B.3 Engine Control Values

The engine control values are a way that certain default behaviors of the Identity Manager engine can be changed. The values can be accessed only if a server is associated with the Driver Set object.

Option

Description

Subscriber channel retry interval in seconds

The Subscriber channel retry interval controls how frequently the Identity Manager engine retries the processing of a cached transaction after the application shim's Subscriber object returns a retry status.

Qualified form for DN-syntax attribute values

The qualified specification for DN-syntax attribute values controls whether DN-syntax attribute values are presented in unqualified slash form or qualified slash form. A True setting means the values are presented in qualified form.

Qualified form from rename events

The qualified form for rename events controls whether the new-name portion of rename events coming from the Identity Vault is presented to the Subscriber channel with type qualifiers (for example, CN=). A True setting means the names are presented in qualified form.

Maximum eDirectory replication wait time in seconds

This setting controls the maximum time that the Identity Manager engine waits for a particular change to replicate between the local replica and a remote replica. This affects only operations where the Identity Manager engine is required to contact a remote eDirectory server in the same tree to perform an operation and might need to wait until some change has replicated to or from the remote server before the operation can be completed (for example, object moves when the Identity Manager server does not hold the master replica of the moved object; file system rights operations for Users created from a template).

Use non-compliant backwards-compatible mode for XSLT

This control sets the XSLT processor used by the Identity Manager engine to a backwards-compatible mode. The backward-compatible mode causes the XSLT processor to use one or more behaviors that are not XPath 1.0 and XSLT 1.0 standards-compliant. This is done for backward compatibility with existing DirXML style sheets that depend on the non-standard behaviors.

For example, the behavior of the XPath “!=” operator when one operand is a node-set and the other operand is other than a node-set is incorrect in DirXML releases up to and including Identity Manager 2.0. This behavior has been corrected; however, the corrected behavior is disabled by default through this control in favor of backward compatibility with existing DirXML style sheets.
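The standards-compliant rule for "=" and "!=" between a node-set and a non-node-set operand (XPath 1.0, section 3.4) is modelled below as an added example; it is not Identity Manager code, and the page does not describe what the pre-correction behavior was. Node-sets are represented as lists of node string-values, and the group names are constructed sample data.

```python
import operator
import re

# XPath 1.0 Number production: digits with an optional fraction, optional leading '-'.
NUMBER_RE = re.compile(r"\s*-?(\d+(\.\d*)?|\.\d+)\s*\Z")

def xpath_number(text):
    """XPath 1.0 number(): anything that is not a plain decimal becomes NaN."""
    return float(text) if NUMBER_RE.match(text) else float("nan")

def compare(op, node_set, other):
    """Apply operator.eq / operator.ne to a node-set and a non-node-set operand.

    node_set is a list of node string-values; other is a str, a number or a bool.
    """
    if isinstance(other, bool):
        # Boolean operand: the node-set is converted with boolean() first.
        return op(bool(node_set), other)
    if isinstance(other, (int, float)):
        # Number operand: true if ANY node, converted with number(), satisfies op.
        return any(op(xpath_number(v), float(other)) for v in node_set)
    # String operand: true if ANY node's string-value satisfies op.
    return any(op(v, other) for v in node_set)

def xpath_eq(node_set, other):
    return compare(operator.eq, node_set, other)

def xpath_ne(node_set, other):
    return compare(operator.ne, node_set, other)

if __name__ == "__main__":
    groups = ["admin", "users"]          # constructed node string-values
    # "groups != 'admin'" is true because one node differs, even though
    # another node is equal; it is not the negation of "groups = 'admin'".
    print(xpath_ne(groups, "admin"), not xpath_eq(groups, "admin"))
    # For an empty node-set no node satisfies either comparison.
    print(xpath_ne([], "admin"), not xpath_eq([], "admin"))
```

Style sheets that use `!=` against a node-set as a "value is absent" test should be reviewed before this control is changed, because under the standard rule that test is written as `not(... = ...)`.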

Maximum application objects to migrate at once

This control is used to limit the number of application objects that the Identity Manager engine requests from an application during a single query that is performed as part of a Migrate Objects from Application operation.

If java.lang.OutOfMemoryError errors are encountered during a Migrate from Application operation, this number should be set lower than the default. The default is 50.

NOTE: This control does not limit the number of application objects that can be migrated; it merely limits the batch size.

Set creatorsName on objects created in Identity Vault

This control is used by the Identity Manager engine to determine if the creatorsName attribute should be set to the DN of this driver on all objects created in the Identity Vault by this driver.

Setting the creatorsName attribute allows for easily identifying objects created by this driver, but also carries a performance penalty. If not set, the creatorsName attribute defaults to the DN of the NCP Server object that is hosting the driver.

Write pending associations

This control determines whether the Identity Manager engine writes a pending association on an object during Subscriber channel processing.

Writing a pending association confers little or no benefit but does incur a performance penalty. Nevertheless, the option exists to turn it on for backward compatibility.

Use password event values

This control determines the source of the value reported for the nspmDistributionPassword attribute for Subscriber channel Add and Modify events.

Setting the control to False means that the current value of the nspmDistributionPassword is obtained and reported as the value of the attribute event. This means that only the current password value is available. This is the default behavior.

Setting the control to True means that the value recorded with the eDirectory event is decrypted and is reported as the value of the attribute event. This means that both the old password value (if it exists) and the replacement password value at the time of the event are available. This is useful for synchronizing passwords to certain applications that require the old password to enable setting a new password.

Retry Out of Band events

This control determines whether an out-of-band sync event is retried when a retry status is received for it.

If the control is set to False, the out-of-band sync is not retried. If it is set to True, the out-of-band sync is retried until it is successful.

Use Rhino ECMAScript engine

Determines whether the Identity Manager engine uses the Rhino ECMAScript engine. The engine uses Rhino as the default ECMAScript engine.

This control is True by default. If you set this control to False, the engine uses the Nashorn script engine.

Enable Subscriber Service Channel

Determines whether the Identity Manager engine processes the out-of-band queries on the Subscriber Service channel of the driver. Some common examples of these queries are code map refresh, data collection, and queries triggered from dxcmd.

When this control is set to true, the channel separately processes these queries without interrupting the normal processing of events.

Currently, this control is only available for use with the JDBC Fan-Out driver (enabled by default).

Enable password synchronization status reporting

This control determines whether the Identity Manager engine reports the status of Subscriber channel password change events.

Reporting the status of Subscriber channel password change events allows applications such as the Identity Manager User Application to monitor the synchronization progress of a password change that should be synchronized to the connected application.

Combine values from template object with those from add operation

This value determines whether the Identity Manager engine combines like values from a creation template and an add operation when performing the add operation. Setting the value to True causes the template's multi-valued attribute values to be used in addition to the values for the same attribute that are specified in the add operation. Setting the value to False causes the values from the template to be ignored if there are values for the same attribute specified in the Add operation.

Allow event loopback from publisher to subscriber channel

This value determines whether the Identity Manager engine allows an event to loop from the driver’s Publisher channel to the Subscriber channel. Setting the value to False causes the Identity Manager engine to not allow events to loop back. Setting the value to True causes the Identity Manager engine to allow events to loop from the Publisher channel to the Subscriber channel.

Revert to calculated membership value behavior

This value determines the method used by the Identity Manager engine when performing read and search actions related to group membership.

Setting this value to False (the default setting) causes the Identity Manager engine, when reading or searching the Member and Group Member attributes of Identity Vault objects, to return only those values that are “static” values. Static values are objects that received group membership by direct assignment to the group rather than inherited assignment through a nested group.

Setting this value to True causes the Identity Manager engine to revert to the method used prior to Identity Manager 3.6. In pre-3.6 versions, the Identity Manager engine's search of the Member and Group Member attributes retrieved all “calculated” values. Calculated values include objects that are either 1) statically assigned membership or 2) dynamically assigned membership by virtue of the nested group hierarchy calculations used by eDirectory. A search of a group's Members attribute returns any objects that were directly assigned to the group or that were assigned membership through a nested group.

Maximum time to wait for driver shutdown in seconds

This setting controls the maximum time that the Identity Manager engine waits for the driver’s Publisher channel to shut down. If the driver does not shut down within the specified time interval, the Identity Manager engine terminates the driver.

Regular Expression escape meta-characters

This control determines the meta-characters that will be escaped while expanding the local variable when used in a regular expression context. All characters that need to be escaped must be added as a comma-separated list for this control value.

If a meta-character is not present in the control value, then it will not be escaped during local variable expansion containing a regular expression.

While using this control, ensure the following:

  • The value is not left empty. By default, it is populated with $. This character is required for local variable expansion.

  • The value should be a valid comma-separated (,) list; otherwise, you will encounter errors during policy evaluation.

  • To escape all meta-characters, specify "\,$,^,.,?,*,+,[,],(,),|" as a value.

  • If a meta-character need not be escaped, remove that character from the value.

  • To escape any meta-character, specify the meta-character followed by a backslash (\).
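The effect of the control value on local variable expansion can be modelled as follows. This is an added example, not Identity Manager code: Python's `re` module stands in for the engine's regular expression handling, the `$lv$` token, the `cn=` pattern and the attribute value are constructed, and rejecting a malformed list with `ValueError` is an assumption about how the documented policy evaluation errors arise.

```python
import re

# Control values taken from the page; everything else here is constructed.
DEFAULT_CONTROL = "$"
ESCAPE_ALL = r"\,$,^,.,?,*,+,[,],(,),|"

def parse_control(value):
    """Return the set of meta-characters named by the control value."""
    if not value:
        raise ValueError("control value must not be empty")
    items = value.split(",")
    if any(len(item) != 1 for item in items):
        raise ValueError("not a comma-separated list of single characters")
    return set(items)

def escape_value(text, control):
    """Backslash-escape only the characters listed in the control value."""
    meta = parse_control(control)
    return "".join("\\" + ch if ch in meta else ch for ch in text)

def expand(pattern, name, text, control):
    """Substitute $name$ in a regex pattern with the escaped variable value."""
    return pattern.replace("$" + name + "$", escape_value(text, control))

def matches(pattern, name, text, control, candidate):
    """True if the expanded pattern matches the whole candidate string."""
    return re.fullmatch(expand(pattern, name, text, control), candidate) is not None

if __name__ == "__main__":
    value = "svc.backup+db"      # constructed value held in local variable "lv"
    for control in (DEFAULT_CONTROL, ESCAPE_ALL):
        print(repr(control), "->", expand("cn=$lv$", "lv", value, control))
        for candidate in ("cn=svc.backup+db", "cn=svcXbackuppdb"):
            print("   ", candidate, matches("cn=$lv$", "lv", value, control, candidate))
```

With only `$` listed, the `.` and `+` in the value act as regex operators, so the pattern matches a different name and fails to match the literal one; with every meta-character listed, only the literal value matches.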

Ignore Entitlement Changes of other drivers

This control determines whether the Identity Manager engine ignores or processes entitlement changes of other drivers. The default value is True. This means that the driver automatically ignores the entitlement changes of other drivers. If this control is set to False, the entitlement changes of other drivers are cached and processed by this driver.

Allow Entitlement event loopback from cprs to subscriber channel

This control determines whether the Identity Manager engine allows an entitlement event that is generated by a CPRS assignment to loop back to the Subscriber channel of the driver. The default value is False. This means that the event is not looped back to the Subscriber channel. If this control is set to True, the event flows to the Subscriber channel of the driver.