IDM 7.2.1

Schema and supported operations

Different connectors support different subsets of the overall set of operations provided by OpenICF. When your connector is ready to use, you can use the ConnectorFacade to determine which operations your connector supports.

The quickest way to check whether an operation is supported is to determine whether that specific operation is part of the set of supported operations. The following sample test checks if the CreateApiOp is supported:

Set<Class< ? extends APIOperation>> ops = conn.getSupportedOperations();
return ops.contains(CreateApiOp.class);

Note that a connector might support a particular operation, only for specific object classes. For example, the connector might let you create a user, but not a group.

To be able to determine the list of supported operations for each object class, you need to check the schema. To determine whether the connector supports an operation for a specific object class, check the object class on which you plan to perform the operation, as shown in the following example.

Schema schema = conn.schema();
Set<ObjectClassInfo> objectClasses = schema.getObjectClassInfo();
Set<ObjectClassInfo> ocinfos = schema
        .getSupportedObjectClassesByOperation(CreateApiOp.class);

for(ObjectClassInfo oci : objectClasses) {
    // Check that the operation is supported for your object class.
    if (ocinfos.contains(ocinfo)) {
        // object class is supported
    }
}

In addition to determining the supported operations for an object class, your application can check which attributes are required and which attributes are allowed for a particular object class. The ObjectClassInfo class contains this information as a set of AttributeInfo objects.

The following example shows how to retrieve the attributes for an object class.

Schema schema = conn.schema();
Set<ObjectClassInfo> objectClasses = schema.getObjectClassInfo();
for(ObjectClassInfo oci : objectClasses) {
    Set<AttributeInfo> attributeInfos = oci.getAttributeInfo();
    String type = oci.getType();
    if(ObjectClass.ACCOUNT_NAME.equals(type)) {
        for(AttributeInfo info : attributeInfos) {
            System.out.println(info.toString());
        }
    }
}

Using the schema object, you can obtain the following information:

  • Object classes and their attributes

  • Operation options per operation

The following example shows how to retrieve the schema as a list of ObjectClass objects, from the ObjectClassInfo class.

ObjectClass objectClass = new ObjectClass(objectClassInfo.getType());

Operation options

Operation options provide an extension point to an operation, letting you request additional information from the application, for each operation. The connector framework includes a number of predefined operation options for the most common use cases. For example, the option OP_ATTRIBUTES_TO_GET enables you to specify a list of attributes that should be returned by an operation. When you write a connector, you must define the operation options that your connector supports in the schema, so that the application knows which operation options are supported.

For a list of the predefined operation options, refer to the corresponding Javadoc.

ICF special attributes

ICF includes a number of special attributes, that all begin and end with __ (for example __NAME__, and __UID__). These special attributes are essentially functional aliases for specific attributes or object types. The purpose of the special attributes is to enable a connector developer to create a contract regarding how a property can be referenced, regardless of the application that is using the connector. In this way, the connector can map specific object information between an arbitrary application and the resource, without knowing how that information is referenced in the application.

The special attributes are used extensively in the generic LDAP connector, which can be used with ForgeRock Directory Services (DS), Active Directory, OpenLDAP, and other LDAP directories. Each of these directories might use a different attribute name to represent the same type of information. For example, Active Directory uses unicodePassword and DS uses userPassword to represent the same thing, a user’s password. The LDAP connector uses the special OpenICF __PASSWORD__ attribute to abstract that difference.

For a list of the special attributes, refer to the corresponding Javadoc.

Copyright © 2010-2022 ForgeRock, all rights reserved.