LDAP Sync

Many organizations have established a central repository (a directory service) for user and group information, making it possible to edit that information independently from all the different systems that need it. However, iKnowBase needs a local copy of that information in order to support security and context operations.

Use the LDAP Sync profile to set up a replication link, which enables information to automatically flow into iKnowBase when it is changed in the source user directory.

iKnowBase comes with a PL/SQL procedure, oid_sync.synchronize_users, which you can run to perform the synchronization based on the configured LDAP Synchronizing profiles. Typically you will create a Schedule which executes the synchronization job at given times and at given intervals. Every time the synchronization job runs, it will read the LDAP change log to understand what kind of changes have happened in the source user directory. The change log will contain entries indicating that users, groups or group memberships have changed. The synchronization job will copy these changes into the corresponding iKnowBase objects as specified in the LDAP Synchronizing profiles.

See the Development Guide for further information.

Properties

This section describes the properties of an LDAP Sync profile, as shown on the corresponding Edit pane tabs.

Configuration Tab

The configuration tab contains general information on the LDAP Sync profile.

Property Description
Subsystem

Select the subsystem the profile belongs to

Profile name

Type the name of the profile

External key

Type the external key of the profile. This can be used as the id when you start the synchronization.

LDAP-profile

Select the LDAP-profile which manages access to the LDAP server to use. To the right, the connection status will be shown. If the profile is valid, the message "The ldap-profile is valid" is displayed.

Sync. all groups

Select this check box to map and synchronize all groups automatically.

Purge log entries older than xx days

Enter the number of days you want to keep log entries for. Use 0 if you do not want an automatic purge of old log entries.

Language

Specify the language that will be set on the user when it is created.

Current Changelog Number and timestamp

This is the last known change number from the LDAP server. All updates will start after this change number. The LDAP sync engine will automatically update this number after each run, to avoid having to redo many updates. It will also update the last successful run time.

If required, you can type a change number yourself, to redo changes or to skip corrupt entries.

Mandatory values for creation of person or organization card

Top dimension (Person)

Select the top dimension for user dimensions. Dimensions with an external key are available in the drop down box.
By default, the objects that are retrieved from the remote directory are organized in a dimension structure in iKnowBase.
Dimensions representing the synchronized user objects will be placed under this top dimension.

Top dimension (Organization)

Select the top dimension for organization dimensions. Dimensions with an external key are available in the drop down box.

You can configure the user synchronization to create organization information based on information in user objects.
Dimensions for the synchronized organization information will be placed under this top dimension.

Dimension Type (Person)

Click the appropriate dimension type.

In iKnowBase, a dimension can be associated with a dimension type. This type segments the dimensions in iKnowBase.
Dimensions representing users will be associated with the dimension type given in this field.

Dimension Type (Organization)

Click the appropriate dimension type.

In iKnowBase, a dimension can be associated with a dimension type. This type segments the dimensions in iKnowBase.
Dimensions representing organizations will be associated with the dimension type given in this field.

Default access group

Select the access control list to be used for the person and organization cards that are created when synchronizing user objects.

Default ikb group

Select the group to be used as the default group for synchronized users.

When a user is created in iKnowBase, it is provided with a default group.
The value of this property is the name of the default group.

The default value is IKB_XNET_USERS.

Information type (Person Card)

Select the information type to be used for person cards.

When a user is synchronized, iKnowBase creates a person card for this user that has some standard attributes. This person card is a placeholder for the attributes and dimensions that a developer chooses to transfer from the external user directory to iKnowBase. The value of this property is the external key of the information type that will be used for these person cards.

Information type (Organization Card)

Click the appropriate information type.

You can create an organization card that is a placeholder for the information that the developer chooses to synchronize from the remote user directory as organizational information.
This field provides an external key that represents an information type given to this document.

Run bootstrap

By running a bootstrap, all users in the LDAP directory that correspond to the profile will be synchronized to iKnowBase. The job will be run as a background job. Be aware that it will take some time, and it should only be used when you want all users synchronized to iKnowBase. Normally, the changelog synchronization is the preferred way of getting data into iKnowBase. This function is only available if the LDAP profile is valid.

Run changelog synchronization

By running a changelog synchronization, all changes since the last time the synchronization was run will be synchronized to iKnowBase. In production, this will normally be run as a scheduled job.
The command you can use to add it as a schedule is:
begin oid_sync.synchronize_users(p_sync_id => 'id', p_execution_user => 'adminuser'); end;
where 'id' is the external key of the profile (see External key on the Configuration tab) and 'adminuser' is the user the synchronization is executed as. This function is only available if the LDAP profile is valid.

Run single instance

By running a single instance, only the entered user will be synchronized. You need to enter a valid DN string. This function is only available if the LDAP profile is valid.

Attributes Tab

The attributes tab contains information about the user and group attribute mappings from the LDAP directory to iKnowBase.
Figure 13: LDAP Sync Edit pane – attributes

Property Description
SYNC_USER_USERNAME

The name of the LDAP-attribute that identifies the username (login name).

SYNC_USER_EMAIL

The name of the LDAP-attribute that identifies the user's e-mail address.

SYNC_USER_TITLE

The name of the LDAP-attribute that identifies the user's display name.

Create portal group

Check this flag if you want the LDAP Sync engine to create Oracle Portal groups corresponding to the synchronized organizations.

Create org.card

Check this flag if you want the LDAP Sync engine to create organization cards and dimensions corresponding to the organization information on the user object in LDAP.

SYNC_ORG_EXTERNAL_KEY

The name of the LDAP-attribute that will be the external key of the organization card. Required when creating organization cards.

SYNC_ORG_NAME

The name of the LDAP-attribute that identifies the name of the organization.

SYNC_ORG_CODE

The name of the LDAP-attribute that identifies the code of the organization.

Custom pre- and post procedures
Function that runs pre-usersynchronization

Type the name of the function that should be called before the synchronization takes place in iKnowBase.

Function that runs post-usersynchronization

Type the name of the function that should be called after the synchronization has taken place in iKnowBase, i.e. after the users, dimensions, organization cards and person cards have been created.

LDAP attribute

Type the name of the LDAP attribute of the LDAP object (user or group) to be synchronized from the LDAP to iKnowBase.

IKB attribute

Select the iKnowBase attribute for the target information object.

The select list will only be populated by iKnowBase attributes tagged with an external key. The iKnowBase attribute selected will be the attribute that the LDAP value is synchronized to.

IKB attribute type

Select the type of the target attribute to create during synchronization.

There are four available choices:

  • Text
  • Dimension
  • Digit
  • Date

For all these types, except dimension, the LDAP Sync engine will assign the value from the LDAP attribute to the iKnowBase attribute. If you select the dimension type, the value of the LDAP attribute will be treated as an external key for a dimension, and the corresponding dimension will be assigned to the iKnowBase attribute.
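To make the change-number mechanism described under Current Changelog Number, and the typed attribute mapping above, concrete, here is an added Python model (not iKnowBase code): it applies constructed changelog entries in order, resolves Dimension-typed values through an assumed external-key table, and advances the stored change number only past entries that were applied, halting at a corrupt entry so the administrator can skip it by typing a change number. The DNs, attribute names, dimension ids and the entry layout are constructed assumptions.

```python
# Added illustration (not iKnowBase code): changelog-driven sync with a stored change number.
ALICE = "cn=alice,ou=people,dc=example,dc=com"   # constructed DNs
BOB = "cn=bob,ou=people,dc=example,dc=com"
# Constructed LDAP changelog: (changenumber, targetdn, changetype, changed attributes)
CHANGELOG = [
    (101, ALICE, "add", {"uid": "alice", "mail": "alice@example.com", "ou": "SALES", "employeenumber": "42"}),
    (102, BOB, "add", {"uid": "bob", "mail": "bob@example.com", "ou": "HR", "employeenumber": "n/a"}),  # corrupt Digit
    (103, ALICE, "modify", {"mail": "a.smith@example.com"}),
    (104, ALICE, "delete", {}),
]
# Attributes tab rows (assumed names): LDAP attribute -> (IKB attribute, IKB attribute type)
MAPPING = {
    "uid": ("USERNAME", "Text"),
    "mail": ("EMAIL", "Text"),
    "employeenumber": ("EMPNO", "Digit"),
    "ou": ("ORG_DIM", "Dimension"),   # LDAP value is used as a dimension external key
}
DIMENSIONS = {"SALES": 10, "HR": 11}  # assumed existing dimensions: external key -> id

def apply_entry(users, dn, changetype, changes):
    if changetype == "delete":
        users.pop(dn, None)
        return
    card = dict(users.get(dn, {}))              # work on a copy: no half-written card on failure
    for ldap_attr, value in changes.items():
        if ldap_attr not in MAPPING:
            continue                            # unmapped LDAP attributes are ignored
        ikb_attr, ikb_type = MAPPING[ldap_attr]
        if ikb_type == "Digit":
            value = int(value)                  # ValueError marks the entry as corrupt
        elif ikb_type == "Dimension":
            value = DIMENSIONS[value]           # KeyError: no dimension with that external key
        card[ikb_attr] = value                  # Text (and Date) values are copied as-is
    users[dn] = card                            # written only after every value converted

def synchronize(users, last_change_number, changelog=CHANGELOG):
    """Apply entries newer than last_change_number in order. The number advances only past
    entries that were applied, so a corrupt entry halts the run until it is skipped or fixed."""
    log = []   # (message type, key/DN, message), like the Show log tab
    for number, dn, changetype, changes in sorted(changelog):
        if number <= last_change_number:
            continue
        try:
            apply_entry(users, dn, changetype, changes)
            last_change_number = number
            log.append(("INFO", dn, f"applied change {number}"))
        except (ValueError, KeyError) as exc:
            log.append(("ERROR", dn, f"change {number} rejected: {exc!r}"))
            break
    return last_change_number, log
```

A second call with the change number set past the corrupt entry (102 here) resumes with the remaining changes, which is what typing a change number on the Configuration tab does.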

Type

Select the appropriate object type of this entry.

Select Person if the attribute should be synchronized to the person card. Select Organization if the attribute should be synchronized to the organization card.

Groups Tab

The groups tab contains information on the mapping between groups in the LDAP server and in iKnowBase.

If the property "Sync all groups" is set, this tab is a pure information tab, displaying the information on the actual mapping.
Otherwise, if the property "Sync all groups" is not set, this page lets you specify which groups you want to synchronize, and which iKnowBase group you want to map each of them to. Note that when you use manual mapping, you need to create the iKnowBase groups before you can map to them.

Property Description
LDAP group

Select the LDAP group to be synchronized from the LDAP to iKnowBase.

Existing groups in the LDAP directory specified by the LDAP-profile property on the Configuration tab are available in the dropdown boxes.

IKB group

Select the iKnowBase group which the given LDAP group will be synchronized to.

Show log

The tab contains a detailed log generated for each run of the synchronization.

When the synchronization is run, it will log information here. You can choose between a detailed log or an overview of the operations run during synchronization.

Property Description
Timestamp

Displays when the log entry was created.

ID

Displays the id in the log table.

Message type

Displays the severity of the message. INFO, DEBUG and ERROR are the valid values.

Key

Normally displays the key (DN) handled in the operation.

Message

Displays a status or error message for each line.

Trace info

Displays trace info (only available when running in debug mode).