Oracle Identity Manager automates access rights management, security, and provisioning of IT resources. Oracle Identity Manager connectors are used to integrate Oracle Identity Manager with third-party applications. This guide discusses the procedure to deploy the connector that is used to integrate Oracle Identity Manager with Microsoft Active Directory.
Note:
Oracle Identity Manager connectors were referred to as resource adapters prior to the acquisition of Thor Technologies by Oracle.
This chapter contains the following sections:
Note:
In this guide, the term Oracle Identity Manager server refers to the computer on which Oracle Identity Manager is installed.
At some places in this guide, Microsoft Active Directory has been referred to as the target system.
Table 1-1 lists the certified components for this connector.
Table 1-1 Certified Components
| Item | Requirement |
|---|---|
|
Oracle Identity Manager |
Oracle Identity Manager Release 9.1.0.1 and any later BP in this release track Note: In this guide, Oracle Identity Manager release 9.1.0.x has been used to denote Oracle Identity Manager release 9.1.0.1 and future releases in the 9.1.0.x series that the connector supports. |
|
Microsoft Windows Server 2003 Active Directory |
|
|
Microsoft Windows Server 2003 with SP1 and later service packs On a Microsoft Windows 2003 server on which Service Pack 1 has not been installed, you might come across the "WILL_NOT_PERFORM" error message during the password change operation. You can access information about one of the causes of and a solution for this error on the Microsoft Knowledge Base Web site at |
|
|
Other software |
Certificate Services |
|
|
|
|
Target system user account |
Microsoft Windows 2003 Server (Domain Controller) administrator You provide the credentials of this user account while performing the procedure in Section 2.4.1, "Defining IT Resources." If the specified user account is not used, then an authentication error message is displayed. |
Depending on the Oracle Identity Manager version that you are using, you must deploy and use one of the following connectors:
If you are using an Oracle Identity Manager release that is 9.1.0.1 or later and earlier than Oracle Identity Manager Release 9.1.0.2, then you must use the 9.0.4.x version of this connector.
If you are using Oracle Identity Manager Release 9.1.0.2 or later and earlier than, Oracle Identity Manager 11g Release 1 PS1 (11.1.1.5.6), then use the latest 9.1.x version of this connector.
If you are using Oracle Identity Manager 11g Release 1 (11.1.1.5.6) or later, or Oracle Identity Manager 11g Release 2 BP06 (11.1.2.0.6) or later, then use the latest 11.1.1.x version of this connector.
If you are using the Microsoft Exchange 9.1.x connector, then you must use the Microsoft Active Directory 9.1.x connector, and if you are using the Microsoft Exchange 11.1.1.x connector, then you must use the Microsoft Active Directory 11.1.1.x connector.
Reconciliation involves duplicating in Oracle Identity Manager the creation of and modifications to user accounts on the target system. It is an automated process initiated by a scheduled task that you configure.
See Also:
The "Deployment Configurations of Oracle Identity Manager" section in Oracle Identity Manager Connector Concepts Guide for conceptual information about reconciliation configurations
Based on the type of data reconciled from the target system, reconciliation can be divided into the following types:
To populate the Lookup.ADReconliation.GroupLookup lookup definition, the following fields of AD Groups are reconciled:
sAMAccountName
objectGUID
To populate the Lookup.AD.PrimaryGroupList lookup definition, the following fields of AD Primary Groups are reconciled:
sAMAccountName
primaryGroupToken
To populate the Lookup.ADReconciliation.Organization lookup definition, the following field of AD Organizations is reconciled:
distinguishedName
The reconciliation module extracts the following elements from the target system to construct AD Group reconciliation event records:
sAMAccountName
objectGUID
Organization Name
instanceType
cn
Fields that are mapped for reconciliation depend on the type of reconciliation that you configure:
Reconciled Resource Object Fields
If you configure the connector for target resource reconciliation, then the following fields are reconciled:
Note:
You can map other fields of the target system for reconciliation. Instructions are provided later in this guide.
sAMAccountName
Note:
The sAMAccountName field must be reconciled from the target system during user reconciliation.
objectGUID
name
memberOf
sn
cn
Initials
Reconciled Xellerate User Fields
If you configure the connector for trusted source reconciliation, then the following fields are reconciled:
User Login (mandatory field)
First Name (mandatory field)
Last Name (mandatory field)
Xellerate Type (mandatory field)
Organization Name (mandatory field)
Middle Name
Role
Password
Start Date
End Date
Status
Provisioning involves creating or modifying a user's access rights on the target system through Oracle Identity Manager. You use the Oracle Identity Manager Administrative and User Console to perform provisioning operations.
See Also:
The "Deployment Configurations of Oracle Identity Manager" section in Oracle Identity Manager Connector Concepts Guide for conceptual information about provisioning
For this target system, provisioning is divided into the following types:
The following fields are provisioned:
USN Create
USN Change
objectGUID
Organization Name
This is the value of the Name field in the Create Organization form of the Oracle Identity Manager Administrative and User Console.
The following fields are provisioned:
Group Name
Organization Name
objectGUID
Group Type
Group Display Name
The following fields are provisioned:
User ID
Note:
Microsoft Active Directory restricts the number of characters in the user ID field to 20 characters. Therefore, while provisioning a user through Oracle Identity Manager, you must not enter more than 20 characters in this field.
Password
objectGUID
Organization Name
First Name
Last Name
Middle Name
User Must Change Password at Next Logon
Password Never Expires
Account Expiration Date
Full Name
Group Name
The following table lists special characters that are supported in process form fields:
Note:
The following special characters are not supported in process form fields:
Single quotation mark (')
Double quotation mark (")
| Name of the Character | Character |
|---|---|
|
ampersand |
& |
|
asterisk |
* |
|
at sign |
@ |
|
caret |
^ |
|
comma |
, |
|
dollar sign |
$ |
|
equal sign |
= |
|
exclamation point |
! |
|
hyphen |
- |
|
left brace |
{ |
|
left bracket |
[ |
|
left parenthesis |
( |
|
number sign |
# |
|
percent sign |
% |
|
period |
. |
|
plus sign |
+ |
|
question mark |
? |
|
right brace |
} |
|
right bracket |
] |
|
right parenthesis |
) |
|
slash |
/ |
|
underscore |
_ |
The following table lists the functions that are available with this connector.
| Function | Type | Description |
|---|---|---|
|
Create User |
Provisioning |
Creates a user |
|
Move User |
Provisioning |
Moves a user from one organization to another |
|
Delete User |
Provisioning |
Deletes a user |
|
Enable User |
Provisioning |
Enables a disabled user |
|
Disable User |
Provisioning |
Disables a user |
|
Get Organization USN |
Provisioning |
Retrieves the USN of an organization |
|
Create Organization |
Provisioning |
Creates an organization |
|
Get Organization USN Changed |
Provisioning |
Retrieves the USN of an organization after an update |
|
Delete Organization |
Provisioning |
Deletes an organization |
|
Get User objectGUID |
Provisioning |
Retrieves the objectGUID of a user |
|
User Must Change Password at Next Logon Updated |
Provisioning |
Updates a user's profile according to a change in the User Must Change Password at Next Logon attribute |
|
Set Account Expiration Date |
Provisioning |
Updates a user's profile according to a change in the Account Expiration Date attribute |
|
Password Never Expires Updated |
Provisioning |
Updates a user's profile according to a change in the Password Never Expires attribute |
|
Update User ID |
Provisioning |
Updates a user's profile according to a change in the User ID attribute |
|
Add User to Group |
Provisioning |
Adds a user to a group |
|
Remove User from Group |
Provisioning |
Removes a user from a group |
|
Create AD Group |
Provisioning |
Creates an AD group |
|
Delete AD Group |
Provisioning |
Deletes an AD group |
|
Update Group Name |
Provisioning |
Updates an AD group name |
|
Get Group objectGUID |
Provisioning |
Retrieves the objectGUID of a group |
|
Lock User |
Provisioning |
Locks the user |
|
Unlock User |
Provisioning |
Unlocks the user |
|
Update First Name |
Provisioning |
Updates a user's profile according to a change in the First Name attribute |
|
Update Last Name |
Provisioning |
Updates a user's profile according to a change in the Last Name attribute |
|
Move Group |
Provisioning |
Moves a group from one organization to another |
|
Trusted Reconciliation for User |
Reconciliation |
Creates OIM User accounts corresponding to reconciled Microsoft Active Directory accounts |
|
Create User |
Reconciliation |
Reconciles Microsoft Active Directory accounts |
|
Create Organization |
Reconciliation |
Creates organizations along with users in Oracle Identity Manager corresponding to reconciled Microsoft Active Directory accounts (and their root organizations) |
|
Create Group |
Reconciliation |
Creates groups along with users in Oracle Identity Manager corresponding to reconciled Microsoft Active Directory accounts (and their parent groups) |
The connector supports the following languages:
Arabic
Chinese Simplified
Chinese Traditional
Danish
English
French
German
Italian
Japanese
Korean
Portuguese (Brazilian)
Spanish
See Also:
Oracle Identity Manager Globalization Guide for information about supported special characters
The files and directories on the installation media are listed in the following table:
| File in the Installation Media Directory | Description |
|---|---|
lib/xliActiveDirectory.jar |
This JAR file contains the class files required for provisioning. |
lib/xliADRecon.jar |
This JAR file contains the class files required for reconciliation. |
|
Files in the |
Each of these resource bundle files contains language-specific information that is used by the connector. Note: A resource bundle is a file containing localized versions of the text strings that are displayed on the Administrative and User Console. These text strings include GUI element labels and messages. |
scripts/install.bat |
This batch file is used to add a certificate to the keystore if Oracle Identity Manager is installed on a Microsoft Windows operating system. |
scripts/install.sh |
This file is used to add a certificate to the keystore if Oracle Identity Manager is installed on a UNIX-based system. |
test/config/config.properties |
This file is used to set input test data for the connector test suite. |
test/lib/xliADTest.jar |
This JAR file contains the class files required for the connector test suite. |
test/scripts/runADTest.bat |
This file is used to run a test using the connector test suite. |
xml/xliADResourceObject.xml |
This XML file contains definitions for the connector components related to reconciliation and provisioning. These components include:
|
xml/xliADXLResourceObject.xml |
This XML file contains the configuration for the objects, such as Xellerate User (OIM User) and Xellerate Organization, which are specific to trusted sources. You must import this file only if you plan to use the connector in trusted source reconciliation mode. |
Note:
The files in the test directory are used only to run tests on the connector.
The "Copying the Connector Files and External Code Files" section provides instructions to copy these files into the required directories.
You might have a deployment of an earlier release of the connector. While deploying the latest release, you might want to know the release number of the earlier release. To determine the release number of the connector that has already been deployed:
In a temporary directory, extract the contents of the following JAR file:
OIM_HOME/xellerate/JavaTasks/xliActiveDirectory.jar
Open the manifest.mf file in a text editor. The manifest.mf file is one of the files bundled inside the xliActiveDirectory.jar file.
In the manifest.mf file, the release number of the connector is displayed as the value of the Version property.