The schema is generated based on the dynamic discovery of the
data source by the management agent. When you refresh the schema
for this management agent, the connected data source schema is
rediscovered, the current management agent schema is updated, and
then Management Agent Designer starts. In Management Agent
Designer, you can correct any inconsistencies introduced by the
updated schema, such as deleted object types or deleted
attributes.
Remarks
Microsoft Identity Integration Server 2003 uses the Lightweight
Directory Access Protocol (LDAP) to communicate with IBM Directory
Server. To successfully discover data, replicas of all the data
should be put on the LDAP server and should only use read-only and
read-write partitions. Microsoft Identity Integration Server 2003
cannot successfully discover data on LDAP servers that use
subreferences and/or include filtered-read-only or
filtered-read-write partitions.
You are not required to install Microsoft Identity Integration Server 2003 on the server running IBM Directory
Server.
Because IBM Directory Server can store multiple values for the
CN attribute, and the default metaverse CN attribute
is single-valued, you should avoid configuring a direct import
attribute flow of CN to CN. Instead, create a
distinguished name mapping type, and map component 1
of the distinguished name to CN. For more information about
configuring distinguished name components for import attribute
flow, see Attribute flow rules.
If you enable provisioning of objects and set the password in a
provisioning rules extension during export to an IBM Directory
Server, you should not add a NULL termination to the password. If a
NULL termination is added to the password, you cannot bind by using
the credentials of the user that you just provisioned.
You should set the properties of the IBM Directory Server to
have unlimited search ranges. If there are limits on the search
ranges, you might encounter the error "The operation failed. The
administrative limit for the request has been exceeded."
The user account used to create a management agent for IBM
Directory Server must have the following permissions on the IBM
Directory Server in order to successfully perform import and export
operations. Although you can create a management agent without
using administrator credentials, you might receive errors when
attempting to perform an import or export.
IBM Directory Server version
Operation
Credentials needed
4.1
Full Import
Administrator-level
4.1
Delta Import
Administrator-level
4.1
Export
Administrator-level
5.x
Full Import
Any user
5.x
Delta Import
Administrator-level
5.x
Export
Administrator-level
IBM Directory Server does not guarantee that the case of a
DN component will match in all instances. On a
synchronization or import from IBM Directory Server, this can
manifest itself as an unexpected update. For example, if you create
O=TEST, and then create the user cn=MikeDan, O=TEST,
this might be imported from IBM Directory Server as cn=MikeDan,
O=test. Because of the case difference, Microsoft Identity Integration Server 2003 treats this as an update on subsequent full
imports.
This management agent supports password management. For more information, see Related Topics.
