3 Configuring the Connector

After you deploy the connector, you must configure it to meet your requirements. This chapter discusses the following connector configuration procedures:

Note:

These sections provide both conceptual and procedural information about configuring the connector. It is recommended that you read the conceptual information before you perform the procedures.

3.1 Configuring Reconciliation

As mentioned earlier in this guide, reconciliation involves duplicating in Oracle Identity Manager the creation of and modifications to user accounts on the target system. This section discusses the following topics related to configuring reconciliation:

3.1.1 Configuring Trusted Source Reconciliation

While configuring the connector, the target system can be designated as a trusted source or target resource. If you designate the target system as a trusted source, then during a reconciliation run:

  • For each newly created user on the target system, an OIM User is created.

  • Updates made to each user on the target system are propagated to the corresponding OIM User.

If you designate the target system as a target resource, then during a reconciliation run:

  • For each account created on the target system, a resource is assigned to the corresponding OIM User.

  • Updates made to each account on the target system are propagated to the corresponding resource.

Note:

You can skip this section if you do not want to designate the target system as a trusted source for reconciliation.

To import the XML file for trusted source reconciliation:

Note:

Only one target system can be designated as a trusted source. If you import the xliADXLResourceObject.xml file while you have another trusted source configured, then both connector reconciliations would stop working.

  1. Open the Oracle Identity Manager Administrative and User Console.

  2. Click the Deployment Management link on the left navigation bar.

  3. Click the Import link under Deployment Management. A dialog box for opening files is displayed.

  4. Locate and open the xliADXLResourceObject.xml file, which is in the OIM_home/xellerate/XLIntegrations/ActiveDirectory/xml directory. Details of this XML file are shown on the File Preview page.

  5. Click Add File. The Substitutions page is displayed.

  6. Click Next. The Confirmation page is displayed.

  7. Click Import.

  8. In the message that is displayed, click Import to confirm that you want to import the XML file and then click OK.

After you import the XML file for trusted source reconciliation, you must set the value of the TrustedSource reconciliation scheduled task attribute to yes. This procedure is described in the "Configuring the Reconciliation Scheduled Tasks" section.

3.1.2 Partial Reconciliation

By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run. You can customize this process by specifying the subset of added or modified target system records that must be reconciled. You do this by specifying the queries that must be applied during reconciliation. You specify these queries as the values of the following scheduled task attributes:

3.1.2.1 CustomizedReconQuery Attribute

For this connector, you create a filter by specifying values for the CustomizedReconQuery attribute while performing the procedure described in the "Defining IT Resources" section.

The following table lists the Microsoft Active Directory attributes, and the corresponding Oracle Identity Manager attributes, that you can use to build the query condition. You specify this query condition as the value of the CustomizedReconQuery attribute.

Oracle Identity Manager Attribute    Microsoft Active Directory Attribute
User ID                              sAMAccountName
First Name                           givenName
Last Name                            sn
Middle Name                          initials
Full Name                            displayName
Groups                               memberOf

The CustomizedReconQuery attribute is used in conjunction with the isNativeQuery attribute. You use the isNativeQuery attribute to specify whether or not the query condition is in the native format.

The following are sample CustomizedReconQuery attribute values when the isNativeQuery attribute is set to yes:

Note:

These queries are in the native format.

  • (&(objectclass=user)(givenName=John))

    With this query condition, records of users belonging to the user object class and whose first name is John are reconciled.

  • (&(objectClass=user)(memberOf=CN=grp123,CN=Users,DC=corp,DC=com))

    With this query condition, records of all users who belong to the user object class and the grp123 group are reconciled.

  • (&(&(objectClass=user)(memberOf=CN=group1,CN=Users,DC=corp,DC=com))(givenName=Richard))

    With this query condition, records of all users who belong to the group1 group and user object class and whose first name is Richard are reconciled.

  • (&(objectclass=user)(sn=Roe))

    With this query condition, records of all users who belong to the user object class and whose last name is Roe are reconciled.

The following are sample CustomizedReconQuery attribute values when the isNativeQuery attribute is set to no:

  • objectClass=user&givenName=John&sn=Doe

    With this query condition, records of users who belong to the user object class and whose first name is John and last name is Doe are reconciled.

  • givenName=John|sn=Doe

    With this query condition, records of users who meet either of the following conditions are reconciled:

    • First name is John.

    • Last name is Doe.

  • objectClass=user&memberOf=CN=grp123,CN=Users,DC=Globalsv,DC=com

    With this query condition, records of all users who belong to the grp123 group and the user object class are reconciled.

If the value of the CustomizedReconQuery attribute is [NONE], then all the records in the target system are compared with existing Oracle Identity Manager records during reconciliation.

The following are guidelines to be followed while specifying a value for the CustomizedReconQuery parameter when the isNativeQuery attribute is set to no (that is, when you want to use a non-native format query):

  • For the Microsoft Active Directory attributes, you must use the same case (uppercase or lowercase) as given in the table shown earlier in this section. This is because the attribute names are case-sensitive.

  • You must not include unnecessary blank spaces between operators and values in the query condition.

    A query condition with spaces separating values and operators would yield different results as compared to a query condition that does not contain spaces between values and operators. For example, the output of the following query conditions would be different:

    givenname=John&sn=Doe

    givenname= John&sn= Doe

    In the second query condition, the reconciliation engine would look for first name and last name values that contain a space at the start.

  • You must not include special characters other than the equal sign (=), ampersand (&), and vertical bar (|) in the query condition.

    Note:

    An exception is thrown if you include special characters other than the equal sign (=), ampersand (&), and vertical bar (|).

  • You must enclose the query condition in parentheses, for example:

    (&(objectClass=user)(sn!=Doe))

3.1.2.2 CustomizedGroupReconQuery Attribute

You use the CustomizedGroupReconQuery attribute to specify the groups that must be reconciled. The value of this attribute is an LDAP query that you specify.

You can use any one or a combination of the following group fields to create the LDAP query:

  • name

  • instanceType

  • groupType

  • objectSid

  • sAMAccountType

  • member

  • uSNCreated

  • uSNChanged

  • objectClass

  • distinguishedName

  • objectCategory

  • sAMAccountName

  • objectGUID

  • cn

  • whenCreated

  • whenChanged

The following are sample LDAP queries:

Note:

As shown in these samples, individual conditions must be enclosed in parentheses. For example: (groupType=2)

Only queries in native LDAP format are supported.

  • (&(|(groupType=2)(name=MyGrp))(objectClass=group))

  • (&(&(groupType=2)(name=MyGrp))(objectClass=group))

  • (&(objectclass=group)(name=MyGrp))

  • (|(groupType=2)(name=MyGrp))
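The following Python script is an added example, not code from the connector or from this guide. It converts a non-native CustomizedReconQuery value into a native LDAP filter under the guidelines given in "CustomizedReconQuery Attribute", then parses and evaluates native user and group filters such as the samples above against constructed directory entries; the attribute table, the sample entries and the rejection of a query that mixes & and | are assumptions of the example.

```python
"""Added example; not code from the connector or from this guide.

Applies this section's CustomizedReconQuery and CustomizedGroupReconQuery
rules: a non-native query (isNativeQuery=no) becomes a native LDAP filter,
and a native user or group filter is parsed and evaluated against
constructed entries. Assumption: the connector's parser is not published,
so a query mixing '&' and '|' is rejected instead of given a precedence.
"""
import re

# Attribute names the section's table allows in a non-native query (exact case).
KNOWN_ATTRS = {"sAMAccountName", "givenName", "sn", "initials",
               "displayName", "memberOf", "objectClass"}
# The guide says any special character other than =, & and | raises an
# exception, so the LDAP filter metacharacters are refused up front.
FORBIDDEN = re.compile(r"[()*\\!<>~]")


def to_native(query):
    """'a=1&b=2' -> '(&(a=1)(b=2))', 'a=1|b=2' -> '(|(a=1)(b=2))', [NONE] -> None."""
    if query == "[NONE]":
        return None
    if FORBIDDEN.search(query):
        raise ValueError("only '=', '&' and '|' may be used as special characters")
    if "&" in query and "|" in query:
        raise ValueError("mixing '&' and '|' is not among the documented samples")
    op = "|" if "|" in query else "&"
    terms = []
    for term in query.split(op):
        attr, sep, value = term.partition("=")  # first '=' only: DN values contain '='
        if not sep or not attr:
            raise ValueError(f"expected attribute=value, got {term!r}")
        if attr not in KNOWN_ATTRS:
            hint = [k for k in KNOWN_ATTRS if k.lower() == attr.lower()]
            raise ValueError(f"unknown attribute {attr!r}"
                             + (f"; names are case-sensitive, use {hint[0]!r}" if hint else ""))
        terms.append(f"({attr}={value})")  # blanks around '=' stay part of the value
    return terms[0] if len(terms) == 1 else f"({op}{''.join(terms)})"


def parse_filter(text):
    """Parse the RFC 4515 subset used in the samples: (&...), (|...), (attr=value)."""
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError(f"unexpected text after position {end}")
    return node


def _parse(text, pos):
    if text[pos:pos + 1] != "(":
        raise ValueError(f"expected '(' at position {pos}")
    pos += 1
    if text[pos:pos + 1] in ("&", "|"):
        op, children, pos = text[pos], [], pos + 1
        while text[pos:pos + 1] == "(":
            child, pos = _parse(text, pos)
            children.append(child)
        node = (op, children)
    else:
        close = text.find(")", pos)
        attr, sep, value = text[pos:close].partition("=")
        if close < 0 or not sep or not attr:
            raise ValueError(f"malformed simple filter at position {pos}")
        node, pos = ("=", attr, value), close
    if text[pos:pos + 1] != ")":
        raise ValueError(f"expected ')' at position {pos}")
    return node, pos + 1


def evaluate(node, entry):
    """entry maps attribute -> list of values. Attribute names compare
    case-insensitively, as in LDAP; values compare exactly, so (sn= Doe)
    only matches values that begin with a blank, as the guide warns."""
    if node[0] == "=":
        _, attr, value = node
        values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
        return value in values
    combine = all if node[0] == "&" else any
    return combine(evaluate(child, entry) for child in node[1])


def select(query, entries, native=True):
    """Keys of the entries the query would reconcile; [NONE] selects all."""
    text = query if native else to_native(query)
    if text is None:
        return list(entries)
    node = parse_filter(text)
    return [key for key, entry in entries.items() if evaluate(node, entry)]


# Constructed sample directory content (not real data).
USERS = {
    "jdoe": {"objectClass": ["user"], "givenName": ["John"], "sn": ["Doe"],
             "memberOf": ["CN=grp123,CN=Users,DC=corp,DC=com"]},
    "jroe": {"objectClass": ["user"], "givenName": ["John"], "sn": ["Roe"]},
}
GROUPS = {
    "MyGrp": {"objectClass": ["group"], "name": ["MyGrp"], "groupType": ["2"]},
    "Other": {"objectClass": ["group"], "name": ["Other"], "groupType": ["2"]},
    "Local": {"objectClass": ["group"], "name": ["Local"], "groupType": ["4"]},
}
```

Run `select("givenName= John&sn= Doe", USERS, native=False)` to see the blank-in-value pitfall select nothing, while the same query without blanks selects jdoe.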

3.1.3 Batched Reconciliation

During a reconciliation run, all changes in the target system records are reconciled into Oracle Identity Manager. Depending on the number of records to be reconciled, this process may require a large amount of time. In addition, if the connection breaks during reconciliation, then the process would take longer to complete.

You can configure batched reconciliation to avoid such problems.

To configure batched reconciliation, you must specify values for the following user reconciliation scheduled task attributes:

  • StartRecord: Use this attribute to specify the record number from which batched reconciliation must begin.

  • BatchSize: Use this attribute to specify the number of records that must be included in each batch.

  • NumberOfBatches: Use this attribute to specify the total number of batches that must be reconciled. If you do not want to use batched reconciliation, specify All Available as the value of this attribute.

    Note:

    If you specify All Available as the value of this attribute, then the values of the StartRecord and BatchSize attributes are ignored.

You specify values for these attributes by following the instructions described in the "User Reconciliation Scheduled Task" section.

After you configure batched reconciliation, if reconciliation fails during a batched reconciliation run, then refer to the log file for information about the batch at which reconciliation has failed.
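As an added example (not connector code), the following Python functions show how StartRecord, BatchSize and NumberOfBatches divide a run into batches and which StartRecord value resumes a run after a batch fails; 1-based record numbering and the reconcile callback are assumptions of the example.

```python
"""Added example; not code from the connector or from this guide.

Shows how the StartRecord, BatchSize and NumberOfBatches attributes
described above divide a run into batches, and which StartRecord value
resumes a run whose batch failed. Assumption: record numbers are 1-based,
matching the sample StartRecord value of 1 in the attribute table.
"""
ALL_AVAILABLE = "All Available"


def plan_batches(start_record, batch_size, number_of_batches, total_records):
    """Return the (first, last) record numbers of each batch, inclusive.

    With NumberOfBatches = All Available there is no batching: StartRecord
    and BatchSize are ignored and every record goes into one pass.
    """
    if number_of_batches == ALL_AVAILABLE:
        return [(1, total_records)] if total_records else []
    if batch_size <= 0 or number_of_batches <= 0:
        raise ValueError("BatchSize and NumberOfBatches must be positive")
    batches, first = [], max(1, start_record)
    while len(batches) < number_of_batches and first <= total_records:
        last = min(first + batch_size - 1, total_records)
        batches.append((first, last))
        first = last + 1
    return batches


def run_batched_recon(records, start_record, batch_size, number_of_batches, reconcile):
    """Pass each batch to reconcile(batch); stop at the first failure.

    Returns (records_done, failed_batch_number, resume_start_record).
    The batch number is 1-based so it can be matched against the log
    entry the guide refers to; resume_start_record is the StartRecord
    value for the re-run. Both are None when every batch succeeded.
    """
    plan = plan_batches(start_record, batch_size, number_of_batches, len(records))
    done = 0
    for number, (first, last) in enumerate(plan, start=1):
        batch = records[first - 1:last]
        try:
            reconcile(batch)
        except Exception:  # for example, the directory connection dropped mid-batch
            return done, number, first
        done += len(batch)
    return done, None, None
```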

3.1.4 Configuring the Reconciliation Scheduled Tasks

When you perform the procedure described in the "Importing the Connector XML Files" section, the scheduled tasks for lookup fields and user reconciliations are automatically created in Oracle Identity Manager. To configure these scheduled tasks:

  1. Open the Oracle Identity Manager Design Console.

  2. Expand the Xellerate Administration folder.

  3. Select Task Scheduler.

  4. Click Find. The details of the predefined scheduled tasks are displayed on two different tabs.

  5. For the first scheduled task, enter a number in the Max Retries field. This number represents the number of times Oracle Identity Manager must attempt to complete the task before assigning the ERROR status to the task.

  6. Ensure that the Disabled and Stop Execution check boxes are not selected.

  7. In the Start region, double-click the Start Time field. From the date-time editor that is displayed, select the date and time at which you want the task to run.

  8. In the Interval region, set the following schedule parameters:

    • To set the task to run on a recurring basis, select the Daily, Weekly, Recurring Intervals, Monthly, or Yearly option.

      If you select the Recurring Intervals option, then you must also specify the time interval at which you want the task to run on a recurring basis.

    • To set the task to run only once, select the Once option.

  9. Provide values for the attributes of the scheduled task. Refer to the "Specifying Values for the Scheduled Task Attributes" section for information about the values to be specified.

    See Also:

    Oracle Identity Manager Design Console Guide for information about adding and removing task attributes

  10. Click Save. The scheduled task is created. The INACTIVE status is displayed in the Status field, because the task is not currently running. The task is run at the date and time that you set in Step 7.

  11. Repeat Steps 5 through 10 to create the second scheduled task.

3.1.4.1 Specifying Values for the Scheduled Task Attributes

This section provides information about the attribute values to be specified for the following scheduled tasks:

3.1.4.1.1 Lookup Fields Reconciliation Scheduled Task

The following lookup field reconciliation scheduled tasks have the same attributes:

  • ADGroupLookupReconTask

  • AD Security Group Global Lookup Recon

  • ADOrganizationLookupReconTask

These attributes are described in the following table:

Note:

  • Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.

  • Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value were left empty, then reconciliation would not be performed.

Attribute: Server
Description: IT resource instance name of the Microsoft Active Directory server
Default/Sample value: ADITResource

Attribute: LookupCodeName
Description: Name of the lookup definition
Default/Sample value:
  • For group lookup reconciliation: Lookup.ADReconliation.GroupLookup
  • For security group lookup reconciliation: Lookup.AD.PrimaryGroupList
  • For organization lookup reconciliation: Lookup.ADReconciliation.Organization

Attribute: AttrNameForDecodeValueInLookup
Description: Decode value of the attribute name for lookup reconciliation
Default/Sample value:
  • For group lookup reconciliation: cn
  • For security group lookup reconciliation: cn
  • For organization lookup reconciliation: distinguishedName

Attribute: AttrNameForCodeValueInLookup
Description: Code Key value of the attribute name for lookup reconciliation
Default/Sample value:
  • For group lookup reconciliation: objectGUID
  • For security group lookup reconciliation: primaryGroupToken
  • For organization lookup reconciliation: distinguishedName

Attribute: FilterForLookupRecon
Description: Search filter for lookup reconciliation
Default/Sample value:
  • For group lookup reconciliation: (objectclass=group)
  • For security group lookup reconciliation: (&(groupType=-2147483646)(objectclass=group))
  • For organization lookup reconciliation: (objectclass=OrganizationalUnit)

Attribute: OverWriteLookup
Description: Enter yes as the value of this attribute if you want the following events to occur during lookup field reconciliation:
  • Existing values of the Oracle Identity Manager lookup definition are deleted.
  • All the values in the target system lookup field are copied into the Oracle Identity Manager lookup definition.
  Enter no as the value of this attribute if you want the following events to occur during lookup field reconciliation:
  • Existing values in the Oracle Identity Manager lookup definition are updated with changes made to the target system lookup field.
  • New values in the target system lookup field are copied into the Oracle Identity Manager lookup definition.
  Default value: yes
Default/Sample value: yes


After you specify values for these scheduled task attributes, proceed to Step 10 of the procedure to create scheduled tasks.

3.1.4.1.2 User Reconciliation Scheduled Task

The following table describes attributes of these user reconciliation scheduled tasks:

  • ActiveDirectoryReconTask

  • TrustedADReconTask

Note:

  • Most of the attributes are common to both scheduled tasks.

  • See Appendix B, "Attributes of the Reconciliation Scheduled Task" for more information about these attributes.

  • Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.

  • Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value were left empty, then reconciliation would not be performed.

Attribute: DeleteRecon
Description: Specifies whether or not Delete reconciliation is enabled. The value can be yes or no.
  If you enable Delete reconciliation, then you must ensure that the Server attribute points to the Microsoft Active Directory root context where information about deleted users is stored.
  You must specify a value for this attribute.
Default/Sample value: yes

Attribute: FieldLookupCode
Description: Name of the lookup definition that is used for custom reconciliation. See Appendix B, "Attributes of the Reconciliation Scheduled Task" for more information about this attribute.
Default/Sample value: Lookup.ADReconciliation.FieldMap

Attribute: MaintainHierarchy
Description: Specifies whether or not organization hierarchy must be maintained in Microsoft Active Directory. See Appendix B, "Attributes of the Reconciliation Scheduled Task" for more information about this attribute. The default value is no. If required, you can set it to yes.
  Note: This attribute is used only in the TrustedADReconTask scheduled task.
Default/Sample value: no

Attribute: XellerateObject
Description: Name of the OIM User resource object in Oracle Identity Manager on which trusted source reconciliation is to be performed. If you want trusted source reconciliation to be performed, then change the value to Xellerate User. Otherwise, change the value to no. You must specify a value for this attribute.
  Note: This attribute is used only in the TrustedADReconTask scheduled task.

Attribute: XellerateOrg
Description: Oracle Identity Manager organization in which reconciled users are to be created. The name of this organization is used by default unless the MaintainHierarchy attribute is set. The default value of this attribute is Xellerate Users. Do not change the default value.
  Note: This attribute is used only in the TrustedADReconTask scheduled task.
Default/Sample value: Xellerate Users

Attribute: Object
Description: Name of the AD User resource object in Oracle Identity Manager on which reconciliation is performed. The default value is AD User. You must not change this value.
  Note: This attribute is used only in the ActiveDirectoryReconTask scheduled task.
Default/Sample value: AD User

Attribute: Server
Description: Name of the IT resource representing the Microsoft Active Directory server. You must specify a value for this attribute.
Default/Sample value: ADITResource

Attribute: TransformLookupCode
Description: Lookup code used for the transformation class map stored in the lookup tables. See Appendix B, "Attributes of the Reconciliation Scheduled Task" for more information about this attribute. This attribute is valid only when the UseTransformMapping attribute is set to yes.
Default/Sample value: Lookup.ADReconciliation.TransformationMap

Attribute: UseTransformMapping
Description: Specifies whether or not the transform mappings accessed by using the TransformLookupCode attribute must be used. The value can be yes or no.
Default/Sample value: yes

Attribute: MultiValueAttributes
Description: Comma-delimited list of all the multivalued Microsoft Active Directory attributes that must be reconciled. For AD Group reconciliation, enter member. See Appendix B, "Attributes of the Reconciliation Scheduled Task" for more information about this attribute. You must specify a value for this attribute.
Default/Sample value: member

Attribute: GroupObject
Description:
  For target resource reconciliation: Name of the AD Group resource object in Oracle Identity Manager on which group reconciliation is to be performed. If you want AD Group reconciliation to be performed, then change the value to AD Group. Otherwise, change the value to no. You must specify a value for this attribute. The value can be yes or no.
  For trusted source reconciliation: Accept the default value, no.
Default/Sample value: no

Attribute: LastTimeStampAttrName
Description: The attribute holds the name of the IT resource time-stamp parameter that is updated after this scheduled task is run. For example, if the IT resource time-stamp parameter is Last Modified TimeStampTrustedAD, then specify Last Modified TimeStampTrustedAD as the value of this attribute.
Default/Sample value: Last Modified Time Stamp TrustedAD

Attribute: CustomizedReconQuery
Description: Specify the LDAP query that you want to use to customize reconciliation. The reconciliation engine uses this LDAP query to filter the records that must be fetched from the target system. If you do not want to fetch records based on the filter provided as the value of the CustomizedReconQuery attribute, then specify [NONE] as the value. See "Partial Reconciliation" for more information about this attribute.
  Sample values:
  • If isNativeQuery is set to no: sn=last&givenName=first
  • If isNativeQuery is set to yes: (&(sn=last)(givenName=first))
Default/Sample value: [NONE]

Attribute: isNativeQuery
Description: Enter yes to specify that the value of the CustomizedReconQuery attribute is in native LDAP format. Enter no to specify that it is not in native LDAP format.
Default/Sample value: yes

Attribute: StartRecord
Description: Specifies the record from which the batching process starts. The default value is 0. This attribute is also discussed in the "Batched Reconciliation" section.
Default/Sample value: 1

Attribute: BatchSize
Description: Specifies the number of records in each batch. The default value is 0. This attribute is also discussed in the "Batched Reconciliation" section.
Default/Sample value: 3

Attribute: NumberOfBatches
Description: Specifies the number of batches that must be reconciled. If you specify the default value (All Available), then batched reconciliation is not performed. This attribute is also discussed in the "Batched Reconciliation" section.
Default/Sample value: Default value: All Available (for reconciling all the users); sample value: 50

Attribute: LookupForPrimaryGroup
Description: Name of the lookup definition that is used for primary group reconciliation. This attribute is used only when the isReconPrimaryGroups attribute is set to yes.
  Note: This attribute is used only in the ActiveDirectoryReconTask scheduled task.
Default/Sample value: Lookup.AD.PrimaryGroupList

Attribute: isReconPrimaryGroups
Description: Specifies whether or not the primary groups accessed by using the LookupForPrimaryGroup attribute must be used.
  Note: This attribute is used only in the ActiveDirectoryReconTask scheduled task.
Default/Sample value: yes

Attribute: UseOrgNameForGroupRecon
Description: This attribute is used only during group reconciliation. You can set this attribute to one of the following values:
  • If you want each target system group to be reconciled into an organization of its own, then set the value of this attribute to No.
  • If you want all target system groups to be reconciled into a single organization, then set the value of this attribute to Yes.
Default/Sample value: No

Attribute: OrganizationNameForGroupRecon
Description: This attribute is used only during group reconciliation.
  • If you want each target system group to be reconciled into an organization of its own, then accept the default value of this attribute ([NONE]).
    Note: In addition, set the AD Group Recon reconciliation rule to the following: ORGANIZATION_NAME (from organization data) <equals> USER_ID (from the reconciliation event). See Oracle Identity Manager Design Console Guide for information about modifying reconciliation rules.
  • If you want all target system groups to be reconciled into a single organization, then set the value of this attribute to the name of the Oracle Identity Manager organization under which groups must be created.
    Note: In addition, set the AD Group Recon reconciliation rule to the following: ORGANIZATION_NAME (from organization data) <equals> ORGANIZATION_NAME (from the reconciliation event). See Oracle Identity Manager Design Console Guide for information about modifying reconciliation rules.
Default/Sample value: [NONE]

Attribute: CustomizedGroupReconQuery
Description: Specifies the LDAP query that you want to use for determining groups that must be reconciled. See "Partial Reconciliation" for more information about this attribute.
  Note: Only queries in native LDAP format are supported.
  Sample values:
  • (&(|(groupType=2)(name=MyGrp))(objectClass=group))
  • (&(&(groupType=2)(name=MyGrp))(objectClass=group))
  • (&(objectclass=group)(name=MyGrp))
  • (|(groupType=2)(name=MyGrp))
Default/Sample value: [NONE]

Attribute: GroupMultiValueAttributes
Description: Specifies the comma-separated list of multivalued group attributes that you want to reconcile. Sample value: member
  Note: This attribute is specific to the ActiveDirectoryReconTask scheduled task.
Default/Sample value: [NONE]

Attribute: EnableRange
Description: Enter yes if you want to enable the reconciliation of user and group records that contain more than 1000 entries for the multivalued attributes. Otherwise, enter no.
Default/Sample value: no


After you specify values for these scheduled task attributes, proceed to Step 10 of the procedure to create scheduled tasks.

3.1.5 Enabling Reconciliation in Oracle Identity Manager Release 9.0.1

If you are using Oracle Identity Manager release 9.0.1, then you must perform the following procedure to enable reconciliation:

See Also:

Oracle Identity Manager Design Console Guide

  1. Open the Design Console.

  2. Expand the Process Management folder.

  3. Open the Process Definition form for the AD User.

  4. Click the Reconciliation Field Mappings tab.

  5. For each field that is of the IT resource type:

    1. Double-click the field to open the Edit Reconciliation Field Mapping window for that field.

    2. Deselect Key Field for Reconciliation Matching.

3.1.6 Adding Custom Attributes for Reconciliation

Note:

This section describes an optional procedure. You need not perform this procedure if you do not want to add new attributes for reconciliation.

By default, the attributes listed in the "Reconciliation Module" section are mapped for reconciliation between Oracle Identity Manager and the target system. If required, you can map additional attributes for reconciliation.

Before you add a new field for target resource reconciliation, you must first determine the target system name of the field as follows:

  1. Install the target system schema, if it is not already installed.

    Refer to the Microsoft Web site for information about installing the schema.

    Note:

    The ADSIEdit tool provides an alternative to installing and using the target system schema for determining the name of the field that you want to add. The Microsoft Web site provides information about using this tool.

  2. Open the target system schema.

  3. Expand the Console Root folder, expand the target system schema, and then double-click Classes.

  4. Right-click user, and then select Properties.

    The Attributes tab displays the attributes (that is, fields) that are currently in use on the target system.

  5. Note down the name of the field that you want to add, and then click Cancel.

    For example, if you want to add the Employee ID field for reconciliation, then note down employeeID.

To add a new field for target resource reconciliation:

See Also:

Oracle Identity Manager Design Console Guide for detailed information about these steps

  1. Log in to the Oracle Identity Manager Design Console.

  2. Add the new field on the process form as follows:

    1. Expand Development Tools.

    2. Double-click Form Designer.

    3. Search for and open the UD_ADUSER process form.

    4. Click Create New Version, and then click Add.

    5. Enter the details of the field.

      For example, if you are adding the Employee ID field, enter UD_ADUSER_EMPLOYEE_ID in the Name field and then enter other details such as Variable Type, Length, Field Label, and Field Type.

    6. Click Save, and then click Make Version Active.

  3. Add the new field to the list of reconciliation fields in the resource object as follows:

    1. Expand Resource Management.

    2. Double-click Resource Objects.

    3. Search for and open the AD User resource object.

    4. On the Object Reconciliation tab, click Add Field.

    5. Enter the details of the field.

      For example, enter Employee ID in the Field Name field and select String from the Field Type list.

      Later in this procedure, you will enter the field name as the Decode value of the entry that you create in the lookup definition for reconciliation.

    6. Click Save.

  4. Create a reconciliation field mapping for the new field in the provisioning process as follows:

    1. Expand Process Management.

    2. Double-click Process Definition.

    3. Search for and open the AD User provisioning process.

    4. On the Reconciliation Field Mappings tab of the AD User provisioning process, click Add Field Map.

    5. In the Field Name field, select the value for the field that you want to add.

    6. Double-click the Process Data Field field, and then select UD_ADUSER_EMPLOYEE_ID.

    7. Click Save.

  5. Create an entry for the field in the lookup definition for reconciliation as follows:

    1. Expand Administration.

    2. Double-click Lookup Definition.

    3. Open Lookup.ADReconciliation.FieldMap.

    4. Click Add and enter the Code Key and Decode values for the field. The Code Key value must be the name of the field on the target system, which you determined at the start of this procedure. The Decode value is the name that you provide for the reconciliation field in Step 3.e.

      For example, enter employeeID in the Code Key field and then enter Employee ID in the Decode field.

    5. Click Save.

3.2 Configuring Provisioning

As mentioned earlier in this guide, provisioning involves creating or modifying a user's account information on the target system through Oracle Identity Manager.

Note:

You must perform the procedure described in this section if you want to use the provisioning features of Oracle Identity Manager for this target system.

Configuring provisioning involves compiling the adapters that are used to implement provisioning functions.

See Also:

The "Supported Functionality" section for a listing of the provisioning functions that are available with this connector

The following adapters are imported into Oracle Identity Manager when you import the connector XML file:

  • Chk Process Parent Org

  • AD Move OU

  • AD Get USNChanged

  • AD Get OU USNCR

  • Update AD Group Details

  • Get Group ObjectGUID Created

  • AD Delete Group

  • AD Create Group

  • Prepopulate AD Group Name

  • check process organization

  • AD Set User Password

  • AD Set User CN Standard

  • AD Set Account Exp Date

  • AD remove User From Group

  • AD Pwd Never Expires

  • AD Must Change PWD

  • AD Move User

  • AD Get ObjectGUID

  • AD Enable User

  • AD Disable User

  • AD Delete User

  • AD Create User

  • AD Change Attribute

  • AD Change User Password

  • AD Add User To Group

  • AD Prepopulate User Last Name

  • AD Prepopulate User Login

  • AD Prepopulate User Full Name

  • AD Prepopulate User Middle Name

  • AD Prepopulate User First Name

You must compile these adapters before they can be used in provisioning operations.

To compile adapters by using the Adapter Manager form:

  1. Open the Adapter Manager form.

  2. To compile all the adapters that you import into the current database, select Compile All.

    To compile multiple (but not all) adapters, select the adapters you want to compile. Then, select Compile Selected.

    Note:

    Click Compile Previously Failed to recompile only those adapters that were not compiled successfully. Such adapters do not have an OK compilation status.

  3. Click Start. Oracle Identity Manager compiles the selected adapters.

  4. If Oracle Identity Manager is installed in a clustered environment, then copy the compiled adapters from the OIM_home/xellerate/Adapter directory to the same directory on each of the other nodes of the cluster. If required, overwrite the adapter files on the other nodes.

If you want to compile one adapter at a time, then use the Adapter Factory form.

See Also:

Oracle Identity Manager Tools Reference Guide for information about using the Adapter Factory and Adapter Manager forms

To view detailed information about an adapter:

  1. Highlight the adapter in the Adapter Manager form.

  2. Double-click the row header of the adapter, or right-click the adapter.

  3. Select Launch Adapter from the shortcut menu that is displayed. Details of the adapter are displayed.

3.2.1 Adding Custom Attributes for Provisioning

Note:

This section describes an optional procedure. You need not perform this procedure if you do not want to add new attributes for provisioning.

By default, the attributes listed in the "Provisioning Module" section are mapped for provisioning between Oracle Identity Manager and the target system. If required, you can map additional attributes for provisioning.

Before you add a new field for provisioning, you must first determine the target system name of the field as follows:

  1. Install the target system schema, if it is not already installed.

    Refer to the Microsoft Web site for information about installing the schema.

    Note:

    The ADSIEdit tool provides an alternative to installing and using the target system schema for determining the name of the field that you want to add. The Microsoft Web site provides information about using this tool.

  2. Open the target system schema.

  3. Expand the Console Root folder, expand the target system schema, and then double-click Classes.

  4. Right-click user, and then select Properties.

    The Attributes tab displays the attributes (that is, fields) that are currently in use on the target system.

  5. Note down the name of the field that you want to add, and then click Cancel.

    For example, if you want to add the Employee ID field for reconciliation, then note down employeeID.

To add a new field for provisioning:

See Also:

Oracle Identity Manager Design Console Guide for detailed information about these steps

  1. Log in to the Oracle Identity Manager Design Console.

  2. Add the new field on the process form as follows:

    1. Expand Development Tools.

    2. Double-click Form Designer.

    3. Search for and open the UD_ADUSER process form.

    4. Click Create New Version, and then click Add.

    5. Enter the details of the field.

      For example, if you are adding the Employee ID field, enter UD_ADUSER_EMPLOYEE_ID in the Name field, and then enter the rest of the details of this field.

    6. Click Save and then click Make Version Active.

  3. Create an entry for the field in the lookup definition for provisioning as follows:

    1. Expand Administration.

    2. Double-click Lookup Definition.

    3. If the field that you want to add is not an Environment, Remote Control, or Sessions field, then search for and open the AtMap.AD lookup definition.

    4. Click Add and then enter the Code Key and Decode values for the field. The Decode value must be the name of the field on the target system, which you determined at the start of this procedure.

      For example, enter UD_ADUSER_EMPLOYEE_ID in the Code Key field and then enter employeeID in the Decode field.

Enabling Update of New Fields for Provisioning

After you add a field for provisioning, you must enable update operations on the field. If you do not perform this procedure, then you will not be able to modify the value of the field after you set a value for it during the Create User provisioning operation.

To enable the update of a new field for provisioning:

See Also:

Oracle Identity Manager Design Console Guide for detailed information about these steps

  1. Log in to the Oracle Identity Manager Design Console.

  2. In the provisioning process, add a new task for updating the field as follows:

    1. Expand Process Management.

    2. Double-click Process Definition and open the AD User provisioning process.

    3. Click Add and enter the task name and the task description.

    4. In the Task Properties section, select the following fields:

      • Conditional

      • Required for Completion

      • Allow Cancellation while Pending

      • Allow Multiple Instances

    5. Click Save.

  3. In the AD User provisioning process, select the adapter name in the Handler Type section as follows:

    1. Go to the Integration tab, click Add and select Adapter.

    2. In the Handler Type section, select adpADCSCHANGEATTRIBUTE.

    3. Click Save.

  4. Double-click the Variable Name field to get the value and map the adapter variable to Response Code.

  5. Double-click the Variable Name field to get the value and map the adapter variable to a process data field.

  6. Double-click the Variable Name field to get the value and map the adapter variable to a process data field.

  7. Double-click the Variable Name field to get the value and map the adapter variable with the corresponding field on the target system. For example, enter employeeID for updating Employee ID.

  8. Click Save.

3.3 Adding a Custom Object Class for Provisioning

By default, newly created users on the target system are assigned to the user object class. The user object class is the value of the LdapUserObjectClass field in the AtMap.AD lookup definition. If you want to assign new users to additional object classes, then enter the list of object classes in the Decode column for this field. Use the vertical bar (|) to separate the object class names in the value that you specify.

The following are sample values for the LdapUserObjectClass entry:

  • user

  • coperson

  • user|coperson

In the third sample value, the vertical bar (|) is used as the delimiting character.

This parameter is used only during provisioning.

Note:

  • When you create an object class, set the user object class as the parent object class.

  • You can provision users with user-defined object classes in addition to the user object class. However, you cannot provision the user with object classes such as contact and computer because they are not treated as user objects by Microsoft Active Directory.
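The following is an added example, not code from the connector or from Oracle, showing how a value for the LdapUserObjectClass entry can be parsed and checked against the rules this section states: the Decode value is a vertical-bar-separated list of object classes, and classes such as contact and computer must not be used because Microsoft Active Directory does not treat them as user objects. The function names and the NON_USER_CLASSES list are assumptions made for this illustration.

```python
"""Added example: parsing and sanity-checking the LdapUserObjectClass decode value.

Illustrative code written for this page, not part of the Oracle connector.
It applies the rules stated in the text: the Decode value is a '|'-separated
list of object classes, and classes such as contact and computer cannot be
used because Active Directory does not treat them as user objects.
"""

# Object classes the text says cannot be used for user provisioning
# (constructed from the note in this section).
NON_USER_CLASSES = frozenset({"contact", "computer"})


def parse_object_classes(decode_value):
    """Split the Decode value of LdapUserObjectClass on the vertical bar.

    Surrounding whitespace is stripped, empty segments (for example from a
    trailing '|') are dropped, and duplicates are removed, keeping the first
    occurrence so the order of the configured value is preserved.
    """
    classes = []
    for part in decode_value.split("|"):
        name = part.strip()
        if name and name.lower() not in {c.lower() for c in classes}:
            classes.append(name)
    return classes


def validate_object_classes(classes):
    """Return a list of problems found in the parsed object class list.

    An empty list means the value is acceptable under the rules in this section.
    """
    problems = []
    if not classes:
        problems.append("no object class specified")
    for name in classes:
        if name.lower() in NON_USER_CLASSES:
            problems.append(f"{name} is not treated as a user object by Active Directory")
    return problems


def object_class_values(decode_value):
    """Values that would be placed in the LDAP objectClass attribute on create.

    Raises ValueError when the configured value breaks the documented rules,
    so a bad lookup entry is caught before any provisioning is attempted.
    """
    classes = parse_object_classes(decode_value)
    problems = validate_object_classes(classes)
    if problems:
        raise ValueError("; ".join(problems))
    return classes


if __name__ == "__main__":
    # The three sample values from this section plus one the note forbids.
    for sample in ("user", "coperson", "user|coperson", "user|computer"):
        try:
            print(sample, "->", object_class_values(sample))
        except ValueError as exc:
            print(sample, "-> rejected:", exc)
```

The check is deliberately case-insensitive, because LDAP object class names are matched case-insensitively by the directory, so a value such as `user|Computer` would otherwise slip past a naive comparison.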

3.4 Adding New Multivalued Fields for Target Resource Reconciliation

Note:

This section describes an optional procedure. Perform this procedure only if you want to add new multivalued fields for reconciliation.

You must ensure that new fields you add for reconciliation contain only string-format data. Binary fields must not be brought into Oracle Identity Manager natively.

If required, you can add new multivalued fields for target resource reconciliation.

To add a new multivalued field for target resource reconciliation:

  1. Log in to the Oracle Identity Manager Design Console.

  2. Create a form for the multivalued field as follows:

    1. Expand Development Tools.

    2. Double-click Form Designer.

    3. Create a form by specifying a table name and description, and then click Save.

    4. Click Add and enter the details of the field.

    5. Click Save and then click Make Version Active.

  3. Add the form created for the multivalued field as a child form of the process form as follows:

    1. Search for and open the UD_ADUSER or UD_ADGROUP process form.

    2. Click Create New Version.

    3. Click the Child Table(s) tab.

    4. Click Assign.

    5. In the Assign Child Tables dialog box, select the newly created child form, click the right arrow, and then click OK.

    6. Click Save and then click Make Version Active.

  4. Add the new field to the list of reconciliation fields in the resource object as follows:

    1. Expand Resource Management.

    2. Double-click Resource Objects.

    3. Search for and open the AD User or AD Group resource object.

    4. On the Object Reconciliation tab, click Add Field.

    5. In the Add Reconciliation Fields dialog box, enter the details of the field.

      For example, enter carLicense in the Field Name field and select Multi Valued Attribute from the Field Type list.

    6. Click Save and then close the dialog box.

    7. Right-click the newly created field.

    8. Select Define Property Fields.

    9. In the Add Reconciliation Fields dialog box, enter the details of the newly created field.

      For example, enter carLicense in the Field Name field and select String from the Field Type list.

    10. Click Save, and then close the dialog box.

  5. Create a reconciliation field mapping for the new field as follows:

    1. Expand Process Management.

    2. Double-click Process Definition.

    3. Search for and open the AD User or AD Group process definition.

    4. On the Reconciliation Field Mappings tab of the AD User or AD Group process definition, click Add Table Map.

    5. In the Add Reconciliation Table Mapping dialog box, select the field name and table name from the list, click Save, and then close the dialog box.

    6. Right-click the newly created field, and select Define Property Field Map.

    7. In the Field Name field, select the value for the field that you want to add.

    8. Double-click the Process Data Field field, and then select the column that you want to add, for example, UD_CAR_LICENSE.

    9. Select Key Field for Reconciliation Field Matching and click Save.

  6. Create an entry for the field in the lookup definition for reconciliation as follows:

    1. Expand Administration.

    2. Double-click Lookup Definition.

    3. Search for and open the Lookup.ADReconciliation.FieldMap lookup definition.

    4. Click Add and enter the Code Key and Decode values for the field, and then click Save. The Code Key value must be the name of the attribute field on the target system.

      For example, enter carLicense in the Code Key field and then enter carLicense in the Decode field.

3.5 Adding New Multivalued Fields for Provisioning

Note:

This section describes an optional procedure. Perform this procedure only if you want to add new multivalued fields for reconciliation.

To add new multivalued fields for provisioning:

Note:

Before starting the following procedure, perform Steps 1 through 3 as described in the "Adding New Multivalued Fields for Target Resource Reconciliation" section. If these steps have been performed while adding new multivalued fields for target resource reconciliation, then you need not repeat the steps.

  1. Log in to the Oracle Identity Manager Design Console.

  2. Expand Process Management.

  3. In the process definition, add the task for provisioning multivalued attributes as follows:

    1. Double-click Process Definition.

    2. Search for and open the AD User or AD Group process definition.

    3. Click Add and enter the task name and the description.

    4. In the Task Properties section, select the following:

      • Conditional

      • Required for Completion

      • Retry Count

      • Allow Multiple Instances

      • Child table name from the Child Table list

      • Insert, if you want to add the data, from the Trigger Type list

      • Delete, if you want to remove the data, from the Trigger Type list.

    5. Click Save.

  4. Select the adapter as follows:

    1. On the Integration tab in the AD User or AD Group provisioning process, click Add and then select Adapter. From the list of adapters:

      • If you want to add multivalued data, then select adpADCSAddMultiAttributeData and click Save.

      • If you want to remove multivalued data, then select adpADCSRemoveMultiAttributeData and click Save.

  5. Double-click and map the adapter variable to a process data field and click Save.

  6. Double-click and map the adapter variable to a literal and specify the name of the attribute to be updated in the Literal Value field, and then click Save.

  7. Double-click and map the adapter variable to a process data field of the newly created form. If you are removing the attribute, then select Old Value and click Save.

  8. Double-click and map the adapter variable to a process data field and click Save.

  9. Double-click and map the adapter variable to a response code field and click Save.

  10. Click Save on Process Task.

    Note:

    During a provisioning operation, you can either add or remove values of multivalued fields. You cannot update these values.

3.6 Configuring the Connector for Oracle Identity Manager Release 9.0.1.3

Note:

You must perform this procedure only if you are using Oracle Identity Manager release 9.0.1.3.

In Oracle Identity Manager release 9.0.1.3, user accounts that are disabled or enabled are not reconciled correctly into Oracle Identity Manager during nontrusted (target resource) reconciliation. If you are using this release of Oracle Identity Manager, then you must perform the following procedure to resolve this problem:

  1. Log in to the Design Console.

  2. Create the userAccountControl reconciliation field in the AD User resource object as follows:

    1. Expand the Resource Management folder.

    2. Open the Resource Objects form.

    3. Click the Search button.

    4. From the list of resource objects that is displayed, double-click AD User.

    5. On the Object Reconciliation tab, select the Reconciliation Fields tab.

    6. On the Reconciliation Fields tab, click Add Field and then enter the following values:

      • Field Name: Enter userAccountControl.

      • Field Type: Select String.

      • Required: Select this check box.

    7. Save the changes.

  3. Map the userAccountControl reconciliation field to the OIM_OBJECT_STATUS field as follows:

    1. Expand the Process Management folder.

    2. Open the Process Definition form.

    3. Click the Search button.

    4. From the list of process definitions that is displayed, double-click the AD User process definition.

    5. On the Reconciliation Field Mappings tab, double-click userAccountControl and then enter the following values:

      • Field Name: Select userAccountControl.

      • Field Type: Select String.

      • Process Data Field: Enter OIM_OBJECT_STATUS.

    6. Save the changes.

3.7 Configuring the Connector for Multiple Installations of the Target System

Note:

Perform this procedure only if you want to configure the connector for multiple installations of Microsoft Active Directory.

You may want to configure the connector for multiple installations of Microsoft Active Directory. The following example illustrates this requirement:

The Tokyo, London, and New York offices of Acme Multinational Inc. have their own installations of Microsoft Active Directory. The company has recently installed Oracle Identity Manager and wants to configure Oracle Identity Manager to link all the installations of Microsoft Active Directory.

To meet the requirement posed by such a scenario, you must configure the connector for multiple installations of Microsoft Active Directory.

To configure the connector for multiple installations of the target system:

  1. Create and configure one IT resource for each target system installation.

    The IT Resources form is in the Resource Management folder. An IT resource is created when you import the connector XML file. You can use this IT resource as the template for creating the remaining IT resources of the same resource type.

  2. Configure reconciliation for each target system installation. Refer to the "Configuring Reconciliation" section for instructions. Note that you only need to modify the attributes that are used to specify the IT resource and to specify whether or not the target system installation is to be set up as a trusted source.

    You can designate either a single or multiple installations of Microsoft Active Directory as trusted sources.

  3. If required, modify the fields to be reconciled for the Xellerate User resource object.

See Also:

Oracle Identity Manager Design Console Guide for detailed instructions on performing each step of this procedure

When you use the Administrative and User Console to perform provisioning, you can specify the IT resource corresponding to the Microsoft Active Directory installation to which you want to provision the user.

3.8 Configuring the Connector and Password Synchronization Module

The connector for Microsoft Active Directory performs the following functions:

  • Updates Microsoft Active Directory with user account attributes (except for passwords) changed in Oracle Identity Manager

  • Updates Oracle Identity Manager with user account attributes (except for passwords) changed in Microsoft Active Directory

  • Updates Microsoft Active Directory with passwords changed in Oracle Identity Manager (requires LDAP over SSL)

The password synchronization module for Microsoft Active Directory updates Oracle Identity Manager with passwords changed in Microsoft Active Directory.

The connector is deployed on the Oracle Identity Manager server, and the password synchronization module is deployed on the Microsoft Active Directory server. When they are deployed together (along with LDAP over SSL), the connector and the password synchronization module provide full, bidirectional synchronization of all user attributes, including passwords.

See Also:

Oracle Identity Manager Password Synchronization Module for Microsoft Active Directory Installation and Configuration Guide

The instructions in this section are aimed at solving a problem that was observed in release 9.0.3 of the connector and password synchronization module.

3.8.1 Creating a Custom Attribute in Oracle Identity Manager

You must create a custom attribute in Oracle Identity Manager to act as a flag for tracking password changes initiated by Microsoft Active Directory.

To create a custom attribute (user-defined field) in Oracle Identity Manager:

See Also:

Oracle Identity Manager Design Console Guide

  1. Open the Design Console.

  2. Expand the Administration folder.

  3. Select User Defined Field Definition.

  4. Click the Search icon.

  5. Select USR from the results that are displayed, and then click Add.

  6. In the User Defined Fields dialog box, enter the following values:

    • Label: Enter a label for the field. For example: PWDCHANGEDINDICATION

    • Field Size: 20

      The user-defined field that you create will hold either ADSYNC_TRUE or ADSYNC_FALSE.

    • DataType: String

    • Column Name: Enter a column name for the field.

      It is recommended that you enter the same value as that you enter in the Label field. For example: PWDCHANGEDINDICATION

      Oracle Identity Manager automatically appends USR_UDF_ to the column name that you specify. So, for example, if you specify PWDCHANGEDINDICATION as the column name, then the actual column name is changed to USR_UDF_PWDCHANGEDINDICATION.

  7. Click Save.

3.8.2 Specifying Values for IT Resource Parameters

While performing the procedure described in the "Defining IT Resources" section, you must specify values for the following parameters:

  • AD Sync installed (yes/no)

    If you are going to install and use the Microsoft Active Directory Password Synchronization module, then specify yes as the value of this parameter. Otherwise, specify no. The default value is no.

  • OIM User UDF

    Specify the name of the user-defined field that you create in Oracle Identity Manager.

    You must specify a value for this parameter only if you specify yes as the value of the AD Sync installed (yes/no) parameter.

    Note: You must specify the column name and not the field label that you enter while adding the custom attribute in Oracle Identity Manager. For example, if you enter the label PWDCHANGEDINDICATION, then the column name that you must specify is USR_UDF_PWDCHANGEDINDICATION. Oracle Identity Manager adds the USR_UDF_ prefix while creating a column.

3.8.3 Sequence of Events That Occur During a Password Change

This section describes the sequence of events that take place during a password change operation.

When you change the password on Oracle Identity Manager:

  1. Oracle Identity Manager sets the value of the USR_UDF_PWDCHANGEDINDICATION field to 1.

  2. The new password is propagated to the target system.

  3. The password synchronization module detects the password change.

  4. The password synchronization module checks the value of the USR_UDF_PWDCHANGEDINDICATION field, sets the field to 0, and then performs no further action.

    Note:

    When you perform a Create User provisioning operation, the value of the field is NULL. The password synchronization module treats the NULL value the same as it would treat a value of 1.

When you change the password on the target system:

  1. The password synchronization module sets the value of the USR_UDF_PWDCHANGEDINDICATION field to 1.

  2. The new password is set in the USR table.

  3. Oracle Identity Manager detects the password change.

  4. Oracle Identity Manager checks the value of the USR_UDF_PWDCHANGEDINDICATION field, sets the field to 0, and then performs no further action.
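The following is an added example, not the connector's or the password synchronization module's own code, that simulates the two sequences above on an in-memory USR row and also shows the USR_UDF_ column-name rule from the "Specifying Values for IT Resource Parameters" section. It uses the 1, 0 and NULL values as this section describes them. One point is an assumption, labelled in the code: when a side detects a password change while the flag is 0, it is taken to be a genuine change on that side's own system, which that side then originates as in the second list. The class and function names are constructed for this illustration.

```python
"""Added example: a simulation of the password-change flag handshake.

Illustrative code written for this page; it is not the connector's or the
password synchronization module's own code. It models the sequence in this
section on an in-memory USR row, using the 1 / 0 / NULL values described here:
the side on which a password change originates sets the indicator field to 1
and propagates the password; the side that then detects the change finds the
flag set, resets it to 0 and does nothing more, so the change is not echoed
back. NULL (the value after Create User) is treated the same as 1.
"""

UDF_PREFIX = "USR_UDF_"


def udf_column_name(label):
    """Column name Oracle Identity Manager assigns to a user-defined field.

    The text states that the USR_UDF_ prefix is added automatically and that
    the OIM User UDF parameter must hold the column name, not the label.
    """
    return label if label.startswith(UDF_PREFIX) else UDF_PREFIX + label


class UsrRow:
    """Stand-in for one USR row (constructed sample data, two columns only)."""

    def __init__(self, flag_column):
        self.flag_column = flag_column
        # The indicator is NULL right after a Create User operation.
        self.values = {"USR_PASSWORD": None, flag_column: None}

    def flag_is_set(self):
        # Both sides treat NULL exactly like 1.
        return self.values[self.flag_column] in (None, 1)

    def set_flag(self, value):
        self.values[self.flag_column] = value


class Side:
    """One endpoint: Oracle Identity Manager or the password sync module.

    `pushed` records every password this side propagated to its peer; an
    echoed change would show up as an extra entry on the receiving side.
    """

    def __init__(self, name, row):
        self.name, self.row, self.peer, self.pushed = name, row, None, []

    def originate(self, new_password):
        """A user changed the password on this side's system (steps 1 and 2)."""
        self.row.set_flag(1)
        self.row.values["USR_PASSWORD"] = new_password
        self.pushed.append(new_password)
        self.peer.detect_change(new_password)

    def detect_change(self, new_password):
        """This side notices that the password changed (steps 3 and 4)."""
        if self.row.flag_is_set():
            self.row.set_flag(0)   # consume the flag; no further action
            return "ignored"
        # Assumption (not stated on the page): a clear flag means the change
        # came from this side's own system, so this side becomes the originator.
        self.originate(new_password)
        return "propagated"


def run_scenarios(label="PWDCHANGEDINDICATION"):
    """Walk through Create User, a change on OIM and a change on AD."""
    row = UsrRow(udf_column_name(label))
    oim, psm = Side("OIM", row), Side("PwdSync", row)
    oim.peer, psm.peer = psm, oim
    results = {"column": row.flag_column}

    # Create User: the password is provisioned while the flag is still NULL,
    # and the sync module must treat NULL like 1 (the note in this section).
    row.values["USR_PASSWORD"] = "Welcome#1"
    oim.pushed.append("Welcome#1")
    results["create_user"] = (psm.detect_change("Welcome#1"), row.values[row.flag_column])

    # Password changed on Oracle Identity Manager (first list in this section).
    oim.originate("FromOIM#2")
    results["oim_change"] = (row.values[row.flag_column], len(psm.pushed))

    # Password changed on Active Directory (second list in this section).
    outcome = psm.detect_change("FromAD#3")
    results["ad_change"] = (outcome, row.values[row.flag_column],
                            row.values["USR_PASSWORD"], len(oim.pushed))
    return results


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(key, value)
```

In every scenario the flag is back at 0 afterwards and the receiving side's `pushed` list does not grow, which is the property the indicator field exists to guarantee: a change is propagated exactly once and never bounced back to the system it came from.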

3.8.4 Configuring the xlconfig.xml File for the Password Synchronization Module

After you install the Microsoft Active Directory connector, you must make changes in the xlconfig.xml file of the password synchronization module to reflect the properties of the connector.

This is part of the installation procedure for the password synchronization module. It is described in the "Configuring the xlconfig.xml File After Installing the Connector" section of Oracle Identity Manager Password Synchronization Module for Microsoft Active Directory Installation and Configuration Guide.