What's New in Oracle Identity Manager Connector for Oracle Internet Directory?

This chapter provides an overview of the updates made to the software and documentation for release 9.0.4.14 of the Oracle Internet Directory connector.

Note:

Release 9.0.4.14 of the connector comes after release 9.0.4.12. Release number 9.0.4.13 has not been used.

The updates discussed in this chapter are divided into the following categories:

Software Updates

The following sections discuss software updates:

Software Updates in Release 9.0.4.14

The following are the software updates in release 9.0.4.14:

Resolved Issues

The following issues are resolved in release 9.0.4.14:

Bug Number Issue Resolution

10317533

The OID connector for Oracle Identity Manager removes blanks in the root DN.

The following issue was observed when the Root DN IT resource parameter contained a DN value with a space character:

During reconciliation, the connector searched for users within a DN that was determined after removing the space character in the DN value.

For example, if the value of the Root DN IT resource parameter is dc=my example, dc=com, then during reconciliation, the connector searches for users within the following DN:

dc=myexample, dc=com

This issue has been resolved. The connector does not remove space characters in DN values, which ensures that users are reconciled from the correct DN without causing reconciliation to fail.

10177001

User reconciliation does not handle an escaped comma when parsing data for the container DN.

This issue has been resolved. User reconciliation now handles an escaped comma when parsing data for the container DN.

10176147

OID connector throws the error "UNPARSEABLE DATE" during target reconciliation.

During target resource reconciliation, if the connector found a non-date user attribute containing text that was 15 characters long and ended with the letter "z", then no reconciliation event was created. In addition, the following error message was written to the trace file:

Unparseable error

This error occurred because the connector tried parsing text from a string (retrieved from a non-date attribute) to produce a date.

This issue has been resolved. The connector parses text only from the date attributes, Start Date and End Date.

10140935

Last delete reconciliation time stamps are incorrectly set in IT resource.

The time stamp was set from the Oracle Identity Manager server. Depending on the difference in time zone between the OIM server and the OID resource, the deleted records were not reconciled.

This issue has been resolved. The last modifytimestamp of the last deleted user record of a successful delete reconciliation is saved as the LastDeleteReconTimeStamp.

9878591

Reconciliation of multivalued attributes fails in OID.

If one multivalued attribute is added, it works properly. If two or more multivalued attributes are added, it doesn't work properly.

This issue has been resolved. Now, if two or more multivalued attributes are added, reconciliation works properly.

9705232

Trusted user reconciliation for OID task completes, but throws an error when the user data is null.

This issue has been resolved. Now, when configuring trusted user reconciliation for OID, the task completes without throwing an error that user data is null.

9664304

OID 9.0.4.11 mapped user ID with CN during reconciliation.

The issue has been resolved. Now, if the value is changed in the lookup tables or in the Resource Object for OID, the User ID is not always mapped as CN.

9662334

Adding or removing user to or from group is slow for large groups.

This issue has been resolved. Now, adding or removing a user to or from OID group is not slow for a large group.

9443949

OID connector checks for wrong values in Oracle user enabled.

This issue has been resolved. Now, the values used by OID are ENABLED for user enabled and DISABLED for user disabled.

9438404

When creating a user in Oracle Identity Manager, OID adapter returns corrupted GUID.

The issue has been resolved. Modifications to the user no longer fail. The OID adapter returns a valid orclguid value.

9273791

Configuring backup servers running on a different port than the primary port is not supported.

The solution is to provide the ITResource(IPAddress):portno instead of ITResource in the Lookup.OID.Backup server:

Code key: serverAddress

Decode: secondaryServerAddress:PortNo

For example:

Code key: 172.20.55.64

Decode: 172.20.55.65:389

9250007

Last reconciliation timestamps are set incorrectly.

The time stamp of the Oracle Identity Manager server is set, resulting in loss of data or duplicate reconciliation of data, depending on the difference in time zone between the OIM server and the OID resource.

The modifytimestamp of the last user record of a successful reconciliation from OID target system is saved as the LastReconTimeStamp.

9481707

Unparseable date error occurs during user reconciliation.

This issue has been resolved. User reconciliation correctly parses the modifytimestamp value of the target system.
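The date-handling fixes in this release (bugs 10176147, 9481707, 9250007 and 10140935) can be illustrated with the following added example, which is not connector code. It assumes the old behaviour guessed dates from the shape of a value, uses placeholder attribute names startdate and enddate for the Start Date and End Date attributes, and uses constructed sample entries and constructed clock offsets.

```python
from datetime import datetime, timedelta, timezone

GT_FORMAT = "%Y%m%d%H%M%SZ"   # LDAP generalized time in UTC, 15 characters
# Placeholder names for Start Date and End Date; modifytimestamp is from the page.
DATE_ATTRS = {"startdate", "enddate", "modifytimestamp"}

# Constructed sample entries, as a reconciliation search might return them.
ENTRIES = [
    {"uid": "jdoe", "description": "quarterly-quizz",
     "modifytimestamp": "20100315101500Z"},
    {"uid": "asmith", "description": "contractor",
     "modifytimestamp": "20100315113000Z"},
]


def parse_generalized_time(text):
    """Parse YYYYMMDDhhmmssZ into a timezone-aware UTC datetime."""
    return datetime.strptime(text, GT_FORMAT).replace(tzinfo=timezone.utc)


def looks_like_date(text):
    """Shape-based guess (assumed): 15 characters ending in 'z'."""
    return len(text) == 15 and text[-1] in "zZ"


def convert_by_shape(entry):
    """Guess dates from shape: raises ValueError on 'quarterly-quizz'."""
    return {k: parse_generalized_time(v) if looks_like_date(v) else v
            for k, v in entry.items()}


def convert_by_name(entry, date_attrs=DATE_ATTRS):
    """Parse only attributes known to hold dates; leave the rest as text."""
    return {k: parse_generalized_time(v) if k.lower() in date_attrs else v
            for k, v in entry.items()}


def next_watermark(reconciled, previous):
    """Take the time stamp from the target's own records, not a local clock.

    Fixed-width UTC strings sort chronologically, so max() picks the latest.
    """
    if not reconciled:
        return previous
    return max(e["modifytimestamp"] for e in reconciled)


def local_clock_watermark(now_utc, offset_hours):
    """Constructed failure case: server wall-clock time written as if UTC."""
    return (now_utc + timedelta(hours=offset_hours)).strftime(GT_FORMAT)


def pending(entries, watermark):
    """UIDs of entries changed on the target after the saved watermark."""
    return [e["uid"] for e in entries if e["modifytimestamp"] > watermark]


if __name__ == "__main__":
    run_end = datetime(2010, 3, 15, 10, 30, tzinfo=timezone.utc)
    good = next_watermark(ENTRIES[:1], "19700101000000Z")
    ahead = local_clock_watermark(run_end, 5.5)    # server clock ahead of target
    behind = local_clock_watermark(run_end, -8)    # server clock behind target
    print(good, pending(ENTRIES, good))      # only the later change is pending
    print(ahead, pending(ENTRIES, ahead))    # later change is skipped (data loss)
    print(behind, pending(ENTRIES, behind))  # jdoe is reconciled a second time
```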


Software Updates in Release 9.0.4.12

The following are the software updates in release 9.0.4.12:

Support for New Oracle Identity Manager Release

From this release onward, the connector can be installed and used on Oracle Identity Manager 11g release 1 (11.1.1). Where applicable, instructions specific to this Oracle Identity Manager release have been added in the guide.

See Section 1.1, "Certified Components" for the full list of certified Oracle Identity Manager releases.

Support for Request-Based Provisioning

From this release onward, the connector provides support for request-based provisioning on Oracle Identity Manager 11g release 1 (11.1.1).

See Section 3.5.1.2, "Request-Based Provisioning" for more information.

Software Updates in Release 9.0.4.11

The following are resolved issues in release 9.0.4.11:

Bug Number Issue Resolution

8627514

During the Create User provisioning operation, Oracle Identity Manager stopped responding if SSL was configured between the target system and Oracle Identity Manager.

This issue has been resolved. Oracle Identity Manager does not stop responding when SSL is configured.

8840081

During the Create User provisioning operation, if you entered values for the Start Date and End Date process form fields, then the Create User task was rejected.

This issue has been resolved. The Create User provisioning operation is successful even when you enter values for the Start Date and End Date process form fields.

9146791

The group or role reconciliation runs were successful when performed for the first time. From the second time onward, these reconciliation runs failed.

This issue has been resolved. You can successfully perform the group or role reconciliation runs any number of times.

9238210

In the AttrName.Recon.Map.OID lookup definition, if two or more Code Key values had the same Decode value, then the correct values were not retrieved.

This issue has been resolved. During reconciliation, correct values from the target system are retrieved even when two or more Code Key values have the same Decode value in the AttrName.Recon.Map.OID lookup definition.

9246312

During trusted source reconciliation, the value of the manager attribute was not reconciled.

This issue has been resolved. The value in the manager attribute is now reconciled during trusted source reconciliation.


Software Updates in Release 9.0.4.7

The following are software updates in release 9.0.4.7:

Provisioning and Reconciliation Based on the orclGUID Field

From this release onward, the connector performs reconciliation and provisioning operations based on the orclGUID field. The orclGUID field is a unique, read-only field that is created after a Create User provisioning operation.

Support for Reconciliation of Groups and Roles

From this release onward, the connector supports reconciliation of groups and roles. The OID Group Recon Task and OID Role Recon Task scheduled tasks are used to automate reconciliation of groups and roles, respectively.

See the following sections for more information:

Support for Separate Scheduled Tasks

In the earlier release, you used a:

From this release onward, the connector has independent scheduled tasks created for all types of user, groups, roles, and lookup reconciliation.

See the following sections for more information:

Support for High-Availability

The high-availability feature for IT Resource is now supported by the connector. This feature enables the connector to perform operations using the backup servers if the primary LDAP server fails or becomes unavailable.

See the "Configuring High Availability of the Target System" section for more information.

Support for Adding New Attributes and Multivalued Attributes for Provisioning and Reconciliation of Groups or Roles

By default, the attributes listed in the "Group Provisioning" section are mapped for provisioning of groups between Oracle Identity Manager and the target system. Similarly, by default, the attributes listed in the "Role Provisioning" section are mapped for provisioning of roles between Oracle Identity Manager and the target system. From this release onward, you can map additional attributes for provisioning groups or roles.

See the "Adding New Attributes for Provisioning Groups or Roles" section for more information.

By default, no multivalued attributes are mapped for provisioning between Oracle Identity Manager and the target system for groups and roles. From this release onward, the connector enables you to add new multivalued attributes for reconciliation and provisioning of groups or roles.

See the "Adding New Multivalued Attributes for Provisioning" section for more information.

By default, the attributes listed in the "Group Reconciliation" and "Role Reconciliation" sections are mapped for group or role reconciliation between Oracle Identity Manager and the target system. From this release onward, you can add new attributes for group or role reconciliation.

See the "Adding New Attributes for Reconciliation of Groups or Roles" section for more information.

By default, no multivalued attributes are mapped for reconciliation between Oracle Identity Manager and the target system for groups and roles. If required, you can add new multivalued attributes for reconciliation of groups or roles.

See the "Adding New Multivalued Attributes for Target Resource Reconciliation" section for more information.

Introduction of a Lookup Definition for Storing Constants

The Lookup.OID.Constants lookup definition stores constants defined in the Java classes that constitute the connector.

Caution:

You must not change any entry in the Lookup.OID.Constants lookup definition. If you change any entry, then the connector will not function correctly.

This information has been mentioned in the "Setting Up Lookup Definitions in Oracle Identity Manager" section.

Implementation of the Ignore-Event Functionality

For every operation that is performed, the connector compares the user attributes in the target system with the corresponding attributes in Oracle Identity Manager. If the values of the user attributes in the target system do not match with the corresponding attributes in Oracle Identity Manager, then an event record is created. Otherwise, no event record is created.

Addition of the SearchBase and SearchFilter Attributes in All the User Reconciliation, and Groups and Roles Reconciliation Scheduled Tasks

From this release onwards, you can specify a subset of the records that must be reconciled from the target system. The SearchBase and SearchFilter attributes have been added to all scheduled tasks for reconciliation of users, groups, and roles.

See the following sections for more information:

Resolved Issues

The following table lists issues resolved in release 9.0.4.7:

Bug Number Issue Resolution

6694619

The connector did not provide an option to update the Common Name and User ID process form fields.

This issue has been resolved. In order to enable modifications to the Common Name and User ID process form fields, the Common Name Updated and User ID Updated operations have been added to the connector.

7581912

The Group Name Updated, Role Name Updated, or Change OU Name provisioning operations were successful when performed for the first time. From the second time onward, these provisioning operations failed.

This issue has been resolved. You can successfully perform the Group Name Updated, Role Name Updated, or Change OU Name provisioning operations any number of times.

7605087

During trusted source reconciliation, if there was a mismatch in the case (uppercase/lowercase) between a user's OU in Oracle Identity Manager and the user's OU on the target system, then the OU field was not populated. This was because the target system was case-sensitive and Oracle Identity Manager was not case-sensitive toward OU names. OU names were converted to lowercase when they were brought to Oracle Identity Manager through reconciliation.

As a workaround to this problem, it was recommended that you set lowercase names for OUs that you created.

This issue has been resolved. The OU field is now being populated.

7615302

Provisioning and reconciliation of manager data for a user was not supported.

This issue has been resolved. You can now provision and reconcile manager data for a user. The Manager field has been added to the list of fields that are available for provisioning and reconciliation.

8258219

An error was encountered when you updated a process form field whose name contained the "Date" string.

For example, if the name of the process form field was Date of Joining, then an error was encountered when you updated the value of this field.

This issue has been resolved. No error is encountered when you update a process form field whose name contained the "Date" string.

8346748

By default, during a Create User provisioning operation, the user ID that you specify was mapped to the cn field of target system.

If you had customized the mapping so that the user ID (that you specify in Oracle Identity Manager) was assigned to the uid field of the target system, then after the Create User provisioning operation, that value of the uid field was null.

This issue has been resolved. When you create a user account on the target system through Oracle Identity Manager, the value of the uid field of the target system is the user ID that you specify in Oracle Identity Manager.

8597107

The Organization DN field on the process form was neither mapped to the Organization Unit attribute, nor Organization attribute of the target system.

This issue has been resolved. The Organization DN field on the process form has been renamed to Container DN. The Container DN field holds the value of the container in which the user exists. The Container DN value is a part of the DN value.

For example, if the DN value of a target system user is cn=User,ou=People, o=xyz, then the Container DN value is ou=People.

8620552

Target system user fields were not updated when they were updated along with the Organization Name field.

This issue has been resolved. All fields that are updated along with the Organization Name field are now being updated successfully.

8810993

A user reconciliation run failed if the lookup definition contained the same decode value for different code key values.

This issue has been resolved. You can now successfully run user reconciliation if the lookup definition contains the same decode value for different code key values.
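The Container DN definition under bug 8597107, and the DN fixes listed for release 9.0.4.14 (bugs 10317533 and 10177001), depend on splitting a DN only at unescaped commas and keeping spaces inside values. The following is an added example, not connector code; the function names and the sample DN with an escaped comma are constructed for illustration, and the example rejects empty attribute values.

```python
def naive_split(dn):
    """Constructed reproduction of the symptoms: drop spaces, split on every comma."""
    return [part.replace(" ", "") for part in dn.split(",")]


def _rstrip_unescaped(text):
    """Drop trailing spaces unless the last one is backslash-escaped."""
    while text.endswith(" "):
        backslashes = len(text) - 1 - len(text[:-1].rstrip("\\"))
        if backslashes % 2 == 1:      # odd count: the space itself is data
            break
        text = text[:-1]
    return text


def _clean_rdn(rdn):
    """Trim whitespace around an RDN; whitespace inside the value is kept."""
    attr, sep, value = rdn.partition("=")
    attr = attr.strip()
    value = _rstrip_unescaped(value.lstrip(" "))
    if not sep or not attr or not value:
        raise ValueError(f"malformed RDN: {rdn!r}")
    return f"{attr}={value}"


def split_dn(dn):
    """Split a DN into RDNs at unescaped, unquoted commas only."""
    rdns, cur, i, quoted = [], [], 0, False
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":
            if i + 1 == len(dn):
                raise ValueError("dangling backslash in DN")
            cur.append(dn[i:i + 2])   # keep the escape pair intact
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if quoted:
        raise ValueError("unterminated quote in DN")
    rdns.append("".join(cur))
    return [_clean_rdn(r) for r in rdns]


def container_dn(entry_dn, root_dn):
    """Return the RDNs between the entry's own RDN and the root DN."""
    entry, root = split_dn(entry_dn), split_dn(root_dn)
    tail = entry[len(entry) - len(root):]
    if len(entry) <= len(root) or \
            [r.casefold() for r in tail] != [r.casefold() for r in root]:
        raise ValueError("entry is not below the root DN")
    return ",".join(entry[1:len(entry) - len(root)])


if __name__ == "__main__":
    # The first DN is the page's own example; the second is constructed.
    print(container_dn("cn=User,ou=People, o=xyz", "o=xyz"))
    sample = r"cn=Jane Doe,ou=Sales\, West,dc=my example,dc=com"
    print(naive_split(sample))
    print(split_dn(sample))
    print(container_dn(sample, "dc=my example, dc=com"))
```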


Software Updates in Release 9.0.4.6

The following are the software updates in release 9.0.4.6:

Support for Reconciliation and Provisioning of Multivalued Attributes

From this release onward, the connector supports the reconciliation and provisioning of multivalued attributes. See Section 4.2, "Adding New Multivalued Attributes for Target Resource Reconciliation" for the procedure to add new multivalued attributes for reconciliation and provisioning.

Support for New Target System

From this release onward, the connector adds support for Oracle Internet Directory 11gR1 as the target system.

This target system is mentioned in the "Verifying the Deployment Requirements" section.

Software Updates in Release 9.0.4.5

The following are resolved issues in release 9.0.4.5:

Bug Number Issue Resolution

7564492, 6334595, 6317860

Incremental reconciliation was not supported.

If you deleted one user from one organization on the target system and then performed trusted source delete reconciliation, then all users were deleted from all organizations in Oracle Identity Manager.

During reconciliation, user data was fetched from the target system, regardless of whether or not it had been modified.

Incremental reconciliation is now supported.

6312504

IT resource parameters for the names of the lookup definitions for reconciliation and provisioning were set to NULL when you restarted Oracle Identity Manager.

The names of the lookup definitions are set as the default values of the IT resource parameters. These parameters are not set to NULL when you restart Oracle Identity Manager.

6168631

In earlier releases, you had to use the orcladmin account on the target system for reconciliation and provisioning operations.

This issue has been resolved. You can now create a user on the target system, assign the minimum required permissions to the user, and then use it for connector operations.

6312344

The default value of the Organization DN field on the Administrative and User Console was cn=user.

The Organization DN field has been changed to a lookup field, and the default value has been removed. You can now select a value in this lookup field.

6804852

The Manager ID field was not available for reconciliation and provisioning.

The Manager ID field has been added to the list of fields that are available for reconciliation and provisioning.

7233799

At the end of a successful provisioning operation, the "Mapping Not Found" message was recorded in the log file. This message has now been removed.

This issue has been resolved. The "Mapping Not Found" message is no longer recorded in the log file at the end of a successful provisioning operation.

The following are some of the entries in the AttrName.Prov.Map.OID lookup definition. You must ensure that these entries are not changed.

ldapUserID: cn

ldapFirstName: givenName

ldapLastName: sn

ldapPassword: userPassword

6987536

The Start Date and End Date fields of the target system were not used by the connector.

This issue has been resolved. The Start Date and End Date fields have been added for reconciliation and provisioning operations.

7022721

The process form had two fields for two object classes. This imposed a limitation on the number of objectclasses to which a user could be assigned during a Create User provisioning operation.

This issue has been resolved. The Objectclassess field replaces the two fields on the process form. You can enter a list of objectclasses in this field during a provisioning operation. Use the vertical bar (|) as the delimiter character in the list of objectclasses.

7047363

You could not add to the default attribute mappings for reconciliation.

This issue has been resolved. You can now use the AttrName.Recon.Map.OID lookup definition to add attributes for reconciliation. See "Adding the Object Class and its Attributes to the Lookup Definition for Reconciliation" in the connector guide for more information.

6490731

The length of the Password field was 14 bytes.

The length of the Password field has been increased to 30 bytes.

7434067

A reconciliation error was encountered if you applied a custom reconciliation query that filtered user records by both role assignment and group membership. For example, application of the following reconciliation query would result in an error:

role=role1&group=group1

This issue has been resolved. Any combination of the following attributes can be used in the query:

  • givenname

  • sn

  • givenname&sn

  • group

  • role

  • givenname&group

  • givenname&role

  • group&role

Limitation: The custom reconciliation query must not include field values that contain any of the following characters:

  • & (ampersand)

  • | (vertical bar)

  • = (equal sign)

In addition, the field values must not contain the word "group" or "role."

The following are examples of query conditions that are invalid:

givenname="mary&brown"

This value is invalid because it contains the ampersand (&).

givenname="johngroup"

This value is invalid because it contains the word group.

7360833

The name of the IT resource type for all LDAP-based connectors was LDAP Server.

This issue has been resolved. The IT resource type for the Oracle Internet Directory connector has been renamed to "OID IT Resource."

7308328

A space after a comma in the DN value would cause a reconciliation error.

This issue has been resolved. DN values that have a space after the comma are now correctly reconciled.

You implement this solution by copying the JAR files as part of the deployment procedure.

7218933

The "INSUFFICIENT_INFORMATION_PROVIDED" message was displayed if any process form field was left empty during a provisioning operation. The field itself was not pointed out by the message.

This issue has been resolved. The name of the field in which a value has not been provided is included in the message displayed on the console.

7120339

The INSUFFICIENT_INFORMATION_PROVIDED error message was not mapped in the resource bundle.

This issue has been resolved. The error message is now mapped in the resource bundle.

7165810

When you changed the name of an organizational unit through a provisioning operation, the existing OU was deleted and then re-created with the new name that you specified.

This issue has been resolved. The name of the OU is actually changed when you perform the Change OU Name provisioning operation. The OU is not deleted and re-created with the new name.

You implement this solution by copying the JAR files as part of the deployment procedure.

6275476

On the target system, DNs of groups are not case-sensitive. In Oracle Identity Manager, group DNs are case-sensitive. This caused problems during reconciliation of group membership details.

  • This issue has been resolved. Group DNs are converted to lowercase before they are reconciled into the group lookup definition in Oracle Identity Manager. In other words, Oracle Identity Manager does not perform a case-sensitive check on group names.

  • You implement this solution by copying the JAR files as part of the deployment procedure.

7423099

Special characters were not supported in the First Name and Last Name fields on the process form.

This issue has been resolved. See "Provisioning Module" in the connector guide for information about the special characters that are supported in process form fields.

You implement this solution by copying the JAR files as part of the deployment procedure.

6489877

The connector supported neither Mode 1 nor Mode 2 secure connections to Oracle Internet Directory.

The connector supports Mode 1 secure connections to Oracle Internet Directory.

See "Configuring SSL" in the connector guide for detailed information.

7564599

During a Create Group provisioning operation, it was mandatory to specify a parent OU for the group.

This issue has been resolved. If a parent OU is not specified, then the group is created under the DN context.

7601582

The User Deletion Successful message was displayed when the Delete User provisioning operation was performed on a user who had already been deleted on the target system.

The message has been corrected.

7301659

The orclguid field of the target system stores the identifier for each LDAP entry in Oracle Internet Directory. The connector did not fetch and store the orclguid of target system users.

This issue has been resolved. The connector now retrieves and stores the orclguid field of target system users.


Software Updates in Release 9.0.4.4

The following are resolved issues in release 9.0.4.4:

Bug Number Issue Resolution

7257647

The connector did not support batched or paged reconciliation. There were performance issues related to this limitation.

The connector now supports paged reconciliation. You can implement this feature if the target system is Oracle Internet Directory 10.1.4.0.1 or later. See "Paged Reconciliation" for more information.

7306055

There was scope for improvement in the performance of the following provisioning operations:

  • Adding or removing a user from a group

  • Granting or removing a role from a user

The performance of provisioning operations that involve group or role membership changes has been enhanced.


Software Updates in Release 9.0.4.3

The following is a software update in release 9.0.4.3:

Using the Connector Installer

From Oracle Identity Manager release 9.1.0 onward, the Administrative and User Console provides the Connector Installer feature. This feature can be used to automate the connector installation procedure.

See "Installing the Connector on Oracle Identity Manager Release 9.1.0.x or Release 11.1.1" for details.

Software Updates in Release 9.0.4.2

The following are resolved issues in release 9.0.4.2:

Bug Number Issue Resolution

7003824

If you added an object class and its attributes, then subsequent Create User provisioning operations failed. An error message similar to the following one was displayed as the outcome of the provisioning operations:

"Unable to add attributes of the object[LDAP: error code 65 - associatedDomain attribute not found. Mandatory Attribute missing.]"

This issue has been resolved. You can now add an object class and then perform Create User provisioning operations. See Section 4.9, "Adding New Object Classes for Provisioning and Reconciliation" for more information.

Note: A trusted source reconciliation run fails if it involves user-defined fields (UDFs). This issue is tracked through Bug 7047363.


Software Updates in Release 9.0.4.1_6673431

The following are resolved issues in release 9.0.4.1_6673431:

Bug Number Issue Resolution

6673431

Delete reconciliation was run after trusted source reconciliation. This sequence resulted in deletion of some OIM Users who were not actually deleted on the target system.

This issue has been resolved. During a trusted source reconciliation run, the API that implements Delete reconciliation is called before reconciliation of existing target system records.


Software Updates in Release 9.0.4.1

The following is a software update in release 9.0.4.1:

Changes in the Directory Structure of the Connector Files on the Installation Media

The xliOID.jar file has been split into two files, OIDProv.jar and OIDRecon.jar. Corresponding changes have been made in the following sections:

Documentation-Specific Updates

The following sections discuss documentation-specific updates:

Documentation-Specific Updates in Release 9.0.4.14

The following are documentation-specific updates in release 9.0.4.14:

Documentation-Specific Updates in Release 9.0.4.12

The following are documentation-specific updates in release 9.0.4.12:

Documentation-Specific Updates in Release 9.0.4.11

Major changes have been made to the structure of the guide. The objective of these changes is to synchronize the guide with the changes made to the connector and to improve the usability of the information provided by the guide.

Documentation-Specific Updates in Release 9.0.4.7

The following documentation-specific updates have been made in release 9.0.4.7:

Documentation-Specific Updates in Release 9.0.4.6

The following documentation-specific updates have been made in release 9.0.4.6:

Documentation-Specific Updates in Releases 9.0.4.1 Through 9.0.4.5

The following documentation-specific update has been made in releases 9.0.4.1 through 9.0.4.5: