Oracle® Identity Management Integration Guide
10g Release 2 (10.1.2)
B14085-02
6.6 Applying Matching Filters

By default, a connector retrieves changes to all objects in the container configured for synchronization. However, you may be interested in synchronizing only certain types of changes, such as changes to just users and groups. While mapping rules allow you to specify how entries are converted from one directory to another, you can also filter objects that are synchronized between directories. Before changes from a connected directory are imported into Oracle Internet Directory, they can be filtered with the Connected Directory Matching Filter (orclODIPConDirMatchingFilter) attribute in the synchronization profile. Similarly, before changes are exported from Oracle Internet Directory to a connected directory, they can be filtered with the OID Matching Filter (orclODIPOIDMatchingFilter) attribute. For both attributes, you can specify a filter for connected directories that either obtain incremental changes through an LDAP search or that store changes in a change log, as described in the following sections:

You can use either the Oracle Directory Integration and Provisioning Server Administration tool or Directory Integration and Provisioning Assistant to update the matching filters.

6.6.1 Filtering Changes with an LDAP Search

For connected directories that obtain incremental changes through an LDAP search, such as Active Directory, use the following syntax to assign a value to the searchfilter attribute of either the Connected Directory Matching Filter (orclODIPConDirMatchingFilter) or the OID Matching Filter (orclODIPOIDMatchingFilter):

"searchfilter=LDAP_SEARCH_FILTER"
 

The following example creates an LDAP search filter that retrieves organizational units, groups, and users, but not computers:

"searchfilter=(|(objectclass=group)(objectclass=organizationalUnit)
(&(objectclass=user)(!(objectclass=computer))))"

6.6.2 Filtering Changes from a Change Log

For connected directories that store changes in a change log, you can use just the following simple operators, which are provided by Oracle Directory Integration and Provisioning, to specify a matching filter for either the Connected Directory Matching Filter (orclODIPConDirMatchingFilter) or the OID Matching Filter (orclODIPOIDMatchingFilter):

  • = (equal operator)

  • != (not equal operator)


Note:

Connected directories that obtain incremental changes through an LDAP search can also use the preceding operators without the searchfilter attribute. However, you can only specify a single expression or the search will fail.

You can use the preceding operators with either LDAP or non-LDAP directories, provided they obtain incremental changes from a change log. Wildcards and pattern matching are not supported with the preceding operators if you do not use the searchfilter attribute. However, when multiple operator pairs are included in the filter, the expression is evaluated as a logical AND operation. For example, the following expression includes four operator pairs:

"(objectclass=group)(objectclass=organizationalUnit)
(objectclass=user)(objectclass!=computer)"
 

The preceding expression evaluates as follows:

objectclass is equal to group
AND objectclass is equal to organizationalUnit
AND objectclass is equal to user
AND objectclass is NOT equal to computer
 

For connected directories that store changes in a change log, a matching filter can synchronize changes for only the attributes that appear in the change log. If you include attributes in a matching filter that do not appear in the change log, the search operation will fail. For this reason, matching filters are of limited use for connected directories that store incremental changes in a change log.
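
The two filter forms from sections 6.6.1 and 6.6.2, evaluated side by side in an added example that is not part of the Oracle guide and is not Oracle code. The entry names, the sample object classes and the handling of multi-valued attributes in matches_simple are assumptions made for illustration. In Active Directory the computer class derives from user, which is why the searchfilter excludes it explicitly.

```python
import re

def parse(f, i=0):
    """Parse an RFC 4515 subset: (&..), (|..), (!..) and (attr=value)."""
    if f[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    op = f[i + 1]
    if op in "&|!":
        kids, i = [], i + 2
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1          # step over the closing ')'
    end = f.index(")", i)
    attr, value = f[i + 1:end].split("=", 1)
    return ("=", attr.lower(), value.lower()), end + 1

def matches(node, entry):
    """Evaluate a parsed searchfilter against an entry {attr: set(values)}."""
    kind, arg = node[0], node[1]
    if kind == "!":
        return not matches(arg[0], entry)
    if kind in "&|":
        return (all if kind == "&" else any)(matches(k, entry) for k in arg)
    return node[2] in entry.get(arg, set())

PAIR = re.compile(r"\(([^()=!]+)(!=|=)([^()]*)\)")
def matches_simple(expr, entry):
    """Section 6.6.2 form: every (attr=value) / (attr!=value) pair is ANDed.
    Assumption: '=' is true when any value of the attribute equals the operand."""
    return all((v.lower() in entry.get(a.lower(), set())) == (op == "=")
               for a, op, v in PAIR.findall(expr))

# Constructed entries (values lower-cased); the AD computer object is also a user.
ENTRIES = {
    "alice":  {"objectclass": {"person", "organizationalperson", "user"}},
    "ws01$":  {"objectclass": {"person", "organizationalperson", "user", "computer"}},
    "admins": {"objectclass": {"group"}},
    "sales":  {"objectclass": {"organizationalunit"}}}
SEARCH = ("(|(objectclass=group)(objectclass=organizationalUnit)"
          "(&(objectclass=user)(!(objectclass=computer))))")
SIMPLE = ("(objectclass=group)(objectclass=organizationalUnit)"
          "(objectclass=user)(objectclass!=computer)")

def selected(pred):
    return sorted(name for name, e in ENTRIES.items() if pred(e))

TREE, _ = parse(SEARCH)
print("searchfilter:", selected(lambda e: matches(TREE, e)))
print("simple AND  :", selected(lambda e: matches_simple(SIMPLE, e)))
```

Under these assumptions the searchfilter selects admins, alice and sales and drops the computer account, while the four ANDed pairs select nothing, because no sample entry is a group, an organizational unit and a user at once.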