Resource test button does not test all fields. (ID-51)
The error message when a resource account password or username is not correct on a PeopleSoft resource is not clear (ID-2235). The error message states:
bea.jolt.ApplicationException: TPESVCFAIL - application level service failure
Windows Active Directory resource actions that use the %DISPLAY_INFO_CODE% exit status cause the action to fail with errors (ID-2827).
Setting a user’s primary group ID on Active Directory cannot be done when creating the user (ID-3221).
Workaround: Create the user without setting the primary group ID, then edit the user and set the value. The primary group ID is also set by number and not by the distinguished name (DN) of the group.
Resource IP addresses are cached in the JVM after the hostname is resolved to an IP address. If a resource IP address is changed, the application server must be restarted for Identity Manager to detect the change (ID-3635). This is a setting in the Sun JDK (version 1.3 and higher) and can be controlled with the sun.net.inetaddr.ttl property, which is typically set in jre/lib/security/java.security.
You cannot create multiple accounts for a single user on Oracle resources (ID-3832).
If a user is moved from or to a sub-container within the Active Directory organization, the Active Sync adapter will detect the change, but when you view the user on the edit page (or make a change and view the confirmation page), the user’s accountId is still displayed as the original DN (distinguished name) (ID-4950). Because we use GUID to modify the user, this will not cause any operational problems. Running a reconcile against the resource will fix the problem.
If a user is moved from an Organization (OU) to a sub-organization, the LDAP ChangeLog adapter will not recognize the change and assumes the user has been deleted. The user object is then locked in Identity Manager (if that is the current setting), and a new account is not created for the moved account (ID-4953).
The pooled connections used by the UNIX resource adapters can be left in an undetermined state if an error occurs while executing a command or script (ID-5406).
On NDS, if you edit a field (such as Grace Login Limit) on the initial provision and do not provide values for the Boolean fields, all the Boolean fields are set to false (ID-6770). This prevents you from setting the other fields on the restriction tab which require certain check box values to be true. To avoid this, always ensure all your Boolean fields are true when you expect them to be, so they are properly pushed when editing other fields.
When updating users by selecting update from an Identity Manager organization, users with a Sun One ID Server account will get an error if those users were created natively and loaded into Identity Manager (ID-7094). The workaround is to update those users individually.
Identity Manager still contains the following deprecated classes:
com.waveset.object.IAPI
com.waveset.object.IAPIProcess
com.waveset.object.IAPIUser
Custom adapter classes should no longer refer to these classes, and should instead refer to the corresponding classes in package com.waveset.adapter.iapi. (ID-8246)
If you leave the New Resource Object wizard without clicking the Save or Cancel button, the abandoned form may not be destroyed and may interfere with the creation of subsequent new resource objects. (ID-11033) This leads to an error that says:
No resource form id found in options or view.
Workaround: Always use the Cancel button to abandon the New Resource Object wizard.
If you edit a user while you are also running Active Sync as a different administrator, an Active Sync exception occurs. Because the user is locked by another administrator, Active Sync cannot retry the process. (ID-11255)
Workaround: To enable Active Sync retry for a resource, update the resource XML to include these two additional resource attributes, in the following format:
<ResourceAttribute name='syncRetryCountLimit' type='string' multi='false' facets='activesync' value='180'/>
<ResourceAttribute name='syncRetryInterval' type='string' multi='false' facets='activesync' value='10000'/>
Where:
syncRetryCountLimit is the number of times to retry the update.
syncRetryInterval is the number of milliseconds to wait between retries.
Subsequently, these values will appear as custom resource settings when you configure Active Sync. Specifying a displayName is advisable; use a custom catalog key if localization is necessary.
If a password for a user on all systems that are part of the CUA landscape is not in sync, changing the password might fail on child systems that are out-of-sync. This will occur only when the administrator sets a productive, not expired, password for the user, or the user changes the password himself. Under all other circumstances, the password change will succeed even if the systems are out-of-sync. (ID-13396)
Workaround: First, set an expired password and then, through a second change, set the productive password for the user.
There are two known issues with the Remedy Integration template editor. (ID-14729)
The default Remedy Schema value "HPD:HelpDesk" is not appropriate for later versions of BMC Remedy. Later versions do contain a schema "HPE:Help Desk".
The Choices column is not displayed for some fields. This does not affect the ability to use Remedy templates.
A regression causes Identity Manager password synchronization to fail when used with Sun Java System Directory Server Enterprise Edition 6.0, 6.1, and 6.2. The failure will be corrected in the Directory Server 6.3 release. If versions 6.0, 6.1, or 6.2 are required to work with Identity Manager, please request a Directory Server hotfix from Support, referencing Directory Server bug 6604342. (ID-14895)
When you expand the resource objects of a Sun Java System Access Manager 7.0 resource from the Resources tab, you might see the following error: (ID-15525)
Error listing objects. ==> com.waveset.util.WavesetException: Error trying to get attribute value for attribute 'guid'. ==> java.lang.IllegalAccessError: tried to access method com.sun.identity.idm.AMIdentity.getUniversalId()Ljava/lang/String; from class com.waveset.adapter.SunAccessManagerRealmResourceAdapter
This error occurs on Access Manager 7.0 resources that have not had any patches applied. To fix this problem, you must apply at least Patch 1 of Access Manager, and then rebuild and redeploy the Access Manager client SDK.
NDS/Groupwise users created by Identity Manager that possess the Access and AccountID fields can appear to not have their corresponding values saved when inspected by certain viewers within the NDS Console 1 application (for example, by selecting user’s properties and then selecting the Groupwise tab). (ID-16330)
However, if the user’s Groupwise Diagnostic -> Display Object "viewer" is used instead, the fields are then seen. Updates made by Identity Manager to the aforementioned fields do not seem to be affected by this "viewer" bug.
WRQ looks through the classpath to discover its own entry. From that entry, WRQ computes the directory where the JAR is stored, and then uses that directory to read the .JAW (licensing file). However, both BEA and WebSphere use non-standard protocol names (BEA uses zip, and WebSphere uses wsjar) rather than the standard JAR, which is the protocol the WRQ code assumes exists. (ID-16709, 17319)
Workarounds:
For BEA, add the following option to the java command in the startWeblogic.sh file:
-Dcom.wrq.profile.dir="DirectoryContainingLibraries"
For WebSphere, add the com.wrq.profile.dir=DirectoryContainingLibraries property to the WebSphere/AppServer/configuration/config.ini file.
Before creating a new resource, be sure to enable the resource type in the list of configured types. Otherwise, the newly created resource object may not have all the required fields. (ID-17324)
The default value for the Make Directory resource attribute is inconsistent among the different UNIX OS resource adapters. For AIX, user creates always result in the home directory being created, and consequently this value is not present. For the Linux adapters, this value is set to “true” by default. For Solaris and HP-UX adapters, the default is set to “false”. (ID-18301)
If an external resource assignment is pending provisioning, and you rename the user to whom that work item was escalated, the provisioning task will finish without escalating to the renamed user. (ID-19897)
When pass-through authentication is configured between Identity Manager and OpenSSO server (Sun Access Manager Realm Resource adapter), authentication may fail if you use the '%' character in passwords. For more information on this issue, see https://opensso.dev.java.net/issues/show_bug.cgi?id=4122. (ID-20011)
The Domino gateway resource object create and update forms do not recognize non-default group category values (that is, values other than “Administration” and “None”). The Domino gateway resource object update form will display an error when editing a group that uses non-default category values. (ID-20212)
The Active Directory connector does not display localized messages if the browser language is set to a value without cntry, such as ja. (ID-20255)
Workaround: Select a language with a cntry value, such as ja-JP, on the browser, or specify cntry=JP as a URL parameter when you log into Identity Manager. For example:
http://host:port/idm/login.jsp?lang=ja&cntry=JP
If you are migrating an Active Directory adapter-based resource to an Active Directory connector-based resource, you must edit any associated resource actions to include the execMode attribute. Valid values for this attribute are connector and resource, but for Active Directory, if you are using the SHELL action type, resource is the only valid value. (ID-20534)
For example, where previous implementations of a resource action would have this line:
<ResTypeAction restype='Windows Active Directory' actionType='SHELL'>
you must add the following line if you are using the Active Directory connector:
<ResTypeAction restype='Windows Active Directory' actionType='SHELL' execMode='resource'>
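One way to check exported resource actions against the execMode requirement above before switching to the connector (an added example, not Identity Manager code; the Waveset and ResourceAction wrapper elements, the action names, and the non-AD restype in the sample are constructed assumptions):

```python
import xml.etree.ElementTree as ET

AD_RESTYPE = "Windows Active Directory"
VALID_EXEC_MODES = {"connector", "resource"}  # values listed in the release note
# Constructed sample export: wrapper elements, names and <act> bodies are assumptions.
SAMPLE = """<Waveset>
  <ResourceAction name='after-create'>
    <ResTypeAction restype='Windows Active Directory' actionType='SHELL'>
      <act>echo created</act>
    </ResTypeAction>
  </ResourceAction>
  <ResourceAction name='after-update'>
    <ResTypeAction restype='Windows Active Directory' actionType='SHELL' execMode='connector'>
      <act>echo updated</act>
    </ResTypeAction>
  </ResourceAction>
  <ResourceAction name='other'><ResTypeAction restype='Example Other Resource' actionType='SHELL'/></ResourceAction>
</Waveset>"""

def check_action(elem):
    """Return a problem description for one ResTypeAction, or None if it is fine."""
    if elem.get("restype") != AD_RESTYPE:
        return None  # the execMode requirement here applies to AD actions only
    mode = elem.get("execMode")
    if mode is None:
        return "missing execMode"
    if mode not in VALID_EXEC_MODES:
        return "invalid execMode"
    if elem.get("actionType") == "SHELL" and mode != "resource":
        return "SHELL requires execMode='resource'"
    return None

def audit(xml_text):
    """List (action name, problem) pairs for every non-compliant AD action."""
    findings = []
    for parent in ET.fromstring(xml_text).iter():
        for action in parent.findall("ResTypeAction"):
            problem = check_action(action)
            if problem:
                findings.append((parent.get("name"), problem))
    return findings

def migrate(xml_text):
    """Set execMode='resource' on AD SHELL actions; other action types are left for review."""
    root = ET.fromstring(xml_text)
    for action in root.iter("ResTypeAction"):
        if action.get("restype") == AD_RESTYPE and action.get("actionType") == "SHELL":
            action.set("execMode", "resource")
    return ET.tostring(root, encoding="unicode")
```

Run audit on the export first and review the findings; migrate only rewrites the SHELL case, for which the note names resource as the only valid value.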