Oracle® Identity Manager Connector Guide for Microsoft Active Directory Release 9.0.1 Part Number B31119-01
This chapter describes the procedures involved in installing and deploying the reconciliation scheduled task. It includes the following sections:
The reconciliation scheduled task is completely independent of provisioning. There is no code that is common to both reconciliation and provisioning.
You must perform the following steps before you can successfully run the reconciliation scheduled task:
Ensure that the connector XML file is imported by performing the procedure described in the "Step 4: Importing the Connector XML Files" section. This step is required because the Microsoft Active Directory reconciliation scheduled task uses the IT resource that is defined in the connector XML file.
Import the sample Microsoft Active Directory Reconciliation task. In addition, ensure that all the required attributes in the task are correctly configured.
Import the ADGroup Lookup Reconciliation sample task. In addition, ensure that all the required attributes in the task are correctly configured.
If there are any transformation classes to be applied, then you must place them in a JAR file in the JavaTasks directory.
This section describes the following task attributes from the deployment perspective:
DeleteRecon:
This attribute can be set to true or false. It is not case-sensitive. While using this attribute, you must ensure that the Server attribute points to the Microsoft Active Directory root context where information about deleted users is stored.
Because Microsoft Active Directory does not keep track of deleted users, this mechanism (of moving deleted users to a specific OU) has to be implemented by the directory administrator. In addition, in the case of trusted reconciliation, the users that are reconciled using the Delete Reconciliation function are marked as deleted by Oracle Identity Manager. In the case of nontrusted reconciliation, the Microsoft Active Directory resource object is revoked for such users.
MaintainHierarchy:
This attribute can be set to true or false. It is not case-sensitive. While using this attribute, you must ensure that no two organizations have the same name in Microsoft Active Directory, because this is a constraint in Oracle Identity Manager. If this attribute is set to true, then the value of the XellerateOrg attribute is ignored.
UseFieldMapping:
This attribute can be set to true or false. It is not case-sensitive. If it is set to true, then the value of the FieldLookupCode attribute is used to find the field mappings stored in the lookup tables.
UseTransformMapping:
This attribute can be set to true or false. It is not case-sensitive. If it is set to true, then the value of the TransformLookupCode attribute is used to get the transform mappings stored in the lookup tables.
FieldLookupCode:
This attribute specifies the mapping between the Microsoft Active Directory fields and virtual fields in Oracle Identity Manager. It also specifies the fields that are imported in Oracle Identity Manager during reconciliation. It is used when there are multiple external systems that are being reconciled against a single Oracle Identity Manager resource object. In such a situation, it is not possible to use the current reconciliation scheduled task. Therefore, you must specify the mappings between the Microsoft Active Directory fields and virtual Oracle Identity Manager fields. These virtual fields are then mapped to the actual fields on the process form.
For example:
Suppose you have two systems S1 and S2 that are being reconciled against a resource object called ADObject.
In addition, assume that the reconciliation parameters are p1, p2, and p3 for S1 and q1, q2, and q3 for S2. Because they are being reconciled against the same resource object, Oracle Identity Manager does not allow multiple mappings of the same field. For instance, if p1 and q1 both correspond to the user ID, then both of them cannot be mapped at the same time. To avoid this, you can use virtual mappings, in which case, p1, p2, p3, q1, q2, and q3 are mapped to the same virtual Oracle Identity Manager attributes. These attributes in turn are mapped on the resource object and provisioning process. Therefore, if the virtual Oracle Identity Manager attributes are x1, x2 and x3, then the mapping in the field maps is as follows:
TransformLookupCode:
This attribute specifies the mapping between the Microsoft Active Directory fields and the transformation to be applied to them. It is used if the values from the external systems must be modified before they can be entered into Oracle Identity Manager. There is no restriction on custom modification. The following are examples of custom modifications:
Append a number at the end of the user ID.
Look up the field name from some external system, and set the value based on the field name.
Set custom types, such as Role or Xellerate Type in Oracle Identity Manager, based on the value of a field in Microsoft Active Directory.
Because there can be a different transform for every field reconciled from Microsoft Active Directory, the transform map gives a flexible way of specifying the field and the Java class that will be used to transform it. The custom transformation classes must be compiled and kept in a JAR file in the JavaTasks directory.
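The following Python is an added illustration, not code from this guide or from the connector, of how the FieldLookupCode and TransformLookupCode lookups described above work together for the S1/S2 example: raw fields from each source system are first renamed to virtual attributes through the field map, the virtual attributes are then passed through the transform map, and finally the virtual attributes are mapped to process-form fields. The source field names p1 to q3 and virtual names x1 to x3 come from the example in the text; the process-form field names, the two transforms, and the sample records are assumptions made for illustration. The connector's real transforms are Java classes in the JavaTasks directory; this model only shows the data flow.

```python
"""Model of the UseFieldMapping / UseTransformMapping data flow.

Constructed example: the process-form names, transforms, and records
below are assumptions for illustration, not values shipped with the
connector.
"""
from typing import Callable, Dict

# FieldLookupCode-style maps, one per source system:
# source field -> virtual Oracle Identity Manager attribute.
# p1 and q1 both map to x1 without clashing, which direct mapping of
# both to the same process-form field would not allow.
FIELD_MAPS: Dict[str, Dict[str, str]] = {
    "S1": {"p1": "x1", "p2": "x2", "p3": "x3"},
    "S2": {"q1": "x1", "q2": "x2", "q3": "x3"},
}

# Virtual attribute -> actual field on the resource object / process form
# (field names are assumed for illustration).
PROCESS_FORM_MAP: Dict[str, str] = {"x1": "User ID", "x2": "Last Name", "x3": "Role"}


def append_suffix(value: str) -> str:
    """Transform from the text: append a number at the end of the user ID."""
    return f"{value}01"


def department_to_role(value: str) -> str:
    """Transform from the text: set a custom Role based on a directory field.
    The rule (anything starting with 'ext' is a contractor) is an assumption."""
    return "Contractor" if value.lower().startswith("ext") else "Full-Time"


# TransformLookupCode-style map: virtual field -> transform to apply.
TRANSFORM_MAP: Dict[str, Callable[[str], str]] = {
    "x1": append_suffix,
    "x3": department_to_role,
}


def apply_field_map(record: Dict[str, str], field_map: Dict[str, str]) -> Dict[str, str]:
    """Rename mapped source fields to virtual attributes; drop unmapped ones.
    Dropping unmapped fields is what selective reconciliation means."""
    virtual: Dict[str, str] = {}
    for src, dst in field_map.items():
        if src in record:
            if dst in virtual:
                raise ValueError(f"virtual attribute {dst} is mapped twice")
            virtual[dst] = record[src]
    return virtual


def apply_transforms(virtual: Dict[str, str],
                     transform_map: Dict[str, Callable[[str], str]]) -> Dict[str, str]:
    """Apply the per-field transform where one is configured, else pass through."""
    return {k: transform_map.get(k, lambda v: v)(v) for k, v in virtual.items()}


def reconcile(system: str, record: Dict[str, str]) -> Dict[str, str]:
    """Full flow for one record: field map -> transforms -> process-form fields."""
    virtual = apply_field_map(record, FIELD_MAPS[system])
    transformed = apply_transforms(virtual, TRANSFORM_MAP)
    return {PROCESS_FORM_MAP[k]: v for k, v in transformed.items()}


if __name__ == "__main__":
    # Constructed sample records for the two systems.
    print(reconcile("S1", {"p1": "jsmith", "p2": "Smith", "p3": "Finance"}))
    print(reconcile("S2", {"q1": "ext.jdoe", "q2": "Doe", "q3": "External"}))
```

Both records end up in the same three process-form fields even though their source field names differ, which is the point of the virtual mapping; the transforms run on the virtual attribute, so one transform serves both systems.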
Server:
This attribute specifies the IT resource for the Microsoft Active Directory server from which reconciliation is to be carried out.
XellerateObject:
This attribute specifies the Xellerate User resource object on which trusted reconciliation is to be carried out.
Object:
This attribute specifies the AD User resource object on which reconciliation is to be carried out.
XellerateOrg:
This attribute gives the name of the Oracle Identity Manager organization in which reconciled users will be created. The name of this organization will be used by default unless either the MaintainHierarchy or the ProcessOrg attribute is set.
MultiValueAttributes:
The value of this attribute is interpreted as a comma-separated list of the multivalued attributes in Microsoft Active Directory, which must be imported in Oracle Identity Manager during reconciliation. When you use this value, remember that:
The corresponding child table (used to store the value of the multivalued field) must exist on the form for the resource object against which reconciliation takes place.
The name of the multivalued attribute field and its subfields must be the same as the name of the multivalued field.
GroupObject:
This attribute specifies the Oracle Identity Manager resource object on which reconciliation is to be carried out. The fields and mappings must be correctly created on the resource object and provisioning process for successful reconciliation. The default value of this attribute is AD Group.
If only selective parameters need to be reconciled, then first check if the Lookup.ADReconciliation.FieldMap field map is present in the Lookup Definition form. If it is not present, then create it. In addition, you must add the parameters mentioned in the preceding list. The whenChanged parameter is a mandatory field, which means that it must be present in the field map.
The following fields are provided by default for the Lookup.ADReconciliation.FieldMap field map:
sAMAccountName
IT Resource
objectGUID
name
sn
cn
whenChanged
distinguishedName
The UseFieldMapping attribute of the scheduled task must be set to true for selective parameter reconciliation.
Note:
If the UseFieldMapping parameter is set to false, then some fields with binary values would be reconciled. This is not handled by the current release of Oracle Identity Manager.
The following are some fields that have binary values:
msExchMailboxSecurityDescriptor
msExchMailboxGuid
showInAddressBook
msExchPoliciesIncluded
textEncodedORAddress
proxyAddresses
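The following Python is an added illustration, not code from this guide or from the connector, of the selective reconciliation rules stated above: the default field list, the rule that whenChanged is mandatory in the field map, and the note that binary-valued attributes get pulled in when UseFieldMapping is false. The directory entry, the IT resource name, the rule used to decide that a value is binary, and the rendering of objectGUID as a dashed string are assumptions made for illustration.

```python
"""Selective reconciliation modeled on Lookup.ADReconciliation.FieldMap.

Constructed example: the directory entry and the is_binary rule are
assumptions; the default field list and the mandatory whenChanged rule
are from the guide.
"""
import uuid
from typing import Any, Dict, List, Tuple

# Default field map from the guide; whenChanged is mandatory.
DEFAULT_FIELD_MAP: List[str] = [
    "sAMAccountName", "IT Resource", "objectGUID", "name", "sn", "cn",
    "whenChanged", "distinguishedName",
]

MANDATORY_FIELDS = ("whenChanged",)

# Constructed directory entry (not real data). objectGUID is the 16-byte
# binary value the directory returns; the two Exchange attributes stand in
# for the binary-valued fields listed in the note.
SAMPLE_ENTRY: Dict[str, Any] = {
    "sAMAccountName": "jsmith",
    "objectGUID": bytes.fromhex("00112233445566778899aabbccddeeff"),
    "name": "John Smith",
    "sn": "Smith",
    "cn": "John Smith",
    "whenChanged": "20240101120000.0Z",
    "distinguishedName": "CN=John Smith,OU=Users,DC=example,DC=com",
    "msExchMailboxGuid": b"\x00\x01\x02\x03\x04\x05\x06\x07",
    "msExchMailboxSecurityDescriptor": b"\x01\x00\x04\x80\x14\x00\x00\x00",
}


def missing_mandatory_fields(field_map: List[str]) -> List[str]:
    """Mandatory field-map entries (whenChanged) that are absent."""
    return [f for f in MANDATORY_FIELDS if f not in field_map]


def validate_field_map(field_map: List[str]) -> List[str]:
    """Refuse a field map that lacks whenChanged, as the guide requires."""
    missing = missing_mandatory_fields(field_map)
    if missing:
        raise ValueError(f"mandatory field(s) missing from field map: {missing}")
    return field_map


def is_binary(value: Any) -> bool:
    """Assumed rule: bytes that are not valid UTF-8 text, or contain NUL."""
    if not isinstance(value, (bytes, bytearray)):
        return False
    try:
        text = bytes(value).decode("utf-8")
    except UnicodeDecodeError:
        return True
    return "\x00" in text


def guid_to_string(raw: bytes) -> str:
    """Assumed rendering of objectGUID: the directory stores it with the
    first three groups little-endian, which uuid's bytes_le handles."""
    return str(uuid.UUID(bytes_le=raw))


def build_recon_record(entry: Dict[str, Any], it_resource: str,
                       field_map: List[str],
                       use_field_mapping: bool) -> Tuple[Dict[str, Any], List[str]]:
    """Build the reconciliation record for one entry.

    With use_field_mapping=True only the mapped fields are taken; with
    False every attribute of the entry is a candidate, and binary values
    are reported in 'skipped' rather than reconciled.
    """
    record: Dict[str, Any] = {"IT Resource": it_resource}
    skipped: List[str] = []
    wanted = validate_field_map(field_map) if use_field_mapping else list(entry)
    for attr in wanted:
        if attr == "IT Resource" or attr not in entry:
            continue
        value = entry[attr]
        if attr == "objectGUID":
            record[attr] = guid_to_string(value)
        elif is_binary(value):
            skipped.append(attr)
        else:
            record[attr] = value
    return record, skipped


if __name__ == "__main__":
    print(build_recon_record(SAMPLE_ENTRY, "AD IT Resource", DEFAULT_FIELD_MAP, True))
    print(build_recon_record(SAMPLE_ENTRY, "AD IT Resource", DEFAULT_FIELD_MAP, False))
```

With the field map in use, the Exchange attributes never reach the record; with it switched off they are the attributes that surface as binary, which is the situation the note says the current release does not handle.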