Oracle® Identity Manager Connector Guide for Microsoft Active Directory User Management
Release 11.1.1

E20347-09

1 About the Connector

Oracle Identity Manager automates access rights management, security, and provisioning of IT resources. Oracle Identity Manager connectors are used to integrate Oracle Identity Manager with external, identity-aware applications. This guide discusses the connector that enables you to use Microsoft Active Directory or Active Directory Lightweight Directory Services (AD LDS), formerly known as Microsoft Active Directory Application Mode (ADAM), either as a managed (target) resource or as an authoritative (trusted) source of identity data for Oracle Identity Manager.

Note:

At some places in this guide, Microsoft Active Directory, Microsoft ADAM, and Microsoft AD LDS have been referred to as the target systems.

In the account management (target resource) mode of the connector, information about users created or modified directly on the target system can be reconciled into Oracle Identity Manager. In addition, you can use Oracle Identity Manager to perform provisioning operations on the target system.

In the identity reconciliation (trusted source) configuration of the connector, users are created or modified only on the target system and information about these users is reconciled into Oracle Identity Manager.

Note:

It is recommended that you do not configure the target system as both an authoritative (trusted) source and a managed (target) resource.

This chapter contains the following sections:

1.1 Certified Components

The target system can be Microsoft Active Directory or Microsoft AD LDS. Table 1-1 lists the certified components for both target systems.

Table 1-1 Certified Components

Item: Oracle Identity Manager

Requirement for Microsoft Active Directory: You can use one of the following releases of Oracle Identity Manager:

  • Oracle Identity Manager 11g Release 1 (11.1.1.5.6) or later

  • Oracle Identity Manager 11g Release 2 (11.1.2.0.6) or later

  • Oracle Identity Manager 11g Release 2 PS2 (11.1.2.2.0)

Requirement for Microsoft AD LDS or ADAM: You can use one of the following releases of Oracle Identity Manager:

  • Oracle Identity Manager 11g Release 1 (11.1.1.5.6) or later

  • Oracle Identity Manager 11g Release 2 (11.1.2.0.6) or later

  • Oracle Identity Manager 11g Release 2 PS2 (11.1.2.2.0)

Item: Target systems and target system host platforms

Requirement for Microsoft Active Directory: The target system can be any one of the following:

  • Microsoft Active Directory installed on Microsoft Windows Server 2003, both 32-bit and 64-bit platforms

    Note: On a Microsoft Windows 2003 server on which SP1 has not been installed, you might come across the "WILL_NOT_PERFORM" error message during the password change operation. You can access information about one of the causes of and a solution for this error on the Microsoft Knowledge Base Web site at http://support.microsoft.com

  • Microsoft Active Directory installed on Microsoft Windows Server 2003 R2, both 32-bit and 64-bit platforms

  • Microsoft Active Directory installed on Microsoft Windows Server 2008, both 32-bit and 64-bit platforms

  • Microsoft Active Directory installed on Microsoft Windows Server 2008 R2, both 32-bit and 64-bit platforms

  • Microsoft Active Directory installed on Microsoft Windows Server 2012, 64-bit platform

  • Microsoft Active Directory installed on Microsoft Windows Server 2012 R2, 64-bit platform

Requirement for Microsoft AD LDS or ADAM: The target system can be any one of the following:

  • Microsoft Active Directory Application Mode installed on Microsoft Windows Server 2003, both 32-bit and 64-bit platforms

    Note: On a Microsoft Windows 2003 server on which SP1 has not been installed, you might come across the "WILL_NOT_PERFORM" error message during the password change operation. You can access information about one of the causes of and a solution for this error on the Microsoft Knowledge Base Web site at http://support.microsoft.com

  • Microsoft Active Directory Application Mode installed on Microsoft Windows Server 2003 R2, both 32-bit and 64-bit platforms

  • Microsoft Active Directory Lightweight Directory Services installed on Microsoft Windows Server 2008, both 32-bit and 64-bit platforms

  • Microsoft Active Directory Lightweight Directory Services installed on Microsoft Windows Server 2008 R2, both 32-bit and 64-bit platforms

  • Microsoft Active Directory Lightweight Directory Services installed on Microsoft Windows Server 2012, 64-bit platform

  • Microsoft Active Directory Lightweight Directory Services installed on Microsoft Windows Server 2012 R2, 64-bit platform

Item: Connector Server

Requirement for Microsoft Active Directory: 1.2.0.6195

Requirement for Microsoft AD LDS or ADAM: 1.2.0.6195

Item: Other software (software used for establishing or securing communication between Oracle Identity Manager and the target system)

Requirement for Microsoft Active Directory: Certificate Services, IIS Web Server

Requirement for Microsoft AD LDS or ADAM: Certificate Services, IIS Web Server

Note: You must configure SSL for the connector to perform all connector operations as expected.


1.2 Usage Recommendation

Depending on the Oracle Identity Manager version that you are using, you must deploy and use one of the following connectors:

Note:

At some places in this section, Microsoft Active Directory User Management connector releases 9.1.0.x and 9.0.4.x have been referred to as release 9.x.

1.3 Certified Languages

The connector supports the following languages:

See Also:

Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for information about supported special characters

1.4 Connector Architecture

Figure 1-1 shows the architecture of the connector.

Figure 1-1 Connector Architecture (diagram; the description of the architecture follows)

The Microsoft Active Directory User Management connector is built on top of System.DirectoryServices, a collection of classes managed by .NET that makes using Microsoft Active Directory easy and convenient. In the .NET Framework, classes for managing directory objects are contained within the System.DirectoryServices namespace. The classes in System.DirectoryServices wrap Active Directory Services Interfaces (ADSI) functionality.

ADSI is a built-in component of Microsoft Windows and is shipped with different providers to access directories, such as WinNT for local account management, NDS for accessing Novell eDirectory (formerly known as Novell Directory Services), and LDAP for accessing any directory that supports Lightweight Directory Access Protocol (LDAP) v3. This connector uses the LDAP provider to access Microsoft Active Directory.

The earlier version of this connector was a high-level connector with many configuration settings and lookup definitions that were used to customize the provisioning process. In addition, using an SSL certificate to secure communication between Oracle Identity Manager and the target system was mandatory. In contrast, the current version of the connector provides low-level operations by using the Connector Framework, and the consumer application is responsible for setting up the provisioning process. Through the internal mechanism of ADSI and the .NET Framework, the default communication between the .NET Connector Server and Microsoft Active Directory is "secure." However, if you are using Microsoft AD LDS as the target system, then you must configure SSL between Oracle Identity Manager and the target system.

Note:

For performing password reset provisioning operations, the communication with the target system must be secure. If you are using Microsoft AD as the target system, there is no need to enable SSL between the .NET Connector Server and the target system. This is because the default communication between the .NET Connector Server and the target system is "secure."

However, in the case of Microsoft AD LDS, the default communication between the .NET Connector Server and Microsoft AD LDS is not "secure." Therefore, it is required to configure SSL between the .NET Connector Server and Microsoft AD LDS for the password reset functionality to work as expected.

As the current version of this connector provides low-level provisioning functionality, an integration code called Integrated Common Framework (ICF) Common is used.

Instead of communicating directly with the native API, ICF Common communicates with the connector framework through its API, and then calls SPI operations on a specific version of this connector. The .NET Connector Framework, in the context of which the connector runs, sits between the Java ICF and the connector and bridges the two. The connector is deployed in the .NET Connector Framework.

Oracle Identity Manager communicates with a .NET Connector Server over the network. The .NET Connector Server serves as a proxy that gives any authenticated application access to the current version of the connector deployed within it. Note that the Connector Server need not be on the domain controller on which the target system is running; it can be configured on any machine in the Microsoft Active Directory domain.

The Microsoft Active Directory User Management connector is a .NET connector that supports provisioning to and reconciliation from Microsoft Windows servers running Microsoft Active Directory Domain Services (AD DS) and Microsoft Active Directory Lightweight Directory Services (AD LDS).

The Microsoft Active Directory User Management connector is implemented using the ICF. The ICF provides a container that separates the connector bundle from the application (for example, Oracle Identity Manager or Oracle Waveset). The ICF is a component that provides basic reconciliation and provisioning operations that are common to all Oracle Identity Manager connectors. In addition, the ICF provides common features that developers would otherwise need to implement on their own, such as connection pooling, buffering, timeouts, and filtering. The ICF is shipped along with Oracle Identity Manager. Therefore, you need not configure or modify the ICF.

See Also:

The "Understanding the Identity Connector Framework" chapter in Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for more information about the ICF

The connector can be configured to run in one of the following modes:

  • Account management (target resource) mode, in which the target system is a managed resource: users are reconciled into Oracle Identity Manager and provisioning operations are performed on the target system.

  • Identity reconciliation (trusted source) mode, in which the target system is the authoritative source: users are created or modified only on the target system and are reconciled into Oracle Identity Manager.

Password Synchronization

This connector cannot propagate password changes from Microsoft Active Directory to Oracle Identity Manager. To implement this feature, you must install the Microsoft Active Directory password synchronization connector. See Oracle Identity Manager Connector Guide for Microsoft Active Directory Password Synchronization for more information. That guide describes scenarios in which both the password synchronization connector and this connector are deployed.

1.5 Features of the Connector

The following are features of the connector:

  • Section 1.5.1, "Dependent Lookup Fields"

  • Section 1.5.2, "Full and Incremental Reconciliation"

  • Section 1.5.3, "Limited Reconciliation"

  • Section 1.5.4, "Batched Reconciliation"

  • Section 1.5.5, "Reconciliation of Deleted User Records"

  • Section 1.5.6, "Reconciliation of Deleted Groups"

  • Section 1.5.7, "Transformation and Validation of Account Data"

  • Section 1.5.8, "Support for Connector Server"

  • Section 1.5.9, "Connection Pooling"

  • Section 1.5.10, "Support for Connector Operations Across Domains"

  • Section 1.5.11, "Support for Connector Operations on User-Defined Object Classes"

  • Section 1.5.12, "Support for Adding Dynamic Auxiliary Object Classes"

  • Section 1.5.13, "Support for Adding the Group Name (pre-Windows 2000) Attribute"

  • Section 1.5.14, "Support for Provisioning Groups of the Security Group - Universal Group Type"

  • Section 1.5.15, "Support for Provisioning and Reconciling Custom Object Categories"

  • Section 1.5.16, "Support for Scripting Languages"

  • Section 1.5.17, "Support for High-Availability Configuration of the Target System"

1.5.1 Dependent Lookup Fields

If you have multiple installations of the target system, the entries in lookup definitions (used as an input source for lookup fields during provisioning) can be linked to the target system installation from which they are copied. Therefore, during a provisioning operation, you can select lookup field values that are specific to the target system installation on which the provisioning operation is being performed.

See Section 1.6.1, "Lookup Definitions Synchronized with the Target System" for more information about the format in which data is stored in dependent lookup definitions.

1.5.2 Full and Incremental Reconciliation

After you deploy the connector, you can perform full reconciliation to bring all existing user data from the target system to Oracle Identity Manager. After the first full reconciliation run, incremental reconciliation is automatically enabled. In incremental reconciliation, user accounts that have been added or modified since the last reconciliation run are fetched into Oracle Identity Manager.

You can perform a full reconciliation run at any time.

See Section 3.3.1, "Full Reconciliation and Incremental Reconciliation" for more information.

1.5.3 Limited Reconciliation

You can set a reconciliation filter as the value of the Filter attribute of the user reconciliation scheduled job. This filter specifies the subset of added and modified target system records that must be reconciled.

See Section 3.3.2, "Limited Reconciliation" for more information.

1.5.4 Batched Reconciliation

You can break down a reconciliation run into batches by specifying the number of records that must be included in each batch.

See Section 3.3.3, "Batched Reconciliation" for more information.

1.5.5 Reconciliation of Deleted User Records

You can configure the connector for reconciliation of deleted user records. In target resource mode, if a user record is deleted on the target system, then the corresponding AD User resource is revoked from the OIM User. In trusted source mode, if a user record is deleted on the target system, then the corresponding OIM User is deleted.

See Section 3.3.4.2, "Scheduled Jobs for Reconciliation of Deleted User Records" for more information about scheduled jobs used for reconciling deleted user records.

1.5.6 Reconciliation of Deleted Groups

You can configure the connector for reconciliation of groups deleted in the target system. In target resource mode, if a group is deleted on the target system, then the corresponding group is revoked from Oracle Identity Manager.

See Section 3.3.4.2, "Scheduled Jobs for Reconciliation of Deleted User Records" for more information about scheduled jobs used for reconciling deleted groups.

1.5.7 Transformation and Validation of Account Data

You can configure validation of account data that is brought into or sent from Oracle Identity Manager during reconciliation and provisioning. In addition, you can configure transformation of account data that is brought into Oracle Identity Manager during reconciliation. The following sections provide more information:

1.5.8 Support for Connector Server

The Active Directory User Management connector is written using Microsoft .NET. A .NET environment is required for the execution of this connector code. Therefore, it is mandatory for this connector to be deployed on the .NET Connector Server shipped along with the connector package. The Active Directory User Management connector operates in the context of the .NET Connector Framework, which in turn requires an application to execute. Therefore, by default, Oracle provides the .NET Connector Server to run the Active Directory User Management connector.

Connector Server is a component provided by ICF. By using one or more connector servers, the connector architecture permits your application to communicate with externally deployed bundles. In other words, a connector server enables remote execution of an Oracle Identity Manager connector.

See the following sections for more information:

1.5.9 Connection Pooling

A connection pool is a cache of objects that represent physical connections to the target. Oracle Identity Manager connectors can use these connections to communicate with target systems. At run time, the application requests a connection from the pool. If a connection is available, then the connector uses it and then returns it to the pool. A connection returned to the pool can again be requested for and used by the connector for another operation. By enabling the reuse of connections, the connection pool helps reduce connection creation overheads like network latency, memory allocation, and authentication.

One connection pool is created for each IT resource. For example, if you have three IT resources for three installations of the target system, then three connection pools will be created, one for each target system installation.

See Section 2.3.1.4, "Setting Up the Lookup Definition for Connection Pooling" for more information.

1.5.10 Support for Connector Operations Across Domains

The connector supports reconciliation and provisioning operations across domains. This means that, for example, you can assign a user in one domain to a group in another domain. You can also reconcile a user record even if the user and the user's manager belong to different domains.

See Section 4.12, "Enabling Reconciliation and Provisioning Operations Across Multiple Domains" for more information.

1.5.11 Support for Connector Operations on User-Defined Object Classes

The connector can be configured to reconcile from and provision to user-defined object classes and their attributes. By default, the target system uses the user object class. The connector can be configured to accommodate user-defined object classes that you define on the target system.

See Section 4.6, "Configuring the Connector for User-Defined Object Classes" for more information.

1.5.12 Support for Adding Dynamic Auxiliary Object Classes

The connector provides support for adding dynamic auxiliary object classes. In addition, you can add the attributes of these dynamic auxiliary object classes for reconciliation and provisioning.

See Section 4.7, "Adding Dynamic Auxiliary Object Classes and Their Attributes to Users" for more information.

1.5.13 Support for Adding the Group Name (pre-Windows 2000) Attribute

During group provisioning, by default, the value that you specify for the Group Name field on the OIM process form is entered as the value of both the Group Name and Group Name (pre-Windows 2000) attributes of the target system. If you want to specify different values for the Group Name and Group Name (pre-Windows 2000) attributes in the target system, then you must create the Group Name (pre-Windows 2000) field on the OIM process form.

See Section 4.8, "Adding the Group Name (pre-Windows 2000) Attribute" for more information.

1.5.14 Support for Provisioning Groups of the Security Group - Universal Group Type

The connector provides support for provisioning groups of the type Security Group - Universal. See Section 4.16, "Configuring the Connector for Provisioning Groups of the Security Group - Universal Group Type" for more information.

1.5.15 Support for Provisioning and Reconciling Custom Object Categories

If you are using AD LDS as the target system, then add custom object categories for provisioning and reconciliation. See Section 4.17, "Configuring the Connector for Provisioning and Reconciling Custom Object Categories" for more information.

1.5.16 Support for Scripting Languages

The connector supports any scripting language that has a script executor in the ICF. Currently, there are two script executor implementations: a Windows shell script executor (batch scripts) and a Boo script executor. Although Visual Basic scripts are not directly supported, a Visual Basic script can be called using a shell script.

See Section 3.7, "Configuring Action Scripts" for more information.

1.5.17 Support for High-Availability Configuration of the Target System

The connector can be configured for compatibility with high-availability target system environments. It can read information about backup target system hosts from the BDCHostNames parameter of the Active Directory IT resource and apply this information when it is unable to connect to the primary host.

See Table 2-3 of Section 2.2.1.2, "Configuring the IT Resource for the Target System" for more information about the BDCHostNames parameter of the IT resource.

1.6 Lookup Definitions Used During Reconciliation and Provisioning

Lookup definitions used during reconciliation and provisioning can be divided into the following categories:

1.6.1 Lookup Definitions Synchronized with the Target System

During a provisioning operation, you use a lookup field on the process form to specify a single value from a set of values. For example, you use the Organizational Unit lookup field to select an organizational unit from the list of organizational units in the lookup field. When you deploy the connector, lookup definitions corresponding to the lookup fields on the target system are created in Oracle Identity Manager. Lookup field synchronization involves copying additions or changes made to the target system lookup fields into the lookup definitions in Oracle Identity Manager.

The following is the format in which data is stored after lookup definition synchronization:

Code Key: <IT_RESOURCE_KEY>~<LOOKUP_FIELD_VALUE>

In this format:

  • IT_RESOURCE_KEY is the numeric code assigned to each IT resource in Oracle Identity Manager.

  • LOOKUP_FIELD_VALUE is the connector attribute value defined for code.

Sample value: 1~OU=TestOrg8,DC=matrix,DC=com

Decode: <IT_RESOURCE_NAME>~<LOOKUP_FIELD_VALUE>

In this format:

  • IT_RESOURCE_NAME is the name of the IT resource in Oracle Identity Manager.

  • LOOKUP_FIELD_VALUE is the connector attribute value defined for decode.

Sample value: Active Directory~OU=TestOrg8,DC=matrix,DC=com

For example, in the Lookup.ActiveDirectory.Groups lookup definition, values will be stored in the following format:

Code Key: <IT_RESOURCE_KEY>~<DISTINGUISHED_NAME>

Decode: <IT_RESOURCE_NAME>~<DISTINGUISHED_NAME>

During a provisioning operation, lookup fields are populated with values corresponding to the target system that you select for the operation.
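The following Python script is an added example, not code from the Oracle guide or from the connector itself. It builds entries in the Code Key / Decode format described above, parses a Code Key back into its IT resource key and lookup field value, and filters a synchronized lookup definition down to the values that belong to the IT resource selected for a provisioning operation. The IT resource "Active Directory" with key 1 and the DN OU=TestOrg8,DC=matrix,DC=com come from the guide's sample value; the second IT resource, its key, its name, and all other DNs are constructed for the example. One point the format description leaves implicit is handled explicitly: because the IT resource key is numeric, a Code Key is split only at its first "~", so a lookup field value that itself contains "~" survives the round trip.

```python
"""Added example, not part of the Oracle guide or the connector: build, filter
and parse synchronized lookup entries in the Code Key / Decode format
IT_RESOURCE_KEY~LOOKUP_FIELD_VALUE and IT_RESOURCE_NAME~LOOKUP_FIELD_VALUE."""
from typing import Dict, List, Tuple

SEPARATOR = "~"


def make_lookup_entry(it_resource_key: int, it_resource_name: str,
                      value: str) -> Tuple[str, str]:
    """Return the (Code Key, Decode) pair for one synchronized lookup value."""
    return (f"{it_resource_key}{SEPARATOR}{value}",
            f"{it_resource_name}{SEPARATOR}{value}")


def parse_code_key(code_key: str) -> Tuple[int, str]:
    """Split a Code Key into (IT resource key, lookup field value).

    Only the first '~' is a separator: the IT resource key is numeric, so any
    later '~' must belong to the value (a DN may legitimately contain one)."""
    key_part, sep, value = code_key.partition(SEPARATOR)
    if not sep or not key_part.isdigit():
        raise ValueError(f"not a synchronized lookup Code Key: {code_key!r}")
    return int(key_part), value


def values_for_it_resource(lookup: Dict[str, str],
                           it_resource_key: int) -> List[str]:
    """Values a lookup field offers once an IT resource is selected for
    provisioning: only entries whose Code Key carries that IT resource key."""
    selected: List[str] = []
    for code_key in lookup:
        key, value = parse_code_key(code_key)
        if key == it_resource_key:
            selected.append(value)
    return selected


# Constructed sample data: the IT resource from the guide's sample value plus a
# hypothetical second installation whose OU name contains a '~'.
SAMPLE_RESOURCES = [
    (1, "Active Directory",
     ["OU=TestOrg8,DC=matrix,DC=com", "OU=Sales,DC=matrix,DC=com"]),
    (2, "AD LDS Lab", ["OU=Lab~Team,DC=lab,DC=example"]),
]


def build_sample_lookup() -> Dict[str, str]:
    """Simulate lookup synchronization: one Code Key -> Decode entry per DN."""
    lookup: Dict[str, str] = {}
    for key, name, dns in SAMPLE_RESOURCES:
        for dn in dns:
            code_key, decode = make_lookup_entry(key, name, dn)
            lookup[code_key] = decode
    return lookup


if __name__ == "__main__":
    table = build_sample_lookup()
    for code_key, decode in table.items():
        print(f"{code_key:40} -> {decode}")
    print("IT resource 1 sees:", values_for_it_resource(table, 1))
    print("IT resource 2 sees:", values_for_it_resource(table, 2))
```

Running the script prints the three synchronized entries and then the filtered value lists for each IT resource; the entry for key 2 shows that the "~" inside the OU name is preserved in both the Code Key and the parsed value.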

The "Lookup Definition" column of Table 1-2 lists the Oracle Identity Manager lookup definitions that correspond to target system lookup fields listed in the "Target System Field" column of the table.

Table 1-2 Lookup Definitions Synchronized with the Target System

Lookup Definition: Lookup.ActiveDirectory.Groups

Target System Field: The distinguishedName field of groups

Scheduled Task for Synchronization: You use the Active Directory Group Lookup Recon scheduled job to synchronize this lookup definition. This scheduled job is discussed in Section 3.2, "Scheduled Jobs for Lookup Field Synchronization."

Lookup Definition: Lookup.ActiveDirectory.OrganizationalUnits

Target System Field: The distinguishedName field of organizations

Scheduled Task for Synchronization: You use the Active Directory Organization Lookup Recon scheduled job to synchronize this lookup definition. This scheduled job is discussed in Section 3.2, "Scheduled Jobs for Lookup Field Synchronization."


1.6.2 Preconfigured Lookup Definitions

This section discusses the other lookup definitions that are created in Oracle Identity Manager when you deploy the connector. These lookup definitions are either prepopulated with values or values must be manually entered in them after the connector is deployed. The other lookup definitions are as follows:

1.6.2.1 Lookup.Configuration.ActiveDirectory

The Lookup.Configuration.ActiveDirectory lookup definition holds connector configuration entries that are used during target resource reconciliation and provisioning operations.

Table 1-3 lists the default entries in this lookup definition.

Table 1-3 Entries in the Lookup.Configuration.ActiveDirectory Lookup Definition

Code Key: ADLDSLockoutThreshold
Decode: 5
Description: This entry holds the number of unsuccessful login attempts after which a user's account must be locked.
Note: This entry is applicable only for the Microsoft AD LDS target system.

Code Key: AlwaysUseObjectGUID
Decode: yes
Description: This entry specifies whether the GUID of an object must be used for searching records during reconciliation.
Note: Do not change the value of this entry.

Code Key: Bundle Name
Decode: ActiveDirectory.Connector
Description: This entry holds the name of the connector bundle package. Do not modify this entry.

Code Key: Bundle Version
Decode: 1.1.0.6380
Description: This entry holds the version of the connector bundle class. Do not modify this entry.

Code Key: Connector Name
Decode: Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector
Description: This entry holds the name of the connector class. Do not modify this entry.

Code Key: CreateHomeDirectory
Decode: yes
Description: This entry specifies whether a home directory must be created. Enter yes if you want the connector to create a home directory for user accounts. Otherwise, enter no.

Code Key: Group Configuration Lookup
Decode: Lookup.ActiveDirectory.GM.Configuration
Description: This entry holds the name of the lookup definition that contains group-specific configuration properties. Do not modify this entry.

Code Key: NativeGuidConvention
Decode: true
Description: This entry specifies whether the GUID is stored in its native format. This entry is used by the connector internally.
Note: Do not change the value of this entry.

Code Key: ObjectClass
Decode: User
Description: This entry holds the name of the object class to which newly created users on the target system are assigned. If you create a custom object class, then specify the name of that object class. For example, InetOrgPerson.

Code Key: organizationalUnit Configuration Lookup
Decode: Lookup.ActiveDirectory.OM.Configuration
Description: This entry holds the name of the lookup definition that contains organization-specific configuration properties. This lookup definition is used as the configuration lookup definition when you perform reconciliation of organizational units. Do not modify this entry.

Code Key: PageSize
Decode: 1000
Description: This entry holds the page size of records fetched in each call to the target system during a reconciliation run.
Paging splits the entire result set of a query into smaller subsets called, appropriately enough, pages.
In general, it is recommended to set this value to the maximum page size for simple searches. By setting the page size to the maximum value, you can minimize the network roundtrips necessary to retrieve each page, which tends to be the more expensive operation for simple searches.
While it is possible to specify a PageSize greater than the MaxPageSize of the target system, the Active Directory server will ignore it and use the MaxPageSize instead. No exception will be generated in this case.
In some cases, you might need to specify a smaller page size to avoid timeouts or overtaxing the server. Some queries are especially expensive, so limiting the number of results in a single page can help avoid this.

Code Key: Recon Date Format
Decode: yyyyMMddHHmmss.0Z
Description: This entry holds the format in which the last reconciliation run timing must be displayed.

Code Key: SearchChildDomains
Decode: no
Description: This entry determines the search scope of users, groups, or organizational units within the domain name specified as the value of the DomainName attribute.
Enter no if you want the connector to search for users, groups, or organizational units only from the specified domain. The domain name is specified as the value of the DomainName parameter of the IT resource. Note that records are fetched from the domain controller specified as the value of the SyncDomainController parameter of the IT resource.
Enter yes if you want the connector to search for users, groups, or organizational units from the specified domain and its child domains. In this case, the global catalog server is used for fetching records. Note that you specify the global catalog server as the value of the SyncGlobalCatalogServer parameter of the IT resource.
Note: If you enter yes, then do not enter a value for the LDAPHostName parameter of the IT resource. The connector will automatically find the right domain controller to fetch complete user information after obtaining the distinguished name from the global catalog server.

Code Key: UseDeleteTreeForAccounts
Decode: false
Description: This entry specifies whether the associated leaf nodes of an __ACCOUNT__ object to be deleted are to be removed along with the object. If the value of this entry is not true and the __ACCOUNT__ object to be deleted has leaf nodes, then the operation fails and an error message is displayed.
If you set the value of this entry to false, then the __ACCOUNT__ object is removed from the child list of its parent only. Otherwise, regardless of the object class, the whole tree is removed recursively.

Code Key: User Configuration Lookup
Decode: Lookup.ActiveDirectory.UM.Configuration
Description: This entry holds the name of the lookup definition that contains user-specific configuration properties. Do not modify this entry.
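The behaviour of the UseDeleteTreeForAccounts entry in Table 1-3 is easy to misread, so the following Python script is an added example (not code from the Oracle guide or the connector) that models it on a small in-memory directory tree: with the value false, an __ACCOUNT__ object that still has leaf nodes is refused and only a leaf account is unlinked from its parent; with the value true, the account's whole subtree is removed recursively. The domain DC=matrix,DC=com and the OU TestOrg8 are taken from the guide's sample DN; the account names and the child entry under one of them are constructed for the example, and the tree itself is a stand-in for the target system, not a connection to it.

```python
"""Added example, not part of the Oracle guide or the connector: an in-memory
model of how the UseDeleteTreeForAccounts entry changes an __ACCOUNT__ delete."""
from typing import Dict, List, Optional


class DirectoryTree:
    """Tiny parent/child index of directory entries keyed by DN (constructed)."""

    def __init__(self) -> None:
        self.parent: Dict[str, Optional[str]] = {}
        self.children: Dict[str, List[str]] = {}

    def add(self, dn: str, parent_dn: Optional[str]) -> None:
        self.parent[dn] = parent_dn
        self.children.setdefault(dn, [])
        if parent_dn is not None:
            self.children.setdefault(parent_dn, []).append(dn)

    def exists(self, dn: str) -> bool:
        return dn in self.parent

    def delete_account(self, dn: str, use_delete_tree: bool) -> List[str]:
        """Delete an account object and return the DNs removed, deepest first.

        use_delete_tree=False: only the object itself is removed from its
        parent's child list; if it still has leaf nodes the request fails.
        use_delete_tree=True: the whole subtree is removed recursively."""
        if not self.exists(dn):
            raise KeyError(dn)
        if self.children[dn] and not use_delete_tree:
            raise RuntimeError(
                f"{dn} has child entries; set UseDeleteTreeForAccounts=true")
        removed: List[str] = []

        def remove(node: str) -> None:
            for child in list(self.children[node]):  # copy: list mutates below
                remove(child)
            parent_dn = self.parent.pop(node)
            del self.children[node]
            if parent_dn is not None:
                self.children[parent_dn].remove(node)
            removed.append(node)

        remove(dn)
        return removed


# Constructed sample tree: the domain from the guide's sample DN, one OU,
# two accounts, one of which owns a child entry.
DOMAIN = "DC=matrix,DC=com"
OU = f"OU=TestOrg8,{DOMAIN}"
JDOE = f"CN=jdoe,{OU}"
JDOE_CHILD = f"CN=jdoe-settings,{JDOE}"
ASMITH = f"CN=asmith,{OU}"


def build_sample_tree() -> DirectoryTree:
    tree = DirectoryTree()
    tree.add(DOMAIN, None)
    tree.add(OU, DOMAIN)
    tree.add(JDOE, OU)
    tree.add(JDOE_CHILD, JDOE)
    tree.add(ASMITH, OU)
    return tree


def try_delete(dn: str, use_delete_tree: bool) -> str:
    """Run one delete against a fresh sample tree and summarize the outcome."""
    tree = build_sample_tree()
    try:
        removed = tree.delete_account(dn, use_delete_tree)
    except RuntimeError as err:
        return f"failed: {err}"
    return f"removed {len(removed)} object(s)"


if __name__ == "__main__":
    print(try_delete(ASMITH, False))  # leaf account: succeeds either way
    print(try_delete(JDOE, False))    # has a child entry: refused
    print(try_delete(JDOE, True))     # whole subtree removed
```

The refused delete is the case the table warns about: with the default value false, reconciliation of a deleted user whose account object has children on the target system will surface an error rather than silently dropping the subtree.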


1.6.2.2 Lookup.Configuration.ActiveDirectory.Trusted

The Lookup.Configuration.ActiveDirectory.Trusted lookup definition holds connector configuration entries that are used during trusted source reconciliation.

Table 1-4 lists the default entries in this lookup definition.

Table 1-4 Entries in the Lookup.Configuration.ActiveDirectory.Trusted Lookup Definition

Code Key: ADLDSLockoutThreshold
Decode: 5
Description: This entry holds the number of unsuccessful login attempts after which a user's account must be locked.
Note: This entry is applicable only for the Microsoft AD LDS target system.

Code Key: AlwaysUseObjectGUID
Decode: yes
Description: This entry specifies whether the GUID of an object must be used for searching records during reconciliation. If the object class is of a non-account type and if you set the value of this entry to no, then the DN of the non-account object is used as the UID instead of the GUID.

Code Key: Bundle Name
Decode: ActiveDirectory.Connector
Description: This entry holds the name of the connector bundle package. Do not modify this entry.

Code Key: Bundle Version
Decode: 1.1.0.6380
Description: This entry holds the version of the connector bundle class. Do not modify this entry.

Code Key: Connector Name
Decode: Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector
Description: This entry holds the name of the connector class. Do not modify this entry.

Code Key: MaintainHierarchy
Decode: no
Description: Enter yes to specify that you want to maintain in Oracle Identity Manager the same organization hierarchy that is maintained on the target system. Otherwise, enter no.

Code Key: NativeGuidConvention
Decode: true
Description: This entry specifies whether the GUID is stored in its native format. This entry is used by the connector internally.
Note: Do not change the value of this entry.

Code Key: ObjectClass
Decode: User
Description: This entry holds the name of the object class to which newly created users on the target system are assigned. If you create a custom object class, then specify the name of that object class. For example, InetOrgPerson.

Code Key: organizationalUnit Configuration Lookup
Decode: Lookup.ActiveDirectory.OM.Configuration.Trusted
Description: This entry holds the name of the lookup definition that contains organization-specific configuration properties. This lookup definition is used as the configuration lookup definition when you perform reconciliation of organizational units. Do not modify this entry.

Code Key: PageSize
Decode: 1000
Description: This entry holds the page size of records fetched in each call to the target system during a reconciliation run.
Paging splits the entire result set of a query into smaller subsets called, appropriately enough, pages.
In general, it is recommended to set this value to the maximum page size for simple searches. By setting the page size to the maximum value, you can minimize the network roundtrips necessary to retrieve each page, which tends to be the more expensive operation for simple searches.
While it is possible to specify a PageSize greater than the MaxPageSize of the target system, the Active Directory server will ignore it and use the MaxPageSize instead. No exception will be generated in this case.
In some cases, you might need to specify a smaller page size to avoid timeouts or overtaxing the server. Some queries are especially expensive, so limiting the number of results in a single page can help avoid this.

Code Key: Recon Date Format
Decode: yyyyMMddHHmmss.0Z
Description: This entry holds the format in which the last reconciliation run timing must be displayed.

Code Key: SearchChildDomains
Decode: no
Description: This entry determines the search scope of users, groups, or organizational units within the domain name specified as the value of the DomainName attribute.
Enter no if you want the connector to search for users, groups, or organizational units only from the specified domain. The domain name is specified as the value of the DomainName attribute. Note that records are fetched from the domain controller specified as the value of the SyncDomainController parameter of the IT resource.
Enter yes if you want the connector to search for users, groups, or organizational units from the specified domain and its child domains. In this case, the global catalog server is used for fetching records. Note that you specify the global catalog server as the value of the SyncGlobalCatalogServer parameter of the IT resource.

Code Key: User Configuration Lookup
Decode: Lookup.ActiveDirectory.UM.Configuration.Trusted
Description: This entry holds the name of the lookup definition that contains user-specific configuration properties. Do not modify this entry.


1.6.2.3 Preconfigured Lookup Definitions for User Operations

This section discusses the following lookup definitions for user operations:

1.6.2.3.1 Lookup.ActiveDirectory.UM.Configuration

The Lookup.ActiveDirectory.UM.Configuration lookup definition holds configuration entries that are specific to the user object type. This lookup definition is used during user management operations when your target system is configured as a target resource.

Table 1-5 lists the default entries in this lookup definition.

Table 1-5 Entries in the Lookup.ActiveDirectory.UM.Configuration Lookup Definition

Code Key Decode Description

Provisioning Attribute Map

Lookup.ActiveDirectory.UM.ProvAttrMap

This entry holds the name of the lookup definition that maps process form fields and target system attributes. See Section 1.6.2.3.3, "Lookup.ActiveDirectory.UM.ProvAttrMap" for more information about this lookup definition.

Provisioning Validation Lookup

Lookup.ActiveDirectory.UM.ProvValidation

This entry holds the name of the lookup definition that is used to configure validation of attribute values entered on the process form during provisioning operations. See Section 4.11, "Configuring Validation of Data During Reconciliation and Provisioning" for more information about adding entries in this lookup definition.

Recon Attribute Map

Lookup.ActiveDirectory.UM.ReconAttrMap

This entry holds the name of the lookup definition that maps resource object fields and target system attributes. See Section 1.6.2.3.4, "Lookup.ActiveDirectory.UM.ReconAttrMap" for more information about this lookup definition.

Recon Transformation Lookup

Lookup.ActiveDirectory.UM.ReconTransformation

This entry holds the name of the lookup definition that is used to configure transformation of attribute values that are fetched from the target system during user reconciliation. See Section 4.10, "Configuring Transformation of Data During Reconciliation" for more information about adding entries in this lookup definition.

Recon Validation Lookup

Lookup.ActiveDirectory.UM.ReconValidation

This entry holds the name of the lookup definition that is used to configure validation of attribute values that are fetched from the target system during reconciliation. See Section 4.11, "Configuring Validation of Data During Reconciliation and Provisioning" for more information about adding entries in this lookup definition.


1.6.2.3.2 Lookup.ActiveDirectory.UM.Configuration.Trusted

The Lookup.ActiveDirectory.UM.Configuration.Trusted lookup definition holds configuration entries that are specific to the user object type. This lookup definition is used during trusted source user reconciliation runs.

Table 1-6 lists the default entry in this lookup definition.

Table 1-6 Entries in the Lookup.ActiveDirectory.UM.Configuration.Trusted Lookup Definition

Code Key Decode Description

Recon Attribute Defaults

Lookup.ActiveDirectory.UM.ReconAttrMap.Trusted.Defaults

This entry holds the name of the lookup definition that maps reconciliation fields to their default values.

See Section 1.6.2.3.9, "Lookup.ActiveDirectory.UM.ReconAttrMap.Trusted.Defaults" for more information.

Recon Attribute Map

Lookup.ActiveDirectory.UM.ReconAttrMap.Trusted

This entry holds the name of the lookup definition that maps resource object fields and target system attributes. See Section 1.6.2.3.8, "Lookup.ActiveDirectory.UM.ReconAttrMap.Trusted" for more information about this lookup definition.


1.6.2.3.3 Lookup.ActiveDirectory.UM.ProvAttrMap

The Lookup.ActiveDirectory.UM.ProvAttrMap lookup definition holds mappings between process form fields and target system attributes. This lookup definition is used during provisioning. This lookup definition is preconfigured. Table 1-15 lists the default entries.

You can add entries in this lookup definition if you want to map new target system attributes for provisioning. See Section 4, "Extending the Functionality of the Connector" for more information.

1.6.2.3.4 Lookup.ActiveDirectory.UM.ReconAttrMap

The Lookup.ActiveDirectory.UM.ReconAttrMap lookup definition holds mappings between resource object fields and target system attributes. This lookup definition is used during reconciliation. This lookup definition is preconfigured. Table 1-10 lists the default entries.

You can add entries in this lookup definition if you want to map new target system attributes for reconciliation. See Section 4, "Extending the Functionality of the Connector" for more information.

1.6.2.3.5 Lookup.ActiveDirectory.UM.ProvValidation

The Lookup.ActiveDirectory.UM.ProvValidation lookup definition is used to configure validation of attribute values entered on the process form during provisioning operations. See Section 4.11, "Configuring Validation of Data During Reconciliation and Provisioning" for more information about adding entries in this lookup definition.

1.6.2.3.6 Lookup.ActiveDirectory.UM.ReconTransformation

The Lookup.ActiveDirectory.UM.ReconTransformation lookup definition is used to configure transformation of attribute values that are fetched from the target system during user reconciliation. See Section 4.10, "Configuring Transformation of Data During Reconciliation" for more information about adding entries in this lookup definition.

1.6.2.3.7 Lookup.ActiveDirectory.UM.ReconValidation

The Lookup.ActiveDirectory.UM.ReconValidation lookup definition is used to configure validation of attribute values that are fetched from the target system during reconciliation. See Section 4.11, "Configuring Validation of Data During Reconciliation and Provisioning" for more information about adding entries in this lookup definition.

1.6.2.3.8 Lookup.ActiveDirectory.UM.ReconAttrMap.Trusted

The Lookup.ActiveDirectory.UM.ReconAttrMap.Trusted lookup definition holds mappings between resource object fields and target system attributes. This lookup definition is used during trusted source user reconciliation runs. This lookup definition is preconfigured. Table 1-19 lists the default entries.

You can add entries in this lookup definition if you want to map new target system attributes for reconciliation. See Section 4, "Extending the Functionality of the Connector" for more information.

1.6.2.3.9 Lookup.ActiveDirectory.UM.ReconAttrMap.Trusted.Defaults

The Lookup.ActiveDirectory.UM.ReconAttrMap.Trusted.Defaults lookup definition holds mappings between reconciliation fields and their default values. This lookup definition is used when there is a mandatory field on the OIM User form, but no corresponding field in the target system from which values can be fetched during trusted source reconciliation.

This lookup definition is empty by default. If you add entries to this lookup definition, the Code Key and Decode values must be in the following format:

  • Code Key: Name of the reconciliation field of the AD User resource object

  • Decode: Corresponding default value to be displayed

For example, assume a field named Preferred Language is a mandatory field on the OIM User form. Suppose the target system contains no field that stores information about the preferred language of communication for a user account. During reconciliation, no value for the Preferred Language field is fetched from the target system. However, as the Preferred Language field cannot be left empty, you must specify a value for this field. Therefore, create an entry in this lookup definition with the Code Key value set to Preferred Language and Decode value set to English. This implies that the value of the Preferred Language field on the OIM User form displays English for all user accounts reconciled from the target system.

1.6.2.4 Preconfigured Lookup Definitions for Group Operations

This section discusses the following lookup definitions for group operations:

1.6.2.4.1 Lookup.ActiveDirectory.GM.Configuration

The Lookup.ActiveDirectory.GM.Configuration lookup definition holds configuration entries that are specific to the group object type. This lookup definition is used during group management operations when your target system is configured as a target resource.

Table 1-7 lists the default entries in this lookup definition.

Table 1-7 Entries in the Lookup.ActiveDirectory.GM.Configuration Lookup Definition

Code Key Decode Description

Provisioning Attribute Map

Lookup.ActiveDirectory.GM.ProvAttrMap

This entry holds the name of the lookup definition that maps process form fields and target system attributes. See Section 1.6.2.4.2, "Lookup.ActiveDirectory.GM.ProvAttrMap" for more information about this lookup definition.

Provisioning Validation Lookup

Lookup.ActiveDirectory.GM.ProvValidation

This entry holds the name of the lookup definition that is used to configure validation of attribute values entered on the process form during provisioning operations. See Section 4.11, "Configuring Validation of Data During Reconciliation and Provisioning" for more information about adding entries in this lookup definition.

Recon Attribute Defaults

Lookup.ActiveDirectory.GM.ReconAttrMap.Defaults

This entry holds the name of the lookup definition that maps fields on the group form and their default values. See Section 1.6.2.4.7, "Lookup.ActiveDirectory.GM.ReconAttrMap.Defaults" for more information about this lookup definition.

Recon Attribute Map

Lookup.ActiveDirectory.GM.ReconAttrMap

This entry holds the name of the lookup definition that maps resource object fields and target system attributes. See Section 1.6.2.4.3, "Lookup.ActiveDirectory.GM.ReconAttrMap" for more information about this lookup definition.

Recon Transformation Lookup

Lookup.ActiveDirectory.GM.ReconTransformation

This entry holds the name of the lookup definition that is used to configure transformation of attribute values that are fetched from the target system during group reconciliation. See Section 4.10, "Configuring Transformation of Data During Reconciliation" for more information about adding entries in this lookup definition.

Recon Validation Lookup

Lookup.ActiveDirectory.GM.ReconValidation

This entry holds the name of the lookup definition that is used to configure validation of attribute values that are fetched from the target system during reconciliation. See Section 4.11, "Configuring Validation of Data During Reconciliation and Provisioning" for more information about adding entries in this lookup definition.


1.6.2.4.2 Lookup.ActiveDirectory.GM.ProvAttrMap

The Lookup.ActiveDirectory.GM.ProvAttrMap lookup definition holds mappings between process form fields and target system attributes. This lookup definition is used during group provisioning operations. This lookup definition is preconfigured. Table 1-17 lists the default entries.

You can add entries in this lookup definition if you want to map new target system attributes for provisioning. See Section 4, "Extending the Functionality of the Connector" for more information.

1.6.2.4.3 Lookup.ActiveDirectory.GM.ReconAttrMap

The Lookup.ActiveDirectory.GM.ReconAttrMap lookup definition holds mappings between resource object fields and target system attributes. This lookup definition is used during group reconciliation. This lookup definition is preconfigured. Table 1-11 lists the default entries.

You can add entries in this lookup definition if you want to map new target system attributes for reconciliation. See Section 4, "Extending the Functionality of the Connector" for more information.

1.6.2.4.4 Lookup.ActiveDirectory.GM.ProvValidation

The Lookup.ActiveDirectory.GM.ProvValidation lookup definition is used to configure validation of attribute values entered on the process form during group provisioning operations. See Section 4.11, "Configuring Validation of Data During Reconciliation and Provisioning" for more information about adding entries in this lookup definition.

1.6.2.4.5 Lookup.ActiveDirectory.GM.ReconTransformation

The Lookup.ActiveDirectory.GM.ReconTransformation lookup definition is used to configure transformation of attribute values that are fetched from the target system during group reconciliation. See Section 4.10, "Configuring Transformation of Data During Reconciliation" for more information about adding entries in this lookup definition.

1.6.2.4.6 Lookup.ActiveDirectory.GM.ReconValidation

The Lookup.ActiveDirectory.GM.ReconValidation lookup definition is used to configure validation of attribute values that are fetched from the target system during group reconciliation. See Section 4.11, "Configuring Validation of Data During Reconciliation and Provisioning" for more information about adding entries in this lookup definition.

1.6.2.4.7 Lookup.ActiveDirectory.GM.ReconAttrMap.Defaults

The Lookup.ActiveDirectory.GM.ReconAttrMap.Defaults lookup definition holds mappings between reconciliation fields (for group) and their default values. This lookup definition is used when there is a mandatory field on the group form, but no corresponding field in the target system from which values can be fetched during group reconciliation.

This lookup definition is empty by default. If you add entries to this lookup definition, then the Code Key and Decode values must be in the following format:

Code Key: Name of the reconciliation field of the AD Group resource object

Decode: Corresponding default value to be displayed

For example, assume a field named Group ID is a mandatory field on the group form. Suppose the target system contains no field that stores information about the group ID for an account. During reconciliation, no value for the Group ID field is fetched from the target system. However, as the Group ID field cannot be left empty, you must specify a value for this field. Therefore, create an entry in this lookup definition with the Code Key value set to Group ID and Decode value set to GRP1223. This implies that the value of the Group ID field on the group form displays GRP1223 for all accounts reconciled from the target system.

1.6.2.4.8 Lookup.ActiveDirectory.GroupTypes

The Lookup.ActiveDirectory.GroupTypes lookup definition holds information about group types that you can select for the group that you create through Oracle Identity Manager. The following is the format of the Code Key and Decode values in this lookup definition:

Code Key: Group type code on the target system

Decode: Corresponding group type to be displayed in the Group Type lookup field of the group form

1.6.2.5 Preconfigured Lookup Definitions for Organizational Unit Operations

This section discusses the following lookup definitions for organizational unit operations:

1.6.2.5.1 Lookup.ActiveDirectory.OM.Configuration

The Lookup.ActiveDirectory.OM.Configuration lookup definition holds configuration entries that are specific to the organizational unit object type. This lookup definition is used during organizational unit management operations when your target system is configured as a target resource.

Table 1-8 lists the default entries in this lookup definition.

Table 1-8 Entries in the Lookup.ActiveDirectory.OM.Configuration Lookup Definition

Code Key Decode Description

Provisioning Attribute Map

Lookup.ActiveDirectory.OM.ProvAttrMap

This entry holds the name of the lookup definition that maps process form fields and target system attributes. See Section 1.6.2.5.3, "Lookup.ActiveDirectory.OM.ProvAttrMap" for more information about this lookup definition.

Provisioning Validation Lookup

Lookup.ActiveDirectory.OM.ProvValidation

This entry holds the name of the lookup definition that is used to configure validation of attribute values entered on the process form during provisioning operations. See Section 4.11, "Configuring Validation of Data During Reconciliation and Provisioning" for more information about adding entries in this lookup definition.

Recon Attribute Defaults

Lookup.ActiveDirectory.OM.ReconAttrMap.Defaults

This entry holds the name of the lookup definition that maps fields on the organizational unit form and their default values.

See Section 1.6.2.5.9, "Lookup.ActiveDirectory.OM.ReconAttrMap.Defaults" for more information about this lookup definition.

Recon Attribute Map

Lookup.ActiveDirectory.OM.ReconAttrMap

This entry holds the name of the lookup definition that maps resource object fields and target system attributes. See Section 1.6.2.5.4, "Lookup.ActiveDirectory.OM.ReconAttrMap" for more information about this lookup definition.

Recon Transformation Lookup

Lookup.ActiveDirectory.OM.ReconTransformation

This entry holds the name of the lookup definition that is used to configure transformation of attribute values that are fetched from the target system during reconciliation of organizational units. See Section 4.10, "Configuring Transformation of Data During Reconciliation" for more information about adding entries in this lookup definition.

Recon Validation Lookup

Lookup.ActiveDirectory.OM.ReconValidation

This entry holds the name of the lookup definition that is used to configure validation of attribute values that are fetched from the target system during reconciliation. See Section 4.11, "Configuring Validation of Data During Reconciliation and Provisioning" for more information about adding entries in this lookup definition.


1.6.2.5.2 Lookup.ActiveDirectory.OM.Configuration.Trusted

The Lookup.ActiveDirectory.OM.Configuration.Trusted lookup definition holds configuration entries that are specific to the organizational unit object type. This lookup definition is used during trusted source reconciliation runs for organizational units.

Table 1-9 lists the default entries in this lookup definition.

Table 1-9 Entries in the Lookup.ActiveDirectory.OM.Configuration.Trusted Lookup Definition

Code Key Decode Description

Recon Attribute Defaults

Lookup.ActiveDirectory.OM.ReconAttrMap.Trusted.Defaults

This entry holds the name of the lookup definition that maps fields on the organizational unit form and their default values.

See Section 1.6.2.5.9, "Lookup.ActiveDirectory.OM.ReconAttrMap.Defaults" for more information about this lookup definition.

Recon Attribute Map

Lookup.ActiveDirectory.OM.ReconAttrMap.Trusted

This entry holds the name of the lookup definition that maps resource object fields and target system attributes. See Section 1.6.2.5.8, "Lookup.ActiveDirectory.OM.ReconAttrMap.Trusted" for more information about this lookup definition.


1.6.2.5.3 Lookup.ActiveDirectory.OM.ProvAttrMap

The Lookup.ActiveDirectory.OM.ProvAttrMap lookup definition holds mappings between process form fields and target system attributes. This lookup definition is used during provisioning. This lookup definition is preconfigured. Table 1-18 lists the default entries.

You can add entries in this lookup definition if you want to map new target system attributes for provisioning. See Section 4, "Extending the Functionality of the Connector" for more information.

1.6.2.5.4 Lookup.ActiveDirectory.OM.ReconAttrMap

The Lookup.ActiveDirectory.OM.ReconAttrMap lookup definition holds mappings between resource object fields and target system attributes. This lookup definition is used during reconciliation of organizational units. This lookup definition is preconfigured. Table 1-12 lists the default entries.

You can add entries in this lookup definition if you want to map new target system attributes for reconciliation. See Section 4, "Extending the Functionality of the Connector" for more information.

1.6.2.5.5 Lookup.ActiveDirectory.OM.ProvValidation

The Lookup.ActiveDirectory.OM.ProvValidation lookup definition is used to configure validation of attribute values entered on the process form during provisioning operations for organizational units. See Section 4.11, "Configuring Validation of Data During Reconciliation and Provisioning" for more information about adding entries in this lookup definition.

1.6.2.5.6 Lookup.ActiveDirectory.OM.ReconTransformation

The Lookup.ActiveDirectory.OM.ReconTransformation lookup definition is used to configure transformation of attribute values that are fetched from the target system during reconciliation of organizational units. See Section 4.10, "Configuring Transformation of Data During Reconciliation" for more information about adding entries in this lookup definition.

1.6.2.5.7 Lookup.ActiveDirectory.OM.ReconValidation

The Lookup.ActiveDirectory.OM.ReconValidation lookup definition is used to configure validation of attribute values that are fetched from the target system during reconciliation. See Section 4.11, "Configuring Validation of Data During Reconciliation and Provisioning" for more information about adding entries in this lookup definition.

1.6.2.5.8 Lookup.ActiveDirectory.OM.ReconAttrMap.Trusted

The Lookup.ActiveDirectory.OM.ReconAttrMap.Trusted lookup definition holds mappings between resource object fields and target system attributes. This lookup definition is used during trusted source reconciliation runs for organizational units. This lookup definition is preconfigured. Table 1-20 lists the default entries.

You can add entries in this lookup definition if you want to map new target system attributes for reconciliation. See Section 4, "Extending the Functionality of the Connector" for more information.

1.6.2.5.9 Lookup.ActiveDirectory.OM.ReconAttrMap.Defaults

The Lookup.ActiveDirectory.OM.ReconAttrMap.Defaults lookup definition holds mappings between fields on the organizational unit form and their default values. This lookup definition is used when there is a mandatory field on the organizational unit form, but no corresponding field in the target system from which values can be fetched during organizational unit reconciliation.

This lookup definition is empty by default. If you add entries to this lookup definition, then the Code Key and Decode values must be in the following format:

Code Key: Name of the reconciliation field of the AD Organizational Unit resource object

Decode: Corresponding default value to be displayed

For example, assume a field named Organization ID is a mandatory field on the organizational unit form. Suppose the target system contains no field that stores information about the organization ID for an account. During reconciliation, no value for the Organization ID field is fetched from the target system. However, as the Organization ID field cannot be left empty, you must specify a value for this field. Therefore, create an entry in this lookup definition with the Code Key value set to Organization ID and Decode value set to ORG1332. This implies that the value of the Organization ID field on the organizational unit form displays ORG1332 for all accounts reconciled from the target system.

1.6.2.6 Preconfigured Lookup Definitions for AD LDS

This section discusses the following lookup definitions for AD LDS:

1.6.2.6.1 Lookup.ActiveDirectoryLDS.UM.ProvAttrMap

The Lookup.ActiveDirectoryLDS.UM.ProvAttrMap lookup definition holds mappings between process form fields and target system attributes for AD LDS. This lookup definition is used during provisioning. This lookup definition is preconfigured.

You can add entries in this lookup definition if you want to map new target system attributes for provisioning. See Section 4, "Extending the Functionality of the Connector" for more information.

1.6.2.6.2 Lookup.ActiveDirectoryLDS.UM.ReconAttrMap

The Lookup.ActiveDirectoryLDS.UM.ReconAttrMap lookup definition holds mappings between resource object fields and target system attributes for AD LDS. This lookup definition is used during reconciliation. This lookup definition is preconfigured.

You can add entries in this lookup definition if you want to map new target system attributes for reconciliation. See Section 4, "Extending the Functionality of the Connector" for more information.

1.6.2.6.3 Lookup.ActiveDirectoryLDS.UM.ReconAttrMap.Trusted

The Lookup.ActiveDirectoryLDS.UM.ReconAttrMap.Trusted lookup definition holds mappings between resource object fields and target system attributes for AD LDS. This lookup definition is used during trusted source user reconciliation runs. This lookup definition is preconfigured.

You can add entries in this lookup definition if you want to map new target system attributes for reconciliation. See Section 4, "Extending the Functionality of the Connector" for more information.

1.6.2.6.4 Lookup.ActiveDirectoryLDS.GM.ProvAttrMap

The Lookup.ActiveDirectoryLDS.GM.ProvAttrMap lookup definition holds mappings between group process form fields and target system attributes for AD LDS. This lookup definition is used during provisioning. This lookup definition is preconfigured.

You can add entries in this lookup definition if you want to map new target system attributes for provisioning. See Section 4, "Extending the Functionality of the Connector" for more information.

1.6.2.6.5 Lookup.ActiveDirectoryLDS.GM.ReconAttrMap

The Lookup.ActiveDirectoryLDS.GM.ReconAttrMap lookup definition holds mappings between resource object fields and target system attributes for AD LDS. This lookup definition is used during reconciliation of groups. This lookup definition is preconfigured.

You can add entries in this lookup definition if you want to map new target system attributes for reconciliation. See Section 4, "Extending the Functionality of the Connector" for more information.

1.7 Connector Objects Used During Target Resource Reconciliation

Target resource reconciliation involves fetching data about newly created or modified accounts on the target system and using this data to add or modify resources assigned to OIM Users.

The Active Directory User Target Recon scheduled job is used to initiate a target resource reconciliation run. This scheduled task is discussed in Section 3.3.4.1, "Scheduled Jobs for Reconciliation of User Records."

See Also:

Oracle Fusion Middleware User's Guide for Oracle Identity Manager for conceptual information about reconciliation

This section discusses the following topics:

1.7.1 User Fields for Target Resource Reconciliation

The Lookup.ActiveDirectory.UM.ReconAttrMap lookup definition maps user resource object fields and target system attributes. This lookup definition is used for performing target resource user reconciliation runs.

In this lookup definition, entries are in the following format:

  • Code Key: Reconciliation field of the resource object

  • Decode: Name of the target system attribute

Table 1-10 lists the entries in this lookup definition.

Table 1-10 Entries in the Lookup.ActiveDirectory.UM.ReconAttrMap Lookup Definition

Resource Object Field Target System Field

Department

department

Full Name

displayName

Terminal Home Directory

TerminalServicesHomeDirectory

Unique Id

__UID__

Mobile

mobile

Terminal Profile Path

TerminalServicesProfilePath

Home Phone

homePhone

Company

company

Account is Locked out

__LOCK_OUT__

Middle Name

middleName

Organization Name[LOOKUP]

ad_container

IP Phone

ipPhone

Common Name

cn

State

st

Country

c

Street

streetAddress

City

l

User Principal Name

userPrincipalName

Last Name

sn

E Mail

mail

User Must Change Password At Next Logon

__PASSWORD_EXPIRED__

Fax

facsimileTelephoneNumber

Homedirectory

homeDirectory

Manager Name

manager

Password Never Expires

PasswordNeverExpires

Terminal Allow Login

AllowLogon

First Name

givenName

Pager

pager

Account Expiration Date[DATE]

__PASSWORD_EXPIRATION_DATE__

groups~Group Name[LOOKUP]

__GROUPS__

Office

physicalDeliveryOfficeName

Telephone Number

telephoneNumber

Post Office Box

postOfficeBox

User Id

sAMAccountName

Title

title

Status

__ENABLE__


1.7.2 Group Fields for Reconciliation

The Lookup.ActiveDirectory.GM.ReconAttrMap lookup definition maps group resource object fields and target system attributes. This lookup definition is used for performing target resource group reconciliation runs.

Table 1-11 lists the group fields of the target system from which values are fetched during reconciliation. The Active Directory Group Recon scheduled job is used to reconcile group data.

Table 1-11 Entries in the Lookup.ActiveDirectory.GM.ReconAttrMap

Group Field on Oracle Identity Manager Microsoft Active Directory Field

Display Name

displayName

Group name

sAMAccountName

Group Type

groupType

OIM Org Name

sAMAccountName

Organization Name[LOOKUP]

ad_container

Org Name

sAMAccountName

Org Type

OIM Organization Type

Unique Id

__UID__


1.7.3 Organizational Unit Fields for Reconciliation

The Lookup.ActiveDirectory.OM.ReconAttrMap lookup definition maps organization resource object fields and target system attributes. This lookup definition is used for performing target resource reconciliation runs for organizational units.

Table 1-12 lists the organizational unit fields of the target system from which values are fetched during reconciliation.

Table 1-12 Entries in the Lookup.ActiveDirectory.OM.ReconAttrMap

Organization Field on Oracle Identity Manager Microsoft Active Directory Field

Container[LOOKUP]

ad_container

Display Name

ou

Unique Id

__UID__


1.7.4 Reconciliation Rules for Target Resource Reconciliation

See Also:

Oracle Fusion Middleware User's Guide for Oracle Identity Manager for generic information about reconciliation matching and action rules

The following is the process matching rule:

Rule name: AD User Target Recon Rule

Rule element: (ObjectGUID Equals Unique Id) OR (User Login Equals User Id)

In the first rule component:

  • ObjectGUID is the objectGUID of the resource assigned to the OIM User.

  • Unique Id is the ID that uniquely identifies a user account. Unique Id is mapped to __UID__, which is the GUID value of the user account in the target system.

In the second rule component:

  • User Login is the User ID field on the OIM User form.

  • User Id is the sAMAccountName field of Microsoft Active Directory or the userPrincipalName field of Microsoft ADAM.

This rule supports the following scenarios:

  • You can provision multiple Microsoft Active Directory resources to the same OIM User, either on Oracle Identity Manager or directly on the target system.

  • You can change the user ID of a user on the target system.

This is illustrated by the following use cases:

  • Use case 1: You provision an AD account for an OIM User, and you also create an account for the user directly on the target system.

    When the first rule condition is applied, no match is found. Then, the second rule condition is applied and it is determined that a second account has been given to the user on the target system. Details of this second account are associated with the OIM User by the reconciliation engine.

  • Use case 2: An OIM User has an AD account. You then change the user ID of the user on the target system.

    During the next reconciliation run, application of the first rule condition helps match the resource with the record.

After you deploy the connector, you can view the reconciliation rule for target resource reconciliation by performing the following steps:

Note:

Perform the following procedure only after the connector is deployed.

  1. Log in to the Oracle Identity Manager Design Console.

  2. Expand Development Tools.

  3. Double-click Reconciliation Rules.

  4. Search for AD User Target Recon Rule. Figure 1-2 shows the reconciliation rule for target resource reconciliation.

    Figure 1-2 Reconciliation Rule for Target Resource Reconciliation


1.7.5 Reconciliation Action Rules for Target Resource Reconciliation

Table 1-13 lists the action rules for target resource reconciliation.

Table 1-13 Action Rules for Target Resource Reconciliation

Rule Condition              Action
No Matches Found            Assign to Authorizer With Least Load
One Entity Match Found      Establish Link
One Process Match Found     Establish Link


Note:

No action is performed for rule conditions that are not predefined for this connector. You can define your own action rule for such rule conditions. See Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for information about modifying or creating reconciliation action rules.

After you deploy the connector, you can view the reconciliation action rules for target resource reconciliation by performing the following steps:

  1. Log in to the Oracle Identity Manager Design Console.

  2. Expand Resource Management.

  3. Double-click Resource Objects.

  4. Search for and open the AD User resource object.

  5. Click the Object Reconciliation tab, and then click the Reconciliation Action Rules tab. The Reconciliation Action Rules tab displays the action rules defined for this connector. Figure 1-3 shows the reconciliation action rule for target resource reconciliation.

    Figure 1-3 Reconciliation Action Rules for Target Resource Reconciliation


1.8 Connector Objects Used During Provisioning

Provisioning involves creating or modifying user data on the target system through Oracle Identity Manager.

See Also:

Oracle Fusion Middleware User's Guide for Oracle Identity Manager for conceptual information about provisioning

1.8.1 Provisioning Functions

Table 1-14 lists the supported user provisioning functions and the adapters that perform these functions. The functions listed in the table correspond to either a single or multiple process tasks.

Table 1-14 Provisioning Functions

Function                                                  Adapter

User Provisioning Functions
Create a user account                                     ADIDC Create Object
Delete a user account                                     ADIDC Delete Object
Enable a disabled user account                            ADIDC Enable User
Disable a user account                                    ADIDC Disable User
Update the password                                       ADIDC Return Text Value
Update the redirection e-mail address                     ADIDC Update Attribute Value
Update the zip code                                       ADIDC Update Attribute Value
Update the terminal home directory                        ADIDC Update Attribute Value
Update the pager                                          ADIDC Update Attribute Value
Update the IP phone                                       ADIDC Update Attribute Value
Update the first name                                     ADIDC Update Attribute Value
Update the title                                          ADIDC Update Attribute Value
Update the user account principal name                    ADIDC Update Attribute Value
Update the middle name                                    ADIDC Update Attribute Value
Update the account expiration date                        ADIDC Update Attribute Value
Update the password never expires flag                    ADIDC Update Attribute Value
Update the password not required flag                     ADIDC Update Attribute Value
Update organization name                                  ADIDC Update Attribute Value
Update the company name                                   ADIDC Update Attribute Value
Update the account is locked flag                         ADIDC Update Attribute Value
Update the last name                                      ADIDC Update Attribute Value
Update the user home directory                            ADIDC Update Attribute Value
Update the post office box                                ADIDC Update Attribute Value
Update the terminal allow login field                     ADIDC Update Attribute Value
Update the state                                          ADIDC Update Attribute Value
Update the mobile number                                  ADIDC Update Attribute Value
Update the telephone number                               ADIDC Update Attribute Value
Update the street                                         ADIDC Update Attribute Value
Update the country                                        ADIDC Update Attribute Value
Update the fax                                            ADIDC Update Attribute Value
Update the e-mail ID                                      ADIDC Update Attribute Value
Update the terminal profile path                          ADIDC Update Attribute Value
Update the department                                     ADIDC Update Attribute Value
Update the full name                                      ADIDC Update Attribute Value
Update home phone                                         ADIDC Update Attribute Value
Update the city                                           ADIDC Update Attribute Value
Update the manager name                                   ADIDC Update Attribute Value
Update the user ID                                        ADIDC Update Attribute Value
Update common name                                        ADIDC Update Attribute Value
Update the user must change password at next logon flag   ADIDC Update Attribute Value
Delete group membership                                   ADIDC Update Child Table Values
Create object class                                       ADIDC Update Child Table Values
Update group membership                                   ADIDC Update Child Table Values
Create group membership                                   ADIDC Update Child Table Values
Update object class                                       ADIDC Update Child Table Values
Delete object class                                       ADIDC Update Child Table Values

Group Provisioning Functions
Create group                                              ADIDC Create Object
Delete group                                              ADIDC Delete Object
Display Name Updated                                      ADIDC Update Attribute Value
Group Name Updated                                        ADIDC Update Attribute Value
Group Type Updated                                        ADIDC Update Attribute Value
Organization Name Updated                                 ADIDC Update Attribute Value

Organizational Unit Provisioning Functions
Create Organizational Unit                                ADIDC Create Object
Display Name Updated                                      ADIDC Update Attribute Value
Container Updated                                         ADIDC Update Attribute Value
Delete Organizational Unit                                ADIDC Delete Object


1.8.2 User Fields for Provisioning

The Lookup.ActiveDirectory.UM.ProvAttrMap lookup definition maps process form fields with target system attributes. This lookup definition is used for performing user provisioning operations.

Table 1-15 lists the user identity fields of the target system for which you can specify or modify values during provisioning operations.

Table 1-15 Entries in the Lookup.ActiveDirectory.UM.ProvAttrMap Lookup Definition

Process Form Field                          Target System Field
Manager Name                                manager
Terminal Home Directory                     TerminalServicesHomeDirectory
UD_ADUSRC~Group Name[Lookup]                __GROUPS__
Terminal Profile Path                       TerminalServicesProfilePath
Account Expiration Date[DATE]               __PASSWORD_EXPIRATION_DATE__
Street                                      streetAddress
Zip                                         postalCode
Middle Name                                 middleName
User Must Change Password At Next Logon     __PASSWORD_EXPIRED__
Office                                      physicalDeliveryOfficeName
Home Phone                                  homePhone
City                                        l
Account is Locked out                       __LOCK_OUT__
Last Name                                   sn
IP Phone                                    ipPhone
Mobile                                      mobile
Telephone Number                            telephoneNumber
State                                       st
Fax                                         facsimileTelephoneNumber
First Name                                  givenName
Password                                    __PASSWORD__
Full Name                                   displayName
Redirection Mail Id                         __MAILREDIRECTION__
__NAME__                                    __NAME__="CN=$(Common_Name),$(Organization_Name)"
Password Not Required                       PasswordNotRequired
Terminal Allow Login                        AllowLogon
Country                                     c
User Id                                     sAMAccountName
Pager                                       pager
Organization Name[LOOKUP,IGNORE]            IGNORED
Unique Id                                   __UID__
E Mail                                      mail
Common Name[IGNORE]                         IGNORED
Title                                       title
Company                                     company
Password Never Expires                      PasswordNeverExpires
Department                                  department
User Principal Name                         userPrincipalName
Homedirectory                               homeDirectory
Post Office Box                             postOfficeBox


Table 1-16 lists special characters that are supported in process form fields.

Table 1-16 Special Characters Supported in Process Form Fields

Name of the Character   Character
ampersand               &
asterisk                *
at sign                 @
backslash               \
caret                   ^
comma                   ,
dollar sign             $
double quotation mark   "
equal sign              =
exclamation point       !
hyphen                  -
left brace              {
left bracket            [
left parenthesis        (
number sign             #
percent sign            %
period                  .
plus sign               +
question mark           ?
right brace             }
right bracket           ]
right parenthesis       )
single quotation mark   '
slash                   /
underscore              _


1.8.3 Group Fields for Provisioning

The Lookup.ActiveDirectory.GM.ProvAttrMap lookup definition maps user resource object fields and target system attributes. This lookup definition is used for performing group provisioning operations.

Table 1-17 lists the group fields of the target system for which you can specify or modify values during provisioning operations.

Table 1-17 Entries in the Lookup.ActiveDirectory.GM.ProvAttrMap

Group Field on Oracle Identity Manager  Target System Field
__NAME__                                __NAME__="CN=${Group_Name},${Organization_Name}"
Display Name                            displayName
Group Name                              sAMAccountName
Group Type                              groupType
Organization Name[LOOKUP,IGNORE]        IGNORED
Unique Id                               __UID__


1.8.4 Organizational Unit Fields for Provisioning

The Lookup.ActiveDirectory.OM.ProvAttrMap lookup definition maps organization resource object fields and target system attributes. This lookup definition is used for performing organizational unit provisioning operations.

Table 1-18 lists the organizational unit fields of the target system for which you can specify or modify values during provisioning operations.

Table 1-18 Entries in the Lookup.ActiveDirectory.OM.ProvAttrMap

Organizational Unit Field on Oracle Identity Manager    Target System Field
__NAME__                                                __NAME__="OU=$(Display_Name),$(Container)"
Container[LOOKUP,IGNORE]                                IGNORED
Display Name[IGNORE]                                    IGNORED
Unique Id                                               __UID__

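The __NAME__ entries in Tables 1-15, 1-17 and 1-18 build the object's DN from process form values, while Table 1-16 allows DN metacharacters such as the comma, plus sign and double quotation mark in those same fields. The following is an added example, not the connector's own code: a template expander that escapes each RDN value per RFC 4514 before substitution, so a Common Name of "Smith, John" becomes part of the CN instead of an extra RDN; the function names, the dict-based process form and the acceptance of both the $( ) and ${ } placeholder spellings printed in the tables are assumptions.

```python
import re

# RFC 4514 requires these characters to be escaped inside an RDN value. Some of
# them (comma, plus sign, double quotation mark, backslash) are characters that
# Table 1-16 allows in process form fields; substituted raw into "CN=...",
# they would change the DN structure instead of being part of the name.
_DN_SPECIAL = set(',+"\\<>;')

def escape_rdn_value(value: str) -> str:
    """Escape one RDN attribute value per RFC 4514 section 2.4."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append('\\' + ch)
        elif ch == '#' and i == 0:                  # leading number sign
            out.append('\\#')
        elif ch == ' ' and (i == 0 or i == last):   # leading or trailing space
            out.append('\\ ')
        elif ch == '\x00':
            out.append('\\00')
        else:
            out.append(ch)
    return ''.join(out)

# Placeholder syntax as printed in the lookup tables: $(Field) or ${Field}.
_PLACEHOLDER = re.compile(r'\$[({]([A-Za-z0-9_]+)[)}]')

def parse_name_lookup(decode: str) -> str:
    """Strip the __NAME__="..." wrapper from a lookup decode value."""
    m = re.fullmatch(r'__NAME__="(.*)"', decode.strip())
    if not m:
        raise ValueError('not a __NAME__ template: ' + decode)
    return m.group(1)

def build_name(decode: str, form: dict, container_fields: set) -> str:
    """Expand a __NAME__ template with values from a process form (a dict).
    Fields named in container_fields (the [LOOKUP,IGNORE] ones, e.g.
    Organization_Name or Container) already hold a DN and are copied as-is;
    every other field is a single RDN value and is escaped before insertion."""
    def repl(m):
        key = m.group(1)
        if key not in form:
            raise KeyError('process form has no value for ' + key)
        value = form[key]
        return value if key in container_fields else escape_rdn_value(value)
    return _PLACEHOLDER.sub(repl, parse_name_lookup(decode))
```

With the constructed form {'Common_Name': 'Smith, John', 'Organization_Name': 'OU=Staff,DC=example,DC=com'} the user template yields CN=Smith\, John,OU=Staff,DC=example,DC=com.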

1.9 Connector Objects Used During Trusted Source Reconciliation

Trusted source reconciliation involves fetching data about newly created or modified accounts on the target system and using that data to create or update OIM Users.

The Active Directory User Trusted Recon scheduled task is used to initiate a trusted source reconciliation run. This scheduled task is discussed in Section 3.3.4.1, "Scheduled Jobs for Reconciliation of User Records."

See Also:

Oracle Fusion Middleware User's Guide for Oracle Identity Manager for conceptual information about trusted source reconciliation

1.9.1 User Fields for Trusted Source Reconciliation

The Lookup.ActiveDirectory.UM.ReconAttrMap.Trusted lookup definition maps user fields of the OIM User form with corresponding field names in the target system. This lookup definition is used for performing trusted source reconciliation runs.

Table 1-19 lists the user identity fields whose values are fetched from the target system during a trusted source reconciliation run.

Table 1-19 Entries in the Lookup.ActiveDirectory.UM.ReconAttrMap.Trusted Lookup Definition

OIM User Form Field         Target System Field
E Mail                      mail
Employee Type               OIM Employee Type
First Name                  givenName
Last Name                   sn
Manager ID                  Manager Id
Middle Name                 middleName
objectGUID                  __UID__
Organization                __PARENTCN__
TrustedStatus[TRUSTED]      __ENABLE__
User Id                     sAMAccountName
User Type                   OIM User Type


1.9.2 Organizational Unit Fields for Trusted Source Reconciliation

The Lookup.ActiveDirectory.OM.ReconAttrMap.Trusted lookup definition maps organizational unit fields of the OIM User form with corresponding field names in the target system. This lookup definition is used for performing trusted source reconciliation runs.

Table 1-20 lists the organizational unit field whose value is fetched from the target system during a trusted source reconciliation run.

Table 1-20 Entries in the Lookup.ActiveDirectory.OM.ReconAttrMap.Trusted Lookup Definition

OIM User Form Field         Target System Field
Org Name                    ou


1.9.3 Reconciliation Rule for Trusted Source Reconciliation

See Also:

Oracle Fusion Middleware User's Guide for Oracle Identity Manager for generic information about reconciliation matching and action rules

The following is the entity matching rule:

Rule name: AD User Trusted Recon Rule

Rule: User Login Equals User Id

In this rule:

  • User Login is the User ID field on the OIM User form.

  • User Id is the sAMAccountName field of Microsoft Active Directory or the userPrincipalName field of Microsoft AD LDS.

After you deploy the connector, you can view the reconciliation rule for trusted source reconciliation by performing the following steps:

  1. Log in to the Oracle Identity Manager Design Console.

  2. Expand Development Tools.

  3. Double-click Reconciliation Rules.

  4. Search for AD User Trusted Source Recon Rule. Figure 1-4 shows the reconciliation rule for trusted source reconciliation.

Figure 1-4 Reconciliation Rule for Trusted Source Reconciliation


Note:

In Microsoft Active Directory, the sAMAccountName attribute is a mandatory and unique field.

1.9.4 Reconciliation Action Rules for Trusted Source Reconciliation

Table 1-21 lists the action rules for trusted source reconciliation.

Table 1-21 Action Rules for Trusted Source Reconciliation

Rule Condition              Action
No Matches Found            Create User
One Entity Match Found      Establish Link
One Process Match Found     Establish Link


Note:

No action is performed for rule conditions that are not predefined for this connector. You can define your own action rule for such rule conditions. See Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for information about modifying or creating reconciliation action rules.
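The matching rules and action rules for both modes (the target resource use cases of Section 1.7 and the trusted source rule above) can be modelled as an ordered OR of conditions followed by a lookup in the action-rule table; this is an added Python illustration, not code from the connector or from this guide. The only condition spelled out here is User Login Equals User Id; treating the first-evaluated condition of the target resource rule as a match on the unique id of an account already linked to the OIM User is an assumption, and "One Process Match Found" is folded into the single-match case.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple

@dataclass
class OimUser:
    user_login: str                                 # User ID field on the OIM User form
    linked_guids: set = field(default_factory=set)  # AD accounts already linked to this user

@dataclass
class TargetRecord:                                 # one user record fetched from the target
    object_guid: str
    user_id: str                                    # sAMAccountName (userPrincipalName on AD LDS)

# Rule conditions, evaluated in order; the rule ORs them, so the first hit wins.
def unique_id_matches(u: OimUser, r: TargetRecord) -> bool:   # assumed first condition
    return r.object_guid in u.linked_guids

def user_login_equals_user_id(u: OimUser, r: TargetRecord) -> bool:
    return u.user_login == r.user_id                # "User Login Equals User Id"

TARGET_RESOURCE_RULE = [unique_id_matches, user_login_equals_user_id]
TRUSTED_SOURCE_RULE = [user_login_equals_user_id]

# Action rules from Table 1-13 and Table 1-21; a condition with no entry
# (for example several matches) gets no action, as the note states.
TARGET_RESOURCE_ACTIONS = {'No Matches Found': 'Assign to Authorizer With Least Load',
                           'One Entity Match Found': 'Establish Link'}
TRUSTED_SOURCE_ACTIONS = {'No Matches Found': 'Create User',
                          'One Entity Match Found': 'Establish Link'}

def match(rule, users, rec) -> Tuple[list, Optional[int]]:
    """Users matched by the first condition that matches, plus that condition's index."""
    for idx, cond in enumerate(rule):
        hits = [u for u in users if cond(u, rec)]
        if hits:
            return hits, idx
    return [], None

def reconcile(rule, actions, users, rec) -> Tuple[str, Optional[str], Optional[int]]:
    """Turn the match outcome into (rule condition, configured action, condition index)."""
    hits, idx = match(rule, users, rec)
    if not hits:
        condition = 'No Matches Found'
    elif len(hits) == 1:
        condition = 'One Entity Match Found'
    else:
        condition = 'Multiple Matches Found'
    return condition, actions.get(condition), idx
```

Use case 1 (a second account created directly on the target for a user who already has one) is matched by the second condition, and use case 2 (the user ID changed on the target) by the first; an unknown account yields "No Matches Found", which maps to Assign to Authorizer With Least Load in target resource mode and to Create User in trusted source mode.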

After you deploy the connector, you can view the reconciliation action rules for trusted source reconciliation by performing the following steps:

  1. Log in to the Oracle Identity Manager Design Console.

  2. Expand Resource Management.

  3. Double-click Resource Objects.

  4. Locate the AD User Trusted resource object.

  5. Click the Object Reconciliation tab, and then the Reconciliation Action Rules tab. The Reconciliation Action Rules tab displays the action rules defined for this connector. Figure 1-5 shows the reconciliation action rule for trusted source reconciliation.

    Figure 1-5 Reconciliation Action Rules for Trusted Source Reconciliation


1.10 Roadmap for Deploying and Using the Connector

The following is the organization of information in the rest of this guide: