Changelog Plug-Ins Understanding the General Purpose Plug-Ins

4-30 Oracle Fusion Middleware Administrators Guide for Oracle Virtual Directory

For Microsoft Active Directory

Use the adchangelog plug-in with Microsoft Active Directory. When deploying the adchangelog plug-in, you must:

■ Set the adapter’s Remote Base to an empty value; that is, blank, nothing.
■ Set the adapter’s Mapped Namespace to: cn=changelog

4.2.20.3 Configuration Parameters

Each of the changelog plug-ins has the following configuration parameters:

oamEnabled
True or False: Indicates whether Oracle Access Manager is deployed with Oracle Identity Manager. By default, Oracle Access Manager is not deployed, therefore the default setting for this parameter is false.

Note: The oamEnabled parameter for the UserManagement plug-in and the changelog plug-in must have identical values.

directoryType
Identifies the type of source LDAP directory server. Supported values are OID, ActiveDirectory, and SunOne. The default value is OID.

Note: The directoryType parameter for the UserManagement plug-in and the changelog plug-in must have identical values.

mapObjectclass
Defines the objectclass value translation in the form of OIM-objectclass=Source-Directory-objectclass, for example: inetorgperson=user. You can set the mapObjectclass configuration parameter multiple times to define translations for multiple objectclasses. In the Oracle Identity Manager use case, the following parameters are configured out-of-the-box:

■ For Active Directory: inetorgperson=user, orclidxperson=user, and groupOfUniqueNames=group
■ For Oracle Directory Server Enterprise Edition: container=nsContainer and changelog=changelogentry
■ For Oracle Internet Directory: container=orclContainer

Note: The mapObjectclass parameter for the UserManagement plug-in and the changelog plug-in must have identical values.

sizeLimit
Identifies the maximum number of changelog entries to be returned. A zero (0) or a negative value means no size restriction. If the incoming search request specifies a size constraint, then the smaller value is used. For example, if you specify the plug-in's sizeLimit as 100, and the search request's count limit is 200, then the actual size limit of the request is reset to 100.

mapAttribute
Defines the attribute translation in the form of Source-Directory-attribute=OIM-attribute, for example: orclGUID=objectGuid. You can set the mapAttribute configuration parameter multiple times to define translations for multiple attributes.

targetDNFilter
Identifies the container to retrieve changes from. This parameter can be set multiple times to identify multiple containers to retrieve changes from. If set multiple times, the targetDN filter should look similar to the following example, and this targetDN filter is ANDed to the incoming filter:

(|(targetDN=*cn=users,dc=mycom1)(targetDN=*,cn=groups,dc=mycom2))

Sample values include:

■ *,cn=xxx,dc=yyy
■ *cn=xxx,dc=yyy
■ cn=xxx,dc=yyy (must be a descendant of the local base of the adapter specified in virtualDITAdapterName)

All of these samples have the same meaning.

requiredAttribute
Comma-separated list of attributes to always be retrieved from the source LDAP directory server, regardless of the return attributes list specified for changelog queries to Oracle Virtual Directory.

addAttribute
Comma-separated list of attributes to be added to the normalized changelog entry. For example, orclContainerOC=1, changelogSupported=1, where =1 indicates the changes retrieved from the source directory which support changelog.

mapUserState
True or False. This parameter enables or disables the mapping of the directory specific account attributes to Oracle Virtual Directory virtual account attributes.

modifierDNFilter
Single-valued configuration parameter that defines an LDAP filter on modifiersName. This parameter is ANDed to the incoming filter. An example value can be modifiersName=cn=myadmin,cn=users,dc=mycom.

virtualDITAdapterName
Identifies the corresponding user profile adapter name. For example, in a single-directory deployment, you can set this parameter value to A1, which is the user adapter name. In a split-user profile scenario, you can set this parameter to J1;A2, where J1 is the JoinView adapter name, and A2 is the corresponding user adapter in the J1.

This parameter can be multi-valued, which means there are multiple base entry adapters configured for the same back-end directory server as this changelog adapter.

If you set this parameter to A1, the plug-in fetches the mapAttribute and mapObjectclass configuration in the UserManagementPlugin of adapter A1, so you do not have to duplicate those configurations.

Note: This configuration does not take effect if directoryType=ActiveDirectory.

4.2.21 Consolidated Changelog Plug-In

The Consolidated Changelog plug-in provides a consolidated changenumber when Oracle Virtual Directory is providing a consolidated view of the identities from multiple directories. This plug-in also provides a consolidated, normalized view of the data from the different changelogs. You can only deploy this plug-in as a Global plug-in.

The Consolidated Changelog plug-in is based on the concept of providing a unified cookie for the consolidated changelog. This cookie is constructed based on the adapters involved in providing a consolidated view of the directories for which adapters are configured in Oracle Virtual Directory. The consolidated changenumber is a cookie of the form:

changelogAdapterName1:changenumber1;changelogAdapterName2:changenumber2;targetDN:dn

Where:

■ changelogAdapterName1 is the source adapter from which the changelog is coming.
■ changenumber1 is the changeNumber of this entry in changelogAdapter1.
■ changelogAdapterName2 is a second changelog adapter configured in this Oracle Virtual Directory.
■ changenumber2 is the changeNumber last read from changelogAdapter2.
■ targetDN:dn is the targetDN of this changelog entry as in the back-end directory. This value is optional, and used for diagnostic purposes only.

For example, assume you have two directories for which the changelog is to be consolidated, and that the changelog adapters are CA1 and CA2. Also, assume that the changenumber from the Directory server where CA1 is pointing starts with 101 and the Directory server where CA2 is pointing starts with 501. Then the cookie value for change 101 for CA1 is:

CA1:101;CA2:501;targetDN:targetDN_of_CA1_101

Similarly, the cookie value for CA2 is:

CA2:501;CA1:101;targetDN:targetDN_of_CA2_501

The length of this cookie value is 2048 bytes.

As with a regular directory, the Consolidated Changelog plug-in supports the lastChangeNumber query, as follows:

ldapsearch -h ovdHost -p ovdPort -D ovdAdmin -w ovdAdminPwd -b cn=changelog -s base "objectclass=*" lastChangeNumber

Example 4–7 shows a sample returned entry.

Example 4–7 Sample Entry Returned by lastChangeNumber Query

cn=Changelog
lastChangeNumber=Changelog_ActiveDirectory:165095;Changelog_OID:408;Changelog_SunOne:298328

With this plug-in deployed, supported query filters must be in a form that combines exactly one filter changenumber=cookie with one or more of the following filters:

■ targetdn=domain where the domain is a valid domain dn. For example, targetdn=cn=.yyy, dc=zzz
■ modifiersname=xxx where xxx is a dn.
■ modifiersname=yyy where yyy is a dn.
■ changetype=xxx where xxx can be ADDMODIFYDELETEADDRMODIFY
■ changetype=yyy where yyy can be ADDMODIFYDELETEADDRMODIFY
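
The cookie format above can be parsed and checked on the consuming side before it is trusted as a synchronization position. The following Python is an added example, not code from Oracle or from this guide: the function names are hypothetical, and it assumes a stored cookie names every adapter reported by lastChangeNumber and that changenumbers only increase.

```python
MAX_COOKIE_BYTES = 2048  # cookie length stated in the guide


def parse_cookie(cookie):
    """Split a cookie into ({adapter: changenumber}, targetDN or None)."""
    if len(cookie.encode("utf-8")) > MAX_COOKIE_BYTES:
        raise ValueError("cookie is longer than 2048 bytes")
    # targetDN is the last component and a DN may itself contain ';' or ':',
    # so cut it off before splitting the adapter list.
    head, sep, target_dn = cookie.partition(";targetDN:")
    positions = {}
    for part in head.split(";"):
        name, colon, number = part.partition(":")
        if not (name and colon and number.isascii() and number.isdigit()):
            raise ValueError(f"malformed component: {part!r}")
        if name in positions:
            raise ValueError(f"adapter listed twice: {name!r}")
        positions[name] = int(number)
    return positions, (target_dn if sep else None)


def pending_changes(cookie, last_change_number):
    """Changes per adapter between a stored cookie and lastChangeNumber."""
    seen, _ = parse_cookie(cookie)
    latest, _ = parse_cookie(last_change_number)
    if set(seen) != set(latest):
        # Assumption: a usable cookie names every adapter the server reports.
        raise ValueError("adapter sets differ: %s" % sorted(set(seen) ^ set(latest)))
    backlog = {}
    for name, number in seen.items():
        if number > latest[name]:
            # Assumption: changenumbers only grow, so this cookie does not
            # belong to this server state (restore, wrong host, tampering).
            raise ValueError(f"{name}: cookie is ahead of lastChangeNumber")
        backlog[name] = latest[name] - number
    return backlog


if __name__ == "__main__":
    # lastChangeNumber value from Example 4-7; the stored cookie is constructed.
    LAST = "Changelog_ActiveDirectory:165095;Changelog_OID:408;Changelog_SunOne:298328"
    stored = ("Changelog_OID:400;Changelog_ActiveDirectory:165000;"
              "Changelog_SunOne:298328;targetDN:cn=a;b,dc=x")
    print(parse_cookie("CA1:101;CA2:501;targetDN:targetDN_of_CA1_101"))
    print(pending_changes(stored, LAST))
```

A component without its colon separator, such as CA2501, is rejected rather than silently skipped, so a damaged cookie cannot move a consumer to an unintended position.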

4.2.21.1 Configuration Parameters

The Consolidated Changelog plug-in has no configuration parameters. To enable the Consolidated Changelog plug-in, you must install and deploy it as a global plug-in.

4.2.22 GenericMapper Plug-In

The GenericMapper plug-in provides functionality that is equivalent to the following Oracle Virtual Directory plug-ins, but with more flexible functionality:

■ VirtualAttribute plug-in
■ ObjectClass Mapper plug-in
■ DynamicTree plug-in

This plug-in is based on the Directory Integration Platform’s mapping rules file format described in the Oracle® Fusion Middleware Administrator's Guide for Oracle Directory Integration Platform.

The GenericMapper plug-in handles mapping based on the entry’s objectclass. All attributes from the user are copied, as is, to the back-end directory and vice versa. This plug-in uses the following keywords in addition to the keywords provided in the Directory Integration Platform documentation:

ATTRIBUTEEXCLUSIONLIST
List of attributes that are to be excluded from the result to the end user. This is applicable for UserBound operations (search/read).

VIRTUALATTRIBUTELIST
List of attributes that are not to be included when the operations are done on the back end. This is applicable for UserBound operations (search/read).

FILTERRULES
The filtered entries on which the mapping rules are to be applied.

Note: This plug-in is designed to only be used with Oracle Identity Manager version 11g.