Oracle® Identity Manager Connector Guide for Microsoft Active Directory User Management
This chapter provides answers to frequently asked questions related to the functionality of the Microsoft Active Directory User Management connector.
What is the recommended system configuration for the computer installing and running the Connector Server?
The computer on which you want to install and run the Connector Server must meet the following requirements:
Intel Pentium Dual Core 2 GHz with 8 GB RAM.
Microsoft Windows Server 2003 or 2008 (32-bit or 64-bit), or Microsoft Windows Server 2012 (64-bit).
Where should I install the Connector Server for the Active Directory User Management connector?
Install the Connector Server on a computer that belongs to the target system domain.
Is it mandatory to use Oracle Identity Manager 11g Release 1 (220.127.116.11.2) with Active Directory User Management connector release 18.104.22.168.0?
Yes. This is because the minimum Oracle Identity Manager version required to install and use Active Directory User Management connector release 22.214.171.124.0 is Oracle Identity Manager 11g Release 1 (126.96.36.199.2) BP02 (with patch 13684913) or later.
If the target system contains more than one domain, then should the Connector Server be installed on each domain?
In a parent-child domain environment, a single Connector Server installed on a computer in the parent domain is sufficient. However, in a forest with disconnected domains, a Connector Server is required for each domain.
Can Active Directory User Management connector release 188.8.131.52 coexist with Active Directory User Management connector release 184.108.40.206?
No. Two versions of the same connector cannot coexist.
What are the prerequisites for installing and using the Active Directory User Management connector with Oracle Identity Manager release 11.1.2.x?
The following are the prerequisites for installing and using the Active Directory User Management connector with Oracle Identity Manager release 11.1.2.x:
Apply patch 14190610 or use Active Directory connector version 220.127.116.11.0 or later.
Create a form in Oracle Identity Manager.
Create an application instance associated with the form (created in Step 2) and IT resource.
Run the Entitlement List and Catalog Synchronization Job scheduled jobs to populate the application instance in the catalog.
How to establish a connection between Active Directory User Management connector release 18.104.22.168 and an AD LDS instance?
The following is the procedure to establish a connection between Active Directory User Management connector release 22.214.171.124 and an AD LDS instance:
Set the value of the IsADLDS parameter of the IT resource to
Specify a value for the ADLDSPort parameter of the IT resource.
Modify the Lookup.ActiveDirectory.UM.Configuration lookup definition as follows:
Search for and replace the Lookup.ActiveDirectory.UM.ProvAttrMap decode value with
Search for and replace the Lookup.ActiveDirectory.UM.ReconAttrMap decode value with
Modify the Lookup.ActiveDirectory.GM.Configuration lookup definition as follows:
Search for and replace the Lookup.ActiveDirectory.GM.ProvAttrMap decode value with
Search for and replace the Lookup.ActiveDirectory.GM.ReconAttrMap decode value with
Modify the Lookup.ActiveDirectory.UM.Configuration.Trusted lookup definition by searching for and replacing the Lookup.ActiveDirectory.UM.Configuration.Trusted decode value with
What are the steps to ensure that the service account credentials are valid?
To ensure that the service account credentials are valid, test the connection to the target system by using an LDAP browser. After the connection is tested, provide the details in the IT resource. While providing value for IT resource parameters, ensure that you use the following format to specify a value for the DirectoryAdminName parameter:
Can the Active Directory User Management connector be used to move a user from one OU to another?
Yes. You can use the Active Directory User Management connector to move a user from one OU to another if both OUs are in the same forest. In other words, you can use the connector to move a user from one OU to another if the OU to which the user is to be moved is present in the organization lookup that is populated after organization lookup field synchronization.
If I customize the connector, should I modify the values in the Decode column (for example, OIM Employee Type, OIM User Type, __UID__, and __PARENTCN__) of the Lookup.ActiveDirectory.UM.ReconAttrMap.Trusted lookup definition?
No. The Decode column of the Lookup.ActiveDirectory.UM.ReconAttrMap.Trusted lookup definition lists the attributes of the target system. Some of the target system attributes like OIM Employee Type, Manager Id, __UID__, __PARENTCN__, __ENABLE__, and OIM User Type are handled specially. Therefore, do not modify the Decode column values. The following is a description of each of the attributes in the Decode column:
OIM Employee Type: The value of this attribute is the same as the value of the OIM Employee Type attribute of the Active Directory User Trusted Recon scheduled job.
OIM User Type: The value of this attribute is the same as the value of the OIM User Type attribute of the Active Directory User Trusted Recon scheduled job.
Manager Id: Oracle Identity Manager handles the Manager Id attribute differently. It is not the same as the manager attribute on the target system. The Manager Id attribute contains the sAMAccountName of the user's manager and not the manager DN.
__UID__: This attribute retrieves the UID of the user.
__PARENTCN__: This attribute retrieves the container of the user. This attribute is used if you want to maintain in Oracle Identity Manager the same organization hierarchy that is maintained on the target system.
__ENABLE__: This attribute specifies whether the user in the target system is enabled.
If you add new attributes for the trusted source reconciliation, then it is expected that you update the Lookup.ActiveDirectory.UM.ReconAttrMap.Trusted lookup definition by creating an entry for the newly added attribute. In the Decode column of this new entry, you specify the name of the newly added target system attribute (for example, middleName, and c). See Section 4.9, "Adding New Fields for Trusted Source Reconciliation" for more information on adding new fields for trusted source reconciliation.
Why can I not see the log files corresponding to the connector operations on the computer hosting Oracle Identity Manager?
The Active Directory User Management connector uses the built-in logging mechanism of the .NET framework. Therefore, all connector logs are generated on the computer hosting the Connector Server. See Section 2.1.4, "Enabling Logging" for more information.
All connector operations are performed by using the ICFINTG layer. What is the logger name used for enabling logging for ICFINTG?
The logger name used for enabling logging for ICFINTG is ORACLE.IAM.CONNECTORS.ICFCOMMON. Note that the logger name is case sensitive.
I performed trusted source and target resource reconciliation runs by specifying a value for the Filter attribute of the scheduled job. The logs of the Connector Server display information that the connector is returning the objects. However, I neither see any user records reconciled into Oracle Identity Manager nor any logs on Oracle Identity Manager. What is wrong here?
When you perform a reconciliation run by specifying a value for the Filter attribute (in other words, when you perform limited reconciliation), the connector converts the filter syntax to the LDAP filter syntax, and then searches for records that match the filter criteria. Note that the search at this point is a case-insensitive search.
The connector returns the records retrieved by the search to ICF. Before passing on these records to the reconciliation engine in Oracle Identity Manager, ICF applies the same filter criteria on the records returned by the connector. However, at this point, ICF performs a case-sensitive search. Therefore, it is possible that records are dropped by ICF and are never returned to the reconciliation engine.
The following example explains this use case:
Suppose there exist records on the target with last names (sn) "Doe" and "Doel". During reconciliation, if you specify "startsWith('sn','do')" as the value of the Filter attribute, then the connector searches for and returns to ICF all records whose Last Name starts with "do" (in this example, the connector returns records with last names Doe and Doel). Before passing on the records returned by the connector to the reconciliation engine in Oracle Identity Manager, ICF applies the same filter on the search records. However, no reconciliation event is generated as ICF performs a case-sensitive search and drops the two records.
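The two-stage filtering described above, as an added simulation that is not part of the connector or of this guide: the connector translates the Filter value into an LDAP filter that the directory evaluates case-insensitively, and ICF then re-applies the same filter case-sensitively. The sample records and the support for endsWith, contains and equalTo in addition to the startsWith shown above are assumptions made for this example.

```python
import re

# Constructed sample of target-system records (not real directory data).
TARGET_RECORDS = [
    {"sAMAccountName": "jdoe", "sn": "Doe"},
    {"sAMAccountName": "mdoel", "sn": "Doel"},
    {"sAMAccountName": "asmith", "sn": "Smith"},
]

# Scheduled-job Filter syntax as shown on the page, e.g. startsWith('sn','do').
# Handling endsWith/contains/equalTo as well is an assumption of this example.
_FILTER_RE = re.compile(
    r"^(startsWith|endsWith|contains|equalTo)\('([^']+)','([^']*)'\)$")


def parse_filter(expr):
    """Split a Filter value into (operator, attribute, value)."""
    m = _FILTER_RE.match(expr.strip())
    if not m:
        raise ValueError("unsupported filter: " + expr)
    return m.group(1), m.group(2), m.group(3)


def to_ldap_filter(expr):
    """Connector side: translate the ICF filter into an LDAP filter string."""
    op, attr, value = parse_filter(expr)
    pattern = {"startsWith": value + "*", "endsWith": "*" + value,
               "contains": "*" + value + "*", "equalTo": value}[op]
    return "(%s=%s)" % (attr, pattern)


def _matches(op, actual, value, case_sensitive):
    if not case_sensitive:
        actual, value = actual.lower(), value.lower()
    return {"startsWith": actual.startswith(value),
            "endsWith": actual.endswith(value),
            "contains": value in actual,
            "equalTo": actual == value}[op]


def connector_search(records, expr):
    """Stage 1: the directory evaluates the LDAP filter case-insensitively."""
    op, attr, value = parse_filter(expr)
    return [r for r in records if _matches(op, r.get(attr, ""), value, False)]


def icf_filter(records, expr):
    """Stage 2: ICF re-applies the same filter, but case-sensitively."""
    op, attr, value = parse_filter(expr)
    return [r for r in records if _matches(op, r.get(attr, ""), value, True)]


def reconcile(records, expr):
    """Return (records returned by the connector, records handed to the
    reconciliation engine) for one Filter value."""
    found = connector_search(records, expr)
    return found, icf_filter(found, expr)


if __name__ == "__main__":
    for expr in ("startsWith('sn','do')", "startsWith('sn','Do')"):
        found, kept = reconcile(TARGET_RECORDS, expr)
        print(expr, "->", to_ldap_filter(expr), "| connector returned",
              len(found), "| reconciled", len(kept))
```

With the lower-case value the connector returns both Doe and Doel but ICF drops them; matching the case stored on the target lets both records through.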
Is Remote Manager required for provisioning and reconciling Terminal Service attributes by using this release of the Active Directory User Management Connector?
No. For the 11.1.1.x version of this connector, you must deploy the .NET Connector Server on any computer in the Active Directory domain. It is not mandatory to deploy the Connector Server on the domain controller or computer hosting the target system. Apart from this, there are no prerequisites for provisioning and reconciling Terminal Services attributes. In other words, you do not need Remote Manager or another Connector Server on the domain controller. Provisioning and reconciliation of Terminal Service attributes is the same as provisioning or reconciling any other attribute.
Is SSL mandatory for setting passwords for users in the target system? Can I set password for a user if I set the value of the UseSSL IT resource parameter to
SSL is not mandatory for setting user passwords. You can set password for a user even if you set the value of the UseSSL IT resource parameter to
If you set the value of the UseSSL parameter to yes, then the channel between the Connector Server and target system is encrypted. In addition, secure communication is set up by using certificates.
If you set the value of the UseSSL parameter to no, then the channel between the Connector Server and target system is encrypted by using the ADSI "Secure" mode for communication.
For performing a password reset provisioning operation, the communication channel must be encrypted. If you are using Microsoft AD as the target system, then as discussed in the preceding paragraphs, the channel between the Connector Server and target system is encrypted. Therefore, you can perform password reset provisioning operations without configuring SSL.
If you are using Microsoft AD LDS as the target system, then the default communication channel between the Connector Server and target system is not "secure". Therefore, it is mandatory to configure SSL between the Connector Server and Microsoft AD LDS for the password reset functionality to work as expected.
Can the Active Directory User Management connector version 126.96.36.199.0 manage windows local account?
Where can I find the latest version of the Active Directory User Management Connector guide?
You can find the latest version of the Active Directory User Management Connector guide and all other ICF connector guides at the following location:
After extracting the contents of the connector bundle into the CONNECTOR_SERVER_HOME directory, I observed some DLLs. Does it matter whether the computer hosting the Connector Server is 32-bit or 64-bit?
No. You can use the same DLLs on both 32-bit and 64-bit computers.
I want to add users to and remove from a certain Active Directory group for provisioning and de-provisioning events, but I do not want to assign any permissions for modifying the user objects. Can I install this connector and use only user to group management part with limited permission on only group objects to change members attribute? What are the minimum permissions required for this connector?
Managing only user-group membership is possible by providing the credentials of the user who has been delegated the control (by using the Delegation of Control Wizard in the target system) for the following tasks, in the Active Directory Connector IT Resource:
Read all user information
Create, delete and manage groups
Modify the membership of a group
With these credentials, you can perform reconciliation, lookup and manage groups, but not create or update user attributes.
Can the Active Directory User Management connector manage a forest containing a single parent domain with many child domains using only one application instance or IT resource?
Yes, it is possible with a single application instance by performing the following steps:
Set the value of the SearchChildDomains entry to Yes in the Lookup.Configuration.ActiveDirectory lookup definition. See the "SearchChildDomains" row in Section 188.8.131.52, "Lookup.Configuration.ActiveDirectory" for more information.
Ensure that you specify the user name of an account that has the 'Account Operators' role on all of these child domains as the value of the DirectoryAdminName parameter of the IT resource.
Should the DirectoryAdminName parameter of the IT resource contain the distinguished name of the user?
No. You must use only the following format to specify a value for this parameter:
See the "DirectoryAdminName" row of Table 2-3, "Parameters of the Active Directory IT Resource for the Target System" for more information.
Any user deleted on the target system will be stored in the DeletedObjects container. Can I expect the same behavior if I use the Active Directory User Management connector?
Can a single Connector Server be used to deploy the Active Directory User Management connector bundle and Exchange connector bundle?
Yes. A single Connector Server can host both the Active Directory User Management and Exchange connector bundles. While deploying the Exchange connector, ensure that you do not replace the existing ActiveDirectory.Connector.dll file on the Connector Server if any patch was applied to the Active Directory User Management connector.
What happens when the computer (specified as the value of the LDAPHostName IT resource parameter) becomes unavailable during automatic provisioning? How to configure the connector to be compatible with high availability (HA) target system environments?
When the computer (specified as the value of the LDAPHostName IT resource parameter) becomes unavailable, the connector performs in one of the following manners:
If a value has been specified for the BDCHostNames IT resource parameter, then the connector tries to connect to any of the backup domain controllers listed in the BDCHostNames parameter. You can configure the connector to be compatible with HA target system environments by specifying a value for the BDCHostNames IT resource parameter.
If no value has been specified for the LDAPHostName and BDCHostNames IT resource parameters, then the connector connects to any of the domain controllers available in the same domain. This is called a serverless bind.
What happens when the Connector Server specified in the Active Directory IT resource becomes unavailable?
If the Connector Server is not configured for HA and it becomes unavailable, then the "connection refused" error is encountered.
To configure the Connector Server for HA, see the "Configuring Connector Load Balancer" section in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
Will there be an issue if I specify a value for the ADLDSPort parameter while using Microsoft Active Directory as a target system?
No. This is because the connector first checks the value of the isADLDS parameter. Only if the value of the isADLDS parameter is yes does the connector use the value of the ADLDSPort parameter. However, Oracle recommends that you do not specify a value for the ADLDSPort parameter if you are using Microsoft Active Directory as the target system.
Can I perform user provisioning operations without configuring SSL between Oracle Identity Manager and Microsoft Active Directory? In addition, is the presence of the SSL certificate of Microsoft Active Directory required in both Oracle Identity Manager and the connector to perform all provisioning operations including password changes?
If you are using Microsoft Active Directory as the target system, then SSL is not mandatory. The Active Directory User Management connector uses ADSI secure mode for all provisioning operations, including password change provisioning operations. Therefore, password change provisioning operations can be handled without configuring SSL between Oracle Identity Manager and Microsoft Active Directory. However, if you are using AD LDS as the target system, then SSL is mandatory to perform password change provisioning operations.
Will changes in AD groups for a user be reconciled during incremental reconciliation?
No. Group membership changes are not reconciled during incremental reconciliation. This is a target system limitation.
Explain the appropriate use of the SyncDomainController and SyncGlobalCatalog parameters of the IT resource.
The SyncDomainController and SyncGlobalCatalog IT resource parameters are used only during reconciliation. If reconciliation must be performed against a domain controller, then the SyncDomainController parameter is used.
If reconciliation must be performed against the global catalog server, then the SyncGlobalCatalog parameter is used. The following are the steps to be performed for using these parameters:
Set the SearchChildDomain entry in the Lookup.Configuration.ActiveDirectory lookup definition to
Enter the global catalog server host name as the value of the SyncGlobalCatalog IT resource parameter.
See Section 4.12, "Enabling Reconciliation and Provisioning Operations Across Multiple Domains" for more information.
What are the minimum permissions to be assigned to a user to fetch deleted user records from the target system?
By default, the service account with the Account Operators role does not have permission to read information from the Deleted Objects container. See Section 184.108.40.206, "Assigning Permissions to Perform Delete User Reconciliation Runs" for more information.
Where do I find the log files for connector installation?
You find the log files for connector installation, Oracle Identity Manager server log and diagnostic log, in the following location:
How to create users in a specific OU in the target system?
You can create users in a specific OU in the target system, during provisioning, by selecting a value from the Organization Name lookup field on the AD User Form page.
When a group or an OU is created in the target system, will their parent organization be displayed in Oracle Identity Manager?
When a group or an OU is created in the target system, its parent organization is not displayed in Oracle Identity Manager. Parent organizations must be reconciled separately. However, the organization hierarchy will not be maintained. Parent organizations can be reconciled by running the Active Directory Organization Recon scheduled job.
Will a new group or OU be created in Oracle Identity Manager if I rename a group or an OU in the target system?
What certificate must be exported while configuring SSL between Oracle Identity Manager and the Connector Server?
While configuring SSL between Oracle Identity Manager and the Connector Server, export the SSL certificate (.cer file) from the computer hosting the Connector Server and add it to a new certificate store on the same computer. Note that the new certificate store must contain only one certificate. After configuring the details of the new certificate store in the ConnectorServer.exe.Config file, copy the exported certificate to the computer on which Oracle Identity Manager is running. Add the certificate to the Oracle Identity Manager JDK keystore and the Oracle WebLogic keystore. See Section 2.3.3, "Configuring SSL for Microsoft Active Directory and Microsoft AD LDS" for more information.
Is it correct that all traffic from Oracle Identity Manager to the target system passes through the Connector Server and there is no need to open firewall ports for direct access anymore?
Yes, this is correct.
What protocol is used for communication between Oracle Identity Manager and the target system?
The TCP protocol is used for communication between Oracle Identity Manager and the target system.
Section 1.4, "Connector Architecture" states the default communication between the .NET Connector Server and target system is "secure." How is this achieved?
This connector uses the ADSI API that provides an option for specifying the type of authentication to use. See the following Microsoft Developer Network page for more information:
If you set the value of the UseSSL IT resource parameter to no, then secure authentication as discussed in the following page: