Sun Identity Manager 8.1 Resources Reference

Chapter 57 Active Directory Connector

This chapter describes installation and configuration issues for the Active Directory connector. The Active Directory connector shares a significant feature set with the Active Directory resource adapter.

For current information on identity connector installation and configuration issues, see https://identityconnectors.dev.java.net. For a general discussion of identity connectors, see Chapter 56, Identity Connectors Overview.

Connector Details

Bundle Name

Windows Active Directory Connector

Bundle Version

1.0.0.3663

Resource Configuration Notes

This section provides instructions for configuring connector-based Active Directory resources for use with Identity Manager, including the following:

Connector Server Location

Unless the LDAP Hostname resource attribute is set, the connector will perform a serverless bind to the directory. For the serverless bind to work, the connector server must be installed on a system that is in a domain and that “knows” about the domain/directory to be managed. All Windows domains managed by a connector must be part of the same forest. Managing domains across forest boundaries is unsupported. If you have multiple forests, install at least one connector server in each forest.

The LDAP Hostname resource attribute tells the connector to bind to a particular DNS hostname or IP address. This is the opposite of a serverless bind. However, the LDAP Hostname does not necessarily have to specify a specific domain controller. The DNS name of an AD domain can be used. If the connector's DNS server is configured to return multiple IP addresses for that DNS name, then one of them will be used for the directory bind. This avoids having to rely on a single domain controller.

Some operations, including pass-through authentication and before and after actions, require that the connector server be a member of a domain.

Connector Server Service Account

By default, the connector server runs as the local System account. This is configurable through the Services MMC Snap-in.

If you run the connector server as an account other than Local System, the connector server service account requires the “Act As Operating System” and “Bypass Traverse Checking” user rights. It uses these rights for pass-through authentication and for changing and resetting passwords in certain situations.

Most of the management of AD is done using the administrative account specified in the resource. However, some operations are done as the connector server service account. This means that the connector server service account must have the appropriate permissions to perform these operations. Currently, these operations are:

When performing before and after action scripts, the connector server may need the Replace a process level token right. This right is required if the connector server attempts to run the script subprocess as another user, such as the resource administrative user. In this case, the connector server process needs the right to replace the default token associated with that subprocess.

If this right is missing, the following error may be returned during subprocess creation:

"Error creating process: A required privilege is not held by the client"

The Replace a process level token right is defined in the Default Domain Controller Group Policy object and in the local security policy of workstations and servers. To set this right on a system, open the Local Security Policies application within the Administrative Tools folder, then navigate to Local Policies > User Rights Assignment > Replace a process level token.
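As an added example (not from the Identity Manager documentation), the following Python reads a user-rights export produced by secedit and reports which of the three rights discussed above the connector server service account still lacks. The export text and the SIDs are constructed sample data; the mapping from the right names to the Se* privilege constants is the standard Windows one.

```python
# Added example, not from the Identity Manager documentation: audit the output
# of "secedit /export /cfg <file> /areas USER_RIGHTS" for the user rights this
# page says a connector server service account other than Local System needs.
# Right names map to these privilege constants in the export:
#   Act as part of the operating system -> SeTcbPrivilege
#   Bypass traverse checking            -> SeChangeNotifyPrivilege
#   Replace a process level token       -> SeAssignPrimaryTokenPrivilege
REQUIRED_RIGHTS = {
    "SeTcbPrivilege": "Act as part of the operating system",
    "SeChangeNotifyPrivilege": "Bypass traverse checking",
    "SeAssignPrimaryTokenPrivilege": "Replace a process level token",
}


def parse_privilege_rights(export_text: str) -> dict:
    """Return {privilege: set(principals)} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.startswith("["):                      # start of a new INI section
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # secedit writes principals as *SID (or bare account names); drop the '*'
        rights[name.strip()] = {p.strip().lstrip("*") for p in value.split(",") if p.strip()}
    return rights


def missing_rights(export_text: str, principal_sids: set) -> list:
    """Required rights held by none of the given SIDs (the account plus its groups)."""
    rights = parse_privilege_rights(export_text)
    return [label for priv, label in REQUIRED_RIGHTS.items()
            if not rights.get(priv, set()) & principal_sids]


# Constructed sample export: the service account holds SeTcb directly and
# SeChangeNotify through Users, but nobody granted Replace a process level token.
SAMPLE_EXPORT = """[Unicode]
Unicode=yes
[Privilege Rights]
SeTcbPrivilege = *S-1-5-21-1000-2000-3000-1105
SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
[Version]
signature="$CHICAGO$"
"""
# Constructed SIDs: the service account and the built-in Users group it belongs to.
SERVICE_ACCOUNT_SIDS = {"S-1-5-21-1000-2000-3000-1105", "S-1-5-32-545"}
```

Because rights are often granted to groups, pass every SID from the account's token (account, groups, and well-known SIDs such as Everyone), or the check will report rights as missing that the account actually holds.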

Identity Manager Installation Notes

For the latest information on setting up a connector server, see https://identityconnectors.dev.java.net/connector server.html.

Usage Notes

This section lists dependencies and limitations related to using the Active Directory connector, including:

Checking Password History

To check the password history for an Active Directory account when an end user changes his or her password, the user must provide an AD password. You can enable this feature on an AD resource by selecting the User Provides Password On Change checkbox on the Resource Parameters page and adding the WS_USER_PASSWORD attribute to the account attributes with type encrypted. WS_USER_PASSWORD must be added both as an Identity Manager User Attribute and as a Resource User Attribute.

Configuring Active Sync

If the Search Child Domains resource parameter is NOT selected, the LDAP Hostname must be configured to specify the hostname of a specific Domain Controller, because Active Sync must always connect to the same Domain Controller. If the Search Child Domains option is selected, then the Sync Global Catalog Server must be set to a specific Global Catalog server.

See Chapter 52, Active Directory Synchronization Failover for information about limiting the number of repeated events that occur when you switch to a new domain controller.

Specifying a Domain for Pass-Through Authentication

In a default configuration, pass-through authentication is accomplished by sending the user ID and password only. These two attributes are configured in the AuthnProperties element in the resource object’s XML as w2k_user and w2k_password. Without a domain specification, the connector server searches all known domains and tries to authenticate the user in the domain that contains the user.

In a trusted multi-domain environment, there can be two possible situations:

When the user/password combination is synchronized, configure your Active Directory resources so that they are common resources. See Business Administrator's Guide for more information about setting up common resources.

In an environment with multiple trusted domains and Active Directory forests, the authentication can fail using any of these configurations because the Global Catalog does not contain cross-forest information. If a user supplies a wrong password, it could also lead to account lockout in the user’s domain if the number of domains is greater than the lockout threshold.

Login failures will occur in domains if the user exists in the domain and the password is not synchronized.

It is not possible to use multiple data sources for the domain information in one Login Module Group.

Security Notes

This section provides information about supported connections and privilege environments.

Required Administrative Privileges

This section describes Active Directory permission and reset password permission requirements.

Active Directory Permissions

The administrative account configured in the Active Directory resource must have the appropriate permissions in Active Directory.

Table 57–1 Active Directory Permissions

Identity Manager Functionality           Active Directory Permissions
---------------------------------------  -------------------------------------------------------
Create Active Directory User accounts    Create User Objects.
                                         To create the account enabled, you must be able to
                                         read and write the userAccountControl property. To
                                         create the account with its password expired, you must
                                         be able to read and write the Account Restrictions
                                         property set (which includes the userAccountControl
                                         property).
Delete Active Directory User accounts    Delete User Objects.
Update Active Directory User accounts    Read All Properties, Write All Properties.
                                         Note: If only a subset of the properties is to be
                                         managed from Identity Manager, Read/Write access can be
                                         granted to just those properties.
Change/Reset AD User account passwords   User Object permissions:
Unlock AD User accounts                    • List Contents
Expire AD User accounts                    • Read All Properties
                                           • Read Permissions
                                           • Change Password
                                           • Reset Password
                                         User Property permissions:
                                           • Read/Write lockoutTime property
                                           • Read/Write Account Restrictions property set
                                           • Read accountExpires property
                                         To set permissions for the lockoutTime property, use
                                         the cacls.exe program from the Windows 2000 Server
                                         Resource Kit.

Reset Password

The permissions to perform Create, Delete, and Update of resource objects are as expected. The account needs the Create and Delete permissions for the corresponding object type and you need appropriate Read/Write permissions on the properties that need to be updated.

Pass-Through Authentication

To support Active Directory (AD) pass-through authentication:


Note – If you must update user rights, there might be a delay before the updated security policy is propagated. Once the policy has been propagated, you must restart the connector server.


The connector server uses the LogonUser function with the LOGON32_LOGON_NETWORK log-on type and the LOGON32_PROVIDER_DEFAULT log-on provider to perform pass-through authentication. The LogonUser function is provided with the Microsoft Platform Software Development Kit.

Provisioning Notes

The following table summarizes the provisioning capabilities of this connector.

Table 57–2 Provisioning Capabilities

Feature                      Supported?
---------------------------  ------------------------------------------------------------
Enable/disable account       Yes
Rename account               Yes
Pass-through authentication  Yes
Before/after actions         Yes. The Active Directory resource supports before and after
                             actions, which use batch scripts to perform activities on the
                             connector server during a user create, update, or delete
                             request. For more information, see Chapter 50, Adding Actions
                             to Resources.
Data loading methods         Import directly from resource
                             Reconcile with resource
                             Active Sync

Account Attributes

The syntax (or type) of an attribute usually determines whether the attribute is supported. In general, Identity Manager supports Boolean, string, and integer syntaxes. Binary strings and similar syntaxes are not supported.

Attribute Syntax Support

This section provides information about supported and unsupported account syntaxes.

Supported Syntaxes

The following table lists the Active Directory syntax supported by Identity Manager:

Table 57–3 List of Supported Syntaxes

AD Syntax                     Identity Manager Syntax  Syntax ID  OM ID  ADS Type
----------------------------  -----------------------  ---------  -----  --------------------------
Boolean                       Boolean                  2.5.5.8           ADSTYPE_BOOLEAN
Enumeration                   String                   2.5.5.9    10     ADSTYPE_INTEGER
Integer                       Int                      2.5.5.9           ADSTYPE_INTEGER
DN String                     String                   2.5.5.1    127    ADSTYPE_DN_STRING
Presentation Address          String                   2.5.5.13   127    ADSTYPE_CASE_IGNORE_STRING
IA5 String                    String                   2.5.5.5    22     ADSTYPE_PRINTABLE_STRING
Printable String              String                   2.5.5.5    19     ADSTYPE_PRINTABLE_STRING
Numeric String                String                   2.5.5.6    18     ADSTYPE_NUMERIC_STRING
OID String                    String                   2.5.5.2           ADSTYPE_CASE_IGNORE_STRING
Case Ignore String (teletex)  String                   2.5.5.4    20     ADSTYPE_CASE_IGNORE_STRING
Unicode String                String                   2.5.5.12   64     ADSTYPE_OCTET_STRING
Interval                      String                   2.5.5.16   65     ADSTYPE_LARGE_INTEGER
LargeInteger                  String                   2.5.5.16   65     ADSTYPE_LARGE_INTEGER

Unsupported Syntaxes

The following table lists the Active Directory syntaxes that are not supported by Identity Manager:

Table 57–4 Unsupported Active Directory Syntaxes

Syntax                  Syntax ID  OM ID  ADS Type
----------------------  ---------  -----  ------------------------------
DN with Unicode string  2.5.5.14   127    ADSTYPE_DN_WITH_STRING
DN with binary          2.5.5.7    127    ADSTYPE_DN_WITH_BINARY
OR-Name                 2.5.5.7    127    ADSTYPE_DN_WITH_BINARY
Replica Link            2.5.5.10   127    ADSTYPE_OCTET_STRING
NT Security Descriptor  2.5.5.15   66     ADSTYPE_NT_SECURITY_DESCRIPTOR
Octet String            2.5.5.10          ADSTYPE_OCTET_STRING
SID String              2.5.5.17          ADSTYPE_OCTET_STRING
UTC Time String         2.5.5.11   23     ADSTYPE_UTC_TIME
Object(Access-Point)    2.5.5.14   127    n/a

Identity Manager supports the jpegPhoto and thumbnailPhoto account attributes, which use the Replica Link syntax. Other Replica Link attributes might be supported, but they have not been tested.

Account Attribute Support

This section provides information about the Active Directory account attributes that are supported and those not supported by Identity Manager.

Supported Account Attributes

The following tables list the account attributes supported by Identity Manager. Other attributes might also be supported.

For descriptions of these attributes, see Chapter 6, Active Directory.

Table 57–5 Attributes of ACCOUNT Object Class

Name                            Attribute Type  Create?  Update?  Allows Multiple Values
------------------------------  --------------  -------  -------  ----------------------
sAMAccountName                  String          Yes      No       No
givenName                       String          Yes      Yes      No
sn                              String          Yes      Yes      No
displayName                     String          Yes      Yes      No
mail                            String          Yes      Yes      No
telephoneNumber                 String          Yes      Yes      No
employeeID                      String          Yes      Yes      No
division                        String          Yes      Yes      No
mobile                          String          Yes      Yes      No
middleName                      String          Yes      Yes      No
description                     String          Yes      Yes      Yes
department                      String          Yes      Yes      Yes
manager                         String          Yes      Yes      Yes
title                           String          Yes      Yes      Yes
initials                        String          Yes      Yes      Yes
co                              String          Yes      Yes      Yes
company                         String          Yes      Yes      Yes
facsimileTelephoneNumber        String          Yes      Yes      Yes
homePhone                       String          Yes      Yes      Yes
streetAddress                   String          Yes      Yes      Yes
l                               String          Yes      Yes      Yes
st                              String          Yes      Yes      Yes
postalCode                      String          Yes      Yes      Yes
TerminalServicesInitialProgram  String          No       No       Yes
TerminalServicesWorkDirectory   String          Yes      Yes      Yes
AllowLogon                      Integer         Yes      Yes      Yes
MaxConnectionTime               Integer         Yes      Yes      Yes
MaxDisconnectionTime            Integer         No       No       Yes
MaxIdleTime                     Integer         Yes      Yes      Yes
ConnectClientDrivesAtLogon      Integer         No       No       Yes
ConnectClientPrintersAtLogon    Integer         No       No       Yes
DefaultToManPrinter             Integer         No       No       Yes
BrokenConnectionAction          Integer         No       No       Yes
ReconnectionAction              Integer         No       No       Yes
EnableRemoteControl             Integer         No       No       Yes
TerminalServicesProfilePath     String          No       No       Yes
TerminalServicesHomeDirectory   String          No       No       Yes
TerminalServicesHomeDrive       String          No       No       Yes
uSNChanged                      String          No       No       Yes
ad_container                    String          No       No       Yes
otherHomePhone                  String          Yes      Yes      Yes
distinguishedName               String          No       No       Yes
objectClass                     String          No       No       Yes
homeDirectory                   String          Yes      Yes      Yes
PasswordNeverExpires            Boolean         Yes      Yes      Yes

Table 57–6 Attributes of GROUP Object Class

Name            Attribute Type  Create?  Update?  Allows Multiple Values
--------------  --------------  -------  -------  ----------------------
cn              String          No       No       Yes
samAccountName  String          Yes      Yes      Yes
description     String          Yes      Yes      Yes
displayName     String          No       No       Yes
managedBy       String          Yes      Yes      Yes
mail            String          Yes      Yes      Yes
groupType       Int             Yes      Yes      Yes
objectClass     String          No       No       Yes
member          String          No       No       Yes
ad_container    String          No       No       Yes

Table 57–7 Attributes of organizationalUnit Object Class

Name         Attribute Type  Create?  Update?  Allows Multiple Values
-----------  --------------  -------  -------  ----------------------
ou           String          No       No       No
displayName  String          No       No       No

Resource Object Management

Identity Manager supports the following Active Directory objects:

Table 57–8 Supported Active Directory Objects

Resource Object      Supported Features      Attributes Managed
-------------------  ----------------------  ------------------------------------------------------
Group                Create, update, delete  cn, samAccountName, description, managedby, member,
                                             mail, groupType, authOrig, name
DNS Domain           Find                    dc
Organizational Unit  Create, delete, find    ou
Container            Create, delete, find    cn, description

The attributes that can be managed on resource objects are also generally dictated by the attribute syntaxes. The attributes for these object types are similar to those for user accounts and are supported accordingly.

Identity Template

Windows Active Directory is a hierarchical resource. The identity template provides the default location in the directory tree where the user will be created. The default identity template is

CN=$fullname$,CN=Users,DC=mydomain,DC=com

The default template must be replaced with a value that is valid for your directory.
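The following Python, added here and not part of Identity Manager, expands an identity template of this form into a DN while escaping the substituted value per RFC 4514, so that a full name containing a comma or an equals sign cannot add RDNs and place the account in a different container; it also rejects a template whose DC components were never changed from the default. The $name$ placeholder syntax is assumed from the default template above.

```python
# Added example, not part of the Identity Manager product: expand an identity
# template such as "CN=$fullname$,CN=Users,DC=mydomain,DC=com" into a DN, escaping
# substituted values per RFC 4514 so a name containing "," or "=" cannot add or
# alter RDNs. The $name$ placeholder syntax is assumed from the default template.
import re

_SPECIAL = set(',+"\\<>;=')      # must be escaped anywhere inside a DN value
_PLACEHOLDER = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)\$")
DEFAULT_TEMPLATE = "CN=$fullname$,CN=Users,DC=mydomain,DC=com"


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for embedding in a DN (RFC 4514 section 2.4)."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def split_rdns(dn: str) -> list:
    """Split a DN into its RDN strings, keeping escaped commas inside values."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2]); i += 2
        elif dn[i] == ",":
            parts.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(dn[i]); i += 1
    parts.append("".join(cur))
    return parts


def expand_identity_template(template: str, attrs: dict) -> str:
    """Return the DN for a new user, or raise if the template is unusable."""
    if template.upper().endswith("DC=MYDOMAIN,DC=COM"):
        raise ValueError("default identity template still in place; set real DC components")

    def replace(m):
        name = m.group(1)
        if not attrs.get(name):
            raise KeyError(f"no value for template attribute ${name}$")
        return escape_rdn_value(str(attrs[name]))

    dn = _PLACEHOLDER.sub(replace, template)
    if len(split_rdns(dn)) != len(split_rdns(template)):   # defensive: escaping prevents this
        raise ValueError("expansion altered the DN structure")
    return dn
```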

Sample Forms

This section lists the sample forms provided for the Active Directory resource adapter.

Built-In        Also Available
--------------  --------------
ADUserForm.xml

Troubleshooting

See Chapter 56, Identity Connectors Overview for information on logging and tracing information.