Oracle® Identity Manager Password Synchronization Module for Microsoft Active Directory Installation and Configuration Guide Release 9.0.1 Part Number B31129-01 |
|
|
View PDF |
This guide covers two scenarios:
Upgrading an existing instance of the password synchronization module to the current version, which is Revision D
To implement this option, follow the instructions provided in Chapter 3.
Installing and configuring Revision D of the password synchronization module
To implement this option, follow the instructions provided in this chapter.
Deploying the password synchronization module involves completing the following general procedures:
Step 1: Preparing to Install the Password Synchronization Module
Step 4: Performing Postinstallation Steps for the Password Synchronization Module
To prepare for installation, first verify that the following deployment requirements are met:
An instance of Oracle Identity Manager release 8.5.3 or later is installed, running, and visible to the computer hosting the Active Directory domain controller on which you want to install the password synchronization module.
See Also:
Depending on the application server that you use, refer to one of the following guides:Oracle Identity Manager Installation and Upgrade Guide for JBoss
Oracle Identity Manager Installation and Upgrade Guide for WebLogic
Oracle Identity Manager Installation and Upgrade Guide for WebSphere
If the Oracle Identity Manager server to which Active Directory will connect is hosted by an IBM WebSphere application server, then you must install on the computer where you are installing the password synchronization module an instance of the IBM WebSphere Application Client that is compatible with the installed version of the IBM WebSphere application server.
The computer on which you are installing the password synchronization module meets the requirements listed in the following table.
Item | Requirement |
---|---|
Microsoft Active Directory | Active Directory Server |
Host operating system | Any one of the following:
|
Note:
You must install a separate instance of the password synchronization module on each Active Directory domain controller for which you require password synchronization to the user account stores managed by Oracle Identity Manager.The installation files for the password synchronization module are compressed in the following ZIP file on the installation media:
Directory Servers\Microsoft Active Directory\Microsoft Active Directory Password Sync Rev 4.4.0.zip
After verifying the deployment requirements, copy the ZIP file to a temporary directory on the Oracle Identity Manager server. Extract the contents of the ZIP file into this directory.
See Also:
Refer to the "Files and Directories That Comprise the Password Synchronization Module" section for more information about these files.To activate password policies for Active Directory:
On the computer hosting the Active Directory domain controller on which you are installing the password synchronization module, start the Domain Security Policy application.
To do this, on the Microsoft Windows computer, click the Start menu, Programs, Administrative Tools, and Domain Security Policy.
If you are using Microsoft Active Directory 2003, then directly proceed to the next step.
If you are using Microsoft Active Directory 2000, then select Window Settings on the left pane of the Domain Security Policy application window and then proceed to the next step.
Select Security Settings, select Account Policies, and then click Password Policy. The Security Policy Setting dialog box is displayed.
In the Security Policy Setting dialog box, select Define this policy setting, select Enabled, and then click OK.
To install the password synchronization module:
On the computer hosting the Active Directory domain controller where you are installing the password synchronization module:
Open Microsoft Windows Explorer.
Navigate to the temporary directory into which you extract the contents of the installation media ZIP file.
Double-click the setup_ad.exe
file to start the installer.
Read the text on the Welcome page, and then click Next.
On the Target Directory page, you can either accept the default installation directory or specify the path to the directory in which you want install the module. For example, you can specify a path similar to the following:
C:\OracleProvisioningAD
Alternatively, you can use the Browse button to navigate to the installation directory.
Click Next.
The installer creates a directory named adsynch
inside the installation directory that you specify. Then, it copies the password synchronization module components into the adsynch
directory and creates certain directories inside the adsynch
directory.
Note:
From this point onward, this guide refers to the directoryuser_specified_install_directory
\adsynch
as ADSYNC_HOME
.On the Application Server page, specify the application server that is hosting the Oracle Identity Manager server to which the Active Directory domain controller will connect. Then, click Next.
