Step 9: Performing Post-Configuration and Administrative Tasks

22-4 Oracle Fusion Middleware Administrators Guide for Oracle Directory Integration Platform

searchfilter=(&(!(modifiersname=connected_dir_account))(|(objectclass=domain)(objectclass=organizationalunit)(objectclass=organization)(objectclass=person)(objectclass=groupofnames)))

You use the update operation of the manageSyncProfiles command to update the searchfilter attribute if you want to synchronize entries other than users or groups. For example, the following command updates the searchfilter attribute to synchronize only users and groups:

manageSyncProfiles -operation update -profile profile_name odip.profile.condirfilter "searchfilter=(|(objectclass=groupofnames)(objectclass=person))"

22.3.4 Step 4: Customizing the ACLs

Customize ACLs as described in Customizing Access Control Lists on page 17-8.

22.3.5 Step 5: Customizing Attribute Mappings

When integrating with Novell eDirectory, the following attribute-level mapping is mandatory for all objects:

GUID:1: : :orclNDSObjectGUID: :orclndsObject:bin2b64guid
Modifytimestamp:1 : : :orclsourcemodifytimestamp: :orclndsobject:
Createtimestamp:1 : : :orclsourcecreatetimestamp: :orclndsobject:
Targetdn:1: : :orclsourceobjectdn: : orclndsobject:

When integrating with OpenLDAP, the following attribute-level mapping is mandatory for all objects:

entryuuid:1: : : orclOpenLdapEntryUUID: : orclOpenLdapObject
Modifytimestamp:1 : : :orclsourcemodifytimestamp: : orclOpenLdapObject
Createtimestamp:1 : : :orclsourcecreatetimestamp: : orclOpenLdapObject
Targetdn:1: : :orclsourceobjectdn: : orclOpenLdapObject:

Example 22–1 Attribute-Level Mapping for the User Object in Novell eDirectory or OpenLDAP

Cn:1: : :person: cn: :person:
sn:1: : :person: sn: :person:

Notes:
■ All attributes specified in the searchfilter attribute should be configured as indexed attributes in Novell eDirectory or OpenLDAP.
■ Refer to Managing Synchronization Profiles Using manageSyncProfiles on page 7-15 for more information about the manageSyncProfiles command.

See Also: The appendix on the LDAP filter definition in Oracle Fusion Middleware Administrators Guide for Oracle Internet Directory for instructions on configuring an LDAP search filter.

Example 22–2 Attribute-Level Mapping for the Group Object in Novell eDirectory or OpenLDAP

Cn:1: : :groupofname: cn:groupofuniquenames

In the preceding examples, Cn and sn from Novell eDirectory or OpenLDAP are mapped to cn and sn in Oracle Internet Directory. Customize the attribute mappings by following the instructions in Customizing Mapping Rules on page 17-9.

22.3.6 Step 6: Customizing the Novell eDirectory or OpenLDAP Connector to Synchronize Deletions

Synchronizing deletions from Novell eDirectory or OpenLDAP in Oracle Internet Directory is handled with the reconciliation approach, as described in Synchronizing from Novell eDirectory or OpenLDAP to Oracle Internet Directory on page 16-30. Because the reconciliation process is time and CPU intensive, by default, reconciliation occurs at a 3600 second (1 hour) interval. You can modify the length of this interval according to your environment by using the manageSyncProfiles command with the -params option to modify the odip.profile.reconciliationtimeinterval parameter.

To avoid decreased performance on the server when synchronizing deletions from Novell eDirectory or OpenLDAP in Oracle Internet Directory, you can customize the comparison to search specific subsets of the DIT. You specify the subset search criteria as part of the map file by using the ReconciliationRules keyword.

The default reconciliation rules for Novell eDirectory are as follows:

inetorgperson:cn:
groupofnames:cn:

The default reconciliation rules for OpenLDAP are as follows:

inetorgperson:cn:
groupofuniquenames:cn:

The preceding rules specify that the search criteria be applied in the following two steps:

1. Search for all entries in the inetorgperson object class. You can also specify different subsets within this rule according to the attribute values.
2. Search for all entries in the groupofnames object class in Novell eDirectory or in the groupofuniquenames object class in OpenLDAP.

22.3.6.1 How Do I Define a Reconciliation Rule?

You define a reconciliation rule with one object class, one attribute, and any number of values. You can use any attribute that is synchronized with Oracle Internet Directory to define a reconciliation rule.
However, you must observe the following two requirements:

■ The attribute of the specified object class must be defined in the mapping rules
■ The corresponding Oracle Internet Directory attribute must be indexed

For example, consider the following reconciliation rule:

myobjclass:myattr:val1:val2:val3

In the preceding reconciliation rule, the name of the object class is myobjclass and the name of the attribute is myattr. You can assign values of val1, val2, or val3 to the myattr attribute. To use the myattr attribute, the following mapping rule must be defined:

myattr: : : myobjclass:attr: :objclass:

The preceding mapping rule defines the myattr attribute in the myobjclass object class, and attr is the corresponding Oracle Internet Directory attribute that should be indexed.

22.3.6.2 How are Reconciliation Rules Used to Synchronize Deletions?

Defining reconciliation rules generates search filters that query Novell eDirectory or OpenLDAP to determine the number of deleted entries. For example, with the myobjclass and attr reconciliation rule example in the previous section, the following search filters are generated in Novell eDirectory or OpenLDAP:

■ (&(objectclass=myobjclass)(createtimestamp<=orclodipreconciliationtimestamp)(myattr=val1))
■ (&(objectclass=myobjclass)(createtimestamp<=orclodipreconciliationtimestamp)(myattr=val2))
■ (&(objectclass=myobjclass)(createtimestamp<=orclodipreconciliationtimestamp)(myattr=val3))

The reconciliation rule and mapping rule also generate corresponding filters in Oracle Internet Directory. For example, the following Oracle Internet Directory filters are generated for the myobjclass and attr reconciliation rule:

■ (&(objectclass=objclass)(orclndsobjectguid=*)(orclSourceCreateTimeStamp<=orclodipreconciliationtimestamp)(attr=val1))
■ (&(objectclass=objclass)(orclndsobjectguid=*)(orclSourceCreateTimeStamp<=orclodipreconciliationtimestamp)(attr=val2))
■ (&(objectclass=objclass)(orclndsobjectguid=*)(orclSourceCreateTimeStamp<=orclodipreconciliationtimestamp)(attr=val3))

22.3.7 Step 7: Specifying Synchronization Parameters for the Advanced Configuration Information Attribute

The Advanced Configuration Information (orclodipAgentConfigInfo) attribute in a synchronization profile stores any additional configuration information needed by a connector to synchronize Oracle Internet Directory with a connected directory. You can use the SearchDeltaSize and SkipErrorToSyncNextChange parameters with any connected directory. For Novell eDirectory and OpenLDAP, you can also use the parameters listed in Table 22–1 to specify additional configuration information.

Tip: Refer to the Advanced section on page 7-5 for a description of all Advanced Configuration parameters for synchronization profiles.
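Returning to the reconciliation rules of Section 22.3.6 and the mapping-rule format of Step 5: the following Python is an added example, not Oracle's or the DIP product's code. It expands a reconciliation rule plus its mapping rule into the connected-directory and Oracle Internet Directory filters described above, and rejects a rule whose attribute has no mapping rule, which is the first of the two requirements. It assumes the mapping-rule field order seen in the page's examples (SrcAttr:ReqSeq:SrcType:SrcObjClass:DstAttr:DstType:DstObjClass:Rule), that DIP substitutes a real timestamp for the orclodipreconciliationtimestamp placeholder at run time, and that for OpenLDAP the GUID presence test would use the entryuuid target attribute from the mandatory mapping (the page shows only the eDirectory filter).

```python
"""Expand Oracle DIP reconciliation rules into the LDAP filters they generate.

Added example, not Oracle's code. Assumed: the mapping-rule field order
SrcAttr:ReqSeq:SrcType:SrcObjClass:DstAttr:DstType:DstObjClass:Rule used in
the page's examples, and that DIP substitutes a real timestamp for the
orclodipreconciliationtimestamp placeholder at run time.
"""
from dataclasses import dataclass

RECON_TS = "orclodipreconciliationtimestamp"  # placeholder substituted by DIP

@dataclass(frozen=True)
class MappingRule:
    src_attr: str
    src_objclass: str
    dst_attr: str      # OID attribute; the text requires it to be indexed
    dst_objclass: str

def parse_mapping_rule(line: str) -> MappingRule:
    # Colon-separated; blank fields may be written as a single space.
    f = [p.strip().lower() for p in line.split(":")]
    if len(f) < 7:
        raise ValueError(f"expected at least 7 fields: {line!r}")
    return MappingRule(f[0], f[3], f[4], f[6])

def parse_reconciliation_rule(line: str) -> tuple[str, str, list[str]]:
    # objectclass:attribute[:value...]; a trailing colon means "no values".
    objclass, attr, *values = [p.strip().lower() for p in line.rstrip(":").split(":")]
    return objclass, attr, values

def reconciliation_filters(rule: str, mappings: list[MappingRule],
                           guid_attr: str = "orclndsobjectguid") -> tuple[list[str], list[str]]:
    """Return (connected-directory filters, OID filters), one pair per value."""
    objclass, attr, values = parse_reconciliation_rule(rule)
    # Requirement from the text: the attribute must be defined in the mapping
    # rules for that object class, or the OID-side filter cannot be built.
    mr = next((m for m in mappings if m.src_attr == attr and m.src_objclass == objclass), None)
    if mr is None:
        raise ValueError(f"no mapping rule defines {attr} for object class {objclass}")
    src, dst = [], []
    for v in values or [None]:  # default rules carry no values: one filter each
        src.append(f"(&(objectclass={objclass})(createtimestamp<={RECON_TS})"
                   + (f"({attr}={v})" if v else "") + ")")
        dst.append(f"(&(objectclass={mr.dst_objclass})({guid_attr}=*)"
                   f"(orclSourceCreateTimeStamp<={RECON_TS})"
                   + (f"({mr.dst_attr}={v})" if v else "") + ")")
    return src, dst
```

Running the default rule inetorgperson:cn: through it yields a single filter per directory with no attribute-value term, which is why the default rules scan a whole object class and a value list narrows the comparison to subsets of the DIT.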