Using the Management Agent for IBM Directory Server

With the management agent for IBM Directory Server, you can synchronize with an IBM Directory Server.

Connected data source support

  • IBM Directory Server 6.0 or 6.2

Management agent type

This is a call-based management agent.

Schema

The schema is generated based on the dynamic discovery of the data source by the management agent. When you refresh the schema for this management agent, the connected data source schema is rediscovered, the current management agent schema is updated, and then Management Agent Designer starts. In Management Agent Designer, you can correct any inconsistencies introduced by the updated schema, such as deleted object types or deleted attributes.

Remarks

  • FIM uses the Lightweight Directory Access Protocol (LDAP) to communicate with IBM Directory Server. To successfully discover data, replicas of all the data should be put on the LDAP server and should only use read-only and read-write partitions. FIM cannot successfully discover data on LDAP servers that use subreferences and/or include filtered-read-only or filtered-read-write partitions.

  • You are not required to install FIM on the server running IBM Directory Server.

  • Because IBM Directory Server can store multiple values for the CN attribute, and the default metaverse CN attribute is single-valued, you should avoid configuring a direct import attribute flow of CN to CN. Instead, create a distinguished name mapping type, and map component 1 of the distinguished name to CN. For more information about configuring distinguished name components for import attribute flow, see Attribute Flow Rules.

  • If you enable provisioning of objects and set the password in a provisioning rules extension during export to an IBM Directory Server, you should not add a NULL termination to the password. If a NULL termination is added to the password, you cannot bind by using the credentials of the user that you just provisioned.

  • You should set the properties of the IBM Directory Server to have unlimited search ranges. If there are limits on the search ranges, you might encounter the error "The operation failed. The administrative limit for the request has been exceeded."

  • The user account used to create a management agent for IBM Directory Server must have permissions on the IBM Directory Server in order to successfully perform import and export operations.

  • IBM Directory Server does not guarantee that the case of a DN component will match in all instances. On a synchronization or import from IBM Directory Server, this can manifest itself as an unexpected update. For example, if you create O=TEST, and then create the user cn=MikeDan, O=TEST, this might be imported from IBM Directory Server as cn=MikeDan, O=test. Because of the case difference, FIM treats this as an update on subsequent full imports.

  • This management agent supports password management. For more information, see the password management topics listed under See Also.
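
The DN case remark above can be checked mechanically when an unexpected update shows up after a full import. The following is an added example, not part of the original documentation or of FIM: it compares two DNs component by component and ignores case. The function names are hypothetical, and it assumes the naming attributes use case-insensitive matching and that values use backslash escapes rather than quoted strings.

```python
import re

def split_unescaped(text, sep):
    """Split on sep, leaving backslash-escaped separators inside the value."""
    parts, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])      # keep the escape pair intact
            i += 2
            continue
        if ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts

def normalize_dn(dn):
    """Tuple of RDNs; each RDN is a sorted tuple of casefolded (type, value)."""
    rdns = []
    for rdn in split_unescaped(dn, ","):
        avas = []
        for ava in split_unescaped(rdn, "+"):   # multi-valued RDN
            attr, sep, value = ava.partition("=")
            if not sep:
                raise ValueError(f"malformed RDN component: {ava!r}")
            value = re.sub(r"\s+", " ", value.strip())
            avas.append((attr.strip().casefold(), value.casefold()))
        rdns.append(tuple(sorted(avas)))
    return tuple(rdns)

def classify_dn_change(old_dn, new_dn):
    """'identical', 'equivalent' (case, spacing or AVA order only), or 'real-change'."""
    if old_dn == new_dn:
        return "identical"
    if normalize_dn(old_dn) == normalize_dn(new_dn):
        return "equivalent"
    return "real-change"

if __name__ == "__main__":
    # DNs taken from the example in the remark above
    print(classify_dn_change("cn=MikeDan, O=TEST", "cn=MikeDan, O=test"))
```

A result of `equivalent` indicates the pending update is the case difference described above rather than a change to the object's location or name.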

See Also

Concepts

Configuring Management Agents
Create a Management Agent
Connect to an IBM Directory Server
Configure Containers
Select Object Types
Select Attributes
Configure Connector Filter Rules
Configure Join and Projection Rules
Configure Attribute Flow Rules
Configure Deprovisioning Rules
Configure Password Management and Specify Rules Extensions
Password management