Oracle® Identity Management Integration Guide
10g Release 2 (10.1.2) B14085-02
By default, a connector retrieves changes to all objects in the container configured for synchronization. However, you may want to synchronize only certain kinds of changes, such as changes to users and groups. Mapping rules specify how entries are converted from one directory to another; matching filters, in turn, select which objects are synchronized between directories. Before changes from a connected directory are imported into Oracle Internet Directory, they can be filtered with the Connected Directory Matching Filter (orclODIPConDirMatchingFilter) attribute in the synchronization profile. Similarly, before changes are exported from Oracle Internet Directory to a connected directory, they can be filtered with the OID Matching Filter (orclODIPOIDMatchingFilter) attribute. For both attributes, you can specify a filter for connected directories that obtain incremental changes through an LDAP search, or for connected directories that store changes in a change log, as described in the following sections.
You can use either the Oracle Directory Integration and Provisioning Server Administration tool or Directory Integration and Provisioning Assistant to update the matching filters.
For connected directories that obtain incremental changes through an LDAP search, such as Active Directory, use the following syntax to assign a value to the searchfilter attribute of either the Connected Directory Matching Filter (orclODIPConDirMatchingFilter) or the OID Matching Filter (orclODIPOIDMatchingFilter):

"searchfilter=LDAP_SEARCH_FILTER"
The following example creates an LDAP search filter that retrieves organizational units, groups, and users, but not computers. The explicit exclusion is needed because in Active Directory the computer object class is a subclass of user, so a computer account also matches (objectclass=user). Write the filter without whitespace between its components, because the LDAP filter grammar (RFC 4515) does not allow it:

"searchfilter=(|(objectclass=group)(objectclass=organizationalUnit)(&(objectclass=user)(!(objectclass=computer))))"
For connected directories that store changes in a change log, you can use only the following simple operators, which are provided by Oracle Directory Integration and Provisioning, to specify a matching filter for either the Connected Directory Matching Filter (orclODIPConDirMatchingFilter) or the OID Matching Filter (orclODIPOIDMatchingFilter):

= (equal operator)
!= (not equal operator)
Note: Connected directories that obtain incremental changes through an LDAP search can also use the preceding operators without the searchfilter attribute. However, you can then specify only a single expression; a filter with more than one operator pair causes the search to fail.
You can use the preceding operators with either LDAP or non-LDAP directories, provided they obtain incremental changes from a change log. Wildcards and pattern matching are not supported with the preceding operators unless you use the searchfilter attribute. When multiple operator pairs are included in the filter, the expression is evaluated as a logical AND operation. For example, the following expression includes four operator pairs:

"(objectclass=group)(objectclass=organizationalUnit)(objectclass=user)(objectclass!=computer)"

The preceding expression evaluates as follows:

objectclass is equal to group AND objectclass is equal to organizationalUnit AND objectclass is equal to user AND objectclass is NOT equal to computer

Because the pairs are ANDed rather than ORed, this expression selects only an entry whose multivalued objectclass attribute carries all three values at the same time. There is no OR operator in this simple syntax, so it cannot express "groups or organizational units or users" the way the searchfilter example does.
For connected directories that store changes in a change log, a matching filter can select changes only by attributes that appear in the change log. If a matching filter refers to an attribute that does not appear in the change log, the search operation fails. For this reason, matching filters are of limited use for connected directories that store incremental changes in a change log.
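To see how the two filter syntaxes behave before committing one to a profile, the following Python script, added here as an example and not part of Oracle's documentation or product, parses and evaluates both forms against a few constructed Active Directory-style entries. It covers the searchfilter example above, the AND semantics of the four-pair expression, and the change-log case in which a filter names an attribute the record does not carry. Everything in it is an assumption for illustration: the entry DNs and object classes are made up, the FilterError exception stands in for the failed search the text describes, and the parser accepts only equality items (no substring or presence filters) and rejects whitespace between items as RFC 4515 does.

```python
"""Evaluator for the two matching-filter syntaxes described on this page. Added
example, not Oracle code: it models the page's semantics so a filter can be checked."""
import re

class FilterError(ValueError):
    """Malformed filter, or an attribute absent from a change-log record (assumption:
    the page's 'the search operation will fail' is modelled as this exception)."""

def parse_search_filter(text):
    """Parse the "searchfilter=" form (RFC 4515 style, equality items only) into
    ('and', [..]) / ('or', [..]) / ('not', node) / ('eq', attr, value) nodes."""
    if text.startswith("searchfilter="):
        text = text[len("searchfilter="):]

    def expect_close(i):  # RFC 4515 allows no whitespace, so ' ' here is an error
        if i >= len(text) or text[i] != ")":
            raise FilterError(f"expected ')' at offset {i}")
        return i + 1

    def parse(i):
        if i >= len(text) - 1 or text[i] != "(":
            raise FilterError(f"expected '(' at offset {i}")
        ch = text[i + 1]
        if ch in "&|":
            items, i = [], i + 2
            while i < len(text) and text[i] == "(":
                node, i = parse(i)
                items.append(node)
            return ("and" if ch == "&" else "or", items), expect_close(i)
        if ch == "!":
            node, i = parse(i + 2)
            return ("not", node), expect_close(i)
        j = text.find(")", i)
        item = text[i + 1:j]
        attr, sep, value = item.partition("=")
        if j < 0 or not sep or not value or "(" in item or "*" in item or not attr.replace("-", "").isalnum():
            raise FilterError(f"unsupported item {item!r}")
        return ("eq", attr.lower(), value.lower()), j + 1

    node, end = parse(0)
    if end != len(text):
        raise FilterError(f"trailing data at offset {end}")
    return node

def eval_search_filter(node, entry):
    """Evaluate a parsed search filter against one entry (attr -> set of values)."""
    kind = node[0]
    if kind == "eq":
        return node[2] in entry.get(node[1], set())
    if kind == "not":
        return not eval_search_filter(node[1], entry)
    results = [eval_search_filter(n, entry) for n in node[1]]
    return all(results) if kind == "and" else any(results)

_SIMPLE_ITEM = re.compile(r"\(([A-Za-z][A-Za-z0-9-]*)(!?=)([^()*]+)\)")

def parse_simple_filter(text):
    """Parse "(attr=value)(attr!=value)..." into (attr, negated, value) tuples.
    All pairs are ANDed; there is no OR, and '*' wildcards are rejected."""
    items, pos = [], 0
    while pos < len(text):
        m = _SIMPLE_ITEM.match(text, pos)
        if not m:
            raise FilterError(f"malformed simple filter at offset {pos}")
        attr, op, value = m.groups()
        items.append((attr.lower(), op == "!=", value.lower()))
        pos = m.end()
    if not items:
        raise FilterError("empty filter")
    return items

def eval_simple_filter(items, record):
    """AND every pair over one change-log record; an attribute the record does
    not carry raises FilterError, as the page says the search then fails."""
    for attr, negated, value in items:
        if attr not in record:
            raise FilterError(f"attribute {attr!r} is not in the change-log record")
        if (value in record[attr]) == negated:  # wanted absent, or excluded present
            return False
    return True

# Constructed sample entries shaped like an AD export (not real data). The computer
# also carries objectclass=user because in AD "computer" is a subclass of "user",
# which is why the page's filter needs (!(objectclass=computer)).
SAMPLE_ENTRIES = {
    "cn=alice,ou=people,dc=example,dc=com": {"objectclass": {"top", "person", "organizationalperson", "user"}},
    "cn=ws01,cn=computers,dc=example,dc=com": {"objectclass": {"top", "person", "organizationalperson", "user", "computer"}},
    "cn=admins,ou=groups,dc=example,dc=com": {"objectclass": {"top", "group"}},
    "ou=people,dc=example,dc=com": {"objectclass": {"top", "organizationalunit"}},
}

def select_entries(filter_text, entries=SAMPLE_ENTRIES):
    """Return the DNs the filter selects; the "searchfilter=" prefix picks the syntax."""
    if filter_text.startswith("searchfilter="):
        node = parse_search_filter(filter_text)
        return sorted(dn for dn, e in entries.items() if eval_search_filter(node, e))
    items = parse_simple_filter(filter_text)
    return sorted(dn for dn, e in entries.items() if eval_simple_filter(items, e))
```

Calling select_entries on the page's searchfilter string returns the organizational unit, the group and the user but not the computer. The four-pair simple expression returns nothing, because no entry's objectclass holds group, organizationalUnit and user at once, whereas (objectclass=user)(objectclass!=computer) is the simple-syntax way to get users without computers. A filter such as (department=sales) raises FilterError, because the constructed change-log records carry only objectclass, and a searchfilter with a space between two items is rejected at parse time.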