Provisioning works well.
Synchronization works well.
DSEE is an LDAP server, therefore provisioning is done using normal LDAP operations.
Changes in DSEE are detected using the Retro Change Log mechanism. The Retro Change Log is presented as an LDAP subtree with the base DN cn=changelog. Each change is represented as an entry in that subtree, and it remains there for a few days.
The Identity Connector Framework (ICF) LDAP connector is recommended. The connector scans the cn=changelog subtree for new entries at regular intervals.
The connector uses a dedicated user for accessing DSEE, e.g. uid=idm,ou=Administrators,dc=example,dc=com. The connector should not use the cn=directory manager superuser. Firstly, this is a best practice (the connector only needs the rights it actually uses). Secondly, midPoint itself makes changes to the directory tree during provisioning. We do not want to detect these changes in LDAP as "echoes", as that may cause loops in the business logic. Therefore the connector filters out all changes made by this user, and this user should be dedicated to midPoint.
OpenICF Generic LDAP connector
Oracle DSEE Installation
This installation guide describes installation under GNU/Linux. The full installation guide is available at: http://download.oracle.com/docs/cd/E19656-01/821-1503/index.html.
Download Oracle DSEE from Oracle's website. You may need to log in with your Oracle SSO credentials. The ZIP file is named similarly to "ofm_odsee_linux_188.8.131.52.0_32_disk1_1of1.zip" or "
Unzip the downloaded file.
Go to the "
Unzip the "sun-dsee7.zip" file to your installation directory, e.g. "/opt". A "dsee7" directory will be created.
We will skip the control center installation and go to the directory server instance creation now. The instance data will be stored in /opt/dsee7/dsInst and the instance will listen on ports 1389 (LDAP) and 1636 (LDAPS).
Starting/Stopping DSEE Instance
Use the dsadm command to start/stop your instance:
Setting Up Directory Content
The directory server needs to be populated with data (at least the basic tree structure) and a midPoint administrative user has to be created. The user is assumed to be uid=idm,ou=Administrators,dc=example,dc=com in the following examples.
First, a new empty directory suffix (database) must be created:
You can import the base LDAP structure together with the user described above (and the corresponding ACI) by importing any *.ldif file from the samples/dsee directory, e.g.:
Enabling Retro ChangeLog
To enable external access to Changelog data, Retro Changelog must be enabled:
Restart the directory server instance:
Your Changelog data should now become visible as
More information about Changelog can be found in Oracle's DSEE7 Administration Guide.
Access Control Setup
The IDM administration account needs access right to the
Create an LDIF file with the following contents:
Connector Configuration Example
Check Retro Changelog State
Check External Changelog Availability
Set Maximum Age For Changelog Entries
where the duration is either undefined (no age limit) or a value in one of the following units:
- s for seconds
- m for minutes
- h for hours
- d for days
- w for weeks
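As an added example (not the page's own commands and not Oracle's or midPoint's code), the whole procedure above is collected into one POSIX sh script: instance creation and start/stop/restart, suffix creation and LDIF import, enabling the Retro Change Log, the ACI for the midPoint user, the two changelog checks, and the maximum-age setting. The instance path, ports, suffix and the uid=idm DN are the ones used on this page; the /opt/dsee7/bin and /opt/dsee7/dsrk/bin tool locations, the password-file handling, the sample LDIF name and the ACI wording are assumptions. The script defaults to a dry run that prints each dsadm/dsconf/ldap command instead of executing it, and it rejects a retro-cl-max-age value that is not undefined or a number with one of the unit suffixes listed above.

```shell
#!/bin/sh
# Added example for the midPoint DSEE guide; not part of the original page.
# Instance path, ports, suffix and bind DN are taken from the page. The tool
# locations under DSEE_HOME, the password file and the LDIF name are assumptions.
DSEE_HOME="${DSEE_HOME:-/opt/dsee7}"
INSTANCE="${INSTANCE:-$DSEE_HOME/dsInst}"
LDAP_PORT="${LDAP_PORT:-1389}"
LDAPS_PORT="${LDAPS_PORT:-1636}"
SUFFIX="${SUFFIX:-dc=example,dc=com}"
IDM_DN="${IDM_DN:-uid=idm,ou=Administrators,dc=example,dc=com}"
PWFILE="${PWFILE:-/opt/dsee7/dm-password.txt}"   # assumed: Directory Manager password file
DRY_RUN="${DRY_RUN:-1}"                         # 1 = print commands only

# Print (dry run) or execute one command line. eval is safe here because the
# strings are built from this script's own variables, not from untrusted input.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$1"; else eval "$1"; fi
}

# Each *_cmd function returns the exact command line, so the steps can be
# inspected and unit-tested without a DSEE installation.
create_instance_cmd() {   # dsadm prompts for the Directory Manager password
    echo "$DSEE_HOME/bin/dsadm create -p $LDAP_PORT -P $LDAPS_PORT $INSTANCE"
}
instance_cmd() {          # $1 = start | stop | restart
    echo "$DSEE_HOME/bin/dsadm $1 $INSTANCE"
}
create_suffix_cmd() {
    echo "$DSEE_HOME/bin/dsconf create-suffix -p $LDAP_PORT -w $PWFILE $SUFFIX"
}
import_cmd() {            # $1 = LDIF file with the base tree and the idm user
    echo "$DSEE_HOME/bin/dsconf import -p $LDAP_PORT -w $PWFILE $1 $SUFFIX"
}
retro_cl_enable_cmd() {   # enable the Retro Change Log (needs a restart)
    echo "$DSEE_HOME/bin/dsconf set-server-prop -p $LDAP_PORT -w $PWFILE retro-cl-enabled:on"
}
retro_cl_state_cmd() {    # "Check Retro Changelog State"
    echo "$DSEE_HOME/bin/dsconf get-server-prop -p $LDAP_PORT -w $PWFILE retro-cl-enabled"
}
changelog_search_cmd() {  # "Check External Changelog Availability", as the idm user
    echo "$DSEE_HOME/dsrk/bin/ldapsearch -p $LDAP_PORT -D \"$IDM_DN\" -j $PWFILE -b cn=changelog -s base \"(objectclass=*)\""
}

# Extract the value from a "name : value" line as printed by dsconf get-server-prop.
prop_value() {            # $1 = property name, stdin = dsconf output
    awk -F':' -v p="$1" '$1 ~ p { gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2 }'
}

# A duration is "undefined" or digits followed by s, m, h, d or w.
valid_duration() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]+[smhdw]|undefined)$'
}
retro_cl_max_age_cmd() {  # "Set Maximum Age For Changelog Entries"
    valid_duration "$1" || { echo "invalid duration: $1" >&2; return 1; }
    echo "$DSEE_HOME/bin/dsconf set-server-prop -p $LDAP_PORT -w $PWFILE retro-cl-max-age:$1"
}

# LDIF granting the midPoint user read access to the changelog subtree
# (ACI wording is an assumption; adjust to local policy).
aci_ldif() {
    cat <<EOF
dn: cn=changelog
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "midPoint changelog read"; allow (read,search,compare) userdn="ldap:///$IDM_DN";)
EOF
}
apply_aci() {
    if [ "$DRY_RUN" = 1 ]; then aci_ldif; else
        aci_ldif | "$DSEE_HOME/dsrk/bin/ldapmodify" -p "$LDAP_PORT" -D "cn=directory manager" -j "$PWFILE"
    fi
}

setup_all() {
    run "$(create_instance_cmd)"
    run "$(instance_cmd start)"
    run "$(create_suffix_cmd)"
    run "$(import_cmd samples/dsee/example.ldif)"   # LDIF name is assumed
    run "$(retro_cl_enable_cmd)"
    run "$(instance_cmd restart)"                  # changelog appears after restart
    apply_aci
    run "$(retro_cl_state_cmd)"
    run "$(changelog_search_cmd)"
    run "$(retro_cl_max_age_cmd "${MAX_AGE:-3d}")"
}

setup_all
```

Run it once as-is to review the printed command lines, then set DRY_RUN=0 to execute them; the order matters because the changelog subtree and its ACI only exist once retro-cl-enabled is on and the instance has been restarted.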