This chapter provides an overview of the updates made to the software and documentation for release 9.0.4.15 of the Sun Java System Directory connector.
The updates discussed in this chapter are divided into the following categories:
This section describes updates made to the connector software.
Documentation-Specific Updates
This section describes major changes made to this guide. These changes are not related to software updates.
The following sections discuss software updates:
The following are software updates in release 9.0.4.1_6742889:
Support for New Attributes and Object Classes for Reconciliation and Provisioning
Support for Configuring Both Target Resource and Trusted Source Reconciliation
Changes in the Directory Structure of the Connector Files on the Installation Media
The following are issues resolved in release 9.0.4.1_6742889:
| Bug Number | Issue | Resolution |
|---|---|---|
|
5353476 |
A limited subset of target system attributes was available for reconciliation. |
You can now expand the subset of target system attributes for reconciliation. |
|
6332970 |
Provisioning was limited to the default object class ( |
You can specify the mandatory and optional attributes of a custom object class that you want to use for provisioning operations. |
|
6333007 |
A limited subset of target system attributes was available for trusted source reconciliation. |
The subset of attributes has been expanded. |
|
6521484 |
There was scope for improvement in the reconciliation of deleted user data. |
Reconciliation of deleted user data has been optimized. To realize the full benefit of this change, you must upgrade the Oracle Identity Manager installation to Oracle Identity Manager release 9.0.3.0.8a or later (or the equivalent in the release 9.0.1, 9.0.3.1, and 9.1 tracks). Contact Oracle Global Support for further information on the equivalent Oracle Identity Manager patch. |
You can add new attributes and object classes for reconciliation and provisioning. See the following sections for more information:
You can now use a native query for implementing partial reconciliation. In the earlier release, you could use only queries specified in a non-native format to implement partial reconciliation. To implement this feature, the IsNativeQuery attribute has been added to the scheduled task.
See "Limited Reconciliation" for more information.
You can now configure the connector for both target resource and trusted source reconciliation. The reconciliation scheduled task has been modified to implement this feature. To implement this feature, the DualMode attribute has been added to the scheduled task.
Note:
The Dual Mode Reconciliation feature has been desupported from release 9.0.4.3 onward.
The xliIPlanet.jar file has been split into two files, SJSDSProv.jar and SJSDSRecon.jar. Corresponding changes have been made in the following sections:
The following are issues resolved in release 9.0.4.1_6858468:
| Bug Number | Issue | Resolution |
|---|---|---|
|
6858468 |
If you performed an Update User provisioning operation on a user who was created directly under the root context, then an error was encountered. |
This issue has been resolved. You can now perform Update User provisioning operations on users who are created directly under the root context. |
|
6488868 |
For connector operations, you had to use an administrator account on the target system with maximum privileges. |
You can now create a target system account with specific privileges for connector operations. See "Creating a Target System User Account for Connector Operations" for more information. |
The following are software updates in release 9.0.4.2:
From Oracle Identity Manager release 9.1.0 onward, the Administrative and User Console provides the Connector Installer feature. This feature can be used to automate the connector installation procedure.
See "Installing the Connector on Oracle Identity Manager Release 9.1.0.x or Release 11.1.1" for more information.
The following are issues resolved in release 9.0.4.2:
| Bug Number | Issue | Resolution |
|---|---|---|
|
7262351 |
User details and group details are stored in separate object classes on the target system. For each target system user, a new connection to the target system was opened for fetching the user's group membership details during a reconciliation run. Performance was adversely affected if a large number of connections were opened. |
This issue has been resolved. A single connection is used to fetch group membership details. This connection is kept open until the end of the reconciliation run. |
|
7282425 |
A reconciliation search filter and sort query are run on the target system records during reconciliation. If the target system contained a large number of users, then the reconciliation process was very slow. |
In earlier releases, target system records were sorted on the basis of the |
The following are software updates in release 9.0.4.3:
Sun ONE Directory Server 6.3 has been added to the list of certified target system versions. See "Certified Components" for information about the full list of certified target system versions.
In earlier releases, the connector supported dual mode reconciliation in which you ran both trusted source and target resource reconciliation on the target system. From this release onward, the connector does not support dual mode reconciliation.
From this release onward, the following procedures are supported:
Adding New Multivalued Attributes for Target Resource Reconciliation
Enabling Update of New Multivalued Attributes for Provisioning
In the "Reconciled Resource Object Fields" section, the following fields have been added to the list of fields covered by target resource reconciliation:
nsuniqueid
Common Name
Status
In the "Reconciled Xellerate User (OIM User) Fields" section, the Status field has been added to the list of fields covered by trusted source reconciliation.
In the "Provisioning Module" section, the Common Name field has been added to the list of fields covered by provisioning.