Note:
If you specify IBM WebSphere as the application server, then perform the next step. Otherwise, directly proceed to Step 7.On the WebSphere Directory page, specify the path to the directory where the IBM WebSphere Application Client is installed, on the computer where you are installing the module. Then, click Next.
On the JRE page, specify the JRE option that you want to use with the module. The following choices are available:
JRE bundled with Oracle Identity Manager
An existing JRE 1.4.2 installation on the computer where you are installing the password synchronization module. The following table lists the appropriate JRE version for the supported application servers.
For an existing JRE installation, you must specify the path to the installation. Then, click Next.
On the System Administration page, specify the account name and password required to log in to the Oracle Identity Manager server.
The default account for login is xelsysadm.
After specifying the required information, click Next.
On the Application Server Configuration page, specify the following:
The host name of the application server hosting Oracle Identity Manager
The naming port associated with the application server. The following table lists the default naming ports for the supported application servers.
If the application server for Oracle Identity Manager uses a nondefault naming port, then use that port number and consult your system administrator for additional guidance.
After you specify the required information, click Next.
On the Summary page, verify that the installation directory for the module, which you specify on the Target Directory page, is correctly displayed.
If you need to change the installation directory, click Back until you reach the Target Directory page, make the required corrections, and then proceed through the installation sequence again.
When the installation directory is displayed correctly, click Install.
The Complete page displays the following message to indicate successful installation:
The Oracle Identity Manager Installer has successfully installed Oracle Identity Manager AD Password Synchronization.
Click Finish to close the installer.
Restart the computer.
The following table lists the installation locations for the key components of the password synchronization module.
File | Description |
---|---|
Windows_System32_Directory\Adsync.dll
|
This file is registered as a listener for password changes to the Active Directory Domain controller. Whenever an Active Directory password is changed, it calls the Change Password script named ChangePassword.cmd. |
ADSYNC_HOME\config\xlconfig.xml
|
This file contains all the user-configurable settings for the password synchronization module. Users can edit this file after installing the module. For details, see the "Step 5: Configuring the Password Synchronization Module" section. |
ADSYNC_HOME\lib\xliADSync.jar
|
This JAR file contains the class files required by the Change Password script. |
ADSYNC_HOME\ChangePassword.cmd
|
This script, which is called by adsync.dll in response to a password change, uses the correct classpath and command-line parameters to call the ChangePassword class, which is in the xliADSync.jar file. |
ADSYNC_HOME\wsChangePassowrd.cmd
|
This is the version of the Change Password script that is used by IBM WebSphere. |
ADSYNC_HOME\lib\xliADSync.ear
|
This file contains the class files required by the version of the Change Password script used by IBM WebSphere. |
Perform the following postinstallation steps:
On the computer on which Oracle Identity Manager is installed:
Navigate to the root installation directory for Oracle Identity Manager.
Copy the following files from the ext directory to the ADSYNC_HOME
\ext
directory on the computer where you installed the password synchronization module:
javagroups-all.jar
(or jgroups-all.jar
)
oscache-2.0.2-22Jan04.jar
(or oscache.jar
)
Copy the javagroups-all.jar
or jgroups-all.jar
file (whichever of these files exists in the \ext
directory) to the ADSYNC_HOME
\ext
directory on the computer where you installed the password synchronization module.
Copy the oscache-2.0.2-22Jan04.jar
or oscache.jar
file (whichever of these files exists in the \ext
directory under the root installation directory of Oracle Identity Manager) to the ADSYNC_HOME
\ext
directory on the computer where you installed the password synchronization module.
Determine the file appropriate for the particular application server hosting your Oracle Identity Manager server, and copy this file from the computer hosting Oracle Identity Manager to the appropriate directory on the computer where you installed the password synchronization module.
The following table lists the application server-specific file that should be copied as well as the destination to which the file should be copied.
