The ldap-to-scim JSON object

This object is an array of mappings from LDAP attributes to the operations that create the equivalent IBM Security Verify System for Cross-domain Identity Management (SCIM) attributes.

Note: The IcbLdapSync.exe command adds a dn attribute to each entry so that the entry’s distinguished name (DN) can be used if it is required.
Each entry in the array contains the following attributes:
“new-attr”
Maps LDAP (Active Directory) attributes to Verify SCIM directory attributes for a new object or a complete replacement object, in JSON format. These attributes are added to the “scim-outline”. The token {{value}} is replaced by the LDAP attribute value. Currently, only the first value of a multi-valued attribute is used, except for entries that are marked with both “is-dn”: true and “is-multi-value”: true.
“mod-attr”
Maps a changed LDAP attribute (an add, remove, or replace from AD) to the equivalent Verify SCIM directory change. The token {{value}} is replaced by the LDAP attribute value. Only the first value of a multi-valued attribute is used, except for entries marked with both “is-dn”: true and “is-multi-value”: true.

For IBM® Security Directory Server only, Directory Sync maintains the relationship between an LDAP entry and its Cloud Directory entry by storing the LDAP entry's DN in the Cloud Directory entry's externalId attribute. Directory Sync also supports the modrdn change operation for externalId: the LDAP entry can move within its directory information tree (DIT) and still keep its relationship to the Cloud Directory entry, together with any other attribute changes that result from the modrdn.

“is-dn”
When this attribute is set to true, the LDAP attribute is assumed to hold a DN. The DN values are mapped to the equivalent Verify SCIM directory user or group IDs before they are used in the mapping. These mappings have three substitutions:
  • {{value}}, which is the Verify SCIM directory user or group ID.
  • {{jq_value}}, which is {{value}} as a double-quoted JSON string, with quotes and backslashes escaped. For example, if {{value}} is 123"45, then {{jq_value}} is "123\"45".
  • {{type}}, which is either user or group.
“is-multi-value”
This attribute applies only to entries that have “is-dn”: true. When “is-multi-value” is set to true, all of the attribute's values are converted, and the destination Verify SCIM directory attribute is assumed to be a multi-valued array as well. All other attributes are treated as single-valued: if the LDAP source attribute is multi-valued, only its first value is used and the remaining values are discarded.
“is-binary”
When this attribute is set to true, the attribute value in LDAP is assumed to be binary and is provided as a base64-encoded string when the {{value}} token is replaced.
“tweaks”
This attribute is an optional block of modifications that are applied to the LDAP value before it is substituted for {{value}}. The current tweaks are:
  • “prepend”: “string” Inserts string at the start of {{value}}.
  • “append”: “string” Appends string at the end of {{value}}.
  • “to-upper”: true If true, {{value}} is converted to uppercase.
  • “to-lower”: true If true, {{value}} is converted to lowercase.
  • “base64-encode”: true If true, {{value}} is base64-encoded.
  • “base64-decode”: true If true, {{value}} is base64-decoded.
  • “remove-leading-zeros”: true If true, any leading ‘0’ characters are removed from {{value}}.
  • “limit-len”: <number> Truncates {{value}} to at most <number> bytes.

Example

The following example appends the string “@cloudBridgeRealm” to the LDAP AD “sAMAccountName” value before it is put into the Verify “userName” attribute.

"ldap-to-scim":[
    {
        "ldap":"sAMAccountName",
        "tweaks":{
            "append":"@cloudBridgeRealm"
        },
        "new-attr":{
            "scim":{"userName":"{{value}}"}
        }
    }
]