The following are issues resolved in release 9.0.4.3:
| Bug Number | Issue | Resolution |
|---|---|---|
|
7612234 |
The following is the format of the time-stamp filter applied to each target system record during reconciliation: timestamp_record_updated >= last_reconciliation_run_timestamp When this filter was applied, a record that was added or modified at the instant the reconciliation run ended was also reconciled. However, the application of the time-stamp filter caused the same record to be reconciled during the next reconciliation run. |
This issue has been resolved. The time-stamp filter cannot be changed to the following: timestamp_record_updated > last_reconciliation_run_timestamp As a workaround, one second is added to the time stamp recorded in the IT resource before the filter is applied during a reconciliation run. In other words, the filter is changed to the following: timestamp_record_updated + 1 second >= last_reconciliation_run_timestamp Application of this filter ensures that a record reconciled at the end of a reconciliation run is not reconciled during the next reconciliation run. |
|
7557852 |
The following issue was observed if you created and then disabled a user on the target system before the user was reconciled into Oracle Identity Manager: After the reconciliation run, the OIM User was created with the Active status. |
This issue has been resolved. If the user is Disabled on the target system, then the user is created with the Disabled status on Oracle Identity Manager. Note: The minimum release of Oracle Identity Manager that supports reconciliation of status data is release 9.0.3.2. This requirement is mentioned later in the guide. |
|
7516594 |
Suppose you had two organizations with the same name and at different locations on the target system, for example: ou=PeopleOrg,dc=support ou=PeopleOrg,ou=Engineering,dc=support After lookup field reconciliation, the Code Key column was populated with the DN value and the Decode was populated with the organization name. Because provisioning was based on the Decode value, the user was sometimes provisioned to the wrong organization. |
This issue has been resolved. Provisioning operations are performed in the specified organization even if there is more than one organization with the same name. |
|
7478975 and 7676228 |
During reconciliation of deleted users, records of users who had been newly created or modified were also fetched into Oracle Identity Manager. The |
This issue has been resolved. New scheduled tasks have been introduced in this release. See "Configuring Scheduled Tasks" for more information. |
|
7386568 |
During lookup reconciliation, roles names are reconciled in the same case (uppercase and lowercase) in which they are stored in the target system lookup field. When you assign a role to a user on the target system, the role name is converted to lowercase letters in the user record. When you reconcile this user into Oracle Identity Manager, the role name is stored in Oracle Identity Manager in the same case (uppercase and lowercase) in which it is stored on the target system. If the role assigned to a user was stored in a different case in the lookup definition, then the role details were not displayed along with the rest of the user details in Oracle Identity Manager. |
This issue has been resolved. During lookup field reconciliation, names of all roles are converted to lowercase. With this update, roles assigned to users can be matched with the roles in the lookup definition and, therefore, role details can be displayed in Oracle Identity Manager. For information about a limitation related to this resolution, see Bug 8276871 in the "Known Issues" chapter. |
|
7345488 |
Incremental reconciliation did not work if you set the |
The See "User Reconciliation Scheduled Task" for more information. |
|
6937079 |
Only a single time-stamp format was supported. The time stamp is used during reconciliation to identify newly added or modified target system records. |
This issue has been resolved. You can now use the See "Setting Up Lookup Definitions in Oracle Identity Manager" for more information. |
|
6792067 |
The target system allows you to change the user ID (UID) of a user. However, when reconciliation was performed after the user ID of a user was changed on the target system, a new account was created for the user in Oracle Identity Manager. |
This issue has been resolved. The |
|
7676205 |
The Prov Attribute Lookup Code and Attribute Lookup Code IT resource parameters did not have default values. |
This issue has been resolved. The following default values have been assigned to these parameters:
|
|
7721222 |
When you disable a user on the target system:
When you disabled a user on Oracle Identity Manager, only the |
This issue has been resolved. When you disable a user on Oracle Identity Manager, the For information about a limitation related to this resolution, see Bug 8294827 in the "Known Issues" chapter. |
|
7707148 and 7676263 |
Batched reconciliation did not work if you set the The |
This issue has been resolved. If you set the The |
|
7680631 |
During a provisioning operation, the e-mail address that you specified for the user was not propagated to the target system. |
This issue has been resolved. During provisioning operations, the e-mail address is propagated to the target system along with the rest of the user data fields. |
|
7676299 |
Two lookup definitions were mapped to the same group data table on the target system. |
This issue has been resolved. One of the lookup definitions has been deleted. |
|
7676283 |
Default roles and groups were assigned to users during provisioning operations. |
This issue has been resolved. Default roles and groups are not assigned during provisioning operations. |
The following are software updates in release 9.0.4.4:
The high-availability feature for ITResource is now supported by the connector. This feature enables the connector to perform operations using the backup servers if the primary LDAP server fails or is unavailable.