Copy the JAR files from the XLCLIENT_HOME
\lib
directory on the computer hosting the Oracle Identity Manager Design Console to the ADSYNC_HOME
\lib
directory on the computer where you install the password synchronization module.
If you plan to run Oracle Identity Manager on a clustered application server, then:
Establish a trust relationship between the computer hosting Oracle Identity Manager and the computer hosting the Active Directory domain controller on which you install the password synchronization module.
Add the host name of the computer hosting Oracle Identity Manager to the hosts
file of the computer hosting the Active Directory domain controller on which you install the password synchronization module.
Edit the xlconfig.xml
file associated with the password synchronization module you install. This file is located in the ADSYNC_HOME
\config
directory.
In the xlconfig.xml
file, change the <java.naming.provider.url>
tag to the value stored in the tag in the xlconfig.xml
file associated with the instance of the Design Console that you have previously installed as part of the Oracle Identity Manager deployment.
Each instance of the xlconfig.xml
file is in the config
directory. This directory is in the root installation directory for the component with which the configuration file is associated. For example, the path of the xlconfig.xml
file associated with the password synchronization module is as follows:
ADSYNC_HOME\config\
After you update the value of the <java.naming.provider.url>
tag in the xlconfig.xml
file associated with the password synchronization module, save and close the file.
After you complete installation of the password synchronization module, you can configure it by editing the xlconfig.xml
file, which is located in the ADSYNC_HOME
\config
directory.
To configure the parameters in the xlconfig.xml
file, first open the file by using any plain-text editor. The following table lists the elements you can configure within the <ADsync>
tag in the xlconfig.xml
file.
Tag Within the <ADSync> Tag | Description |
---|---|
<UserMatch> </UserMatch> |
The MatchingMethod parameter specifies how Oracle Identity Manager matches an Oracle Identity Manager user to the Active Directory ID passed to the adsync.dll file. The first of the following three options is the default. Use it when all the login IDs in Oracle Identity Manager match all the Active Directory user IDs. When the login IDs in Oracle Identity Manager and the Active Directory IDs do not match, then use one of the remaining options.
|
<Result> </Result> |
This optional configuration element specifies where the result of the password change operation must be logged (apart from the adsync.log file). Values for the following parameters are provided as tags within the <Result> tag:
|
The following example provides a listing of the original (default) contents of the <ADSync>
tag:
<ADSync> <!-- The Login section provides information about how the utility is authenticated. If UseSignature is true, the username is used for authentication, using the signature-based login. The key in the "PrivateKey" alias will be used. If UseSignature is false, the username and password are used for authentication. --> <Login> <UseSignature>false</UseSignature> <Username>xelsysadm</Username> <Password encrypted="true">tPzEM127PIQxO64w2g7wgw==</Password> </Login> <!-- The Active Directory name should match an Oracle Identity Manager user name. If the MatchingMethod is UserID, the Active Directory user name is assumed to be the Oracle Identity Manager user name. For UDF, FieldName must contain the name of the User Defined field that contains the active directory user ID. For ResourceField, Process Forms of those Users who have ResourceObject specified will be searched to find the suitable user. This can be used if active directory is provisioned as an account, but not a trusted source. --> <UserMatch> <!-- UserID, UDF and ResourceField --> <MatchingMethod>UserID</MatchingMethod> <FieldName>UD_ADUSER_LOGIN</FieldName> <ResourceObject>AD User</ResourceObject> </UserMatch> <!-- If required, a UDF field can be updated with the result of the operation and Timestamp so that additional workflow can be started. --> <Result> <UpdateUDF>false</UpdateUDF> <FieldName>USR_UDF_ADPWDRES</FieldName> <SuccessValue>SUCCESS</SuccessValue> <FailureValue>FAIL</FailureValue> <AppendTimeStamp>true</AppendTimeStamp> </Result> </ADSync>
After you make the required changes to the user-configurable tags in the xlconfig.xml
file, save and close the file.