Oracle® Identity Manager Connector Guide for Microsoft Active Directory Release 9.0.1 Part Number B31119-01
The following are known issues associated with this release of the connector:
A Microsoft Active Directory user can be migrated from one Microsoft Windows Server (2000 or 2003) domain controller to another. However, if you want to move a user from one domain to another, then the organization must remain the same.
The field name defined in the Xellerate User Reconciliation Fields form for user login must be sAMAccountName, so that it is consistent with the entry in Microsoft Active Directory.
If the date field is not directly reconciled from Microsoft Active Directory, then you must set a transform mapping between the Oracle Identity Manager date field and the Microsoft Active Directory date field.
A problem may occur when provisioning Oracle Identity Manager users to Microsoft Active Directory using Microsoft Windows 2003. The user's password must meet the minimum length requirement of 7 characters for the user to be provisioned. In addition, the password complexity requirement must be enabled on the target Microsoft Windows 2003 system, so the user's password must also meet this complexity requirement. To enable the password complexity requirement, perform the following procedure:
Click Start, Settings, and Control Panel.
Double-click Administrative Tools, Local Security Policy, Account Policies, and Password Policy.
Double-click Password must meet complexity requirements.
In the Domain Security Policy Setting dialog box, select Enabled and then click OK.
A problem may occur when provisioning Oracle Identity Manager users to Microsoft Active Directory using Microsoft Windows 2003. You must either select Password Never Expires or specify a valid date in the Account Expiry Date field. Otherwise, the user will be created and disabled immediately.
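The two Windows 2003 provisioning issues above (minimum password length and complexity, and the Password Never Expires or Account Expiry Date requirement) can be caught before the provisioning task runs rather than after the account is created and disabled. The following is an added example and not code from the connector guide or from the connector itself. The 7-character minimum and the expiry rule are taken from the text above; the definition of complexity (three of four character classes, login name not embedded), treating a past expiry date as not valid, and the dictionary shape of the request are assumptions made for this example.

```python
"""Pre-provisioning checks for the Windows Server 2003 password and account
expiry issues listed above. Added example, not code from the Oracle connector
guide or the connector itself. The 7-character minimum and the "Password Never
Expires or a valid Account Expiry Date" rule come from the guide; the
definition of complexity (three of four character classes, login name not
embedded) is the standard Windows rule and is an assumption about the
target's policy, as is treating a past expiry date as invalid."""
from datetime import date
import re

MIN_PASSWORD_LENGTH = 7  # minimum stated in the guide

_CLASSES = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")


def meets_complexity(password: str, sam_account_name: str) -> bool:
    """Windows-style complexity check (assumed policy): at least three of the
    four character classes, and the login name must not appear in the password."""
    classes_present = sum(1 for pattern in _CLASSES if re.search(pattern, password))
    if classes_present < 3:
        return False
    if len(sam_account_name) >= 3 and sam_account_name.lower() in password.lower():
        return False
    return True


def check_password(password: str, sam_account_name: str) -> list:
    """Return the list of reasons the password would be rejected (empty if none)."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append("password shorter than %d characters" % MIN_PASSWORD_LENGTH)
    if not meets_complexity(password, sam_account_name):
        problems.append("password does not meet complexity requirements")
    return problems


def check_expiry(password_never_expires: bool, account_expiry_date, today: date) -> list:
    """Either Password Never Expires is selected or a valid expiry date is given;
    otherwise the account is created and immediately disabled."""
    if password_never_expires:
        return []
    if account_expiry_date is None:
        return ["neither Password Never Expires nor an Account Expiry Date is set"]
    if account_expiry_date <= today:  # assumption: a past date is not a "valid" date
        return ["Account Expiry Date is not in the future"]
    return []


def validate_provisioning_request(request: dict, today: date = None) -> list:
    """Run all checks on a provisioning request (a constructed dict shape for
    this example) and return the combined list of problems."""
    today = today or date.today()
    problems = check_password(request["password"], request["sAMAccountName"])
    problems += check_expiry(
        request.get("password_never_expires", False),
        request.get("account_expiry_date"),
        today,
    )
    return problems


if __name__ == "__main__":
    # Constructed sample request: too short, no complexity, no expiry setting.
    sample = {"sAMAccountName": "jsmith", "password": "abc123"}
    for problem in validate_provisioning_request(sample, today=date(2007, 1, 1)):
        print("rejected:", problem)
```

Running the validator inside the provisioning workflow (for example from a pre-populate or validation adapter) turns a silent "created and immediately disabled" outcome into an explicit rejection with a reason, which is easier to spot in the task details than a disabled account.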
During reconciliation, the actual Microsoft Active Directory user password is not reconciled. Instead, a dummy value is inserted in the User Password field in the process form.
There is a limitation in the Create User function. When this function is run, if the User must change password at next logon check box is selected in the User Defined process form, then the corresponding change does not get reflected in Microsoft Active Directory.
After the user is created in Microsoft Active Directory and the Create User function is completed successfully, the same check box remains deselected in the target system.
Therefore, if you want to configure this setting correctly for a Microsoft Active Directory user, then perform the following steps:
Run the Create User function with the default settings in the User Defined process form.
After the Microsoft Active Directory user is created, in the process form, select the User must change password at next logon check box, and then click Save. This will trigger the relevant update task, and the setting gets correctly configured in Microsoft Active Directory.
If the Use SSL attribute of the IT resource is set to false while provisioning the Microsoft Active Directory user, then the password cannot be set and updated by using Oracle Identity Manager. Therefore, if there are any existing password policies in the Microsoft Active Directory server, then you must disable them if the communication is not secured by SSL.
To disable a password policy, perform the following procedure:
Click Start, Settings, and Control Panel.
Double-click Administrative Tools, Local Security Policy, Account Policies, and Password Policy.
Double-click Password must meet complexity requirements.
In the Domain Security Policy Setting dialog box, select Disabled and then click OK.
While provisioning an AD User or AD Group, if the organization is not selected, then the user or group is created in the static container CN=Users.
While reconciling a Microsoft Active Directory user, you can ignore the following attributes related to the Microsoft Exchange mailbox:
msExchMailboxSecurityDescriptor
msExchMailboxGuid
showInAddressBook
msExchPoliciesIncluded
textEncodedORAddress
proxyAddresses
The MaintainHeirarchy option with a value true reconciles organization units from Microsoft Active Directory. It is recommended that you use this option with a root context in which the parent attribute is ou. This means that the DN of a root context must start with ou=. For a root context starting with elements like dc=, the MaintainHeirarchy option would not work as expected.
To run the Move User function, you must ensure that the following prerequisite is addressed:
The destination organization, where you want to move the user, must have the same hierarchical structure in Oracle Identity Manager as in the target Microsoft Active Directory. For example, if you want to move the user to a destination organization ou=AcmeWidgets, ou=Integrations, then the AcmeWidgets organization must be inside the Integrations organization in Oracle Identity Manager.
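Both the MaintainHeirarchy root-context recommendation and the Move User prerequisite come down to reading the DN's relative distinguished names and comparing them with what Oracle Identity Manager holds. The following is an added example illustrating both checks; it is not the connector's own code. The DN splitter is deliberately simplified (it honours backslash-escaped commas but is not a full RFC 4514 parser), and the map of organization name to parent name used to represent the Oracle Identity Manager hierarchy is an assumption made for this example.

```python
"""Checks for the MaintainHeirarchy root-context requirement and the Move User
prerequisite described above. Added example, not the connector's own code.
The DN parser is a simplified one (it honours backslash-escaped commas but is
not a full RFC 4514 parser); the organization-map shape is an assumption."""


def split_dn(dn: str) -> list:
    """Split a DN into its RDN strings, outermost last, keeping escaped commas."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return [r for r in rdns if r]


def parse_rdn(rdn: str) -> tuple:
    """Return (attribute type in lower case, value) for a single RDN."""
    attr, _, value = rdn.partition("=")
    return attr.strip().lower(), value.strip()


def root_context_supports_hierarchy(root_context: str) -> bool:
    """MaintainHeirarchy=true is only recommended when the root context's
    leading RDN is ou=; roots such as dc=... will not work as expected."""
    rdns = split_dn(root_context)
    return bool(rdns) and parse_rdn(rdns[0])[0] == "ou"


def expected_oim_org_path(destination_dn: str) -> list:
    """Organization names that must exist in Oracle Identity Manager, outermost first."""
    ous = [parse_rdn(r)[1] for r in split_dn(destination_dn) if parse_rdn(r)[0] == "ou"]
    return list(reversed(ous))


def move_user_prerequisite_met(destination_dn: str, oim_orgs: dict) -> bool:
    """oim_orgs maps organization name -> parent organization name (None at top).
    True when every OU of the destination DN exists in OIM under the same parent."""
    parent = None
    for org in expected_oim_org_path(destination_dn):
        if org not in oim_orgs or oim_orgs[org] != parent:
            return False
        parent = org
    return True


if __name__ == "__main__":
    # Constructed OIM hierarchy: Integrations at top level, AcmeWidgets inside it.
    orgs = {"Integrations": None, "AcmeWidgets": "Integrations"}
    target = "ou=AcmeWidgets, ou=Integrations"
    # "dc=example,dc=com" is a constructed domain suffix for the sample root context.
    print("root context ok:", root_context_supports_hierarchy("ou=Integrations,dc=example,dc=com"))
    print("move user ok:", move_user_prerequisite_met(target, orgs))
```

Running `move_user_prerequisite_met` against an export of the Oracle Identity Manager organization tree before scheduling a Move User task shows exactly which organization is missing or is nested under the wrong parent, instead of leaving the task to fail at run time.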