Oracle® Identity Manager Connector Guide for Microsoft Active Directory Release 9.0.3 Part Number B32355-02
The following are known issues associated with this release of the connector:
A Microsoft Active Directory user can be migrated from one Microsoft Windows Server (2000 or 2003) domain controller to another. However, if you want to move a user from one domain to another, then the organization must remain the same.
The field name defined in the Xellerate User Reconciliation Fields form for user login must be sAMAccountName, so that it is consistent with the entry in Microsoft Active Directory.
A problem may occur when provisioning Oracle Identity Manager users to Microsoft Active Directory installed on Microsoft Windows 2003 with password complexity set for user accounts. In this case, passwords for user accounts provisioned from Oracle Identity Manager must adhere to the password policy set in Microsoft Active Directory.
In Microsoft Active Directory, password policies are controlled through password complexity rules. Complexity requirements are enforced when passwords are changed or created.
See Also: For more information about password guidelines, refer to the following page on the Microsoft TechNet Web site:
A problem may occur when provisioning Oracle Identity Manager users to Microsoft Active Directory using Microsoft Windows 2003. You must either select Password Never Expires or specify a valid date in the Account Expiry Date field. Otherwise, the user will be created and disabled immediately.
During reconciliation, the actual Microsoft Active Directory user password is not reconciled. Instead, a dummy value is inserted in the User Password field in the process form.
You can install and use the password synchronization module for Microsoft Active Directory if you want to synchronize passwords between Oracle Identity Manager and Microsoft Active Directory.
See Also: Oracle Identity Manager Password Synchronization Module for Microsoft Active Directory Installation and Configuration Guide
There is a limitation in the Create User function. When this function is run, if the User must change password at next logon check box is selected in the User Defined process form, then the corresponding change does not get reflected in Microsoft Active Directory.
After the user is created in Microsoft Active Directory and the Create User function is run successfully, the same check box remains deselected in the target system.
Perform the following steps to configure this setting correctly for a Microsoft Active Directory user:
1. Run the Create User function with the default settings in the User Defined process form.
2. After the Microsoft Active Directory user is created, in the process form, select the User must change password at next logon check box, and then click Save. This will trigger the relevant update task, and the setting gets correctly configured in Microsoft Active Directory.
Suppose the Use SSL IT resource parameter is set to false.
When you provision a Microsoft Active Directory user through Oracle Identity Manager, the password cannot be set and updated by using Oracle Identity Manager. Therefore, if there are any existing password policies in Microsoft Active Directory, then you must disable them if the communication is not secured by SSL.
This limitation is also described in the "Troubleshooting" section.
To disable a password policy, perform the following procedure:
1. Click Start, Settings, and Control Panel.
2. Double-click Administrative Tools, Local Security Policy, Account Policies, and Password Policy.
3. Double-click Password must meet complexity requirements.
4. In the Domain Security Policy Setting dialog box, select Disabled and then click OK.
While provisioning an AD User or AD Group, if the organization is not selected, then the user or group is created in the static container CN=Users.
Suppose the operating environment consists of a Microsoft Active Directory installation on a server on which Microsoft Exchange has also been installed. If reconciliation with Microsoft Active Directory carries user fields with binary values, then these fields must be suppressed before the reconciliation records are passed on to Oracle Identity Manager. This is because Oracle Identity Manager cannot handle fields with binary values.
The following are examples of fields with binary values:
msExchMailboxSecurityDescriptor
msExchMailboxGuid
showInAddressBook
msExchPoliciesIncluded
textEncodedORAddress
proxyAddresses
Refer to the "Specifying the Fields to Be Reconciled" section for information about using the Lookup.ADReconciliation.FieldMap field map to suppress such fields.
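The suppression step described above, as an added example that is not from the connector guide: a Python filter that removes the listed binary attributes, and any other attribute whose raw value does not decode as text, from a reconciliation record before it is passed on. The sample record and its objectGUID value are constructed; the guide's own mechanism is the Lookup.ADReconciliation.FieldMap field map, which this code illustrates rather than replaces.

```python
# Added example, not from the Oracle connector guide: drop binary-valued
# attributes from a reconciliation record before it is handed to Oracle
# Identity Manager, which cannot process binary field values.

# Attributes the guide lists as binary on an Exchange-enabled AD installation.
KNOWN_BINARY_FIELDS = {
    "msExchMailboxSecurityDescriptor", "msExchMailboxGuid", "showInAddressBook",
    "msExchPoliciesIncluded", "textEncodedORAddress", "proxyAddresses",
}

def is_binary(value):
    """True if a raw LDAP value (bytes) cannot be treated as text."""
    if not isinstance(value, bytes):
        return False
    try:
        value.decode("utf-8")
    except UnicodeDecodeError:
        return True
    # Valid UTF-8 that contains control bytes (other than tab/LF/CR) is still binary.
    return any(b < 0x20 and b not in (0x09, 0x0A, 0x0D) for b in value)

def suppress_binary_fields(record, known=KNOWN_BINARY_FIELDS):
    """Return (cleaned_record, suppressed_names): attributes on the known-binary
    list or whose raw values fail the text check are removed; the rest are decoded."""
    cleaned, suppressed = {}, []
    for name, values in record.items():
        vals = values if isinstance(values, list) else [values]
        if name in known or any(is_binary(v) for v in vals):
            suppressed.append(name)
            continue
        cleaned[name] = [v.decode("utf-8") if isinstance(v, bytes) else v for v in vals]
    return cleaned, suppressed

# Constructed sample entry, shaped like a python-ldap search result (bytes values).
SAMPLE_RECORD = {
    "sAMAccountName": [b"jdoe"],
    "givenName": [b"John"],
    "sn": [b"Doe"],
    "objectGUID": [b"\x8a\x01\xfe\x00\x12\x34\x56\x78\x9a\xbc\xde\xf0\x11\x22\x33\x44"],
    "msExchMailboxGuid": [b"\x00\x11\x22\x33"],
    "proxyAddresses": [b"SMTP:jdoe@example.com"],
}

if __name__ == "__main__":
    clean, dropped = suppress_binary_fields(SAMPLE_RECORD)
    print("passed on:", sorted(clean), "suppressed:", sorted(dropped))
```

Note that objectGUID is not on the guide's list but is still caught by the decode check, which is why a value-based test is worth keeping alongside the name list.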
The MaintainHeirarchy option with a value true reconciles organization units from Microsoft Active Directory. It is recommended that you use this option with a root context in which the parent attribute is ou. This means that the DN of the root context must start with ou=. For a root context starting with elements like dc=, the MaintainHeirarchy option would not work as expected.
To run the Move User function, you must ensure that the following prerequisites are addressed:
The destination organization, where you want to move the user, must have the same hierarchical structure in Oracle Identity Manager as in the target Microsoft Active Directory. For example, if you want to move the user to a destination organization ou=AcmeWidgets, ou=Integrations, then the AcmeWidgets organization must be inside the Integrations organization in Oracle Identity Manager.
Then, update the organization name in the AD process form, not in the Oracle Identity Manager user form.
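The two DN rules above (the MaintainHeirarchy root context must begin with ou=, and a Move User destination such as ou=AcmeWidgets, ou=Integrations requires AcmeWidgets to be nested inside Integrations in Oracle Identity Manager), worked as an added Python example that is not from the connector guide. All DN values are constructed, and the parser assumes single-valued RDNs.

```python
# Added example, not from the Oracle connector guide: derive the Oracle Identity
# Manager organization chain that a Microsoft Active Directory DN implies, and
# check the MaintainHeirarchy rule that the root context must begin with ou=.
# All DN values here are constructed.

def parse_dn(dn):
    """Split a DN into (type, value) pairs, leftmost RDN first. Handles
    backslash-escaped commas; multi-valued RDNs (a+b=...) are not handled."""
    rdns, buf, escaped = [], "", False
    for ch in dn:
        if escaped or ch == "\\":
            escaped = not escaped
            buf += ch
        elif ch == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
    rdns.append(buf)
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs

def root_context_supports_hierarchy(root_dn):
    """True only if the leftmost RDN of the root context is an ou."""
    return parse_dn(root_dn)[0][0] == "ou"

def organization_chain(dn, root_dn):
    """OU names from the root context down to the entry's parent: the order in
    which the organizations must be nested in OIM. For
    cn=jdoe,ou=AcmeWidgets,ou=Integrations under dc=example,dc=com this gives
    ['Integrations', 'AcmeWidgets']."""
    pairs, root = parse_dn(dn), parse_dn(root_dn)
    fold = lambda ps: [(t, v.lower()) for t, v in ps]   # DN values are case-insensitive
    if len(root) >= len(pairs) or fold(pairs[-len(root):]) != fold(root):
        raise ValueError("%s is not under root context %s" % (dn, root_dn))
    relative = pairs[: len(pairs) - len(root)]
    # Walk from the root-most component outward; cn= (the user itself) is skipped.
    return [v for t, v in reversed(relative) if t == "ou"]

if __name__ == "__main__":
    dn = "cn=jdoe,ou=AcmeWidgets,ou=Integrations,dc=example,dc=com"
    print(organization_chain(dn, "dc=example,dc=com"))      # ['Integrations', 'AcmeWidgets']
    print(root_context_supports_hierarchy("ou=Integrations,dc=example,dc=com"))  # True
```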
Some Asian languages use multibyte character sets. If the character limit for the fields in the target system is specified in bytes, then the number of Asian-language characters that you can enter in a particular field may be less than the number of English-language characters that you can enter in the same field. The following example illustrates this limitation:
Suppose you can enter 50 characters of English in the User Last Name field of the target system. If you were using the Japanese language and if the character limit for the target system fields were specified in bytes, then you would not be able to enter more than 25 characters in the same field.
The connector does not support the use of security certificates that contain non-English characters.
When you create a user account directly on Microsoft Active Directory, you need not specify values for some user fields, such as First Name and Last Name. However, while provisioning a user on Microsoft Active Directory through Oracle Identity Manager, you must enter values for the User ID, First Name, Last Name, and Full Name fields in the AD User form (User Process form).
In addition, if the pre-populated values are to be changed, then the Full Name field value must be a combination of the First name, Middle Name, and Last Name field values separated by white spaces. The format is as follows:
First_Name Middle_Name Last_Name
During reconciliation, if a user in Microsoft Active Directory has not been assigned values for the First Name or Last Name fields, then these fields in Oracle Identity Manager are updated with the Full Name field value. This is because Full Name is a mandatory field in Microsoft Active Directory.
On a Microsoft Windows 2003 server on which Service Pack 1 has not been installed, you may come across the "WILL_NOT_PERFORM" error message during the password change operation. You can access information about one of the causes of and a solution for this error on the Microsoft Knowledge Base Web site at
You can provision an organization through Oracle Identity Manager on Microsoft Active Directory. However, you cannot change the name of this organization through Oracle Identity Manager.
While provisioning a user in the Japanese language, the given name (first name) is listed before the family name (last name) instead of the family name being listed before the given name.
Microsoft Active Directory restricts the number of characters in the user ID field to 20 characters. Therefore, while provisioning a user through Oracle Identity Manager, if you enter more than 20 characters as the user ID, then the user ID created on Microsoft Active Directory is truncated to the first 20 characters.