Configuring Directory Synchronization 6-5 Example 6–1 Example of Distinguished Name Mapping Distinguished Name Rules USERBASE INSOURCE:USERBASE ATDEST: USERBASE refers to the container from which the third-party directory users and groups must be mapped. Usually, this is the users container under the root of the third-party directory domain. Example 6–2 Example of One-to-One Distinguished Name Mapping For one-to-one mapping to occur, the DN in the third-party directory must match that in Oracle Internet Directory. In this example, the DN in the third-party directory matches the DN in Oracle Internet Directory. More specifically: ■ The third-party directory host is in the domain us.mycompany.com, and, accordingly, the root of the third-party directory domain is us.mycompany.com. A user container under the domain would have a DN value cn=users,dc=us,dc=mycompany,dc=com. ■ Oracle Internet Directory has a default realm value of dc=us,dc=mycompany,dc=com. This default realm automatically contains a users container with a DN value cn=users,dc=us,dc=mycompany,dc=com. Because the DN in the third-party directory matches the DN in Oracle Internet Directory, one-to-one distinguished name mapping between the directories can occur. If you plan to synchronize only the cn=users container under dc=us,dc=mycompany,dc=com, then the domain mapping rule is: Distinguished Name Rules cn=users,dc=us,dc=mycompany,dc=com:cn=users,dc=us,dc=mycompany,dc=com This rule synchronizes every entry under cn=users,dc=us,dc=mycompany,dc=com. However, the type of object synchronized under this container is determined by the attribute-level mapping rules that follow the DN Mapping rules. If you plan to synchronize the entry cn=groups,dc=us,dc=mycompany,dc=com under cn=users,dc=us,dc=mycompany,dc=com then the domain mapping rule is as follows: DomainMappingRule This rule is used to construct the destination DN from the source domain name, from the attribute given in AttributeRules, or both. This field is typically in the form of cn=,l=,o=oracle,dc=com. These specifications are used to put entries under different domains or containers in the directory. In the case of non-LDAP sources, this rule specifies how to form the target DN so it can add entries to the directory. This field is meaningful only when importing to Oracle Internet Directory, or when exporting to an LDIF file or another external LDAP-compliant directory. Specify this component if any part of an entrys DN in the destination directory is different from that in the source directory entry. This component is optional for LDAP-to-LDIF, LDAP-to-LDAP, or LDIF-to-LDAP synchronizations. If it is not specified, then the source domain and destination domain names are considered to be the same. Table 6–2 Cont. Domain Rule Components Component Name Description 6-6 Oracle Fusion Middleware Administrators Guide for Oracle Directory Integration Platform cn=groups,dc=us,dc=mycompany,dc=com:cn=groups,cn=users,dc=us,dc=mycompany,dc=com

6.4.1.1 Excluding Domains

You can insert the DomainExclusionList header in map files and identify domains to be excluded during bootstrap and synchronization. Domains listed in the DomainExclusionList will be excluded during bootstrap and synchronization. The following is an example of the DomainExclusionList header with example domains to exclude: DomainExclusionList OU=myou,OU=test,DC=mycompany,DC=com OU=mynewou,OU=test,DC=mycompany,DC=com Example 6–3, Example Map File Using DomainExclusionList and AttributeExclusionList Headers shows an example map file that includes the DomainExclusionList header. In this example, the entries under RDN OU=myou, OU=rfi6894748, DC=imtest, DC=com and OU=mynewou, OU=rfi6894748, DC=imtest, DC=com will be excluded.

6.4.2 Attribute-Level Mapping

The attribute rule specifications appear after a line containing only the keyword AttributeRules. Attribute rules specify how property values for an entry are related between two LDAP directories. For example, the cn attribute of a user object in one directory can be mapped to the givenname object in another directory. Similarly, the cn attribute of a group object in one directory can be mapped to the displayname attribute in another directory. Each attribute rule is represented with the components, separated by colons, and are described in Table 6–3 . The attribute rule specifications end with a line three number signs . Note: The distinguished names DNs listed in the domainexclusionlist identify the DNs of the containers in the source directory. Table 6–3 Components in Attribute Rules Component Name Description SrcAttrName For LDAP-compliant directory repositories, this parameter refers to the name of the attribute to be translated. For Oracle Database repositories, it refers to the ColumnName in the table specified by the SrcClassName. For other repositories this parameter can be appropriately interpreted. ReqAttrSeq Indicator of whether the source attribute must be passed to the destination. When entries are synchronized between Oracle Internet Directory and the connected directory, some attributes need to be used as synchronization keys. This field indicates whether the specified attribute is being used as a key. If so, regardless of whether the attribute has changed or not, the value of the attribute is extracted from the source. A nonzero integer value should be placed in this field if the attribute needs to be always passed on to the other end.