You can use a single LDAP object as the source in a synchronization task, a mapping task, or a mapping.
The advanced source properties are specific to LDAP. You can filter data, capture changed data from the LDAP directory server, and query LDAP entries.
Use the object class or the distinguished name to fetch metadata
When you create an LDAP data object, you can specify either the object class or the distinguished name (DN) to import metadata from an LDAP directory server. The Secure Agent searches for object classes from the specified location in the LDAP directory and imports the metadata.
You can browse the displayed object classes and select one, or type the name of an object class in the filter field to fetch the attributes for that object class. The object class inherits all the attributes of its superclasses.
You can specify the full name of the object class or use wildcards in the name filter. For example, specify organizationalUnit to fetch that object class only. A wildcard pattern such as o* matches every object class whose name begins with o, not every object class.
You can also use the DN to import the object class. The imported object class is a deduced type: the union of all the structural, auxiliary, and abstract object classes found in that directory hierarchy. When you type a DN, the search fetches the deduced object class.
For example, specify the following DN for a user entry: CN=Alpha,OU=DevTestWrite,DC=ADPQATEST,DC=COM
The top, person, organizationalPerson, and user object classes together form the deduced object class.
Using the filter expression to query LDAP entries
You can configure a filter condition in a synchronization task, mapping task, or mapping to query entries from an LDAP directory server. You can create basic or advanced data filters for LDAP source types.
When you create a basic filter, specify the object on which to create the data filter, and then enter the filter condition as a field, an operator, and a field value.
When you create an advanced filter, enter the filter expression in LDAP filter syntax. For example, the expression (&(!(maxStorage=0))(maxStorage=*)) fetches all entries that have a maxStorage value, excluding those where the value is 0. If a filter value comes from outside the task configuration, escape the characters ( ) * \ and NUL as defined in RFC 4515 before you place it in the expression; an unescaped value can change the structure of the filter instead of acting as a literal.
LDAP Connector supports the following operators:
•Equals
•Not Equals
•Less Than or Equals
•Greater Than or Equals
•AND
•OR
Note: You cannot use the OR operator in a basic filter.
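The following Python code is an added example, not LDAP Connector code, that builds an advanced filter expression from basic-filter style conditions using the operators listed above. It rebuilds the maxStorage expression from the text and shows why an assertion value must be escaped per RFC 4515: without escaping, a value such as *)(objectClass=* turns a lookup for one account into a filter that matches every object. The operator names, the presence helper, and the sample values are this example's own.

```python
import re

# RFC 4515 section 3: characters that must be escaped inside an assertion
# value. Left unescaped, a value such as *)(objectClass=* rewrites the filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Attribute descriptions: a name plus optional ;options (RFC 4512), so a
# field name taken from configuration cannot smuggle in filter syntax either.
_ATTRIBUTE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*(;[A-Za-z0-9-]+)*$")

# The basic-filter operators from the text, as LDAP filter items.
_OPERATORS = {
    "Equals": "({field}={value})",
    "Not Equals": "(!({field}={value}))",
    "Less Than or Equals": "({field}<={value})",
    "Greater Than or Equals": "({field}>={value})",
}


def escape_value(value: str) -> str:
    """Escape a literal assertion value per RFC 4515."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _check_field(field: str) -> str:
    if not _ATTRIBUTE_RE.match(field):
        raise ValueError(f"invalid attribute name: {field!r}")
    return field


def condition(field: str, operator: str, value: str) -> str:
    """One basic-filter condition as an LDAP filter item with an escaped value."""
    try:
        template = _OPERATORS[operator]
    except KeyError:
        raise ValueError(f"unsupported operator: {operator}") from None
    return template.format(field=_check_field(field), value=escape_value(value))


def present(field: str) -> str:
    """Presence test (field=*): the one place a literal * belongs."""
    return f"({_check_field(field)}=*)"


def combine(operator: str, *items: str) -> str:
    """Join filter items with AND or OR (the advanced-filter operators)."""
    symbol = {"AND": "&", "OR": "|"}[operator]
    if len(items) == 1:
        return items[0]
    return f"({symbol}{''.join(items)})"


# The page's example, rebuilt from basic conditions.
EXAMPLE = combine("AND", condition("maxStorage", "Not Equals", "0"), present("maxStorage"))

# A constructed hostile value: escaped, it can only match an account literally
# named "*)(objectClass=*"; unescaped, it would match every object.
HOSTILE = condition("sAMAccountName", "Equals", "*)(objectClass=*")

if __name__ == "__main__":
    print(EXAMPLE)
    print(HOSTILE)
```

Note that present() is the only function that emits an unescaped asterisk: a presence test is a deliberate part of the filter structure, whereas an asterisk inside a value is data and is escaped.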
Specify the search scope
You can set the search scope to one-level or subtree. The scope determines which entries under the base object the Secure Agent evaluates against the search criteria:
One-level
A one-level search evaluates only the immediate children of the base object and excludes the base object itself.
For example, consider a parent object P1 with immediate children C1, C2, and C3. A one-level search evaluates C1, C2, and C3 against the search criteria but not P1, and it does not descend into the children of C1, C2, or C3.
Subtree
A subtree search evaluates the base object and every object subordinate to it, at any depth.
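The following Python code is an added example, not LDAP Connector code, that applies the two scopes to a constructed set of DNs so the P1/C1/C2/C3 case above can be checked directly. It splits DNs on unescaped commas (RFC 4514), measures how many levels an entry sits below the base DN, and includes a grandchild and an RDN with an escaped comma to show where the two scopes differ. The DNs and the case-insensitive RDN comparison are this example's own simplifications.

```python
def split_rdns(dn: str) -> list[str]:
    """Split a DN into RDNs on unescaped commas (RFC 4514)."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf).strip())
    return rdns


def depth_below(base_dn: str, dn: str):
    """Levels dn sits below base_dn (0 = the base itself); None if outside it.
    RDNs are compared case-insensitively as whole strings, a simplification."""
    base = [r.lower() for r in split_rdns(base_dn)]
    target = [r.lower() for r in split_rdns(dn)]
    if len(target) < len(base) or target[len(target) - len(base):] != base:
        return None
    return len(target) - len(base)


def in_scope(base_dn: str, dn: str, scope: str) -> bool:
    depth = depth_below(base_dn, dn)
    if depth is None:
        return False
    if scope == "one-level":
        return depth == 1          # immediate children only, base excluded
    if scope == "subtree":
        return True                # the base and everything beneath it
    raise ValueError(f"unknown scope: {scope}")


# Constructed directory, modelled on the P1/C1/C2/C3 example in the text.
BASE = "OU=P1,DC=example,DC=com"
ENTRIES = [
    "OU=P1,DC=example,DC=com",                  # the base object itself
    "CN=C1,OU=P1,DC=example,DC=com",
    "CN=C2,OU=P1,DC=example,DC=com",
    "CN=C3,OU=P1,DC=example,DC=com",
    "CN=Smith\\, Jane,OU=P1,DC=example,DC=com",  # escaped comma inside the RDN
    "CN=G1,CN=C1,OU=P1,DC=example,DC=com",      # grandchild: subtree only
    "CN=X1,OU=P2,DC=example,DC=com",            # outside the base entirely
]


def search(scope: str, base_dn: str = BASE, entries=ENTRIES) -> list[str]:
    """Return the entries a search with the given scope would evaluate."""
    return [dn for dn in entries if in_scope(base_dn, dn, scope)]


if __name__ == "__main__":
    for scope in ("one-level", "subtree"):
        print(scope, search(scope))
```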
Capturing changed data in Active Directory
The Secure Agent can capture changed records from an LDAP source object. Change data capture (CDC) helps you identify and process only the data that changed. You configure CDC in the advanced source properties to capture changes while reading from Active Directory, either for a specified time interval or from the last extraction point.
Active Directory assigns every object an update sequence number (USN) and stores the USN of the most recent change in the object's uSNChanged attribute. The local domain controller increments the USN on every change, so you can track changes to the directory by comparing uSNChanged values. USNs are specific to the domain controller that assigned them, so a stored checkpoint is only meaningful against the same domain controller.
The Secure Agent determines the change type from the uSNCreated, uSNChanged, isDeleted, whenCreated, and whenChanged attributes of an entry. Every entry in Active Directory carries uSNCreated, uSNChanged, whenCreated, and whenChanged values. When an entry is updated, its uSNChanged value increases. When an entry is deleted, its isDeleted attribute is set to TRUE.
When you configure CDC, the Secure Agent captures the changes under the specified base DN and extracts the changed data. It stores the uSNChanged value of the last read entry in the CDC file.
Note: You can apply a filter query to capture changed data for inserted or updated records fetched from the LDAP directory server. You cannot use a filter query for deleted records, because the Secure Agent fetches only the RDN and the parent DN of a deleted record.
Configuring changed data capture from the last extraction point
To fetch changes from the last extraction point, enable CDC and set the absolute path of the file that stores the uSNChanged value of the last read changed entry. Because this file decides what the next run reads, restrict write access to it to the account that runs the Secure Agent.
By default, the Secure Agent fetches changed data based on the last read uSNChanged value:
•If the CDC file does not exist, or if it holds a uSNChanged value of 0, the Secure Agent fetches all changes in the base DN up to the latest uSNChanged value and then writes the latest uSNChanged value to the CDC file.
•If the CDC file holds a uSNChanged value greater than 0, the Secure Agent fetches the changes that occurred after that value and then writes the latest uSNChanged value to the CDC file.
Configuring changed data capture for a specified time interval
To fetch changes for a specified time interval, set the following values in the advanced source properties:
•Enable CDC and specify both the start time and the end time. The Secure Agent reads the uSNChanged value from the CDC file, fetches the changes that occurred after that value and fall within the specified interval, and then writes the latest uSNChanged value to the CDC file.
•If you provide only the start time, the Secure Agent fetches changes from the start time up to the latest change.
•If you provide only the end time, the Secure Agent fetches changes from the beginning up to the end time.
Reset change data capture
You can reset CDC to fetch changes from the beginning. The Secure Agent ignores the uSNChanged value in the CDC file, fetches all changes, and then writes the latest uSNChanged value to the CDC file.
CDC configuration scenarios in Active Directory
The following scenarios describe the behavior for each combination of time stamp and reset CDC settings when CDC is enabled:
Do not set a time stamp and disable reset CDC.
The Secure Agent captures all changes that occurred under the base DN up to the current time and writes the latest uSNChanged value to the CDC file.
On the next run, the Secure Agent reads the uSNChanged value stored in the CDC file, captures all changes from that value up to the current time, and writes the latest uSNChanged value to the CDC file.
Do not set a time stamp and enable reset CDC.
The Secure Agent captures all changes that occurred under the base DN up to the current time and writes the latest uSNChanged value to the CDC file.
On the next run, the Secure Agent ignores the uSNChanged value in the CDC file, again captures all changes under the base DN up to the current time, and writes the latest uSNChanged value to the CDC file.
Set a time stamp and disable reset CDC.
The Secure Agent captures all changes that occurred between the specified CDC start time and end time, then writes the latest uSNChanged value to the CDC file.
On the next run, the Secure Agent reads the uSNChanged value in the CDC file and captures all changes from that value up to the specified CDC end time, then writes the latest uSNChanged value to the CDC file.
Set a time stamp and enable reset CDC.
The Secure Agent captures all changes that occurred during the period between the CDC start time and end time, then writes the latest uSNChanged value to the CDC file.
On the next run, the Secure Agent ignores the uSNChanged value in the CDC file, again captures all changes during the period between the CDC start time and end time, and writes the latest uSNChanged value to the CDC file.
Reading and writing multivalued attributes
A multivalued attribute holds more than one value. When the data that you read from the LDAP directory server contains multivalued attributes, the Secure Agent reads each multivalued attribute and converts it into XML format.
For example, a group membership list with the names of everyone in the group is a multivalued attribute. If the list contains the four values test1, test2, test3, and test4, the Secure Agent converts the attribute into XML that carries all four values.
To write data with multivalued attributes to an LDAP directory server, you must provide the data in XML format.
When a multivalued attribute contains the special characters &, <, or >, you must replace them with the equivalent entity references before you pass the XML:
•& as &amp;
•< as &lt;
•> as &gt;
When reading data, the Secure Agent replaces these special characters with their equivalent entity references when it serializes the XML.
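The following Python code is an added example, not LDAP Connector code, that serializes a multivalued attribute to XML with the three entity references above and parses it back. The Values/Value element names are an assumption, since the page does not show its XML layout; the member names follow the text and the values containing & and < are constructed. It also shows the failure mode the rule prevents: XML with an unescaped & or < in a value does not parse.

```python
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

# Assumed element names; the page does not show the exact XML layout.
ROOT, ITEM = "Values", "Value"


def to_xml(values) -> str:
    """Serialize a multivalued attribute; escape() rewrites & < > as entities."""
    items = "".join(f"<{ITEM}>{escape(v)}</{ITEM}>" for v in values)
    return f"<{ROOT}>{items}</{ROOT}>"


def from_xml(text: str) -> list[str]:
    """Parse the XML back into its values; the parser decodes the entities."""
    root = ET.fromstring(text)
    if root.tag != ROOT:
        raise ValueError(f"unexpected root element {root.tag!r}")
    return [item.text or "" for item in root.findall(ITEM)]


def is_well_formed(text: str) -> bool:
    """True if the XML parses; an unescaped & or < inside a value makes it False."""
    try:
        ET.fromstring(text)
    except ET.ParseError:
        return False
    return True


MEMBERS = ["test1", "test2", "test3", "test4"]   # the page's example list
TRICKY = ["R&D", "CN=a<b,OU=x", "x > y"]         # constructed values

if __name__ == "__main__":
    print(to_xml(MEMBERS))
    print(to_xml(TRICKY))
    print(from_xml(to_xml(TRICKY)))
    print(is_well_formed("<Values><Value>R&D</Value></Values>"))
```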