tutorial, Jim and Jane function as the users, and Sun Java System Directory Server acts as the resource.

Time to Complete

Approximately 2 hours

Topics

This OBE tutorial covers the following topics:

 Overview
 Scenario
 Prerequisites
 Importing a Connector
 Making the Connector Operable
 Modifying the Lookup Definitions
 Modifying the Create User Form
 Modifying the iPlanet User Process Form
 Creating and Provisioning Resources for Users
 Reconciling with Sun Java System Directory Server
 Summary
 Related information

Overview

Oracle Identity Manager is a highly flexible and scalable enterprise identity management system that controls user accounts and access privileges within enterprise IT resources centrally. It provides the functionalities of provisioning, identity and role administration, approval and request management, policy-based entitlement management, technology integration, and audit and compliance automation.

Features and benefits of Oracle Identity Manager include identity and role administration (user and group management, self-service functionalities for users, and delegated administration), provisioning (approval and request management, and configurable workflow models), policy-based entitlements, reconciliation, and attestation support (for audit and compliance purposes).

Scenario

Linda is employed as a network administrator for Mydo Main Corporation. In Mydo Main, she is responsible for performing identity and access management tasks on various users within the organization.

Linda needs to create and maintain users in Oracle Identity Manager so that these users can be provisioned with resources and entitlements in various target systems. She reconciles Oracle Identity Manager with Sun Java System Directory Server, Mydo Main's authoritative source for users. This process, known as trusted source reconciliation, involves identifying new users in Sun Java System Directory Server, and creating corresponding records in Oracle Identity Manager. This process also modifies and synchronizes Oracle Identity Manager users, whose account information in Sun Java System Directory Server is changed.

Jane is employed in the Product Management department of Mydo Main Corporation. She is a full-time employee, based in Atlanta, and needs to be provisioned with the Sun Java System Directory Server resource. In addition, she manages Jim, who is a contractor for Mydo Main.

Prerequisites

Before starting this tutorial, you should:

1.

Complete the OBE titled "Installing Oracle Identity Manager."

2.

Complete the OBE titled "Integrating Oracle Identity Manager with Oracle Database: Performing User Management and Provisioning."

Importing a Connector

The purpose of this OBE is for Oracle Identity Manager to retrieve user records from a trusted source. For this OBE, Sun Java System Directory Server functions as the trusted source.

To have Oracle Identity Manager perform trusted source reconciliation with Sun Java System Directory Server, Linda must import two *.xml files into the Oracle Identity Manager environment of Mydo Main. These files are iPlanetResourceObject.xml and iPlanetResourceXLObject.xml.

These two files represent an Oracle Identity Manager Connector for this type of directory server. So, by importing these *.xml files, Linda is importing the connector for Sun Java System Directory Server into Oracle Identity Manager.

To import this connector, perform the following steps:

1.

Launch your Oracle Identity Manager Server, Administrative Console, and Design Console.

Note: For more information about loading, setting up, or starting Oracle Identity Manager, refer to the OBE titled "Installing Oracle Identity Manager."

 

2.

Log in to your Administrative Console with the "superuser" account for Oracle Identity Manager (that is, enter xelsysadm in the User ID field and abcd1234 in the Password field).

Note: The first time you log in to Oracle Identity Manager with a particular account, you must select and answer "challenge" questions. These questions are used to verify your identity if you need to reset your password. However, for all subsequent logins with that account, these questions do not appear. Instead, you are taken directly to the Home page of your Oracle Identity Manager Administrative Console.

For more information about selecting and answering "challenge" questions, refer to the OBE titled "Installing Oracle Identity Manager."

 

3.

Open the Import form in the Deployment Management folder.

Note: If the Warning – Security window appears, click the Yes or Grant This Session button, depending on which version of the Web browser is installed on your machine.

 

4.

The “Please choose a file for import” window appears. In this window, select the folder path where the export file resides, along with the name of the *.xml file.

For this OBE, you are selecting the iPlanetResourceObject.xml file, which can be found in the E:\OIM_Installs\OIM_CP_900\Directory Servers\Sun Java System Directory Server\Sun Java System Directory Server Rev 4.1.0\xml directory (after unzipping the Sun Java System Directory Server Rev 4.1.0.zip file).

 

5.

Select the iPlanetResourceObject.xml file. Click Open.

 

6.

The Deployment Manager window appears. In this window, click Add File.

 

7.

The Deployment Manager – Import window appears. Click Next.

 

8.

A Confirmation window appears. Click Next.

 

9.

You do not need to provide the parameter values at this time. Click Skip.

 

10.

A Confirmation window appears. Click View Selections.

 

11.

The Deployment Manager – Import window appears. Click Import.

 

12.

A Confirmation window appears. Click Import.

 

13.

A Success window appears, indicating that the iPlanetResourceObject.xml file is imported successfully. Click OK.

 

14.

The Deployment Manager – Import window appears again. You are now ready to import the second *.xml file (that is, the iPlanetResourceXLObject.xml file). To import this file, click Add File.

 

15.

The “Please choose a file for import” window appears. In this window, select the folder path where the export file resides, along with the name of the *.xml file.

For this OBE, you are selecting the iPlanetResourceXLObject.xml file, which can be found in the E:\OIM_Installs\OIM_CP_900\Directory Servers\Sun Java System Directory Server\Sun Java System Directory Server Rev 4.1.0\xml directory.

 

16.

Select the iPlanetResourceXLObject.xml file. Click Open.

 

17.

The Deployment Manager window appears. In this window, click Add File.

 

18.

The Deployment Manager – Import window appears. Click Next.

 

19.

A Confirmation window appears. Click Next.

20.

The Deployment Manager – Import window appears. Click Import.

 

21.

A Confirmation window appears. Click Import.

22.

A Success window appears, indicating that the iPlanetResourceXLObject.xml file is imported successfully. Click OK.

As a result of importing both *.xml files, the connector for Sun Java System Directory Server is also imported into Oracle Identity Manager.

Now that Linda imported this connector, she must configure it so that it is operable within Mydo Main's Oracle Identity Manager environment.

Making the Connector Operable

In the previous section of this OBE, Linda imported an Oracle Identity Manager Connector for Sun Java System Directory Server into her corporation's Oracle Identity Manager environment. Now, she must configure this connector so that it is operable within the environment.

This includes the following:

To make the connector operable, perform the following steps:

1.

Copy the xliIPlanet.jar file (which resides within the E:\OIM_Installs\OIM_CP_900\Directory Servers\Sun Java System Directory Server\Sun Java System Directory Server Rev 4.1.0\lib directory) to the E:\oracle\oim_server\xellerate\JavaTasks directory.

 

2.

Log in to your Design Console with the "superuser" account for Oracle Identity Manager (that is, enter xelsysadm in the User ID field and abcd1234 in the Password field).

 

3.

Expand the Development Tools folder, and double-click the Adapter Manager node.

 

4.

The list of adapters that Linda imported earlier appears. Select the Compile All option. Click Start.

Oracle Identity Manager begins to recompile the adapters.

After all adapters are recompiled, an OK message is displayed in the Status column for each adapter. This signifies that the adapters are recompiled successfully, and can be used within Mydo Main's Oracle Identity Manager environment.

 

5.

Expand the Resource Management folder, and double-click the IT Resources node.

 

6.

In the Name field, enter iPlanet User.

 

7.

Double-click the Type lookup field (in the Type text field). From the Lookup window that appears, select LDAP Server. Click OK.

 

8.

Click Save.

 

9.

The parameters for the IT resource type appear. Enter the values for the parameters, as follows (double-click each Value field to enter the value):

Parameter | Value
Admin id | cn=Directory Manager
Admin Password | abcd1234
Server Address | ten.mydomain.com
Port | 2389
SSL | false
Root DN | dc=contractors,dc=com
Use XL Org Structure | false
Prov Attribute Lookup Code | AttrName.Prov.Map.iPlanet
Recon Attribute Lookup Code | AttrName.Recon.Map.iPlanet
Last Recon TimeStamp | 0

 

10.

Click Save.
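
The parameter set entered in step 9 can be checked mechanically before it is saved. This added example (not part of the OBE or of Oracle Identity Manager) audits those values for an unencrypted bind, a bind as the directory's root DN, and reuse of the abcd1234 password that this tutorial also enters for xelsysadm, the UD_IPNT_USR default and the recon task; the finding codes, the hardened values and the service-account DN are assumptions.

```python
import re

# Values exactly as entered in step 9 of this tutorial.
TUTORIAL_PARAMS = {
    "Admin id": "cn=Directory Manager",
    "Admin Password": "abcd1234",
    "Server Address": "ten.mydomain.com",
    "Port": "2389",
    "SSL": "false",
    "Root DN": "dc=contractors,dc=com",
}

# Other places where this tutorial enters a password.
TUTORIAL_SECRETS = {
    "xelsysadm console login": "abcd1234",
    "UD_IPNT_USR Password default": "abcd1234",
    "iPlanet User Recon Task Password": "abcd1234",
}

# Constructed hardened counterpart: an assumed service account whose directory
# ACIs would be scoped to the user container, an assumed LDAPS listener on the
# standard port 636, and a placeholder secret.
HARDENED_PARAMS = dict(TUTORIAL_PARAMS, **{
    "Admin id": "uid=oim-recon,ou=services,dc=contractors,dc=com",
    "Admin Password": "PLACEHOLDER-long-Random-secret-01",
    "Port": "636",
    "SSL": "true",
})

# cn=Directory Manager is the directory's root DN and is not limited by ACIs.
ROOT_BIND_DNS = {"cn=directory manager"}


def password_is_weak(password, min_len=12):
    """Weak if short or built from fewer than three character classes."""
    patterns = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    classes = sum(bool(re.search(p, password)) for p in patterns)
    return len(password) < min_len or classes < 3


def audit_it_resource(params, other_secrets):
    """Return a list of (code, message) findings for one IT resource."""
    findings = []

    if params.get("SSL", "").strip().lower() != "true":
        findings.append(("CLEARTEXT_BIND",
                         "SSL is off: the bind password and all reconciled "
                         "attributes cross the network unencrypted"))

    bind_dn = ",".join(p.strip().lower()
                       for p in params.get("Admin id", "").split(","))
    if bind_dn in ROOT_BIND_DNS:
        findings.append(("PRIVILEGED_BIND_DN",
                         "connector binds as the root DN instead of a "
                         "service account limited to the user container"))

    password = params.get("Admin Password", "")
    if password_is_weak(password):
        findings.append(("WEAK_PASSWORD",
                         "Admin Password is short or low in variety"))

    reused = sorted(name for name, value in other_secrets.items()
                    if value == password)
    if reused:
        findings.append(("PASSWORD_REUSE",
                         "Admin Password also used for: " + ", ".join(reused)))
    return findings


if __name__ == "__main__":
    for label, params in (("tutorial", TUTORIAL_PARAMS),
                          ("hardened", HARDENED_PARAMS)):
        results = audit_it_resource(params, TUTORIAL_SECRETS)
        print(label, "->", [code for code, _ in results] or "no findings")
```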

Linda configured the Oracle Identity Manager Connector so that it is operable with Mydo Main Corporation's environment. One component of this connector is the iPlanet User process form. This form contains information about the user records Oracle Identity Manager retrieves from Sun Java System Directory Server. This information includes each user's department, geographic location, organization, role, group membership(s), and job titles.

However, the definitions that reference this information (that is, the lookup definitions) may not accurately reflect the user-related values, which are transferred into Oracle Identity Manager via reconciliation. As an example, the predefined values for the Department lookup definition are Marketing and Finance. Some users, who are brought into Oracle Identity Manager, belong to the Development, Product Management, or Human Resources department. Therefore, Linda must modify the Department lookup definition so that it reflects these values.

In the next section of this OBE, Linda learns how to modify the lookup definitions, which are contained within the Oracle Identity Manager Connector that she imported and configured.

Modifying the Lookup Definitions

In the previous section of this OBE, Linda configured a connector so that it is operable with Mydo Main Corporation's Oracle Identity Manager environment. One component of this connector is the iPlanet User custom process form. This form contains information about the user records Oracle Identity Manager retrieves from a trusted source, including each user's department, geographic location, organization, role, group membership(s), and job titles.

However, the lookup definitions that reference this information may not accurately reflect the user-related values, which are transferred into Oracle Identity Manager via reconciliation. As an example, the predefined values for the Department lookup definition are Marketing and Finance. Some users, who are brought into Oracle Identity Manager, belong to the Development, Product Management, or Human Resources department. Therefore, Linda must modify the Department lookup definition so that it contains these values.

To modify the lookup definitions, which are contained within the connector that is imported and configured, perform the following steps:

1.

Expand the Xellerate Administration folder of the Design Console, and double-click the Lookup Definition node.

 

2.

Enter Lookup.IPNT.Department in the Code field and click Query.

The lookup definition for which Linda queried appears.

This lookup definition represents the departments to which users can belong.

 

3.

Use the Add button to include the following entries for this lookup definition (double-click each field to enter a value):

Code Key | Decode | Language | Country
Development | Development | en | us
Product Management | Product Management | en | us
Human Resources | Human Resources | en | us

 

4.

Click Save.

Linda edited this lookup definition. She is now ready to modify the lookup definition that represents the geographic locations where users can reside.

 

5.

Click New.

Oracle Identity Manager clears the contents of the existing lookup definition from the form.

 

6.

Enter Lookup.IPNT.Location in the Code field and click Query.

The lookup definition for which Linda queried appears.

This lookup definition represents the geographic locations where users can reside.

 

7.

Use the Add button to include the following entries for this lookup definition:

Code Key | Decode | Language | Country
Redwood Shores | Redwood Shores | en | us
Atlanta | Atlanta | en | us
New York | New York | en | us
Los Angeles | Los Angeles | en | us

 

8.

Click Save.

Linda edited this lookup definition. She is now ready to modify the lookup definition that represents the organizations to which users can belong.

 

9.

Click New.

Oracle Identity Manager clears the contents of the existing lookup definition from the form.

 

10.

Enter Lookup.IPNT.Organization in the Code field and click Query.

The lookup definition for which Linda queried appears.

This lookup definition represents the organizations to which users can belong.

 

11.

Use the Delete button to remove the following entries from this lookup definition (highlight each entry and click Delete):

Code Key | Decode | Language | Country
ou=People2 | ou=People2 | en | us
ou=People3 | ou=People3 | en | us

 

12.

Click Save.

Linda edited this lookup definition. She is now ready to modify the lookup definition that represents the roles that users can have.

 

13.

Click New.

Oracle Identity Manager clears the contents of the existing lookup definition from the form.

 

14.

Enter Lookup.IPNT.Role in the Code field and click Query.

The lookup definition for which Linda queried appears.

This lookup definition represents the roles that users can have.

 

15.

Use the Delete button to remove the following entries from this lookup definition:

Code Key | Decode | Language | Country
cn=cn=nsDisabledRole\,dc=corp\,dc=mphasis\, dc=com,cn=nsAccountInactivationTmp | cn=nsDisabledRole,dc=corp, dc=mphasis,dc=com | en | US
cn=nsAccountInactivation_cos | nsAccountInactivation_cos | en | US
cn=nsDisabledRole | nsDisabledRole | en | US
cn=nsManagedDisabledRole | nsManagedDisabledRole | en | US

 

16.

Enter Users in the Group field.

 

17.

Click Save.

Linda edited this lookup definition. She is now ready to modify the lookup definition that represents the groups of which users can be members.

 

18.

Click New.

Oracle Identity Manager clears the contents of the existing lookup definition from the form.

 

19.

Enter Lookup.IPNT.UserGroup in the Code field and click Query.

The lookup definition for which Linda queried appears.

This lookup definition represents the groups of which users can be members.

 

20.

Use the Delete button to remove the following entries from this lookup definition:

Code Key | Decode | Language | Country
cn=GROUP1,ou=Groups | GROUP1 | en | US
cn=GROUP2,ou=Groups | GROUP2 | en | US
cn=GROUP3,ou=Groups | GROUP3 | en | US

 

21.

Enter Users in the Group field.

 

22.

Click Save.

Linda edited this lookup definition. She is now ready to modify the lookup definition that represents the job titles that users can have.

 

23.

Click New.

Oracle Identity Manager clears the contents of the existing lookup definition from the form.

 

24.

Enter Lookup.IPNT.UserTitle in the Code field and click Query.

The lookup definition for which Linda queried appears.

This lookup definition represents the job titles that users can have.

 

25.

Use the Add button to include the following entries for this lookup definition:

Code Key | Decode | Language | Country
Mr. | Mr. | en | us
Dr. | Dr. | en | us
Miss | Ms. | en | us
Mrs. | Mrs. | en | us
Honorable | Hon. | en | us

 

26.

Use the Delete button to remove the following entries from this lookup definition:

Code Key | Decode | Language | Country
Mr | Mr | en | us
Doc | Doc | en | us
Mrs | Mrs | en | us

 

27.

Click Save.

Linda edited this lookup definition. All of the lookup definitions, which are contained within the connector she imported and configured, now reflect the values of the user records that are transferred into Oracle Identity Manager via reconciliation.

Trusted source reconciliation results in a user being created within Oracle Identity Manager. The user information can now be maintained and administered using the Oracle Identity Manager user profile form (that is, the Create User form). As time progresses, this form may need to be extended to take into account additional information being sent from the authoritative source. Linda now faces such a scenario and needs to modify the Create User form.

In the next section of this OBE, Linda learns how to modify the Create User form.

Modifying the Create User Form

In the previous section of this OBE, Linda modified the lookup definitions that are contained within the connector she imported and configured. As a result, they reflect the values of the user records that are transferred into Oracle Identity Manager via reconciliation.

After a user record is transferred into Oracle Identity Manager, a copy is stored within the Create User form. However, although information may be required for that user to be created, the information may not be available in the form. As an example, a user's role may be that of a contractor, but this role is not available within the form. Or, a field may need to exist in the form, signifying that this user has special privileges with the company's resources. Therefore, Linda needs to modify the Create User form so that it reflects these fields and values.

To modify the Create User form, perform the following steps:

1.

Expand the Xellerate Administration folder of the Design Console, and double-click the Lookup Definition node.

 

2.

Enter Lookup.Users.Role in the Code field and click Query.

The lookup definition for which Linda queried appears.

This lookup definition represents the default roles that users can have within Oracle Identity Manager.

Note: This lookup definition differs from the Lookup.IPNT.Role definition you modified in the section of this OBE titled "Modifying the Lookup Definitions." The Lookup.IPNT.Role lookup definition is associated with the roles a user can have with the Sun Java System Directory Server resource only. The Lookup.Users.Role lookup definition corresponds to a user's roles with all resources.

 

3.

Use the Add button to include the following entry for this lookup definition:

Code Key | Decode | Language | Country
Contractor | Contractor | en | US

 

4.

Enter Users in the Group field.

 

5.

Click Save.

Linda edited this lookup definition. As a result, the role of Contractor is now available within the Create User form.

Linda is now ready to create a check box for this form. This check box, titled "Special," is reserved for users who have distinctive privileges with the company's resources.

 

6.

Expand the Xellerate Administration folder of the Design Console, and double-click the User Defined Field Definition node.

 

7.

Enter Users in the Form Name field and click Query.

The tabs of this form are active, signifying that Linda can create fields for the Create User form. One such field is a check box. This check box, titled "Special," is reserved for users who have distinctive privileges with the company's resources.

 

8.

To create this check box, click the Add button that appears within the User Defined Columns tab.

 

9.

The User Defined Fields window appears. Populate the fields of this window, as follows:

Field | Value
Label | Special
DataType | boolean
Field Type | Check Box
Column Name | SPECIAL (it appears as USR_UDF_SPECIAL)
Default Value | 0 (0 indicates that the check box is deselected; 1 signifies that the check box is populated.)
Sequence | 1

 

10.

Click Save. Then, click Close.

Note: If a Closing Form window appears, click Yes.

Information about the check box Linda created now appears within the User Defined Columns tab of the User Defined Field Definition form.

Linda modified the Create User form. She configured this form so that it contains the role of Contractor. She also created a check box for this form. This check box, titled "Special," is reserved for users who have distinctive privileges with the company's resources.

In the section of this OBE titled "Modifying the Lookup Definitions," Linda edited the lookup definitions that reference the iPlanet User process form. This form contains information about the user records Oracle Identity Manager retrieves from the Sun Java System Directory Server trusted source.

This process form also has default values, or values that Oracle Identity Manager uses to populate various fields of the form. However, because Linda modified the lookup definitions, the default values of the process form are no longer synchronized with the values contained within the lookup definitions. Therefore, she must modify the default values, so that they reflect the values of the lookup definitions.

In the next section of this OBE, Linda learns how to modify the default values of the iPlanet User custom process form.

Modifying the iPlanet User Process Form

Linda is now ready to modify the iPlanet User process form. This form contains information about the user records that Oracle Identity Manager retrieves from the Sun Java System Directory Server trusted source.

This process form also has default values, or values that Oracle Identity Manager uses to populate various fields of the process form. However, in the section of this OBE titled "Modifying the Lookup Definitions," Linda edited the lookup definitions that reference this form. As a result, the default values of the process form are no longer synchronized with the values contained within the lookup definitions. Therefore, Linda must modify the default values, so that they reflect the values of the lookup definitions.

To modify the iPlanet User process form, perform the following steps:

1.

Expand the Development Tools folder of the Design Console, and double-click the Form Designer node.

 

2.

Enter IPNT_USR in the Table Name field (it appears as UD_IPNT_USR). Click Query.

The form for which Linda queried appears.

Note: The UD_IPNT_USR value represents how the process form is recognized within the database.

 

3.

The default values for the process form appear. Double-click the Default Value field for each of the following values (so that you can delete them):

Field | Default Value
Title | Mr
Department | Department1
Location | Bangalore

 

4.

Add the following default values to this form (double-click each Default Value field to enter the value):

Field | Default Value
Password | abcd1234
Location | Redwood Shores

 

5.

Click Save.

Linda modified the default values of the iPlanet User process form. As a result, they reflect the values of the lookup definitions that reference this form.

However, this process form has two child forms. They are:

  • iPlanet User Role: This child form contains information about the roles users can have. These users are transferred from Sun Java System Directory Server to Oracle Identity Manager via trusted source reconciliation.

  • iPlanet User Group: This child form contains information about the groups to which these users can belong.

The default values within these child forms must also be synchronized with the values of the lookup definitions that reference them. Therefore, Linda needs to modify these default values, accordingly. First, she must modify the default value of the iPlanet User Role child form.

 

6.

Click New.

Oracle Identity Manager clears the contents of the existing process form.

 

7.

Enter IPNT_ROL in the Table Name field (it appears as UD_IPNT_ROL). Click Query.

The child form for which Linda queried appears.

 

8.

Remove the following default value from the child form:

Field | Default Value
Role | cn=User Role

 

9.

Add the following default value to this form:

Field | Default Value
Role | ROLE1

 

10.

Click Save.

Linda modified the default value of the iPlanet User Role child process form. As a result, it now reflects the value of the lookup definition that references this form.

Linda is now ready to modify the default value of the iPlanet User Group child form (the second child form).

 

11.

Click New.

Oracle Identity Manager clears the contents of the existing child form.

 

12.

Enter IPNT_GRP in the Table Name field (it appears as UD_IPNT_GRP). Click Query.

The child form for which Linda queried appears.

 

13.

Remove the following default value from the child form:

Field | Default Value
Group Name | cn=QA Managers,ou=groups

 

14.

Click Save.

Linda modified the default values of the iPlanet User process form, as well as the default values associated with the iPlanet User Role and iPlanet User Group child forms. These values now reflect the values of the lookup definitions that reference this form.

Linda is now ready to create two users within Oracle Identity Manager: Jim and Jane. Jane, who is based in Atlanta, is a full-time employee, and needs to be provisioned with the Sun Java System Directory Server resource. In addition, she is employed in the Product Management department of Mydo Main Corporation. She manages Jim, who is a contractor for Mydo Main.

In the next section of this OBE, Linda creates users within Oracle Identity Manager and provisions them with resources.

Creating and Provisioning Resources for Users

Linda is now ready to create records for two users within Oracle Identity Manager: Jim and Jane. Jane is employed in the Product Management department of Mydo Main Corporation. She is a full-time employee, based in Atlanta, and manages Jim, a contractor for Mydo Main.

Jane needs to be provisioned with the Sun Java System Directory Server resource. However, before Linda can provision Jane with this resource, she needs to start it. Otherwise, Oracle Identity Manager cannot connect to the resource, and Jane cannot be provisioned with it.

To create and provision resources for users, perform the following steps:

1.

Double-click the Start Sun icon on the Desktop.

The Start Sun window appears.

This signifies that Linda started the Sun Java System Directory Server resource. She is now ready to create a record for Jane, a full-time employee for Mydo Main Corporation. Jane is the user who is to be provisioned with this resource.

 

2.

From the Oracle Identity Manager Administrative Console, open the Create User form in the Users folder.

 

3.

Complete the Create User form, as follows:

Field Name | Field Value
User ID | JANE.FULLTIME
First Name | Jane
Last Name | Fulltime
Organization | Xellerate Users
User Type | End-User Administrator
Employee Type | Full-Time Employee
Email Address | jane.fulltime@mydomain.com
Password | jane
Confirm Password | jane

Note: There is a Special check box on the Create User form. This reflects the check box Linda created in the Modifying the Create User Form section of this OBE.

 

4.

Click Create User.

The User Detail form appears.

This signifies that the record for Jane is created. Linda is now ready to create a record for Jim. Jim is a contractor for Mydo Main Corporation. In addition, Jane is his manager.

 

5.

Open the Create User form in the Users folder.

Linda is now ready to create a record for Jim, a contractor for Mydo Main Corporation.

6.

Complete the Create User form, as follows:

Field Name | Field Value
User ID | JIM.AUTOPROV
First Name | Jim
Last Name | Autoprov
Organization | Xellerate Users
User Type | End-User
Employee Type | Contractor
Manager ID | JANE.FULLTIME
Email Address | jim.autoprov@mydomain.com
Password | jim
Confirm Password | jim

Note: There is now a Contractor role within the Employee Type combo box of the Create User form. This reflects the Lookup.Users.Role lookup definition that Linda modified in the Modifying the Create User Form section of this OBE.

 

7.

Click Create User.

The User Detail form appears.

This signifies that the record for Jim is created. Linda is now ready to provision the Sun Java System Directory Server resource to Jane.

 

8.

Open the Manage User form in the Users folder.

The Manage User form appears.

 

9.

Select User ID from the combo box that is displayed within this form. Then, within the text box that appears to the right of the combo box, enter the ID of the designated user (that is, enter JANE.FULLTIME into the text box). Lastly, click Search User.

 

10.

From the result set that is displayed, click the link that contains the ID of this designated user.

The User Detail form appears.

 

11.

Select Resource Profile from the combo box that is displayed within the User Detail form.

 

12.

From the Resource Profile form that appears, click Provision New Resource.

 

13.

The Select a Resource panel appears. From this panel, assign the iPlanet User connector to this user. Then, click Continue.

Note: The iPlanet User connector represents the Sun Java System Directory Server resource, which Linda is provisioning for this user.

 

14.

The Verify Resource Selection panel appears. Click Continue.

 

15.

The Provide Process Data panel appears. Populate this panel, as follows:

Field Name | Field Value
Title | Mrs.
Department | Product Management
Location | Atlanta

Note: The values that appear within the fields of this panel reflect the changes Linda made to the lookup definitions in the "Modifying the Lookup Definitions" section of this OBE.

 

16.

Click Continue.

The iPlanet User Role child form appears.

Note: The Role field of this child form is populated with the value of ROLE1. This reflects the modification Linda made in the "Modifying the iPlanet User Process Form" section of this OBE.

 

17.

Click Continue. The iPlanet User Group child form appears.

Note: The Group Name field of this child form is no longer populated (that is, the cn=QA Managers,ou=groups value does not appear within this field). This reflects the modification Linda made in the "Modifying the iPlanet User Process Form" section of this OBE.

 

18.

Click Continue. The Verify Process Data panel appears.

 

19.

Click Continue. A "Provisioning successfully initiated." message appears. This signifies that the Sun Java System Directory Server resource, which is represented by the iPlanet User connector, is provisioned for this user.

Linda created records for two users within Oracle Identity Manager: Jim and Jane (who are employed with Mydo Main Corporation). She also provisioned Jane with the Sun Java System Directory Server resource.

Linda is ready to configure Oracle Identity Manager so that it reconciles with this resource. Any new user accounts, as well as changes to existing accounts, can be retrieved and transferred into Oracle Identity Manager. This results in these accounts being synchronized between Sun Java System Directory Server and Oracle Identity Manager.

In the next section of this OBE, Linda learns how to reconcile with Sun Java System Directory Server.


Reconciling with Sun Java System Directory Server

Linda is ready to configure Oracle Identity Manager so that it can reconcile with Sun Java System Directory Server. Any new user accounts, as well as changes to existing accounts, can be retrieved and transferred into Oracle Identity Manager. Because of this, these accounts can be synchronized between Sun Java System Directory Server and Oracle Identity Manager.

To reconcile with Sun Java System Directory Server, perform the following steps:

1.

Expand the Xellerate Administration folder of the Design Console, and double-click the Task Scheduler node.

 

2.

Enter iPlanet User Recon Task in the Scheduled Task field. Click Query.

The record for which Linda queried appears.

 

3.

Deselect the Disabled check box.

4.

Within the Interval panel, select the Recurring Intervals option. Then, enter 1 in the text box that appears below this option. Finally, make sure that the Minute(s) selection appears in the combo box that is adjacent to this text box.

 

5.

Within the Task Attributes tab of the Task Scheduler form, the parameters for the scheduled task appear. Enter the values for these parameters, as follows (double-click each Attribute Value field to enter the value):

Attribute Name | Attribute Value
UserContainer | ou=people,dc=contractors,dc=com
Password | abcd1234
Role | Contractor

 

6.

Click Save.

Oracle Identity Manager retrieves any changes to existing accounts from Sun Java System Directory Server automatically.

The Reconciliation Manager form is a "storage facility" that holds any user accounts that are brought into Oracle Identity Manager via reconciliation. Therefore, to verify that modifications to existing user accounts are transferred from Sun Java System Directory Server to Oracle Identity Manager successfully, open this form.

 

7.

Expand the User Management folder of the Design Console, and double-click the Reconciliation Manager node.

 

8.

Click Query.

A table appears, displaying the user accounts that are transferred into Oracle Identity Manager via reconciliation.

 

9.

Double-click the row header that displays JANE.FULLTIME. This is the ID of the user to whom Linda provisioned the Sun Java System Directory Server resource.

Information about this user appears.

Notice that Event Linked appears within the Status field. This signifies that information about this account is linked from Sun Java System Directory Server to Oracle Identity Manager.

Linda is now ready for Oracle Identity Manager to retrieve all "new" records from Sun Java System Directory Server for users who have a role of Contractor. For this to occur, Sun Java System Directory Server needs to function as an authoritative (or trusted) source. Because of this, the value of the TrustedSource attribute for the iPlanet User Recon Task scheduled task must change from False to True. Therefore, Linda needs to return to the scheduled task.

 

10.

Within the Task Attributes tab of the Task Scheduler form, modify the value for the following parameter:

Attribute Name | Attribute Value
TrustedSource | true

 

11.

Click Save.

Oracle Identity Manager retrieves any new user accounts from Sun Java System Directory Server automatically. To verify that these user accounts are transferred from Sun Java System Directory Server to Oracle Identity Manager successfully, return to the Reconciliation Manager form.

 

12.

Click New.

Oracle Identity Manager clears the contents of the Reconciliation Manager form.

 

13.

Click Query. A table appears, displaying the new user accounts that are transferred into Oracle Identity Manager via reconciliation.

Notice that all of these accounts are preceded by "CONTR," signifying that these users have a role of Contractor.

Linda is now ready to verify that both the new accounts and the modifications to the existing accounts are transferred into Oracle Identity Manager successfully. To do so, she needs to access the Manage User form of the Administrative Console.

 

14.

Open the Manage User form in the Users folder. The Manage User form appears.

15.

Select User ID from the combo box that is displayed within this form. Then, within the text box that appears to the right of the combo box, enter *. This value represents a wildcard character. Lastly, click Search User.

Oracle Identity Manager displays the accounts, from Sun Java System Directory Server, of all new users it received with a role of Contractor. The results also include all modifications to existing user accounts.

This signifies that Oracle Identity Manager reconciled with Sun Java System Directory Server successfully. That is, any new user accounts, as well as changes to existing accounts, are retrieved and transferred into Oracle Identity Manager. Because of this, these accounts are synchronized between Sun Java System Directory Server and Oracle Identity Manager.
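A pre-flight check for step 10, as an added example (not part of the Oracle tutorial or the connector's code): before TrustedSource is set to true, it sorts the entries of an LDIF export into those already known to Oracle Identity Manager, those that would arrive as new users, and those outside the UserContainer. It assumes the directory uid maps to the OIM User ID case-insensitively; the sample LDIF and all function names are constructed for illustration.

```python
import base64

USER_CONTAINER = "ou=people,dc=contractors,dc=com"  # UserContainer from step 5

# Constructed sample export; not real directory data.
SAMPLE_LDIF = """\
dn: uid=jane.fulltime,ou=people,dc=contractors,dc=com
uid: jane.fulltime

dn: uid=john.smith,ou=people,dc=contractors,
 dc=com
uid: john.smith
cn:: Sm9obiBTbWl0aA==

dn: uid=svc.backup,ou=services,dc=contractors,dc=com
uid: svc.backup
"""

def parse_ldif(text):
    """Parse LDIF into [{attr: [values]}], handling folded lines and base64."""
    entries, current = [], {}
    # RFC 2849: a newline followed by one space continues the previous line.
    for line in text.replace("\n ", "").splitlines() + [""]:  # "" flushes last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
        elif not line.startswith("#"):
            attr, _, rest = line.partition(":")
            if rest.startswith(":"):      # "attr:: <base64 value>"
                rest = base64.b64decode(rest[1:].strip()).decode("utf-8")
            current.setdefault(attr.lower(), []).append(rest.strip())
    return entries

def norm_dn(dn):
    # Naive normalization; assumes no escaped commas inside RDN values.
    return ",".join(part.strip().lower() for part in dn.split(","))

def preview_trusted_recon(ldif_text, oim_user_ids, container=USER_CONTAINER):
    """Sort entries into linked (already in OIM), new, and out_of_scope."""
    known = {u.lower() for u in oim_user_ids}
    report = {"linked": [], "new": [], "out_of_scope": []}
    for entry in parse_ldif(ldif_text):
        uid = entry.get("uid", [""])[0]
        in_scope = norm_dn(entry["dn"][0]).endswith("," + norm_dn(container))
        key = "linked" if uid.lower() in known else "new"
        report[key if in_scope else "out_of_scope"].append(uid)
    return report
```

Every uid under "new" is an account that trusted-source reconciliation would create, so that list is the one to review before the scheduled task runs.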


Summary

In this lesson, you learned how to:

 Import a connector
 Make a connector operable
 Modify lookup definitions
 Modify the Create User form
 Modify the iPlanet User process form
 Create and provision resources for users
 Reconcile with Sun Java System Directory Server


Related Information

 To ask a question about this OBE tutorial, post a query on the OBE Discussion Forum.