The connector now supports attribute mapping for groups and roles. New attributes can be added for groups and roles, and they can be provisioned and reconciled.
The following are issues resolved in release 9.0.4.4:
| Bug Number | Issue | Resolution |
|---|---|---|
|
8287081 |
The connector did not support attribute mapping for Roles and Groups. |
This issue has been resolved. The connector now supports attribute mapping for groups and roles. New attributes can be added for groups and roles, and they can be provisioned and reconciled. |
|
8287058 |
The Organization Name in the Resource Object form for Groups and Roles field was a text field instead of a lookup field. |
This issue has been resolved. The Organization Name in the Resource Object form for Groups and Roles is now modified to a look up field. |
The following are software updates in release 9.0.4.11:
To meet the requirements of specific use cases, you might need to create multiple copies of the Oracle Identity Manager objects that constitute the connector. The connector can work with multiple instances of these objects.
See Section 4.11, "Configuring the Connector for Multiple Installations of the Target System" for more information.
The logging feature has been enhanced to include the exception stack trace in this release.
The following are issues resolved in release 9.0.4.11:
| Bug Number | Issue | Resolution |
|---|---|---|
|
9060464 |
When organizations were reconciled into Oracle Identity Manager from the target system, the decode values was truncated from the For example: ou=people,l=NA,dc=arrow,dc=com and ou=people,l=asia,dc=arrow,dc=com Here, the organization name is Therefore, correct organization could not be added while creating users. |
This issue has been resolved. The connector now supports the reconciliation of complete DN of the Organization Unit while performing lookup reconciliation. Therefore, you can now add the appropriate organization while creating users. |
|
9030736 |
There was a mismatch of lookup values with the Code Key values and variables while provisioning a user to the Dar (Sun) directory, after the connector installation. |
This issue has been resolved. The connector now supports separate lookup definitions for constants and configuration items. |
|
8678353 |
The connector supported a password field length of 15 characters only. As a result, provisioning failed whenever the length of the password field exceeded 15 characters. |
This issue has been resolved. The connector now supports password field length up to 200 characters. This in turn, enables you to provision the password field with value greater than 15 characters. |
|
8597131 |
The |
This issue has been resolved. The |
|
9243262 |
The connector ignored the value of |
This issue has been resolved. The AttrType parameter in the scheduled task is renamed to |
|
9268648 |
In earlier release, all the active users present in the target system were searched and compared with active OIM Users. The OIM users which were missing were deleted. The delete reconciliation functionality failed when it was run for multiple installations of the iPlanet target system. |
This issue has been resolved. The delete reconciliation functionality is now implemented with retro change log plug-in, which stores all the modified entries under |
The following are the software updates in release 9.0.4.12:
From this release onward, the connector can be installed and used on Oracle Identity Manager 11g release 1 (11.1.1). Where applicable, instructions specific to this Oracle Identity Manager release have been added in the guide.
See Section 1.1, "Certified Components" for the full list of certified Oracle Identity Manager releases.
From this release onward, the connector provides support for request-based provisioning on Oracle Identity Manager 11g release 1 (11.1.1).
See Section 3.6.1.2, "Request-Based Provisioning" for more information.
Sun Java System Directory Server Enterprise Edition 7.0 has been added to the list of certified target system versions. See Section 1.1, "Certified Components" for information about the full list of certified target system versions.
The following are software updates in release 9.0.4.15:
The connector supports the connection pooling feature introduced in Oracle Identity Manager release 9.1.0.2. In earlier releases, a connection with the target system was established at the start of a reconciliation run and closed at the end of the reconciliation run. With the introduction of connection pooling, multiple connections are established by Oracle Identity Manager and held in reserve for use by the connector.
From this release onward, the connector provides support for importing a request dataset XML file into Oracle Identity Manager by using the Deployment Manager on Oracle Identity Manager 11g release 1 (11.1.1.3).
The installation media of this release includes a request dataset file, SJSDSConnectorRequestDatasets.xml, which is available in the xml directory.
See Section 2.3.1.7.1, "Importing Request Datasets Using Deployment Manager" for more information.
