After you deploy the connector, you must configure it to meet your requirements. This chapter discusses the following connector configuration procedures:
Note:
These sections provide both conceptual and procedural information about configuring the connector. It is recommended that you read the conceptual information before you perform the procedures.
Adding New Multivalued Fields for Target Resource Reconciliation
Configuring the Connector for Oracle Identity Manager Release 9.0.1.3
Configuring the Connector for Multiple Installations of the Target System
Configuring the Connector and Password Synchronization Module
As mentioned earlier in this guide, reconciliation involves duplicating in Oracle Identity Manager the creation of and modifications to user accounts on the target system. This section discusses the following topics related to configuring reconciliation:
While configuring the connector, the target system can be designated as a trusted source or target resource. If you designate the target system as a trusted source, then during a reconciliation run:
For each newly created user on the target system, an OIM User is created.
Updates made to each user on the target system are propagated to the corresponding OIM User.
If you designate the target system as a target resource, then during a reconciliation run:
For each account created on the target system, a resource is assigned to the corresponding OIM User.
Updates made to each account on the target system are propagated to the corresponding resource.
Note:
You can skip this section if you do not want to designate the target system as a trusted source for reconciliation.
To import the XML file for trusted source reconciliation:
Note:
Only one target system can be designated as a trusted source. If you import the xliADXLResourceObject.xml file while you have another trusted source configured, then both connector reconciliations would stop working.
Open the Oracle Identity Manager Administrative and User Console.
Click the Deployment Management link on the left navigation bar.
Click the Import link under Deployment Management. A dialog box for opening files is displayed.
Locate and open the xliADXLResourceObject.xml file, which is in the OIM_home/xellerate/XLIntegrations/ActiveDirectory/xml directory. Details of this XML file are shown on the File Preview page.
Click Add File. The Substitutions page is displayed.
Click Next. The Confirmation page is displayed.
Click Import.
In the message that is displayed, click Import to confirm that you want to import the XML file and then click OK.
After you import the XML file for trusted source reconciliation, you must set the value of the TrustedSource reconciliation scheduled task attribute to yes. This procedure is described in the "Configuring the Reconciliation Scheduled Tasks" section.
By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run. You can customize this process by specifying the subset of added or modified target system records that must be reconciled. You do this by specifying the queries that must be applied during reconciliation. You specify these queries as the values of the following scheduled task attributes:
For this connector, you create a filter by specifying values for the CustomizedReconQuery attribute while performing the procedure described in the "Defining IT Resources" section.
The following table lists the Microsoft Active Directory attributes, and the corresponding Oracle Identity Manager attributes, that you can use to build the query condition. You specify this query condition as the value of the CustomizedReconQuery attribute.
Oracle Identity Manager Attribute | Microsoft Active Directory Attribute |
---|---|
User ID | sAMAccountName |
First Name | givenName |
Last Name | sn |
Middle Name | initials |
Full Name | displayName |
Groups | memberOf |
The CustomizedReconQuery attribute is used in conjunction with the isNativeQuery attribute. You use the isNativeQuery attribute to specify whether or not the query condition is in the native format.
The following are sample CustomizedReconQuery attribute values when the isNativeQuery attribute is set to yes:
Note:
These queries are in the native format.
(&(objectclass=user)(givenName=John))
With this query condition, records of users belonging to the user object class and whose first name is John are reconciled.
(&(objectClass=user)(memberOf=CN=grp123,CN=Users,DC=corp,DC=com))
With this query condition, records of all users who belong to the user object class and the grp123 group are reconciled.
(&(&(objectClass=user)(memberOf=CN=group1,CN=Users,DC=corp,DC=com))(givenName=Richard))
With this query condition, records of all users who belong to the group1 group and user object class and whose first name is Richard are reconciled.
(&(objectclass=user)(sn=Roe))
With this query condition, records of all users who belong to the user object class and whose last name is Roe are reconciled.
The following are sample CustomizedReconQuery attribute values when the isNativeQuery attribute is set to no:
objectClass=user&givenName=John&sn=Doe
With this query condition, records of users who belong to the user object class and whose first name is John and last name is Doe are reconciled.
givenName=John|sn=Doe
With this query condition, records of users who meet either of the following conditions are reconciled:
First name is John.
Last name is Doe.
objectClass=user&memberOf=CN=grp123,CN=Users,DC=Globalsv,DC=com
With this query condition, records of all users who belong to the grp123 group and the user object class are reconciled.
If the value of the CustomizedReconQuery attribute is [NONE], then all the records in the target system are compared with existing Oracle Identity Manager records during reconciliation.
The following are guidelines to be followed while specifying a value for the CustomizedReconQuery parameter when the isNativeQuery attribute is set to no (that is, when you want to use a non-native format query):
For the Microsoft Active Directory attributes, you must use the same case (uppercase or lowercase) as given in the table shown earlier in this section. This is because the attribute names are case-sensitive.
You must not include unnecessary blank spaces between operators and values in the query condition.
A query condition with spaces separating values and operators would yield different results as compared to a query condition that does not contain spaces between values and operators. For example, the output of the following query conditions would be different:
givenname=John&sn=Doe
givenname= John&sn= Doe
In the second query condition, the reconciliation engine would look for first name and last name values that contain a space at the start.
You must not include special characters other than the equal sign (=), ampersand (&), and vertical bar (|) in the query condition.
Note:
An exception is thrown if you include special characters other than the equal sign (=), ampersand (&), and vertical bar (|).
You must enclose the query condition in parentheses, for example:
(&(objectClass=user)(sn!=Doe))
You use the CustomizedGroupReconQuery attribute to specify the groups that must be reconciled. The value of this attribute is an LDAP query that you specify.
You can use any one or a combination of the following group fields to create the LDAP query:
name
instanceType
groupType
objectSid
sAMAccountType
member
uSNCreated
uSNChanged
objectClass
distinguishedName
objectCategory
sAMAccountName
objectGUID
cn
whenCreated
whenChanged
The following are sample LDAP queries:
Note:
As shown in these samples, individual conditions must be enclosed in parentheses. For example: (groupType=2)
Only queries in native LDAP format are supported.
(&(|(groupType=2)(name=MyGrp))(objectClass=group))
(&(&(groupType=2)(name=MyGrp))(objectClass=group))
(&(objectclass=group)(name=MyGrp))
(|(groupType=2)(name=MyGrp))
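The user-reconciliation queries discussed under "Partial Reconciliation" above and the group queries just listed can be exercised offline with the following added example. It is illustration code written for this page, not code from the connector or from Oracle: to_native_filter translates a non-native (isNativeQuery=no) condition into an LDAP filter, parse_filter and matches evaluate a native filter against constructed sample records, and reconcile_subset applies either form the way the reconciliation engine is described as doing, including the [NONE] value. The rule that '|' binds loosest, the exact set of rejected characters and the case-insensitive matching of attribute names are this example's assumptions, not documented connector behaviour; the sample users and groups are constructed.

```python
# Added example (not part of the connector or the Oracle documentation):
# a converter for the non-native CustomizedReconQuery format and a small
# evaluator for native LDAP filters, run over constructed sample records.
#
# Assumptions made here, not documented behaviour of the connector:
#  - in the non-native format '|' binds loosest, so 'a=1&b=2|c=3' means
#    (a=1 AND b=2) OR c=3;
#  - '(', ')', '*', '\' and '!' are the "special characters" that are rejected;
#    ',' is accepted because the page's own memberOf sample contains it;
#  - attribute names match case-insensitively, values match exactly.

NON_NATIVE_FORBIDDEN = set("()*\\!")
NONE_MARKER = "[NONE]"          # documented value meaning "no filter"


def to_native_filter(query):
    """Translate an isNativeQuery=no condition into an LDAP filter string.
    Values are copied verbatim, so 'givenName= John' keeps its leading space,
    which is exactly the pitfall the guidelines warn about."""
    if any(ch in NON_NATIVE_FORBIDDEN for ch in query):
        raise ValueError("only '=', '&' and '|' may be used as special characters")
    or_terms = []
    for disjunct in query.split("|"):
        and_terms = []
        for cond in disjunct.split("&"):
            if "=" not in cond:
                raise ValueError("condition %r has no '='" % cond)
            attr, value = cond.split("=", 1)   # first '=' only: memberOf DNs contain '='
            and_terms.append("(%s=%s)" % (attr, value))
        or_terms.append(and_terms[0] if len(and_terms) == 1 else "(&" + "".join(and_terms) + ")")
    return or_terms[0] if len(or_terms) == 1 else "(|" + "".join(or_terms) + ")"


def _parse(s, i):
    """Recursive-descent parse of the parenthesised filter starting at s[i]."""
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if i >= len(s) or s[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return (op, kids), i + 1
    end = s.find(")", i)
    if end < 0 or "=" not in s[i:end]:
        raise ValueError("malformed condition at offset %d" % i)
    attr, value = s[i:end].split("=", 1)
    return ("=", attr, value), end + 1


def parse_filter(native):
    """Parse a complete native LDAP filter into a nested tuple tree."""
    node, end = _parse(native, 0)
    if end != len(native):
        raise ValueError("trailing text after filter")
    return node


def matches(node, record):
    """Evaluate a parsed filter against one record of the form {attribute: [values]}."""
    if node[0] == "=":
        _, attr, value = node
        values = next((v for k, v in record.items() if k.lower() == attr.lower()), [])
        return value in values
    op, kids = node
    if op == "&":
        return all(matches(k, record) for k in kids)
    if op == "|":
        return any(matches(k, record) for k in kids)
    return not matches(kids[0], record)          # '!'


def reconcile_subset(query, is_native, records):
    """Names (sAMAccountName, or cn for groups) of the records the query selects."""
    if query == NONE_MARKER:
        node = None                                # [NONE]: every record is compared
    else:
        node = parse_filter(query if is_native else to_native_filter(query))
    return [(r.get("sAMAccountName") or r["cn"])[0]
            for r in records if node is None or matches(node, r)]


# Constructed sample directory content (not real data).
SAMPLE_USERS = [
    {"objectClass": ["user"], "sAMAccountName": ["jdoe"], "givenName": ["John"],
     "sn": ["Doe"], "memberOf": ["CN=grp123,CN=Users,DC=corp,DC=com"]},
    {"objectClass": ["user"], "sAMAccountName": ["jroe"], "givenName": ["John"],
     "sn": ["Roe"], "memberOf": []},
    {"objectClass": ["user"], "sAMAccountName": ["rdoe"], "givenName": ["Richard"],
     "sn": ["Doe"], "memberOf": ["CN=group1,CN=Users,DC=corp,DC=com"]},
    {"objectClass": ["contact"], "sAMAccountName": ["ext1"], "givenName": ["John"],
     "sn": ["Doe"], "memberOf": []},
]
SAMPLE_GROUPS = [
    {"objectClass": ["group"], "cn": ["MyGrp"], "name": ["MyGrp"], "groupType": ["8"]},
    {"objectClass": ["group"], "cn": ["Ops"], "name": ["Ops"], "groupType": ["2"]},
    {"objectClass": ["organizationalUnit"], "cn": ["Sales"], "name": ["MyGrp"], "groupType": []},
]

if __name__ == "__main__":
    print(to_native_filter("objectClass=user&givenName=John&sn=Doe"))
    print(reconcile_subset("givenName=John|sn=Doe", False, SAMPLE_USERS))
    print(reconcile_subset("(&(|(groupType=2)(name=MyGrp))(objectClass=group))", True, SAMPLE_GROUPS))
```

Running the module prints the translated filter for the first non-native sample and the records selected by two of the sample queries. Feeding it the guideline's second query, givenName= John&sn= Doe, selects nothing, because the leading space is carried into the filter unchanged, which is the behaviour the guidelines describe; a non-native value containing a parenthesis raises ValueError, matching the documented exception.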
During a reconciliation run, all changes in the target system records are reconciled into Oracle Identity Manager. Depending on the number of records to be reconciled, this process may require a large amount of time. In addition, if the connection breaks during reconciliation, then the process would take longer to complete.
You can configure batched reconciliation to avoid such problems.
To configure batched reconciliation, you must specify values for the following user reconciliation scheduled task attributes:
StartRecord: Use this attribute to specify the record number from which batched reconciliation must begin.
BatchSize: Use this attribute to specify the number of records that must be included in each batch.
NumberOfBatches: Use this attribute to specify the total number of batches that must be reconciled. If you do not want to use batched reconciliation, specify All Available as the value of this attribute.
Note:
If you specify All Available as the value of this attribute, then the values of the StartRecord and BatchSize attributes are ignored.
You specify values for these attributes by following the instructions described in the "User Reconciliation Scheduled Task" section.
After you configure batched reconciliation, if reconciliation fails during a batched reconciliation run, then refer to the log file for information about the batch at which reconciliation has failed.
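The three batching attributes can be checked against each other with the following added example, written for this page and not taken from the connector. batch_plan turns StartRecord, BatchSize and NumberOfBatches into the record ranges a run would cover, honouring the rule that All Available makes the other two attributes irrelevant, and restart_after_failure derives the StartRecord for a rerun from the batch that the log reports as failed. That StartRecord is 1-based and that a final batch running past the end of the record set is simply truncated are assumptions of this example, as is using the failed batch's first record as the rerun start.

```python
# Added example (not connector code): planning and resuming batched reconciliation
# from the StartRecord / BatchSize / NumberOfBatches attributes described above.
# Assumptions: StartRecord is 1-based, a trailing partial batch is truncated, and
# a rerun after failure should start at the first record of the failed batch.

ALL_AVAILABLE = "All Available"


def batch_plan(total_records, start_record=1, batch_size=100, number_of_batches=ALL_AVAILABLE):
    """Return the list of (first, last) 1-based record ranges one run would process.
    With NumberOfBatches set to 'All Available' the other two attributes are ignored
    and a single range covering every record is returned."""
    if number_of_batches == ALL_AVAILABLE:
        return [(1, total_records)] if total_records > 0 else []
    if start_record < 1 or batch_size < 1 or number_of_batches < 1:
        raise ValueError("StartRecord, BatchSize and NumberOfBatches must be positive")
    ranges = []
    first = start_record
    for _ in range(number_of_batches):
        if first > total_records:          # nothing left to reconcile
            break
        last = min(first + batch_size - 1, total_records)
        ranges.append((first, last))
        first = last + 1
    return ranges


def restart_after_failure(plan, failed_batch_index):
    """Given a plan and the 0-based index of the batch the log reports as failed,
    return the StartRecord to set for the rerun so completed batches are not redone."""
    if not 0 <= failed_batch_index < len(plan):
        raise IndexError("failed batch index outside the plan")
    return plan[failed_batch_index][0]


if __name__ == "__main__":
    plan = batch_plan(250, start_record=1, batch_size=100, number_of_batches=3)
    print(plan)                                   # three ranges, the last one partial
    print(restart_after_failure(plan, 1))         # StartRecord for the rerun
    print(batch_plan(250, 7, 100, ALL_AVAILABLE)) # StartRecord and BatchSize ignored
```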
When you perform the procedure described in the "Importing the Connector XML Files" section, the scheduled tasks for lookup fields and user reconciliations are automatically created in Oracle Identity Manager. To configure these scheduled tasks:
Expand the Xellerate Administration folder.
Select Task Scheduler.
Click Find. The details of the predefined scheduled tasks are displayed on two different tabs.
For the first scheduled task, enter a number in the Max Retries field. This number represents the number of times Oracle Identity Manager must attempt to complete the task before assigning the ERROR status to the task.
Ensure that the Disabled and Stop Execution check boxes are not selected.
In the Start region, double-click the Start Time field. From the date-time editor that is displayed, select the date and time at which you want the task to run.
In the Interval region, set the following schedule parameters:
To set the task to run on a recurring basis, select the Daily, Weekly, Recurring Intervals, Monthly, or Yearly option.
If you select the Recurring Intervals option, then you must also specify the time interval at which you want the task to run on a recurring basis.
To set the task to run only once, select the Once option.
Provide values for the attributes of the scheduled task. Refer to the "Specifying Values for the Scheduled Task Attributes" section for information about the values to be specified.
See Also:
Oracle Identity Manager Design Console Guide for information about adding and removing task attributes
Click Save. The scheduled task is created. The INACTIVE status is displayed in the Status field, because the task is not currently running. The task is run at the date and time that you set in Step 7.
Repeat Steps 5 through 10 to create the second scheduled task.
This section provides information about the attribute values to be specified for the following scheduled tasks:
The following lookup field reconciliation scheduled tasks have the same attributes:
ADGroupLookupReconTask
AD Security Group Global Lookup Recon
ADOrganizationLookupReconTask
These attributes are described in the following table:
Note:
Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.
Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value were left empty, then reconciliation would not be performed.
| Attribute | Description | Default/Sample Value |
|---|---|---|
| | IT resource instance name of the Microsoft Active Directory server | |
| | Name of the lookup definition | |
| | Decode value of the attribute name for lookup reconciliation | |
| | Code Key value of the attribute name for lookup reconciliation | |
| | Search filter for lookup reconciliation | |
| | Enter Enter Default value: | |
After you specify values for these scheduled task attributes, proceed to Step 10 of the procedure to create scheduled tasks.
The following table describes attributes of these user reconciliation scheduled tasks:
ActiveDirectoryReconTask
TrustedADReconTask
Note:
Most of the attributes are common to both scheduled tasks.
See Appendix B, "Attributes of the Reconciliation Scheduled Task" for more information about these attributes.
Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.
Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value were left empty, then reconciliation would not be performed.
| Attribute | Description | Default/Sample Value |
|---|---|---|
| | Specifies whether or not Delete reconciliation is enabled The value can be If you enable Delete reconciliation, then you must ensure that the You must specify a value for this attribute. | |
| | Name of the lookup definition that is used for custom reconciliation See Appendix B, "Attributes of the Reconciliation Scheduled Task" for more information about this attribute. | |
| | Specifies whether or not organization hierarchy must be maintained in Microsoft Active Directory See Appendix B, "Attributes of the Reconciliation Scheduled Task" for more information about this attribute. The default value is Note: This attribute is used only in the | |
| | Name of the OIM User resource object in Oracle Identity Manager on which trusted source reconciliation is to be performed If you want trusted source reconciliation to be performed, then change the value to You must specify a value for this attribute. Note: This attribute is used only in the | |
| | Oracle Identity Manager organization in which reconciled users are to be created The name of this organization is used by default unless either the Note: This attribute is used only in the | |
| | Name of the AD User resource object in Oracle Identity Manager on which reconciliation is performed The default value is Note: This attribute is used only in the | |
| | Name of the IT resource representing the Microsoft Active Directory server You must specify a value for this attribute. | |
| | Lookup code used for the transformation class map stored in the lookup tables See Appendix B, "Attributes of the Reconciliation Scheduled Task" for more information about this attribute. This attribute is valid only when the | |
| | Specifies whether or not transform mappings accessed by using the The value can be | |
| | Comma-delimited list of all the multivalued Microsoft Active Directory attributes that must be reconciled For AD Group reconciliation, enter See Appendix B, "Attributes of the Reconciliation Scheduled Task" for more information about this attribute. You must specify a value for this attribute. | |
| | For target resource reconciliation: Name of the AD Group resource object in Oracle Identity Manager on which group reconciliation is to be performed If you want AD Group reconciliation to be performed, then change the value to You must specify a value for this attribute. The value can be For trusted source reconciliation: Accept the default value, | |
| | The attribute holds the name of the IT resource time-stamp parameter that is updated after this scheduled task is run. For example, if the IT resource time-stamp parameter is | |
| CustomizedReconQuery | Specify the LDAP query that you want to use to customize reconciliation. The reconciliation engine uses this LDAP query to filter the records that must be fetched from the target system. If you do not want to fetch records based on the filter provided as the value of the See "Partial Reconciliation" for more information about this attribute. Sample values: | |
| | Enter | |
| StartRecord | Specifies the start record for the batching process The default value is This attribute is also discussed in the "Batched Reconciliation" section. | |
| BatchSize | Specifies how many records must be there in a batch The default value is This attribute is also discussed in the "Batched Reconciliation" section. | |
| NumberOfBatches | Specifies the number of batches that must be reconciled If you specify the default value ( This attribute is also discussed in the "Batched Reconciliation" section. | Default value: Sample value: |
| | Name of the lookup definition that is used for primary group reconciliation This attribute is used only when the Note: This attribute is used only in the | |
| | Specifies whether or not primary groups accessed by using the Note: This attribute is used only in the | |
| | This attribute is used only during group reconciliation. You can set this attribute to one of the following values: | |
| | This attribute is used only during group reconciliation. | |
| CustomizedGroupReconQuery | Specifies the LDAP query that you want to use for determining groups that must be reconciled See "Partial Reconciliation" for more information about this attribute. Note: Only queries in native LDAP format are supported. Sample values: | |
| | Specifies the comma-separated list of multivalued group attributes that you want to reconcile Note: This attribute is specific to the Sample value: | |
| | Enter | |
After you specify values for these scheduled task attributes, proceed to Step 10 of the procedure to create scheduled tasks.
If you are using Oracle Identity Manager release 9.0.1, then you must perform the following procedure to enable reconciliation:
See Also:
Oracle Identity Manager Design Console Guide
Open the Design Console.
Expand the Process Management folder.
Open the Process Definition form for the AD User.
Click the Reconciliation Field Mappings tab.
For each field that is of the IT resource type:
Double-click the field to open the Edit Reconciliation Field Mapping window for that field.
Deselect Key Field for Reconciliation Matching.
Note:
This section describes an optional procedure. You need not perform this procedure if you do not want to add new attributes for provisioning.
By default, the attributes listed in the "Reconciliation Module" section are mapped for reconciliation between Oracle Identity Manager and the target system. If required, you can map additional attributes for reconciliation.
Before you add a new field for target resource reconciliation, you must first determine the target system name of the field as follows:
Install the target system schema, if it is not already installed.
Refer to the Microsoft Web site for information about installing the schema.
Note:
The ADSIEdit tool provides an alternative to installing and using the target system schema for determining the name of the field that you want to add. The Microsoft Web site provides information about using this tool.
Open the target system schema.
Expand the Console Root folder, expand the target system schema, and then double-click Classes.
Right-click user, and then select Properties.
The Attributes tab displays the attributes (that is, fields) that are currently in use on the target system.
Note down the name of the field that you want to add, and then click Cancel.
For example, if you want to add the Employee ID field for reconciliation, then note down employeeID.
To add a new field for target resource reconciliation:
See Also:
Oracle Identity Manager Design Console Guide for detailed information about these steps
Add the new field on the process form as follows:
Expand Development Tools.
Double-click Form Designer.
Search for and open the UD_ADUSER process form.
Click Create New Version, and then click Add.
Enter the details of the field.
For example, if you are adding the Employee ID field, enter UD_ADUSER_EMPLOYEE_ID in the Name field and then enter other details such as Variable Type, Length, Field Label, and Field Type.
Click Save, and then click Make Version Active.
Add the new field to the list of reconciliation fields in the resource object as follows:
Expand Resource Management.
Double-click Resource Objects.
Search for and open the AD User resource object.
On the Object Reconciliation tab, click Add Field.
Enter the details of the field.
For example, enter Employee ID in the Field Name field and select String from the Field Type list.
Later in this procedure, you will enter the field name as the Decode value of the entry that you create in the lookup definition for reconciliation.
Click Save.
Create a reconciliation field mapping for the new field in the provisioning process as follows:
Expand Process Management.
Double-click Process Definition.
Search for and open the AD User provisioning process.
On the Reconciliation Field Mappings tab of the AD User provisioning process, click Add Field Map.
In the Field Name field, select the value for the field that you want to add.
Double-click the Process Data Field field, and then select UD_ADUSER_EMPLOYEE_ID.
Click Save.
Create an entry for the field in the lookup definition for reconciliation as follows:
Expand Administration.
Double-click Lookup Definition.
Open Lookup.ADReconciliation.FieldMap.
Click Add and enter the Code Key and Decode values for the field. The Code Key value must be the name of the field on the target system, which you determined at the start of this procedure. The Decode value is the name that you provide for the reconciliation field in Step 3.e.
For example, enter employeeID in the Code Key field and then enter Employee ID in the Decode field.
Click Save.
As mentioned earlier in this guide, provisioning involves creating or modifying a user's account information on the target system through Oracle Identity Manager.
Note:
You must perform the procedure described in this section if you want to use the provisioning features of Oracle Identity Manager for this target system.
Configuring provisioning involves compiling the adapters that are used to implement provisioning functions.
See Also:
The "Supported Functionality" section for a listing of the provisioning functions that are available with this connector
The following adapters are imported into Oracle Identity Manager when you import the connector XML file:
Chk Process Parent Org
AD Move OU
AD Get USNChanged
AD Get OU USNCR
Update AD Group Details
Get Group ObjectGUID Created
AD Delete Group
AD Create Group
Prepopulate AD Group Name
check process organization
AD Set User Password
AD Set User CN Standard
AD Set Account Exp Date
AD remove User From Group
AD Pwd Never Expires
AD Must Change PWD
AD Move User
AD Get ObjectGUID
AD Enable User
AD Disable User
AD Delete User
AD Create User
AD Change Attribute
AD Change User Password
AD Add User To Group
AD Prepopulate User Last Name
AD Prepopulate User Login
AD Prepopulate User Full Name
AD Prepopulate User Middle Name
AD Prepopulate User First Name
You must compile these adapters before they can be used in provisioning operations.
To compile adapters by using the Adapter Manager form:
Open the Adapter Manager form.
To compile all the adapters that you import into the current database, select Compile All.
To compile multiple (but not all) adapters, select the adapters you want to compile. Then, select Compile Selected.
Note:
Click Compile Previously Failed to recompile only those adapters that were not compiled successfully. Such adapters do not have an OK compilation status.
Click Start. Oracle Identity Manager compiles the selected adapters.
If Oracle Identity Manager is installed in a clustered environment, then copy the compiled adapters from the OIM_home/xellerate/Adapter directory to the same directory on each of the other nodes of the cluster. If required, overwrite the adapter files on the other nodes.
If you want to compile one adapter at a time, then use the Adapter Factory form.
See Also:
Oracle Identity Manager Tools Reference Guide for information about using the Adapter Factory and Adapter Manager forms
To view detailed information about an adapter:
Highlight the adapter in the Adapter Manager form.
Double-click the row header of the adapter, or right-click the adapter.
Select Launch Adapter from the shortcut menu that is displayed. Details of the adapter are displayed.
Note:
This section describes an optional procedure. You need not perform this procedure if you do not want to add new attributes for provisioning.
By default, the attributes listed in the "Provisioning Module" section are mapped for provisioning between Oracle Identity Manager and the target system. If required, you can map additional attributes for provisioning.
Before you add a new field for provisioning, you must first determine the target system name of the field as follows:
Install the target system schema, if it is not already installed.
Refer to the Microsoft Web site for information about installing the schema.
Note:
The ADSIEdit tool provides an alternative to installing and using the target system schema for determining the name of the field that you want to add. The Microsoft Web site provides information about using this tool.
Open the target system schema.
Expand the Console Root folder, expand the target system schema, and then double-click Classes.
Right-click user, and then select Properties.
The Attributes tab displays the attributes (that is, fields) that are currently in use on the target system.
Note down the name of the field that you want to add, and then click Cancel.
For example, if you want to add the Employee ID field for reconciliation, then note down employeeID.
To add a new field for provisioning:
See Also:
Oracle Identity Manager Design Console Guide for detailed information about these steps
Log in to the Oracle Identity Manager Design Console.
Add the new field on the process form as follows:
Expand Development Tools.
Double-click Form Designer.
Search for and open the UD_ADUSER process form.
Click Create New Version, and then click Add.
Enter the details of the field.
For example, if you are adding the Employee ID field, enter UD_ADUSER_EMPLOYEE_ID in the Name field, and then enter the rest of the details of this field.
Click Save and then click Make Version Active.
Create an entry for the field in the lookup definition for provisioning as follows:
Expand Administration.
Double-click Lookup Definition.
If the field that you want to add is not an Environment, Remote Control, or Sessions field, then search for and open the AtMap.AD lookup definition.
Click Add and then enter the Code Key and Decode values for the field. The Decode value must be the name of the field on the target system, which you determined at the start of this procedure.
For example, enter UD_ADUSER_EMPLOYEE_ID in the Code Key field and then enter employeeID in the Decode field.
Enabling Update of New Fields for Provisioning
After you add a field for provisioning, you must enable update operations on the field. If you do not perform this procedure, then you will not be able to modify the value of the field after you set a value for it during the Create User provisioning operation.
To enable the update of a new field for provisioning:
See Also:
Oracle Identity Manager Design Console Guide for detailed information about these steps
Log in to the Oracle Identity Manager Design Console.
In the provisioning process, add a new task for updating the field as follows:
Expand Process Management.
Double-click Process Definition and open the AD User provisioning process.
Click Add and enter the task name and the task description.
In the Task Properties section, select the following fields:
Conditional
Required for Completion
Allow Cancellation while Pending
Allow Multiple Instances
Click Save.
In the AD User provisioning process, select the adapter name in the Handler Type section as follows:
Go to the Integration tab, click Add and select Adapter.
In the Handler Type section, select adpADCSCHANGEATTRIBUTE.
Click Save.
Double-click the Variable Name field to get the value and map the adapter variable to Response Code.
Double-click the Variable Name field to get the value and map the adapter variable to a process data field.
Double-click the Variable Name field to get the value and map the adapter variable to a process data field.
Double-click the Variable Name field to get the value and map the adapter variable with the corresponding field on the target system. For example, enter employeeID for updating Employee ID.
Click Save.
By default, newly created users on the target system are assigned to the user object class. The user object class is the value of the LdapUserObjectClass field in the AtMap.AD lookup definition. If you want to assign new users to additional object classes, then enter the list of object classes in the Decode column for this field. Use the vertical bar (|) to separate the object class names in the value that you specify.
The following are sample values for the LdapUserObjectClass entry:
user
coperson
user|coperson
In the third sample value, the vertical bar (|) is used as the delimiting character.
This parameter is used only during provisioning.
Note:
When you create an object class, set the user object class as the parent object class.
You can provision users with user-defined object classes in addition to the user object class. However you cannot provision the user with object classes such as contact and computer because they are not treated as user objects by Microsoft Active Directory.
Note:
This section describes an optional procedure. Perform this procedure only if you want to add new multivalued fields for reconciliation.
You must ensure that new fields you add for reconciliation contain only string-format data. Binary fields must not be brought into Oracle Identity Manager natively.
If required, you can add new multivalued fields for target resource reconciliation.
To add a new multivalued field for target resource reconciliation:
Log in to the Oracle Identity Manager Design Console.
Create a form for the multivalued field as follows:
Expand Development Tools.
Double-click Form Designer.
Create a form by specifying a table name and description, and then click Save.
Click Add and enter the details of the field.
Click Save and then click Make Version Active.
Add the form created for the multivalued field as a child form of the process form as follows:
Search for and open the UD_ADUSER or UD_ADGROUP process form.
Click Create New Version.
Click the Child Table(s) tab.
Click Assign.
In the Assign Child Tables dialog box, select the newly created child form, click the right arrow, and then click OK.
Click Save and then click Make Version Active.
Add the new field to the list of reconciliation fields in the resource object as follows:
Expand Resource Management.
Double-click Resource Objects.
Search for and open the AD User or AD Group resource object.
On the Object Reconciliation tab, click Add Field.
In the Add Reconciliation Fields dialog box, enter the details of the field.
For example, enter carLicense in the Field Name field and select Multi Valued Attribute from the Field Type list.
Click Save and then close the dialog box.
Right-click the newly created field.
Select Define Property Fields.
In the Add Reconciliation Fields dialog box, enter the details of the newly created field.
For example, enter carLicense in the Field Name field and select String from the Field Type list.
Click Save, and then close the dialog box.
Create a reconciliation field mapping for the new field as follows:
Expand Process Management.
Double-click Process Definition.
Search for and open the AD User or AD Group process definition.
On the Reconciliation Field Mappings tab of the AD User or AD Group process definition, click Add Table Map.
In the Add Reconciliation Table Mapping dialog box, select the field name and table name from the list, click Save, and then close the dialog box.
Right-click the newly created field, and select Define Property Field Map.
In the Field Name field, select the value for the field that you want to add.
Double-click the Process Data Field field, and then select the column that you want to add, for example, UD_CAR_LICENSE.
Select Key Field for Reconciliation Field Matching and click Save.
Create an entry for the field in the lookup definition for reconciliation as follows:
Expand Administration.
Double-click Lookup Definition.
Search for and open the Lookup.ADReconciliation.FieldMap lookup definition.
Click Add and enter the Code Key and Decode values for the field, and then click Save. The Code Key value must be the name of the attribute field on the target system.
For example, enter carLicense in the Code Key field and then enter carLicense in the Decode field.
Note:
This section describes an optional procedure. Perform this procedure only if you want to add new multivalued fields for reconciliation.
To add new multivalued fields for provisioning:
Note:
Before starting the following procedure, perform Steps 1 through 3 as described in the "Adding New Multivalued Fields for Target Resource Reconciliation" section. If these steps have been performed while adding new multivalued fields for target resource reconciliation, then you need not repeat the steps.
Log in to the Oracle Identity Manager Design Console.
Expand Process Management.
In the process definition, add the task for provisioning multivalued attributes as follows:
Double-click Process Definition.
Search for and open the AD User or AD Group process definition.
Click Add and enter the task name and the description.
In the Task Properties section, select the following:
Conditional
Required for Completion
Retry Count
Allow Multiple Instances
Child table name from the Child Table list
Insert, if you want to add the data, from the Trigger Type list
Delete, if you want to remove the data, from the Trigger Type list.
Click Save.
Select the adapter as follows:
On the Integration tab in the AD User or AD Group provisioning Process, click Add and then select Adapter. From the list of adapters:
If you want to add multivalued data, then select adpADCSAddMultiAttributeData and click Save.
If you want to remove multivalued data, then select adpADCSRemoveMultiAttributeData and click Save.
Double-click and map the adapter variable to a process data field and click Save.
Double-click and map the adapter variable to a literal and specify the name of the attribute to be updated in the Literal Value field, and then click Save.
Double-click and map the adapter variable to a process data field of the newly created form. If you are removing the attribute, then select Old Value and click Save.
Double-click and map the adapter variable to a process data field and click Save.
Double-click and map the adapter variable to a response code field and click Save.
Click Save on Process Task.
Note:
During a provisioning operation, you can either add or remove values of multivalued fields. You cannot update these values.
Note:
You must perform this procedure only if you are using Oracle Identity Manager release 9.0.1.3.
In Oracle Identity Manager release 9.0.1.3, user accounts that are disabled or enabled are not reconciled correctly into Oracle Identity Manager during nontrusted (target resource) reconciliation. If you are using this release of Oracle Identity Manager, then you must perform the following procedure to resolve this problem:
Log in to the Design Console.
Create the userAccountControl reconciliation field in the AD User resource object as follows:
Expand the Resource Management folder.
Open the Resource Objects form.
Click the Search button.
From the list of resource objects that is displayed, double-click AD User.
On the Object Reconciliation tab, select the Reconciliation Fields tab.
On the Reconciliation Fields tab, click Add Field and then enter the following values:
Field Name: Enter userAccountControl.
Field Type: Select String.
Required: Select this check box.
Save the changes.
Map the userAccountControl reconciliation field to the OIM_OBJECT_STATUS field as follows:
Expand the Process Management folder.
Open the Process Definition form.
Click the Search button.
From the list of process definitions that is displayed, double-click the AD User process definition.
On the Reconciliation Field Mappings tab, double-click userAccountControl and then enter the following values:
Field Name: Select userAccountControl.
Field Type: Select String.
Process Data Field: Enter OIM_OBJECT_STATUS.
Save the changes.
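The procedure above makes the userAccountControl attribute part of each reconciliation event so that the enabled or disabled state of the account reaches Oracle Identity Manager. The following is an added example, not code from the Oracle guide or the connector, showing how that attribute is decoded into an account status: the ACCOUNTDISABLE bit (0x0002) of userAccountControl decides whether the account is disabled. The bit values are the documented Active Directory userAccountControl flags; the status strings "Enabled" and "Disabled", the event layout and the sample accounts are assumptions constructed for this example.

```python
from typing import Dict, List, Tuple

# userAccountControl bit flags (documented Active Directory values)
UAC_FLAGS: Dict[int, str] = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x800000: "PASSWORD_EXPIRED",
}
ACCOUNTDISABLE = 0x0002


def decode_uac(uac: int) -> List[str]:
    """Names of the flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if uac & bit]


def account_status(uac: int) -> str:
    """Account status derived solely from the ACCOUNTDISABLE bit.
    The strings are assumed for this example, not OIM's own vocabulary."""
    return "Disabled" if uac & ACCOUNTDISABLE else "Enabled"


def map_recon_event(event: Dict[str, str]) -> Dict[str, str]:
    """Turn raw attribute values read from AD into the fields a reconciliation
    event would carry. Because the field was marked Required, an event whose
    userAccountControl is missing or not numeric is rejected."""
    raw = event.get("userAccountControl", "")
    if not raw.isdigit():
        raise ValueError(
            f"{event.get('sAMAccountName')}: userAccountControl missing or not numeric: {raw!r}"
        )
    uac = int(raw)
    return {
        "sAMAccountName": event["sAMAccountName"],
        "userAccountControl": str(uac),
        "OIM_OBJECT_STATUS": account_status(uac),
    }


def map_recon_events(events: List[Dict[str, str]]) -> Tuple[Dict[str, str], List[str]]:
    """Map a batch of events; returns {sAMAccountName: status} for the accepted
    events and the list of sAMAccountNames that were rejected."""
    accepted: Dict[str, str] = {}
    rejected: List[str] = []
    for event in events:
        try:
            mapped = map_recon_event(event)
        except ValueError:
            rejected.append(event.get("sAMAccountName", "<unknown>"))
            continue
        accepted[mapped["sAMAccountName"]] = mapped["OIM_OBJECT_STATUS"]
    return accepted, rejected


# Constructed sample reconciliation events (not real data)
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"sAMAccountName": "jdoe", "userAccountControl": "512"},          # NORMAL_ACCOUNT
    {"sAMAccountName": "asmith", "userAccountControl": "514"},        # NORMAL_ACCOUNT + ACCOUNTDISABLE
    {"sAMAccountName": "svc-backup", "userAccountControl": "66050"},  # disabled, DONT_EXPIRE_PASSWORD
    {"sAMAccountName": "mlee", "userAccountControl": "66048"},        # enabled, DONT_EXPIRE_PASSWORD
    {"sAMAccountName": "broken", "userAccountControl": "n/a"},        # rejected: not numeric
]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        uac = event["userAccountControl"]
        flags = decode_uac(int(uac)) if uac.isdigit() else ["<invalid>"]
        print(event["sAMAccountName"], uac, flags)
    print(map_recon_events(SAMPLE_EVENTS))
```

Reading the whole attribute rather than only the disabled bit is useful when auditing what reconciliation brings in: decode_uac on the sample value 66050 also shows DONT_EXPIRE_PASSWORD, which is the kind of setting an identity administrator will want to see alongside the enabled or disabled status.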
Note:
Perform this procedure only if you want to configure the connector for multiple installations of Microsoft Active Directory.
You may want to configure the connector for multiple installations of Microsoft Active Directory. The following example illustrates this requirement:
The Tokyo, London, and New York offices of Acme Multinational Inc. have their own installations of Microsoft Active Directory. The company has recently installed Oracle Identity Manager, and they want to configure Oracle Identity Manager to link all the installations of Microsoft Active Directory.
To meet the requirement posed by such a scenario, you must configure the connector for multiple installations of Microsoft Active Directory.
To configure the connector for multiple installations of the target system:
Create and configure one IT resource for each target system installation.
The IT Resources form is in the Resource Management folder. An IT resource is created when you import the connector XML file. You can use this IT resource as the template for creating the remaining IT resources of the same resource type.
Configure reconciliation for each target system installation. Refer to the "Configuring Reconciliation" section for instructions. Note that you only need to modify the attributes that are used to specify the IT resource and to specify whether or not the target system installation is to be set up as a trusted source.
You can designate either a single or multiple installations of Microsoft Active Directory as trusted sources.
If required, modify the fields to be reconciled for the Xellerate User resource object.
See Also:
Oracle Identity Manager Design Console Guide for detailed instructions on performing each step of this procedure
When you use the Administrative and User Console to perform provisioning, you can specify the IT resource corresponding to the Microsoft Active Directory installation to which you want to provision the user.
The connector for Microsoft Active Directory performs the following functions:
Updates Microsoft Active Directory with user account attributes (except for passwords) changed in Oracle Identity Manager
Updates Oracle Identity Manager with user account attributes (except for passwords) changed in Microsoft Active Directory
Updates Microsoft Active Directory with passwords changed in Oracle Identity Manager (requires LDAP over SSL)
The password synchronization module for Microsoft Active Directory updates Oracle Identity Manager with passwords changed in Microsoft Active Directory.
The connector is deployed on the Oracle Identity Manager server, and the password synchronization module is deployed on the Microsoft Active Directory server. When they are deployed together (along with LDAP over SSL), the connector and the password synchronization module provide full, bidirectional synchronization of all user attributes, including passwords.
See Also:
Oracle Identity Manager Password Synchronization Module for Microsoft Active Directory Installation and Configuration Guide
The instructions in this section are aimed at solving a problem that was observed in release 9.0.3 of the connector and password synchronization module.
You must create a custom attribute in Oracle Identity Manager to act as a flag for tracking password changes initiated by Microsoft Active Directory.
To create a custom attribute (user-defined field) in Oracle Identity Manager:
See Also:
Oracle Identity Manager Design Console Guide
Open the Design Console.
Expand the Administration folder.
Select User Defined Field Definition.
Click the Search icon.
Select USR from the results that are displayed, and then click Add.
In the User Defined Fields dialog box, enter the following values:
Label: Enter a label for the field. For example: PWDCHANGEDINDICATION
Field Size: 20
The user-defined field that you create will hold either ADSYNC_TRUE or ADSYNC_FALSE.
DataType: String
Column Name: Enter a column name for the field.
It is recommended that you enter the same value as that you enter in the Label field. For example: PWDCHANGEDINDICATION
Oracle Identity Manager automatically appends USR_UDF_ to the column name that you specify. So, for example, if you specify PWDCHANGEDINDICATION as the column name, then the actual column name is changed to USR_UDF_PWDCHANGEDINDICATION.
Click Save.
While performing the procedure described in the "Defining IT Resources" section, you must specify values for the following parameters:
AD Sync installed (yes/no)
If you are going to install and use the Microsoft Active Directory Password Synchronization module, then specify yes as the value of this parameter. Otherwise, specify no. The default value is no.
OIM User UDF
Specify the name of the user-defined field that you create in Oracle Identity Manager.
You must specify a value for this parameter only if you specify yes as the value of the AD Sync installed (yes/no) parameter.
Note: You must specify the column name and not the field label that you enter while adding the custom attribute in Oracle Identity Manager. For example, if you enter the label PWDCHANGEDINDICATION, then the column name that you must specify is USR_UDF_PWDCHANGEDINDICATION. Oracle Identity Manager adds the USR_UDF_ prefix while creating a column.
This section describes the sequence of events that take place during a password change operation.
When you change the password on Oracle Identity Manager:
Oracle Identity Manager sets the value of the USR_UDF_PWDCHANGEDINDICATION field to 1.
The new password is propagated to the target system.
The password synchronization module detects the password change.
The password synchronization module checks the value of the USR_UDF_PWDCHANGEDINDICATION field, sets the field to 0, and then performs no further action.
Note:
When you perform a Create User provisioning operation, the value of the field is NULL. The password synchronization module treats the NULL value the same as it would treat a value of 1.
When you change the password on the target system:
The password synchronization module sets the value of the USR_UDF_PWDCHANGEDINDICATION field to 1.
The new password is set in the USR table.
Oracle Identity Manager detects the password change.
Oracle Identity Manager checks the value of the USR_UDF_PWDCHANGEDINDICATION field, sets the field to 0, and then performs no further action.
After you install the Microsoft Active Directory connector, you must make changes in the xlconfig.xml file of the password synchronization module to reflect the properties of the connector.
This is part of the installation procedure for the password synchronization module. It is described in the "Configuring the xlconfig.xml File After Installing the Connector" section of Oracle Identity Manager Password Synchronization Module for Microsoft Active Directory Installation and Configuration Guide.