For this procedure, in Management Agent Designer, on the
Configure Naming Context page, you can select naming
contexts (suffixes) and object containers (or sub-suffixes) you
want to synchronize. Also, you specify credentials the management
agent uses to read from or write to those naming contexts.
To complete this procedure, you must be logged on as a member of the MIISAdmins security group.
This procedure applies to management agents for the following
Microsoft Identity Integration Server 2003 editions:
Enterprise Edition
Identity Integration Feature Pack for Active Directory
IBM Directory Server, Sun and Netscape directory servers
N\A
To specify naming context configuration
On the Naming Context Configuration page, select the
naming context that you want to include.
Click Containers, and then do any of the following:
To select containers from the naming context root, in Select
Containers, clear the check boxes to the left of the containers
that you do not want to include. You must select at least one
container. By default, all containers for the naming context are
selected and all objects within those containers can be selected
for synchronization on the Select Object Types page. If you
are going to select only a small number of objects for
synchronization, select only those containers that contain those
objects.
To filter and select specific containers where permissions or
schema configuration do not allow you to select higher-level
containers, or to exclude specific containers, click
Containers, click Advanced, and then, in Advanced
Container, do any of the following:
To add a container, in Specify additional container to
add, type the container name, click Include, and then
click Add.
To exclude a specific container when its parent container is
selected, in Specify additional container to add, type the
container name, click Exclude container, and then click
Add.
To remove a container, in Containers to synchronize,
select the check box next to a container, ant then click
Remove.
In Server Information, in Server type, verify
that the correct directory server version is detected, and then, if
you are configuring this management agent for use with a delta
import run profile, verify that Change log enabled is set to
Yes.
In Server Information, select Define Search
Ranges, and then click Configure.
In Configure Search Ranges, click Select, and
then, in Select Attributes, in Available attributes,
click an attribute, and then click Add. To remove an
attribute from the Attribute list, select an attribute, and
then click Remove.
To further configure by-value search ranges for an attribute,
in Attribute click an attribute, click Add, and then
type a search range point value.
To export (save) a search range, click Export, type a
file name, and then click Save.
To import (open) a search range, click Import, click the
advanced search range file that you want to import, and then click
Open.
Note
Search filter clauses are combined with an AND operator in the
order that you add them to the list, however, two or more search
ranges can return the same result if a search range overlaps the
same value as another search range. For example: Order 1
Value B, and Order 2 Value A, and Order
3, Value C return attributes with values beginning with B
twice.
Important
By default, this management agent uses a wildcard query =*
(that is, equal to anything) to find all objects in a selected
container. Due to Lightweight Directory Access Protocol (LDAP)
administrative limits, an error can be generated if too many
queries are performed on a single directory container namespace.
This can occur for directories with a large number of objects. To
circumvent this limit, you can use the Define Search Ranges
option to configure smaller, more manageable container namespace
searches. This option implements anti-trawling filters to define
targeted beginning and end points for a search range. For example,
to define a search range that applies search range for attribute
values that are less than A, including all values A
and less than B, including all values B and less than
C, and including all values C and nothing more than
C, you need to configure the Order and Value
for search range listed in the following table.
Order (user defined)
Value (user defined)
Filter
1
A
(&(cn <=A))
2
B
(&(!(cn >=A))(cn <=B))
3
C
(&(!(cn >=B))(cn <=C))
4
C
(&(!(cn >=C))(cn <=C))
If objects within a naming context (suffix) and parent
container are not discovered, it may be because the parent
container does not also contain an object with the
numsubordinates attribute, or the numsubordinates
attribute contains an invalid value. This can occur when a parent
container only contains sub-suffix child containers. Sub-suffix
containers are manually created and exist on a separate database
from the parent container. To work around this, only select the
most specific container that contains the sub-suffix root objects.
This will bypass those parent containers with objects with invalid
or missing numsubordinates values. You can also create an
object at the same level as a sub-suffix container (not a
sub-suffix root object) within the parent container. This forces
the management agent to detect child containers because the parent
container will have an object with a valid numsubordinates
value.
Notes
You can only select one naming context per management
agent.
If the directory server does not have change log enabled, you
cannot create a delta import run profile.
When you select containers, a blue check mark in a white box
next to a container indicates that the parent container and all of
the child containers are selected. A white check mark in a gray box
indicates that the parent container is selected and that one or
more child containers are not selected. No check mark in a grey box
indicates at least one child container is selected, but the parent
container is not selected. When you create a new management agent,
all of the check boxes next to the container objects for the
selected naming contexts are selected by default.