The following are issues resolved in release 9.0.4.15:
| Bug Number | Issue | Resolution |
|---|---|---|
|
9299541 |
The connector did not use the time-stamp format specified in the |
This issue has been resolved. The connector now uses the time-stamp format specified in the TARGET_TIMESTAMP_SEARCHFORMAT parameter. |
|
9350018 |
The |
This issue has been resolved. The |
|
9892920 |
Reconciliation of disabled accounts did not work. |
This issue has been resolved. The connector now supports reconciliation of disabled accounts. |
|
9444122 |
The iPlanet Role Recon Task scheduled task did not work in SSL mode. |
This issue has been resolved. The connector now supports iPlanet Role Recon Task in SSL mode. |
|
12989431 |
LDAP user creation failed if there were more than eight characters in the middle name of the user. |
This issue has been resolved. Creating or updating a user does not fail if there are more than eight characters in the middle name of the user. |
|
13006479 |
The logging of operations duing connection pooling was not satisfactory. |
This issue has been resolved. The logging for the connection pooling feature has been enhanced. |
|
12916335 |
The request dataset XML file did not specify the required attributes during request-based provisioning. |
This issue has been resolved. The User ID, Last Name, and Common Name fields are now marked mandatory during request-based provisioning. |
|
12881318 |
During the provisioning of roles and groups, the organization name was populated inappropriately. |
This issue has been resolved. During provisioning, only the role names and the group names are populated. |
|
11799031 |
During a lookup reconciliation operation of a group, an organization, or a role, an error was encountered. |
This issue has been resolved. A lookup reconciliation of a group, an organization, or a role is successful. |
|
10351023 |
The |
This issue has been resolved. The |
The following sections discuss documentation-specific updates:
There are no known issues associated with this release of the connector. Points that were earlier listed in the "Known Issues" chapter have been moved to the "Guidelines to Apply While Using the Connector" section.
Changes have been made in the "Configuring SSL" section.
Instructions to create or modify the ACI for the user account have been added in the following sections:
The following are documentation-specific updates in release 9.0.4.3:
In the "Certified Languages" section, Arabic has been added to the list of supported languages.
In the "Testing and Troubleshooting" chapter, the "Testing Partial Reconciliation" and "Testing Batched Reconciliation" sections have been removed.
In the "Known Issues" chapter, known issues have been added.
The following are documentation-specific updates in release 9.0.4.4:
In the "Configuring the IT Resource" section, IT resource parameters have been added.
In the "Importing the Connector XML File" section, IT resource parameters have been added.
In the "Deploying the Connector" chapter, the "Configuring High Availability of the Target System" section has been added.
In the "Verifying Deployment Requirements" section, changes have been made in the "Target systems" row.
In the "Specifying Values for the Scheduled Task Attributes" section, the "Group and Role Reconciliation Scheduled Task" section has been added.
In the "Compiling Adapters" section, the adapter list has been updated.
In the "Provisioning Organizational Units, Groups, and Roles" section, the lookup definition for provisioning Group and Role in organization unit has been added.
In the "Extending the Functionality of the Connector" chapter, the "Adding New Attributes for Group or Role Reconciliation" section has been added.
In the "Adding New Multivalued Attributes for Target Resource Reconciliation" section, a Note has been added for provisioning multivalued attributes for Group and Role.
In the "Known Issues" chapter, known issues have been removed.
Major changes have been made to the structure of the guide. The objective of these changes is to synchronize the guide with the changes made to the connector and to improve the usability of the information provided by the guide.
The following is a documentation-specific update in release 9.0.4.12:
The following information that was documented as a guideline in the "Guidelines to Apply While Using the Connector" section has been moved to the "Known Issues" chapter:
Some Asian languages use multibyte character sets. Because the character limit for the fields in the target system is specified in bytes, the number of Asian-language characters that you can enter in a particular field is usually less than the number of English-language characters that you can enter in the same field. The following example illustrates this limitation:
Suppose you can enter 50 characters of English in the User Last Name field of the target system. If you have configured the target system for the Japanese language, then you would not be able to enter more than 25 characters in the same field.
Section 1.3, "Connector Architecture" has been modified.
Section 3.5.1, "Configuring Scheduled Tasks on Oracle Identity Manager Release 9.0.3.x " has been added.
The "Attribute Mappings Between Oracle Identity Manager and Sun Java System Directory" appendix has been removed.
The following are the documentation-specific updates for this release of the connector.
Section 2.3.1.7.2, "Copying Predefined Request Dataset" has been updated with the new dataset XML files.
Table 2-1, "Files and Directories on the Installation Media" has been updated for XML files.
Section 2.2.1.2, "Configuring the IT Resource" has been updated for missing parameters.
In Section 2.3.2, "Configuring SSL," a note on deployment procedure has been removed.
In Section 2.1, "Preinstallation," a note on deployment procedure has been added.
In Section 2.2, "Installation," a note on deployment procedure has been added.
In Section 2.3, "Postinstallation," a note on deployment procedure has been added.
Section 4.7, "Adding New Multivalued Attributes for Provisioning" has been added.
Section 5.2.6, "Logging Errors" has been added to Section 5.2, "Troubleshooting Connector Problems."
The following changes have been made to Section 2.3.1.3.2, "Enabling Logging on Oracle Identity Manager Release 11.1.1," in the procedure for enabling logging in Oracle WebLogic Server:
The "Logger Name" entry has been modified in Step 1.a and Step1.b.
A note has been added after Step 4.