Sun Identity Manager 8.1 Resources Reference

Usage Notes

This section lists dependencies and limitations related to using the Active Directory resource adapter, including:

Checking Password History

To check the password history for an Active Directory account when an end user changes his or her password, the user must provide the AD password. This functionality is enabled on an AD resource by setting the User Provides Password On Change resource attribute to 1 and adding the WS_USER_PASSWORD attribute to the account attributes with type encrypted. WS_USER_PASSWORD must be added both as an Identity Manager User Attribute and as a Resource User Attribute.

The sources.ResourceName.hosts property in the file can be used to control which host or hosts in a cluster will be used to execute the synchronization portion of a resource adapter using Active Sync. ResourceName must be replaced with the name of the Resource object.

Supporting Microsoft Exchange Server 2000 and 2003

To support Microsoft Exchange Server 2000 and 2003, the following account attributes must be enabled:

The following account attributes are displayed in the schema map by default and are also used for managing Exchange accounts:

If your Active Directory resource is not being used to manage Exchange Server attributes, then you must remove these attributes from the schema map for these adapters to successfully provision Active Directory accounts with Identity Manager.

Managing a mixed Microsoft Exchange environment with Exchange Server 2000/2003 and 2007 installed is possible. If this Active Directory resource is not used to manage a mixed environment and only Exchange Server 2007 is present, then follow the directions above and remove the Exchange attributes from the schema.

The Active Directory adapter can be modified to support printer, computer, or other Active Directory objects. The following example illustrates how to modify the XML code in the appropriate Java class to support printer objects.

<ObjectType name='Printer' icon='group'>
   <ObjectClasses operator='AND'>
      <ObjectClass name='printQueue'/>
   </ObjectClasses>
   <ObjectFeatures>
      <ObjectFeature name='create'/>
      <ObjectFeature name='update'/>
      <ObjectFeature name='delete'/>
   </ObjectFeatures>
   <ObjectAttributes idAttr='distinguishedName' displayNameAttr='cn'>
      <ObjectAttribute name='cn' type='string'/>
      <ObjectAttribute name='description' type='string'/>
      <ObjectAttribute name='managedby' type='string'/>
      <ObjectAttribute name='distinguishedName' type='string'/>
   </ObjectAttributes>
</ObjectType>

In addition, you must create at least one new form to support printer objects.

The Windows Active Directory resource can manage Exchange 2000 contacts by changing the object class to contact and removing the password, accountId, and expirePassword resource attributes.

Supporting Exchange 2007

Microsoft Exchange Server 2007 is only supported on Windows Server 2003 R2 or Windows Server 2003 Service Pack 1 or newer.

The Active Directory adapter does not manage Exchange 2007 email accounts by default. To enable support for these accounts:

Attribute name (type) and description:

RecipientType (String) 

The user type on the resource. It is required during creation of the account on an Exchange 2007-enabled resource. Allowed values are: 

- User (Active Directory only user) 

- UserMailbox (Active Directory and Exchange user with local mail storage) 

- MailUser (Active Directory and Exchange user without local mail storage) 

This attribute is read-only during later actions, except when changing from an Active Directory-only user (RecipientType equals User) to an Exchange user type (RecipientType UserMailbox or MailUser). You cannot change the RecipientType back to User, nor between MailUser and UserMailbox in either direction.

Database (String) 

The database in which the user's mailbox is stored. This value must be of the form Server\StorageGroup\MailboxDatabase. This attribute must have a value when the RecipientType is set to UserMailbox. The attribute is ignored for other values of RecipientType.

ExternalEmailAddress (String) 

An e-mail address outside of the Exchange organization. This attribute must be set to a unique value in the Exchange organization for the RecipientType MailUser. The attribute is ignored for other values of RecipientType. 
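As an added example (not adapter code from this page or from Identity Manager), the following Python checks a create request against the rules listed above and decides whether a RecipientType change is allowed on a later update. The function names, the sample database path and the e-mail addresses are assumptions made for illustration.

```python
"""Checks for the Exchange 2007 account attributes described above:
RecipientType transitions, the Database format required for UserMailbox, and
the unique ExternalEmailAddress required for MailUser. This is an added
example, not Identity Manager adapter code; the function names and the
sample values are assumptions made for illustration."""
import re

RECIPIENT_TYPES = ("User", "UserMailbox", "MailUser")

# Server\StorageGroup\MailboxDatabase: exactly three non-empty, backslash-separated parts
DATABASE_RE = re.compile(r"^[^\\]+\\[^\\]+\\[^\\]+$")

# The only RecipientType changes allowed after creation: AD-only -> Exchange type
ALLOWED_CHANGES = {("User", "UserMailbox"), ("User", "MailUser")}


def validate_create(attrs, existing_external_addresses=()):
    """Validate the attributes of a create request; returns a list of errors (empty = OK).
    existing_external_addresses: ExternalEmailAddress values already used in the
    Exchange organization (supplied by the caller)."""
    errors = []
    rtype = attrs.get("RecipientType")
    if rtype not in RECIPIENT_TYPES:
        errors.append("RecipientType is required and must be one of " + ", ".join(RECIPIENT_TYPES))
        return errors

    if rtype == "UserMailbox":
        db = attrs.get("Database")
        if not db:
            errors.append("Database is required when RecipientType is UserMailbox")
        elif not DATABASE_RE.match(db):
            errors.append(r"Database must have the form Server\StorageGroup\MailboxDatabase")

    if rtype == "MailUser":
        addr = attrs.get("ExternalEmailAddress")
        if not addr:
            errors.append("ExternalEmailAddress is required when RecipientType is MailUser")
        elif addr.lower() in {a.lower() for a in existing_external_addresses}:
            errors.append("ExternalEmailAddress must be unique in the Exchange organization")

    # Database and ExternalEmailAddress are ignored for the other RecipientType values
    return errors


def recipient_type_change_allowed(current, new):
    """True if an update may change RecipientType from current to new."""
    return current == new or (current, new) in ALLOWED_CHANGES


if __name__ == "__main__":
    # Constructed sample requests
    print(validate_create({"RecipientType": "UserMailbox",
                           "Database": r"EXCH01\First Storage Group\Mailbox Database"}))
    print(validate_create({"RecipientType": "UserMailbox", "Database": r"EXCH01\Mailbox Database"}))
    print(validate_create({"RecipientType": "MailUser", "ExternalEmailAddress": "bob@example.net"},
                          existing_external_addresses=["Bob@example.net"]))
    print(recipient_type_change_allowed("MailUser", "UserMailbox"))
```

The uniqueness check compares addresses case-insensitively, since Exchange treats the local part and domain of SMTP addresses as case-insensitive when it enforces uniqueness.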

Configuring Active Sync

If the Search Child Domains resource parameter is NOT selected, the LDAP Hostname must be configured to specify the hostname of a specific Domain Controller, because Active Sync must always connect to the same Domain Controller. If the Search Child Domains option is selected, then the Global Catalog Hostname must be set to a specific Global Catalog server.

See Chapter 52, Active Directory Synchronization Failover for information about limiting the number of repeated events that occur when you switch to a new domain controller.

Specifying a Domain for Pass-Through Authentication

In a default configuration, pass-through authentication is accomplished by sending the user ID and password only. These two attributes are configured in the AuthnProperties element in the resource object’s XML as w2k_user and w2k_password. Without a domain specification, the gateway searches all known domains and tries to authenticate the user in the domain that contains the user.

In a trusted multi-domain environment, there can be two possible situations:

When the user/password combination is synchronized, configure your Active Directory resources so that they are common resources. See Business Administrator's Guide for more information about setting up common resources.

If the user/password combination is domain-dependent, and if users can be expected to know the domain information, you can allow users to enter the domain information on the login screen. This option can be used in combination with common resources.

To allow the user to enter the domain on the login page, add the following property to the <AuthnProperties> element in the resource object’s XML:

<AuthnProperty name='w2k_domain' displayName='Domain:' formFieldType='text'
dataSource='user' doNotMap='true'/>

In an environment with multiple trusted domains and Active Directory forests, authentication can fail with any of these configurations because the Global Catalog does not contain cross-forest information. Because a request without a domain is tried against every known domain, a single wrong password can be recorded as several failed logons; if the number of domains is greater than the lockout threshold, this can lock the account in the user's domain.

User management across forests is only possible when multiple gateways, one for each forest, are deployed. In this case, you can configure the adapters to use a predefined domain for authentication per adapter without requiring the user to specify a domain. To accomplish this, add the following authentication property to the <AuthnProperties> element in the resource object’s XML:

<AuthnProperty name='w2k_domain' dataSource='resource attribute' value='MyDomainName'/>

Replace MyDomainName with the domain that will authenticate users.

Login failures will occur in any domain in which the user exists but the password is not synchronized.
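As an added example rather than gateway code, the following Python models the behaviour described above: without a domain, the gateway tries each known domain in turn; with w2k_domain pinned, it makes a single attempt. The model assumes (an assumption of this example, not something the page states) that a logon routed through a trusted domain that does not hold the account is forwarded to the account's home domain, which records the bad password. The domain names, account, password and lockout threshold are constructed.

```python
"""Model of gateway pass-through authentication with and without a pinned
w2k_domain, showing the lockout caveat described above. This is an added
example, not gateway or Identity Manager code. Modelling assumption: a logon
request routed through a trusted domain that does not hold the account is
forwarded to the account's home domain, which counts the failed attempt.
Domain names, accounts and the lockout threshold are constructed."""


class Domain:
    """A domain controller's view of the accounts it holds."""

    def __init__(self, name, accounts, lockout_threshold):
        self.name = name
        self.accounts = dict(accounts)        # sAMAccountName -> password
        self.lockout_threshold = lockout_threshold
        self.bad_pwd_count = {u: 0 for u in accounts}
        self.locked = set()

    def logon(self, user, password):
        """Count a bad password against the account and lock it at the threshold."""
        if user not in self.accounts or user in self.locked:
            return False
        if self.accounts[user] == password:
            self.bad_pwd_count[user] = 0
            return True
        self.bad_pwd_count[user] += 1
        if self.bad_pwd_count[user] >= self.lockout_threshold:
            self.locked.add(user)
        return False


class TrustedForest:
    """Domains joined by trusts; a logon via any of them reaches the home domain."""

    def __init__(self, domains):
        self.domains = {d.name: d for d in domains}

    def home_domain(self, user):
        return next((d for d in self.domains.values() if user in d.accounts), None)

    def logon(self, via_domain, user, password):
        home = self.home_domain(user)
        if via_domain not in self.domains or home is None:
            return False
        return home.logon(user, password)     # forwarded over the trust (model assumption)


def gateway_authenticate(forest, user, password, w2k_domain=None):
    """Without w2k_domain the gateway tries every known domain in turn until one
    succeeds; with w2k_domain it makes exactly one attempt."""
    candidates = [w2k_domain] if w2k_domain else list(forest.domains)
    return any(forest.logon(d, user, password) for d in candidates)


def constructed_forest():
    # Five trusted domains, one account, lockout after 3 bad passwords (constructed)
    return TrustedForest([Domain("CORP", {"alice": "s3cret"}, 3)] +
                         [Domain(n, {}, 3) for n in ("EMEA", "APAC", "LAB", "DMZ")])


def wrong_password_outcome(w2k_domain=None):
    """Returns (account locked?, bad password count) after ONE wrong password."""
    forest = constructed_forest()
    gateway_authenticate(forest, "alice", "wrong-password", w2k_domain)
    corp = forest.domains["CORP"]
    return "alice" in corp.locked, corp.bad_pwd_count["alice"]


def correct_password_outcome(w2k_domain=None):
    return gateway_authenticate(constructed_forest(), "alice", "s3cret", w2k_domain)


if __name__ == "__main__":
    print("no domain pinned:", wrong_password_outcome())
    print("w2k_domain=CORP:", wrong_password_outcome("CORP"))
    print("correct password:", correct_password_outcome())
```

With five domains and a threshold of three, one mistyped password locks the account when no domain is pinned, while the pinned configuration records exactly one failed logon; this is the reason to supply w2k_domain (from the user or as a fixed resource attribute) whenever the number of domains approaches the lockout threshold.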

It is not possible to use multiple data sources for the domain information in one Login Module Group.

Gateway Timeouts

The Active Directory adapter allows you to use the RA_HANGTIMEOUT resource attribute to specify a timeout value, in seconds. This attribute controls how long before a request to the gateway times out and is considered hung.

You must manually add this attribute to the Resource object as follows:

<ResourceAttribute name='Hang Timeout' displayName='com.waveset.adapter.RAMessages:RESATTR_HANGTIMEOUT'
   type='int' description='com.waveset.adapter.RAMessages:

The default value for this attribute is 0, indicating that Identity Manager will not check for a hung connection.