Schema

A schema is essential for the sync engine and connector to work.

There is a single function you need to implement and it is called on the creation of the connector and when the administrator selects refresh schema.

Function GetSchema(configParameters) As Schema

The returned schema is a collection of schemaType objects.

Objects

The objects are returned as a schemaType to the sync engine. On the object level, you return attributes and provisioning hierarchy information.

Provisioning hierarchy

This multivalued property, PossibleDNComponentsForProvisioning, works together with ExportActionProvisioningParent. With this structure configured, the connector can automatically create a structure in a target directory. For example, if the administrator provisions an object cn=Bob,ou=Sweden,ou=Europe,o=Fabrikam to the connector space, and an OU is not in the directory, the connector can create it.

For an object, you return the possible DN-components it can support, for example ou for the organizationalUnit object type. The administrator can then create a mapping between these two in the connector UI.

Provisioning hierarchy in Generic LDAP connector

Provisioning hierarchy in Generic LDAP connector

During export, the connector receives requests to create OUs when needed. This is going to be a very bare-boned object with only a name, dn, and objectClass.

Attributes

In the returned structure, you indicate the attributes associated with an object. The primary key in the sync engine for the attribute is its name. When you return the same attribute for multiple different objects, you must return the same attribute type for all objects. This is similar to an X.500 directory schema structure, which is how the schema is stored internally in the sync engine.

An attribute can be of the following types:

  • Binary
  • Boolean
  • Integer
  • Reference
  • String

It can in addition to these types, it can be marked as multi-valued or as an anchor (anchors cannot be multi-valued). An attribute can also be marked HiddenByDefault. If this is set, then the administrator must select show all on the attributes page in the connector to see the attribute.

Anchor attributes

Anchor attributes are essential to the sync engine. You do not have to mark any attribute as an anchor attribute when you return the schema. If you do not, then the administrator is allowed to select anchor attributes at the end of the connector creation.

On the schemaType you can set the property locked. This option locks the anchor definition on the configure anchors page so it cannot be changed by the administrator. If you do not lock the definition, then the administrator can change the anchor attributes provided by GetSchema.

You can also implement a hybrid approach. In the Generic SQL Connector, the administrator is allowed to select which attributes should be part of the anchor. But the connector requires the objectType to be part of the anchor. For this reason, the administrator is asked for anchor attributes in the schema pages. The connector then adds its mandatory attribute and then on the configure anchors page, the option is locked.

Hybrid anchor approach in Generic SQL connector

Hybrid anchor approach in Generic SQL connector

Attribute operation type

An attribute can also be set with an operation type. If it is not defined, the sync engine assigns ImportExport operation type to the attribute.

  • ExportOnly
  • ImportOnly
  • ImportExport

For example, connected directory system created attributes, such as whenCreated, should be marked as ImportOnly. Another example is userPassword, which should be marked as ExportOnly; no connected directory allows you to read and import this attribute. This setting affects the UI in how attribute flows are allowed to be configured.