The ldap-to-scim JSON object

This object is an array of mappings from LDAP attributes to the operations that create the equivalent Verify-System for Cross-domain Identity Management (SCIM) attributes. The dn attribute is added to each entry so that the entry's distinguished name (DN) can be used if it is required.
- "new-attr"
- Provides a mapping of the LDAP Active Directory (AD) attributes into Verify-SCIM directory attributes for a new or complete-replacement object in JSON format. These attributes are added to the "scim-outline". The token {{value}} is replaced by the LDAP AD attribute value. Currently, only the first value of a multi-valued attribute is used, except for entries that are marked with "is-dn": true plus "is-multi-value": true.
- "mod-attr"
- Provides a mapping to add, remove, and replace a changed attribute from AD LDAP as the equivalent Verify-SCIM directory change. The token {{value}} is replaced by the LDAP AD attribute value. Only the first value of a multi-valued attribute is used, except for entries marked with "is-dn": true plus "is-multi-value": true.
  For IBM® Security Directory Server only, Directory Sync maintains the relationship between the LDAP entry and the Cloud Directory entry by storing the LDAP entry's DN value in the Cloud Directory's externalId attribute. The modrdn change operation is now supported by Directory Sync for externalId. This support allows the LDAP entry to move within its directory information tree (DIT) and still maintain its relationship to the Cloud Directory entry, together with any other attribute changes that result from the modrdn.
- "is-dn"
- When this attribute is set to true, the attribute is assumed to be a DN attribute. These attributes are mapped to their equivalent Verify-SCIM directory user and group IDs before they are used in the mapping. These mappings have three substitutions:
  - {{value}}, which is the Verify-SCIM directory user or group ID.
  - {{jq_value}}, which is the double-quoted, JSON-escaped version of {{value}}. For example, if {{value}} is 123"45, then {{jq_value}} is "123\"45".
  - {{type}}, which is either user or group.
- "is-multi-value"
- This attribute applies only to attributes that have "is-dn": true. When "is-multi-value" is set to true, all of the attribute's values are converted, and the destination Verify-SCIM directory attribute is assumed to be a multi-valued array as well. All other attributes are treated as single-valued: if the LDAP source attribute is multi-valued, only one of its values is used and the other values are discarded.
- "is-binary"
- When this attribute is set to true, the attribute value in LDAP is assumed to be binary and is provided as a base64-encoded string when the {{value}} token is replaced.
- "tweaks"
- This attribute is an optional block of modifications that are applied to the LDAP value before it is substituted for {{value}}. The current tweaks are:
  - "prepend": "string"
    Insert string at the start of {{value}}.
  - "append": "string"
    Append string at the end of {{value}}.
  - "to-upper": true
    If true, {{value}} is converted to uppercase.
  - "to-lower": true
    If true, {{value}} is converted to lowercase.
  - "base64-encode": true
    If true, {{value}} is base64-encoded.
  - "base64-decode": true
    If true, {{value}} is base64-decoded.
  - "remove-leading-zeros": true
    If true, any leading '0' characters are removed from {{value}}.
  - "limit-len": <number>
    Truncate {{value}} to at most <number> bytes.
Example

The following example appends the string "@cloudBridgeRealm" to the LDAP AD "sAMAccountName" value before it is put into the Verify "userName" attribute.
    "ldap-to-scim": [
        {
            "ldap": "sAMAccountName",
            "tweaks": {
                "append": "@cloudBridgeRealm"
            },
            "new-attr": {
                "scim": {"userName": "{{value}}"}
            }
        }
    ]
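The following added example (not part of the product documentation or of Directory Sync itself) shows how one "ldap-to-scim" mapping behaves for a new object: the "tweaks" are applied to the LDAP value, the first value of a multi-valued attribute is taken, an "is-binary" value is supplied base64-encoded, and {{value}} is substituted into the "new-attr" template. It does not resolve "is-dn" references, and the order in which tweaks are applied is an assumption, because the page does not state one.

```python
import base64

TWEAK_ORDER = (  # application order is an assumption; the page does not state one
    "prepend", "append", "to-upper", "to-lower", "base64-encode",
    "base64-decode", "remove-leading-zeros", "limit-len")
FLAG_TWEAKS = {  # tweaks written as "<name>": true
    "to-upper": str.upper, "to-lower": str.lower, "remove-leading-zeros": lambda v: v.lstrip("0"),
    "base64-encode": lambda v: base64.b64encode(v.encode()).decode(),
    "base64-decode": lambda v: base64.b64decode(v).decode(),
}

def apply_tweaks(value, tweaks):
    """Apply a "tweaks" block to one LDAP value before it replaces {{value}}."""
    for name in TWEAK_ORDER:
        arg = tweaks.get(name)
        if arg is None or arg is False:
            continue
        if name == "prepend":
            value = arg + value
        elif name == "append":
            value = value + arg
        elif name == "limit-len":  # at most <number> bytes; a split UTF-8 char is dropped
            value = value.encode()[: int(arg)].decode("utf-8", errors="ignore")
        else:
            value = FLAG_TWEAKS[name](value)
    return value

def fill_template(template, value):
    """Replace the {{value}} token everywhere in a new-attr or mod-attr template."""
    if isinstance(template, dict):
        return {k: fill_template(v, value) for k, v in template.items()}
    if isinstance(template, list):
        return [fill_template(v, value) for v in template]
    return template.replace("{{value}}", value) if isinstance(template, str) else template

def new_attr(mapping, entry):
    """Build the SCIM fragment one ldap-to-scim mapping contributes for a new object."""
    values = entry.get(mapping["ldap"])
    if not values:  # attribute absent from the LDAP entry: nothing to contribute
        return {}
    first = values[0]  # only the first value of a multi-valued attribute is used
    if mapping.get("is-binary"):  # binary LDAP values are supplied base64-encoded
        first = base64.b64encode(first).decode()
    return fill_template(mapping["new-attr"]["scim"], apply_tweaks(first, mapping.get("tweaks", {})))

# Constructed sample: the page's sAMAccountName mapping and a made-up AD entry.
MAPPING = {"ldap": "sAMAccountName", "tweaks": {"append": "@cloudBridgeRealm"},
           "new-attr": {"scim": {"userName": "{{value}}"}}}
ENTRY = {"sAMAccountName": ["jdoe", "jdoe-alt"], "objectGUID": [b"\x01\x02\x03"]}
```

Calling new_attr(MAPPING, ENTRY) yields {"userName": "jdoe@cloudBridgeRealm"}; the second sAMAccountName value is discarded, as the page describes for single-valued mappings.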