6.2 Defining Schema Mapping

Different LDAP servers have different schemas. When the driver is first started, it queries the server for the specific schema.

You must be familiar with the characteristics of directory attributes and the LDAP server attributes. The driver handles all LDAP attribute types (cis, ces, tel, dn, int, bin). It also handles the eDirectory Facsimile Telephone Number.

When you map attributes, follow these guidelines:

  • Verify that every class and attribute specified in the Subscriber and Publisher policies is mapped in the Mapping policy unless the class or attribute names are the same in both directories.

  • Before mapping a directory attribute to an LDAP server attribute, verify that the LDAP server attribute actually exists. For example, the Full Name attribute is defined for a User object in the Identity Vault, but fullname doesn’t exist in an inetOrgPerson object on Netscape.

  • Always map attributes to attributes of the same type. For example, map string attributes to string attributes, octet attributes to binary attributes, and telenumber attributes to telenumber attributes.

  • Map multivalue attributes to multivalue attributes.

The driver doesn’t provide data conversion between different attribute types or conversions from multivalue to single-value attributes. The driver also doesn’t understand structured attributes except for Facsimile Telephone Number and Postal Address.

Identity Manager is flexible about the syntax that it accepts from the Publisher:

  • Accepting Non-Structured/Non-Octet Syntax: Identity Manager accepts any non-structured/non-octet syntax for any other non-structured/non-octet syntax as long as the actual data can be coerced to the appropriate type. That is, if the Identity Vault is looking for a numeric value, the actual data should be a number.

  • Coercing the Data to Octet: When Identity Manager is expecting octet data and gets another non-octet/non-structured type, Identity Manager coerces the data to octet by serializing the string value to UTF-8.

  • Coercing the Data to a String: When Identity Manager is passed octet data and another non-structured type is expected, Identity Manager coerces the data to a string by decoding the Base64 data. Identity Manager next tries to interpret the result as a UTF-8 encoded string (or the platform’s default character encoding if it is not a valid UTF-8 string) and then applies the same rules as Accepting Non-Structured/Non-Octet Syntax.

  • FaxNumber: For faxNumber, if a non-structured type is passed in, Accepting Non-Structured/Non-Octet Syntax and Coercing the Data to a String are applied to the data to get the phone number portion of the fax number. The other fields are defaulted.

  • State: For state, False, No, F, N (in either uppercase or lowercase), 0 and “ ” (empty string) are interpreted as False; any other value is interpreted as True.
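The coercion rules above, worked through as an added Python example that is not Identity Manager code; the syntax labels ("string", "int", "octet", "state"), the function names and the locale-based stand-in for the platform default encoding are this example's own assumptions. It also adds a pre-check helper so a mapping can be tested against the two failure cases the rules imply: octet data that is not valid Base64, and data that cannot be coerced to a number.

```python
import base64
import binascii
import locale

# Added illustration of the Publisher coercion rules; not Identity Manager code.
# Syntax labels and function names are this example's own; the platform default
# encoding is approximated with locale.getpreferredencoding().


def coerce_to_octet(text: str) -> str:
    """Non-octet -> octet: serialize the value as UTF-8 (carried here as Base64)."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def coerce_octet_to_string(b64: str, fallback: str = "") -> str:
    """Octet -> string: decode the Base64, try UTF-8, else the platform default."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"octet value is not valid Base64: {exc}") from exc
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw.decode(fallback or locale.getpreferredencoding(False), errors="replace")


def coerce_state(text: str) -> bool:
    """State: False, No, F, N (any case), 0 and the empty string are False; all else True."""
    return text.lower() not in {"false", "no", "f", "n", "0", ""}


def coerce(value: str, source: str, target: str):
    """Value of syntax `source` arriving where `target` is expected (both non-structured)."""
    if source == "octet" and target != "octet":  # Coercing the Data to a String first
        return coerce(coerce_octet_to_string(value), "string", target)
    if target == "octet":                        # Coercing the Data to Octet
        return value if source == "octet" else coerce_to_octet(value)
    if target == "int":
        try:
            return int(value)                    # the data must actually be a number
        except ValueError:
            raise ValueError(f"{value!r} cannot be coerced to int") from None
    if target == "state":
        return coerce_state(value)
    if target == "string":
        return value
    raise ValueError(f"unsupported target syntax {target!r}")


def can_coerce(value: str, source: str, target: str) -> bool:  # pre-check a mapping
    try:
        coerce(value, source, target)
        return True
    except ValueError:
        return False
```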

The following steps provide instructions for modifying the Schema Mapping Policy in iManager. For information about using Designer, see Defining Schema Map Policies in the NetIQ Identity Manager - Using Designer to Create Policies guide.

  1. In iManager, open the LDAP driver Overview page:

    1. Click the Driver icon to display the Identity Manager Administration page.

    2. In the Administration list, click Identity Manager Overview.

    3. If the driver set is not listed on the Driver Sets tab, use the Search In field to search for and display the driver set.

    4. Click the driver set to open the Driver Set Overview page.

    5. Click the LDAP driver icon to display its Overview page.

  2. Click the schema mapping icon on the Publisher or Subscriber channel.

  3. Click the policy to display the editing page.

  4. Edit the policy as appropriate for your setup.