Writing Custom Plug-Ins Mapping Plug-In Evaluation Constraints

6-18 Oracle Fusion Middleware Administrator's Guide for Oracle Directory Integration Platform

Example 3: Corresponding Plug-In Implementation

    Vector evaluate(Vector operands)
    {
        Vector all_mailValues = (Vector) operands.get(0);
        Character charOperand = (Character) operands.get(1);
        char charOperandValue = charOperand.charValue();
        Vector result = new Vector();
        // ...
        return result;
    }

Example 4: Attribute Mapping Rule

    cn,sn,mail: : :inetorgperson:description: :inetorgperson: Plugin#MyPlugin(cn, sn, mail)

Example 4: Corresponding Plug-In Implementation

    Vector evaluate(Vector operands)
    {
        Vector all_cnValues = (Vector) operands.get(0);
        Vector all_snValues = (Vector) operands.get(1);
        Vector all_mailValues = (Vector) operands.get(2);
        Vector result = new Vector();
        // ...
        return result;
    }

6.6 Configuring Matching Filters

By default, a connector retrieves changes to all objects in the container configured for synchronization. However, you may want to synchronize only certain types of changes, such as changes to just users and groups. While mapping rules allow you to specify how entries are converted from one directory to another, you can also filter objects that are synchronized among directories.

Before changes from a connected directory are imported into Oracle Internet Directory, they can be filtered with the Connected Directory Matching Filter (orclODIPConDirMatchingFilter) attribute in the synchronization profile. Similarly, before changes are exported from Oracle Internet Directory to a connected directory, they can be filtered with the OID Matching Filter (orclODIPOIDMatchingFilter) attribute. For both attributes, you can specify a filter for connected directories that either obtain incremental changes through an LDAP search or that store changes in a change log, as described in the following sections:

■ Filtering Changes with an LDAP Search
■ Filtering Changes from a Change Log

6.6.1 Filtering Changes with an LDAP Search

For connected directories that do not support change logs, the latest footprint of the entries is obtained by performing an LDAP search. Because an LDAP search that is performed with objectclass=* will return all entries in a given tree or subtree, to retrieve only the objects of interest for synchronization, you must provide a filter using LDAP filter syntax. For example, you can assign a search filter to the orclOdipConDirMatchingFilter attribute. You specify the filter as searchfilter=LDAP_SEARCH_FILTER.

The following example creates an LDAP search filter that retrieves organizational units, groups, and users, but not computers:

    searchfilter=(|(objectclass=group)(objectclass=organizationalUnit)(&(objectclass=user)(!(objectclass=computer))))

6.6.2 Filtering Changes from a Change Log

For connected directories that store changes in a change log, you can use the following simple operators, which are provided by Oracle Directory Integration Platform, to specify a matching filter for either the Connected Directory Matching Filter (orclODIPConDirMatchingFilter) or the OID Matching Filter (orclODIPOIDMatchingFilter):

■ = (equal operator)
■ != (not equal operator)

You can use the preceding operators with either LDAP or non-LDAP directories, provided they obtain incremental changes from a change log. Wildcards and pattern matching are not supported with the preceding operators if you do not use the searchfilter attribute. However, when multiple operator pairs are included in the filter, the expression is evaluated as a logical AND operation. For example, the following expression includes four operator pairs:

    objectclass=groupobjectclass=organizationalUnit objectclass=userobjectclass!=computer

The preceding expression evaluates as follows:

    objectclass is equal to group AND
    objectclass is equal to organizationalUnit AND
    objectclass is equal to user AND
    objectclass is NOT equal to computer

For connected directories that store changes in a change log, a matching filter can synchronize changes for only the attributes that appear in the change log. If you include attributes in a matching filter that do not appear in the change log, the search operation will fail. For this reason, matching filters are of limited use for connected directories that store incremental changes in a change log.

Note: Connected directories that obtain incremental changes through an LDAP search can also use the preceding operators without the searchfilter attribute. However, you can only specify a single expression or the search will fail.
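The two filter styles behave very differently on the same object classes. The following added example (not from the Oracle guide and not Oracle code) evaluates the Section 6.6.1 search filter and the Section 6.6.2 four-pair AND expression over constructed entries. The helper names, the sample entries, the tuple form used for the operator pairs, and the rule that an equality test on a multi-valued attribute succeeds when any value matches are assumptions made for illustration.

```python
# Added example, not Oracle code; helper names and entries are constructed.
def parse(f, i=0):
    """Parse an LDAP filter subset: (&..) (|..) (!..) (attr=value) (attr=*)."""
    if f[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if f[i] in "&|!":
        op, kids = f[i], []
        i += 1
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        if f[i] != ")" or not kids:
            raise ValueError(f"malformed filter at offset {i}")
        return (op, kids), i + 1
    end = f.index(")", i)
    attr, value = f[i:end].split("=", 1)
    return ("=", attr.lower(), value.lower()), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against {attr: [lowercase values]}."""
    if node[0] == "=":
        values = entry.get(node[1], [])
        return bool(values) if node[2] == "*" else node[2] in values
    results = [matches(kid, entry) for kid in node[1]]
    return {"&": all(results), "|": any(results), "!": not results[0]}[node[0]]

def changelog_matches(pairs, entry):
    """Change-log style: (attr, '=' or '!=', value) pairs, all ANDed."""
    return all((v.lower() in entry.get(a.lower(), [])) == (op == "=")
               for a, op, v in pairs)

# Constructed entries; as in Active Directory, a computer also has objectclass=user.
ENTRIES = {
    "alice": {"objectclass": ["top", "person", "user"]},
    "ws01$": {"objectclass": ["top", "person", "user", "computer"]},
    "staff": {"objectclass": ["top", "group"]},
    "sales": {"objectclass": ["top", "organizationalunit"]},
}
SEARCH = ("(|(objectclass=group)(objectclass=organizationalUnit)"
          "(&(objectclass=user)(!(objectclass=computer))))")
NAIVE = "(|(objectclass=group)(objectclass=organizationalUnit)(objectclass=user))"
PAIRS = [("objectclass", "=", "group"), ("objectclass", "=", "organizationalUnit"),
         ("objectclass", "=", "user"), ("objectclass", "!=", "computer")]

def by_search(text):
    return sorted(n for n, e in ENTRIES.items() if matches(parse(text)[0], e))
def by_changelog(pairs):
    return sorted(n for n, e in ENTRIES.items() if changelog_matches(pairs, e))
```

With these entries, `by_search(SEARCH)` selects alice, sales and staff, while `by_search(NAIVE)` also selects the computer account ws01$. `by_changelog(PAIRS)` selects nothing, because no single entry is a group, an organizational unit and a user at once.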