8 Configuring LDAP Container Rules

Oracle Identity Manager can be installed with LDAP synchronization enabled. When LDAP synchronization is enabled and a user is to be created, a plug-in determines the container in which the user is created. Similarly, when a role is to be created, the same plug-in determines the container in which the role is created. For this, Oracle Identity Manager calls a plug-in that implements the oracle.iam.ldapsync.LDAPContainerMapper interface. All the attributes of the user or role are passed to the plug-in, and it returns the Distinguished Name (DN) of the LDAP container. You can write your own plug-in, register it with Oracle Identity Manager, and then configure Oracle Identity Manager to use it by setting the LDAPContainerMapperPlugin system property. See "System Properties in Oracle Identity Manager" in the Oracle Fusion Middleware System Administrator's Guide for Oracle Identity Manager for information about this system property.

See Also:

"Integration Between LDAP Identity Store and Oracle Identity Manager" in the Oracle Fusion Middleware System Administrator's Guide for Oracle Identity Manager for information about LDAP synchronization

Oracle Identity Manager provides a default plug-in that determines the LDAP container for a user or role from the user or role attributes that are synchronized to LDAP. The default plug-in reads its rules from an XML file, which must be deployed to MDS as /db/LDAPContainerRules.xml. When Oracle Identity Manager is installed with LDAP synchronization enabled, the installer asks for the user container and the role container. These values are stored in /db/LDAPContainerRules.xml as the <container> of the rule whose <expression> is Default, for users and for roles respectively. The following is an example:

<container-rules>
  <user>
    <rule>
      <expression>Country=US, Locality Name=AMER</expression>
      <container>l=amer,dc=oracle,dc=com</container>
    </rule>
    <rule>
      <expression>Country=IN, Locality Name=APAC</expression>
      <container>l=apac,dc=oracle,dc=com</container>
    </rule>
    <rule>
      <expression>Default</expression>
      <container>l=users,dc=oracle,dc=com</container>
    </rule>
  </user>
  <role>
    <rule>
      <expression>Region=AMER</expression>
      <container>l=amer,ou=role,dc=oracle,dc=com</container>
    </rule>
    <rule>
      <expression>Region=APAC</expression>
      <container>l=apac,ou=role,dc=oracle,dc=com</container>
    </rule>
    <rule>
      <expression>Default</expression>
      <container>l=roles,dc=oracle,dc=com</container>
    </rule>
  </role>
</container-rules>

Each <expression> is written in terms of user or role attributes. Only the equal to (=) operator is supported in an <expression>; no other comparison operators are available. An expression can reference several attributes, separated by commas as in the example, and the rule matches only when every listed attribute has the given value (the conditions are combined with AND). If no rule matches, the user or role is placed in the container of the rule whose expression is Default, so each of the <user> and <role> sections must contain a Default rule.

Suppose a user is to be created with the attributes Country=US and Locality Name=AMER. This user is created in the container l=amer,dc=oracle,dc=com. If a user is to be created with Country=France and Locality Name=FR, it is created in the container l=users,dc=oracle,dc=com, because no expression matches this combination of attributes and the Default container is therefore selected. The same applies to a user with Country=US and Locality Name=APAC: because every attribute in an expression must match, neither of the first two rules applies and the user goes to the Default container.
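The following is an added example that re-implements, in Python, the matching semantics the chapter describes for /db/LDAPContainerRules.xml: only the equal to (=) operator, AND over all attributes in an expression, and fallback to the Default rule. It is not Oracle's default plug-in and does not use the oracle.iam.ldapsync.LDAPContainerMapper interface; the rules file below is constructed from the example above, and the exact, case-sensitive comparison and first-match-in-file-order behaviour are assumptions, since the chapter does not specify them. It also adds the checks a practitioner would want before deploying a rules file: every rule has a <container>, every clause uses only =, and each of <user> and <role> has exactly one Default rule.

```python
"""Illustrative re-implementation of the matching done by the default container
plug-in over /db/LDAPContainerRules.xml.  Added example, not Oracle's own code."""
import re
import xml.etree.ElementTree as ET

# Constructed sample rules file, modelled on the example in this chapter.
RULES_XML = """<container-rules>
  <user>
    <rule>
      <expression>Country=US, Locality Name=AMER</expression>
      <container>l=amer,dc=oracle,dc=com</container>
    </rule>
    <rule>
      <expression>Country=IN, Locality Name=APAC</expression>
      <container>l=apac,dc=oracle,dc=com</container>
    </rule>
    <rule>
      <expression>Default</expression>
      <container>l=users,dc=oracle,dc=com</container>
    </rule>
  </user>
  <role>
    <rule>
      <expression>Region=AMER</expression>
      <container>l=amer,ou=role,dc=oracle,dc=com</container>
    </rule>
    <rule>
      <expression>Default</expression>
      <container>l=roles,dc=oracle,dc=com</container>
    </rule>
  </role>
</container-rules>
"""

DEFAULT = "Default"
# One 'Attribute=value' clause. Only '=' is supported, so '!=', '>=' etc. are rejected
# instead of silently producing a rule that never matches.
_CLAUSE = re.compile(r"^\s*([^=<>!~]+?)\s*=\s*([^=<>!~]+?)\s*$")


def parse_expression(expr):
    """'Country=US, Locality Name=AMER' -> {'Country': 'US', 'Locality Name': 'AMER'}."""
    conditions = {}
    for clause in expr.split(","):
        m = _CLAUSE.match(clause)
        if not m:
            raise ValueError(f"unsupported expression clause: {clause!r}")
        conditions[m.group(1)] = m.group(2)
    return conditions


def load_rules(xml_text):
    """Return {'user': [(conditions, dn), ...], 'role': [...]} in file order.

    conditions is None for the Default rule. Each entity type must carry exactly
    one Default rule, otherwise an entry could end up with no container at all.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "container-rules":
        raise ValueError("root element must be <container-rules>")
    rules = {}
    for entity in root:  # <user> and <role>
        parsed, defaults = [], 0
        for rule in entity.findall("rule"):
            expr = (rule.findtext("expression") or "").strip()
            dn = (rule.findtext("container") or "").strip()
            if not dn:
                raise ValueError(f"<{entity.tag}> rule {expr!r} has no <container>")
            if expr == DEFAULT:
                defaults += 1
                parsed.append((None, dn))
            else:
                parsed.append((parse_expression(expr), dn))
        if defaults != 1:
            raise ValueError(f"<{entity.tag}> needs exactly one Default rule, found {defaults}")
        rules[entity.tag] = parsed
    return rules


def container_for(rules, entity, attributes):
    """Pick the container DN for a 'user' or 'role' with the given attributes.

    A rule matches only if every attribute it names is present with exactly that
    value (AND). Assumption: exact, case-sensitive comparison, and if several rules
    match, the first one in file order wins; the chapter specifies neither.
    """
    default_dn = None
    for conditions, dn in rules[entity]:
        if conditions is None:
            default_dn = dn
        elif all(attributes.get(name) == value for name, value in conditions.items()):
            return dn
    return default_dn


if __name__ == "__main__":
    rules = load_rules(RULES_XML)
    print(container_for(rules, "user", {"Country": "US", "Locality Name": "AMER"}))
    print(container_for(rules, "user", {"Country": "France", "Locality Name": "FR"}))
```

Because placement is decided entirely by the attribute values submitted for the user or role, the attributes referenced in the rules should be ones that are set by trusted provisioning sources rather than ones an end user can edit about themselves; otherwise changing an attribute value is enough to steer an account into a different container.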