Netegrity SiteMinder 6.0 is now supported. Proper configuration of the PolicyServer and WebAgent for SiteMinder is necessary for the adapter to function correctly. (ID-6478)
The Active Directory resource adapter now provides a Home Directory Rights resource attribute that controls permission inheritance and the level of permission for the home directory. The default value is 0. The supported values are:
0: Permissions will not be inherited and the user's permission will be FULL control.
1: Permissions will be inherited and the user's permission will be FULL control.
2: Permissions will not be inherited and the user's permission will be MODIFY control.
3: Permissions will be inherited and the user's permission will be MODIFY control.
MODIFY control consists of the rights: FILE_GENERIC_WRITE, FILE_GENERIC_READ, FILE_EXECUTE and DELETE. (ID-12881, 19706)
The database table resource adapter can now process a database column that is mapped to the accountId attribute and has a data type of integer. (ID-13362)
The LDAP resource adapter now synchronizes entries only under the predefined base contexts. (ID-15389)
Added the "Respect resource password policy change-after-reset" resource parameter to the LDAP resource adapter. When this option is enabled, and this resource is specified in a Login Module, and the resource's password policy is configured for change-after-reset, a user whose resource account password has been administratively reset will be required to change that password after successfully authenticating. (ID-16255)
In this release, this behavior is available only for those LDAP servers that return the "Netscape Password Expired" (unsolicited) response control (OID 2.16.840.1.113730.3.4.4) with the response to a successful bind operation. The combination of the successful bind attempt and the control is interpreted to mean the user's password has been administratively reset and must be changed. An LDAP server implementing the password policy change-after-reset feature will allow a user with a reset password that has successfully authenticated only to change the password; any other operation is rejected.
Furthermore, because Identity Manager performs all LDAP resource operations other than pass-through-authentication using an LDAP resource administrator account, certain LDAP servers will consider any user's password modification attempt as an administrative reset and never clear that status from the user's account. Such LDAP servers include:
Sun Java Systems Directory Server 5.x configured to use rootDN (typically cn=directory manager) as the resource adapter connection account
Sun Java Systems Directory Server 5.2 with passwordNonRootMayResetUserpwd:on.
Sun Java Systems Directory Server 6.0 and later (including OpenDS)
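The check described above (a successful bind together with the "Netscape Password Expired" control), shown as an added example that is not Identity Manager code. It decodes a raw LDAP v3 BindResponse; the function names and the sample messages are constructed for illustration.

```python
PWD_EXPIRED_OID = "2.16.840.1.113730.3.4.4"  # OID quoted in the release note

def read_tlv(buf, pos):
    """Decode one definite-length BER element; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n octets hold the length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def must_change_after_reset(message):
    """True only when a BindResponse has resultCode success AND carries the control."""
    tag, body, _ = read_tlv(message, 0)
    parts = children(body) if tag == 0x30 else []
    if len(parts) < 2 or parts[1][0] != 0x61:   # 0x61 = [APPLICATION 1] BindResponse
        return False
    bind = children(parts[1][1])
    if not bind or bind[0][0] != 0x0A or int.from_bytes(bind[0][1], "big") != 0:
        return False                             # missing resultCode or bind failed
    for tag, controls in parts[2:]:
        if tag == 0xA0:                          # 0xA0 = [0] Controls
            for _, control in children(controls):
                fields = children(control)       # controlType is the first field
                if fields and fields[0][1] == PWD_EXPIRED_OID.encode("ascii"):
                    return True
    return False

def tlv(tag, value):
    return bytes([tag, len(value)]) + value      # short-form length, enough for samples

def sample_bind_response(result_code, with_control):
    """Constructed test message, not a capture from a real directory server."""
    msg = tlv(0x02, b"\x01")                     # messageID 1
    msg += tlv(0x61, tlv(0x0A, bytes([result_code])) + tlv(0x04, b"") + tlv(0x04, b""))
    if with_control:                             # controlValue "0" is a constructed value
        control = tlv(0x04, PWD_EXPIRED_OID.encode("ascii")) + tlv(0x04, b"0")
        msg += tlv(0xA0, tlv(0x30, control))
    return tlv(0x30, msg)
```

A failed bind (for example resultCode 49) that carries the same control is deliberately not treated as a reset, matching the rule that only the combination of success and control counts.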
The Domino resource adapter now supports the group provisioning ObjectType, implementing the ObjectFeatures create, delete, list, rename, saveas and update. (ID-16422)
The SecurId resource adapter supports account renames. (ID-16517)
The SAP resource adapter has been updated to handle CUA in a more robust manner. With the new forms and code changes, Identity Manager users can change CUA child systems as well as roles and profiles for those child systems on a SAP user basis. (ID-16819)
The characteristics of the profiles and activityGroups account attributes have changed. Both of these attributes now have a data type of complex. The profiles attribute now maps to the PROFILES resource user attribute, while the activityGroups attribute now maps to the ACTIVITYGROUPS resource user attribute.
Load the $WSHOME/web/sample/updateSAPforCUA.xml file to update these changes on your SAP resource adapters. New SAP resources contain these attributes, unless you create the resource by copying an existing resource that has not been updated.
Identity Manager now detects and traps Domino denial-of-service errors. (ID-16911)
The WRQ Attachmate 3270 Mainframe Adapter for Sun is supported. Refer to the Resource Reference for details on setting up this product. (ID-17031)
Linux resources support using sudo to manage the /usr/bin/chage command. (ID-17119)
Added support for Lotus Notes/Domino 8.0. (ID-17213)
The Scripted Gateway adapter now supports password synchronization. (ID-17813)
The Oracle ERP resource adapter now allows EMPLOYEE_NUMBER to contain both alphabetic and numeric characters. (ID-18239)
The OS400 resource adapter now supports special characters in passwords. (ID-18412)
Added the RACF Case Insensitive Excluded Resource Accounts and RACF_LDAP Case Insensitive Excluded Resource Accounts sample exclusion rules. These are defined in the sample/wfresource.xml file.
The MySQL resource adapter has been updated to inherit from the JdbcResourceAdapter. Existing MySQL resource attributes will be updated automatically. (ID-18835)
The Windows NT resource adapter is supported again. It is no longer deprecated. (ID-19170)
The LDAP resource adapter has a new Use Paged Result Control configuration parameter. When you enable this parameter, which is disabled by default, Identity Manager uses Paged Result Control instead of VLV Control for the Account Iterator in Reconciliation. Using the Use Paged Result Control configuration parameter improves performance as long as your LDAP resource adapter supports simple paging control. (ID-19231)
Added the Objecttypes to read from SAP HR resource parameter to the SAP HR adapter to allow processing of the organization IDOCs from SAP HR. This is a multi-valued attribute which currently supports the values of "P", "CP", "S", "C" and "O". (ID-19286)
The OracleERP resource adapter now supports an option that suppresses Identity Manager's ability to prepend the administrator user's schema identifier (such as APPS) to the names of Oracle EBS administrative tables (such as FND_USER, FND_VIEWS, and so forth). This option is provided through a new resource attribute with the Do Not Use Schema Identifier display name, and the default value is FALSE. If you change this value to TRUE, the adapter can no longer prepend the schema identifier to administrative table names. (ID-19352)
The Active Directory adapter now supports the inetOrgPerson object class and other object classes derived from the user object class. (ID-19399)
Added the Maintain LDAP Group Membership parameter to the LDAP adapter to control whether Identity Manager or the LDAP resource is responsible for maintaining LDAP group membership when a user is renamed or deleted. (ID-19463)
Added the resource parameter ERROR_CODE_LIMIT to the Shell Script resource adapter. This parameter allows you to determine which return code is an error. (ID-19858)
The SecurId adapters now support the following features: (ID-18665, 18671, 18672, 18673, 18676, 18677, 19726)
Edit the user's first name, last name, and default shell.
Fetch all valid ACE groups from the ACE server.
Search on an ACE group and return all users in that group.
Fetch a list of all defined ACE agents from the ACE Server.
Show all the groups that are activated on an ACE agent.
Fetch all the Administrators and their Admin Level.
The gateway now supports the AES cipher in 128-bit, 192-bit and 256-bit keys for communication with the Identity Manager server. (ID-19738)