Constructing Common Name Attributes from Givenname and Surname Attributes

Understanding Oracle Virtual Directory Mapping 5-5

common name. For example, the filter cn=Marc Boorshtein would have to read (&(givenName=Marc)(sn=Boorshtein)).

Mapping Requirements

The following is a list of hypothetical requirements for this example mapping:

■ When data is retrieved from the adapter, you want to form a cn by combining givenname with sn.

■ On the inbound side, you want to split cn into givenname and sn. If cn is present in the attribute request list, the list is changed to include givenname and sn.

■ If the inbound operation is a search operation, you want to check the search filter and convert the cn appropriately.

Mapping

from string import split

def parseCN(val):
    # split on the first space only, so the result is always (givenName, sn)
    return split(val, " ", 1)

def inbound():
    # map the cn filters
    if operation == "get":
        # cn is never stored, so ask the adapter for the two attributes it is built from
        if haveAttribute("cn"):
            addAttribute("givenName")
            addAttribute("sn")
        cnFilters = findFilters("cn")
        for filter in cnFilters:
            (target, op, val) = filter.contents
            (givenNameVal, snVal) = parseCN(val)
            givenNameFilter = createFilter("givenName", op, givenNameVal)
            snFilter = createFilter("sn", op, snVal)
            # replace (cn=...) with (&(givenName=...)(sn=...))
            filter.contents = createAndFilter([givenNameFilter, snFilter])

def outbound():
    # outbound stuff: build cn from givenName, a space, and sn
    addAttributeValue("cn", getAttributeValue("givenName") + " " + getAttributeValue("sn"))

Inbound Processing

In the inbound function you want to convert any cn into separate givenname and sn attributes. For a search, you want to convert search filters for cn into a combined filter for givenname and sn, so you create a new function, parseCN. On the first line of the mapping, the split function is imported from the Python string module. The parseCN Python function is defined to take a cn and split it into a first and last name by detecting a space. Next, you define the inbound function. The inbound function could deal with any LDAP operation, but in this case you are interested in search operations. The first line after inbound is therefore an if block that tests the value of operation. The variable operation contains either add, bind, delete, get, modify, or rename.
Note: In reality, this is more complex, for example, when middle names are used. For the purposes of this example, consider this simple case to get started. Contact your Oracle Support representative for help with advanced mapping situations.

5-6 Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory

If operation == get, the mapping proceeds by determining whether the search request had cn in the attribute request list. Because cn can only be formed by combining givenname and sn, you must add givenname and sn to the requested attribute list using the addAttribute function. To process filter requests for cn, the mapping retrieves all filter elements whose target is the cn attribute. For each filter, the mapping parses it, calculates the corresponding givenname and sn values by calling parseCN, and creates new givenName and sn filters. Lastly, the inbound function replaces the cn filter term with a combined AND filter made of the new givenName and sn filters.

Outbound Processing

The outbound function handles all transactions flowing from the adapter to the client. In this example you want to form a cn from two other values, so you use the addAttributeValue function to create a cn value by combining givenname, a space, and the sn value. Notice how existing values are retrieved using the getAttributeValue function, which retrieves a specific attribute from the current entry being returned to the client.
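The inbound filter rewrite and the outbound cn construction described above, as a stand-alone Python simulation added by the editor. It is not the guide's mapping script and does not use the Oracle Virtual Directory mapping functions; the small RFC 4515 filter parser, the helper names and the sample filters are the editor's own. It goes slightly beyond the guide's script in two places: it walks nested &, | and ! filters, and it leaves alone the two kinds of cn term the guide's parseCN cannot split safely, a substring filter such as (cn=Marc*) and a single-word cn.

```python
import re

# Constructed sample filters, as an application might send them to the virtual directory.
SAMPLE_FILTERS = [
    "(cn=Marc Boorshtein)",
    "(&(objectClass=person)(cn=Marc Boorshtein))",
    "(!(cn=Ann Lee))",
    "(cn=Marc*)",    # substring: no faithful two-attribute equivalent
    "(cn=Madonna)",  # no space: the guide's parseCN would fail to unpack
]

def parse_cn(val):
    """Split a cn at the first space into (givenName, sn), like the guide's parseCN.
    Returns None when there is no space so callers can leave the filter untouched."""
    parts = val.split(" ", 1)
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return None
    return parts[0], parts[1]

def parse_filter(s, pos=0):
    """Minimal RFC 4515 parser producing nested tuples:
    ('&', [subs]), ('|', [subs]), ('!', sub) or ('item', attr, op, value).
    RFC 4515 escapes ')' inside values as \\29, so the item's closing ')' is unambiguous."""
    if s[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    if s[pos] in "&|":
        kind = s[pos]
        pos += 1
        subs = []
        while s[pos] != ")":
            sub, pos = parse_filter(s, pos)
            subs.append(sub)
        return (kind, subs), pos + 1
    if s[pos] == "!":
        sub, pos = parse_filter(s, pos + 1)
        if s[pos] != ")":
            raise ValueError("expected ')' at offset %d" % pos)
        return ("!", sub), pos + 1
    end = s.index(")", pos)
    m = re.match(r"([A-Za-z][\w.;-]*)(>=|<=|~=|=)(.*)$", s[pos:end])
    if not m:
        raise ValueError("bad filter item %r" % s[pos:end])
    return ("item", m.group(1), m.group(2), m.group(3)), end + 1

def unparse(f):
    """Serialise the tuple form back to RFC 4515 text."""
    if f[0] in "&|":
        return "(" + f[0] + "".join(unparse(x) for x in f[1]) + ")"
    if f[0] == "!":
        return "(!" + unparse(f[1]) + ")"
    _, attr, op, val = f
    return "(%s%s%s)" % (attr, op, val)

def rewrite_cn(f):
    """Replace each exact (cn=First Last) term with (&(givenName=First)(sn=Last)),
    recursing through &, | and !. Substring, presence and single-word cn terms stay as is."""
    if f[0] in "&|":
        return (f[0], [rewrite_cn(x) for x in f[1]])
    if f[0] == "!":
        return ("!", rewrite_cn(f[1]))
    _, attr, op, val = f
    if attr.lower() != "cn" or op != "=" or "*" in val:
        return f
    parts = parse_cn(val)
    if parts is None:
        return f
    return ("&", [("item", "givenName", "=", parts[0]),
                  ("item", "sn", "=", parts[1])])

def map_inbound_filter(filter_str):
    """The filter half of the guide's inbound(), as one function over a filter string."""
    tree, end = parse_filter(filter_str)
    if end != len(filter_str):
        raise ValueError("trailing data after filter")
    return unparse(rewrite_cn(tree))

def map_requested_attributes(attrs):
    """If cn is requested, also request givenName and sn: the adapter holds no cn,
    and outbound_entry needs both parts to build it."""
    out = list(attrs)
    present = {a.lower() for a in out}
    if "cn" in present:
        out.extend(a for a in ("givenName", "sn") if a.lower() not in present)
    return out

def outbound_entry(entry):
    """The guide's outbound(): add cn = givenName + ' ' + sn to an entry
    (a dict of attribute -> list of values, constructed here)."""
    gn, sn = entry.get("givenName", []), entry.get("sn", [])
    if gn and sn:
        entry = dict(entry, cn=[gn[0] + " " + sn[0]])
    return entry

if __name__ == "__main__":
    for f in SAMPLE_FILTERS:
        print("%-45s -> %s" % (f, map_inbound_filter(f)))
    print(map_requested_attributes(["cn", "mail"]))
    print(outbound_entry({"givenName": ["Marc"], "sn": ["Boorshtein"]}))
```

Leaving an unsplittable cn term untouched is deliberate: the backing directory has no cn, so such a term simply matches nothing, which is the correct result under the composition rule and avoids the unpack error the guide's parseCN would raise on a cn without a space.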

5.3.2 Mapping Microsoft Active Directory Schema

Overview

Frequently applications require the use of an LDAP directory using inetorgperson and groupofuniquenames schema objects. However, many organizations use Microsoft Active Directory, which supports only user and group objects. This example mapping deployment illustrates how to use a mapping to make an Active Directory schema look like inetorg-style schema using inetorgperson or groupofuniquenames.

Mapping Requirements

The following is a list of the translation and mapping requirements for this example mapping:

■ Bidirectional mapping of attribute names. For example uniquemember = member, uid = samaccountname, and so on.

■ Conversion of objectclass names. Not only do the basic objectclass names have to change, but you must also consider that Microsoft Active Directory does not use auxiliary objectclasses. For example, objectclass values of inetorgperson, organizationalperson, or person must be collapsed to just user.

■ Adding special attribute values. Microsoft requires the use of additional object type codes such as groupType or userAccountControl. Depending on the operation, special tags must be added to the request.

■ RDN conversion. Microsoft typically uses cn as the relative distinguished name of user accounts. Many applications expect the use of uid.
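The four requirements above as a stand-alone Python simulation added by the editor; it is not the guide's mapping script and does not use the Oracle Virtual Directory mapping functions. It transforms plain dict entries for an inbound add and an outbound search result, and spells out the bit values behind the groupType and userAccountControl constants that appear in the script later in this section. It also adds two things a bare attribute rename does not give a practitioner: Active Directory's quoted UTF-16LE encoding of unicodePwd, and a decoder that makes visible that 66048 sets DONT_EXPIRE_PASSWD. On the outbound side it restores inetOrgPerson, the class the application asks for, rather than organizationalPerson. The helper names and sample entries are the editor's own.

```python
# Constructed sample requests: an inetOrg-style user and group as an application
# would send them, and a user entry as Active Directory would return it.
SAMPLE_USER_ADD = {
    "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson"],
    "uid": ["mboorshtein"], "cn": ["Marc Boorshtein"], "sn": ["Boorshtein"],
    "userPassword": ["Secret1!"],
}
SAMPLE_GROUP_ADD = {
    "objectClass": ["top", "groupOfUniqueNames"], "cn": ["admins"],
    "uniqueMember": ["cn=Marc Boorshtein,cn=Users,dc=example,dc=com"],
}
SAMPLE_AD_USER = {
    "objectClass": ["top", "person", "organizationalPerson", "user"],
    "sAMAccountName": ["mboorshtein"], "cn": ["Marc Boorshtein"],
    "userAccountControl": ["66048"],
}

# Attribute renames in each direction; lookups are case-insensitive, as LDAP names are.
INBOUND_RENAME = {"uniquemember": "member", "uid": "sAMAccountName",
                  "userpassword": "unicodePwd", "ntgrouptype": "groupType"}
OUTBOUND_RENAME = {"member": "uniqueMember", "samaccountname": "uid",
                   "unicodepwd": "userPassword", "grouptype": "ntGroupType"}

# The bits behind the two magic numbers the mapping script adds on an add.
UAC_FLAGS = {0x0002: "ACCOUNTDISABLE", 0x0020: "PASSWD_NOTREQD",
             0x0200: "NORMAL_ACCOUNT", 0x10000: "DONT_EXPIRE_PASSWD"}
GROUP_GLOBAL, GROUP_SECURITY_ENABLED = 0x00000002, 0x80000000

def user_account_control():
    """NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD == 66048: every user created through
    the mapping gets a password that never expires, which is worth knowing."""
    return 0x0200 | 0x10000

def describe_uac(value):
    """Names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def group_type():
    """Global security group. AD stores groupType as a signed 32-bit integer,
    so 0x80000002 is written as -2147483646."""
    v = GROUP_GLOBAL | GROUP_SECURITY_ENABLED
    return v - (1 << 32) if v & 0x80000000 else v

def _key(entry, attr):
    """Existing key for attr, matched case-insensitively, or None."""
    return next((k for k in entry if k.lower() == attr.lower()), None)

def has_value(entry, attr, value):
    k = _key(entry, attr)
    return k is not None and value.lower() in [v.lower() for v in entry[k]]

def replace_value(entry, attr, old, new):
    """Remove old from attr and add new once: this collapses the auxiliary
    classes AD will not accept on an add into the single structural class."""
    k = _key(entry, attr) or attr
    vals = [v for v in entry.get(k, []) if v.lower() != old.lower()]
    if new.lower() not in [v.lower() for v in vals]:
        vals.append(new)
    entry[k] = vals

def rename_attrs(entry, table):
    return {table.get(k.lower(), k): list(v) for k, v in entry.items()}

def encode_unicode_pwd(clear):
    """AD accepts unicodePwd only as the UTF-16LE encoding of the password in
    double quotes, and only over LDAPS/StartTLS; renaming userPassword alone
    is not enough for a password set to succeed."""
    return ('"%s"' % clear).encode("utf-16-le")

def inbound_add(entry, rdn_attr):
    """Inbound add: rename attributes, collapse object classes, add the AD type
    codes, encode the password and move the RDN from uid to cn.
    Returns (ad_entry, ad_rdn_attr)."""
    e = rename_attrs(entry, INBOUND_RENAME)
    if has_value(e, "objectClass", "groupOfUniqueNames"):
        replace_value(e, "objectClass", "groupOfUniqueNames", "group")
        e["groupType"] = [str(group_type())]
    for oc in ("inetOrgPerson", "organizationalPerson", "person"):
        if has_value(e, "objectClass", oc):
            replace_value(e, "objectClass", oc, "user")
    if has_value(e, "objectClass", "user"):
        e["userAccountControl"] = [str(user_account_control())]
    pwd = _key(e, "unicodePwd")
    if pwd:
        e[pwd] = [encode_unicode_pwd(v) for v in e[pwd]]
    if _key(e, "sAMAccountName") is None:   # groups have no uid: name them after cn
        e["sAMAccountName"] = list(e[_key(e, "cn")])
    return e, "cn" if rdn_attr.lower() in ("uid", "samaccountname") else rdn_attr

def outbound_entry(entry):
    """Outbound: rename back and restore the inetOrg object classes."""
    e = rename_attrs(entry, OUTBOUND_RENAME)
    if has_value(e, "objectClass", "group"):
        replace_value(e, "objectClass", "group", "groupOfUniqueNames")
    if has_value(e, "objectClass", "user"):
        replace_value(e, "objectClass", "user", "inetOrgPerson")
    return e

if __name__ == "__main__":
    print(inbound_add(SAMPLE_USER_ADD, "uid"))
    print(inbound_add(SAMPLE_GROUP_ADD, "cn"))
    print(outbound_entry(SAMPLE_AD_USER), describe_uac(66048))
```

The password step is the one to check in a real deployment: if the virtual directory's connection to Active Directory is not encrypted, the domain controller rejects the unicodePwd write, so the mapping's rename of userpassword only works when the adapter talks LDAPS or StartTLS.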
Mapping

Using the following small script, an inetOrg application may use a Microsoft Active Directory:

def inbound():
    # first rename the attributes
    rename({'uniqueMember':'member','uid':'samaccountname','userpassword':'unicodepwd','ntgrouptype':'grouptype'})
    # map necessary object class values
    if haveAttributeValue('objectclass','groupofuniquenames'):
        removeAttributeValue('objectclass','groupofuniquenames')
        addAttributeValue('objectclass','group')
    if haveAttributeValue('objectclass','organizationalPerson'):
        removeAttributeValue('objectclass','organizationalPerson')
        addAttributeValue('objectclass','user')
    if haveAttributeValue('objectclass','inetOrgPerson'):
        removeAttributeValue('objectclass','inetOrgPerson')
        addAttributeValue('objectclass','user')
    # when adding an entry, certain values need to be added
    if operation == 'add':
        if haveAttributeValue('objectClass','group'):
            # global security group
            addAttributeValue('groupType','-2147483646')
        if not haveAttribute('samaccountname'):
            # groups have no uid to rename, so name them after cn
            copy('cn','samaccountname')
        if haveAttributeValue('objectClass','user'):
            # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD
            addAttributeValue('userAccountControl','66048')
        # collapse aux classes: Active Directory does not accept them on an add
        removeAttributeValue('objectClass','person')
        removeAttributeValue('objectClass','organizationalPerson')
    # set the rdn: uid has already been renamed to samaccountname, and Active Directory names entries by cn
    setRDN('samaccountname','cn')

def outbound():
    # first rename the attributes
    rename({'member':'uniqueMember','samaccountname':'uid','unicodepwd':'userpassword','grouptype':'ntgrouptype'})
    # map necessary object class values
    if haveAttributeValue('objectclass','group'):
        removeAttributeValue('objectclass','group')
        addAttributeValue('objectclass','groupofuniquenames')
    if haveAttributeValue('objectclass','user'):
        removeAttributeValue('objectclass','user')
        addAttributeValue('objectclass','organizationalPerson')

Inbound Processing

The first line of the inbound function renames all inetOrg attributes to Active Directory attributes. The rename function is called for all operations. For example, if the operation is a search, then all requested attributes and all attributes in the filter are renamed. If the operation is an add or modify, then all affected attributes are renamed.
The second section of the inbound function replaces the inetOrg object classes with the Active Directory object classes. Notice that you can use conditional statements to determine which actions should be performed. The third section of the inbound function checks whether the operation is an add and, if so, adds the specific attribute values that Active Directory requires. In the fourth section of the inbound function all auxiliary object classes are removed, because Active Directory does not allow an auxiliary object class to be specified directly during an add. In the last section of the inbound function the RDN is changed from uid to cn. Notice that the code converts samaccountname to cn because uid was already renamed to