1 Overview of the Password Synchronization Module

Oracle Identity Manager is an advanced user account provisioning system for automatically granting and revoking access to enterprise applications and managed systems. The modular architecture of Oracle Identity Manager can handle most IT requirements, without requiring changes to existing infrastructure, policies, or procedures.

This chapter contains the following sections:

  • Section 1.1, "Components for Connecting Oracle Identity Manager to Microsoft Active Directory"

  • Section 1.2, "How Password Synchronization Works"

  • Section 1.3, "Files and Directories That Comprise the Password Synchronization Module"

  • Section 1.4, "Determining the Release Number of the Password Synchronization Module"

1.1 Components for Connecting Oracle Identity Manager to Microsoft Active Directory

Oracle Identity Manager provides the following components to link with Microsoft Active Directory:

  • Connector for Microsoft Active Directory

  • Password synchronization module for Microsoft Active Directory

Depending on your specific needs, you can deploy one or both of these components to connect Oracle Identity Manager and Microsoft Active Directory. Deployed together (along with LDAP over SSL), the connector and the password synchronization module provide full, bidirectional synchronization of all user attributes, including passwords.

The connector for Microsoft Active Directory can update user account attributes bidirectionally. However, password changes are updated only when the password is changed through Oracle Identity Manager, and not when it is changed through Microsoft Active Directory.

In contrast, the password synchronization module for Microsoft Active Directory updates Oracle Identity Manager with passwords changed in Microsoft Active Directory.

The following table compares the functionality offered by both tools.

Functionality                                                                                                              Module  Connector
Updates Microsoft Active Directory with user account attributes (except for passwords) changed in Oracle Identity Manager  No      Yes
Updates Oracle Identity Manager with user account attributes (except for passwords) changed in Microsoft Active Directory  No      Yes
Updates Microsoft Active Directory with passwords changed in Oracle Identity Manager (requires LDAP over SSL)              No      Yes
Updates Oracle Identity Manager with passwords changed in Microsoft Active Directory                                       Yes     No

1.2 How Password Synchronization Works

If the password synchronization module is installed, then the following use cases are supported:

  • Password changes made on the target system are propagated to the OIM User form if the target system is configured as a trusted source.

  • Password changes made on the target system are propagated to the process form if the target system is configured as a target resource.

  • Password changes made on the OIM User form are propagated to the target system.

  • Password changes made through the Forgot Password option are propagated to the OIM User form and to the target system.

Note:

If the password synchronization module is installed, then password changes made on the process form are not propagated to the target system.

The password synchronization module intercepts a password change event in Microsoft Active Directory and sends the new password to Oracle Identity Manager. If the password change in Oracle Identity Manager fails (for example, because the new password does not meet the password policy), the password change is rejected in Microsoft Active Directory as well. If the password change in Oracle Identity Manager succeeds, the password change is allowed in Microsoft Active Directory.

The USR_UDF_PWDCHANGEDINDICATION field is used to track password changes and prevent loop-back conditions in which a password change from Oracle Identity Manager to the target system is propagated back to Oracle Identity Manager, and vice versa.

See Also:

Oracle Identity Manager Connector Guide for Microsoft Active Directory for information about creating this field

When you change the password on Oracle Identity Manager:

  1. Oracle Identity Manager sets the value of the USR_UDF_PWDCHANGEDINDICATION field to 1.

  2. The new password is propagated to the target system.

  3. The password synchronization module detects the password change.

  4. The password synchronization module checks the value of the USR_UDF_PWDCHANGEDINDICATION field, sets the field to 0, and then performs no further action.

    Note:

    When you perform a Create User provisioning operation, the value of the field is NULL. The password synchronization module treats the NULL value the same as it would treat a value of 1.

When you change the password on the target system:

  1. The password synchronization module sets the value of the USR_UDF_PWDCHANGEDINDICATION field to 1.

  2. The new password is set in the USR table.

  3. Oracle Identity Manager detects the password change.

  4. Oracle Identity Manager checks the value of the USR_UDF_PWDCHANGEDINDICATION field, sets the field to 0, and then performs no further action.
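The two flows above, as an added simulation that is not Oracle's code: one object stands in for the USR table, the Active Directory account and the shared USR_UDF_PWDCHANGEDINDICATION flag, and the password policy (8 or more characters with a digit) is an assumption used only to show the rejection path. It also covers the NULL-after-Create-User case from the note above.

```python
"""Simulation of the USR_UDF_PWDCHANGEDINDICATION loop-back guard (added here,
not Oracle's code). The password policy below is an assumption for illustration."""

def oim_policy_ok(pwd):
    return len(pwd) >= 8 and any(c.isdigit() for c in pwd)  # assumed OIM policy

class PasswordSync:
    def __init__(self):
        self.usr_password = None  # password column of the USR table in OIM
        self.ad_password = None   # password of the account in Active Directory
        self.flag = None          # USR_UDF_PWDCHANGEDINDICATION; NULL after Create User
        self.trace = []           # what each side did, in order

    def change_in_oim(self, pwd):  # entry point: password changed on the OIM User form
        if not oim_policy_ok(pwd):
            return False
        self.flag = 1                    # OIM flow, step 1
        self.usr_password = pwd
        self.ad_password = pwd           # step 2: propagated to the target system
        self.trace.append("oim->ad")
        self.module_intercept(pwd)       # step 3: the module detects the AD change
        return True

    def change_in_ad(self, pwd):  # entry point: password changed in AD
        accepted = self.module_intercept(pwd)  # module intercepts before AD commits
        if accepted:
            self.ad_password = pwd       # AD keeps the change only if OIM accepted it
        return accepted

    def module_intercept(self, pwd):  # sync module handler for an AD password event
        if self.flag in (1, None):       # NULL is treated like 1
            self.flag = 0                # OIM flow, step 4: clear the flag and stop
            self.trace.append("module: echo of OIM change suppressed")
            return True
        if not oim_policy_ok(pwd):       # OIM rejects the password, so AD must too
            self.trace.append("module: rejected by OIM policy")
            return False
        self.flag = 1                    # AD flow, step 1
        self.usr_password = pwd          # AD flow, step 2: written to the USR table
        self.trace.append("ad->oim")
        self.oim_detect_usr_change(pwd)  # AD flow, step 3
        return True

    def oim_detect_usr_change(self, pwd):  # OIM handler for a USR password write
        if self.flag == 1:               # AD flow, step 4: clear the flag and stop
            self.flag = 0
            self.trace.append("oim: echo of AD change suppressed")
            return
        self.change_in_oim(pwd)          # without the guard this would loop back to AD
```

The trace list shows that each change crosses the boundary exactly once, and that an AD-side change rejected by the OIM policy never reaches either store.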

1.3 Files and Directories That Comprise the Password Synchronization Module

The installation files for the module are in the following directory on the installation media:

Directory Servers/Microsoft Active Directory/Microsoft Active Directory Password Sync

These files and directories are listed in the following table.

File in the Installation Media Directory        Description
setup_ad.exe                                    This file is used to install the password synchronization module.
set_ad.jar                                      This JAR file is used during the installation process.
Files in the com/oracle/xl/installer directory  Each of these resource bundle files contains language-specific information that is used by the connector.
                                                Note: A resource bundle is a file containing localized versions of the text strings that are displayed on the Administrative and User Console. These text strings include GUI element labels and messages.
Files in the jpclient/lib directory             These are password synchronization library files.
Files in the xlhome/ext directory               These are third-party JAR files.
Files in the xlhome/install directory           These JAR files are required by the password synchronization module installer.

1.4 Determining the Release Number of the Password Synchronization Module

To determine the release number of an existing password synchronization module:

  1. Extract the contents of the xliADSync.jar file. This file is copied into the ADSYNC_HOME/lib directory after you perform the installation process described in Chapter 2.

  2. Open the manifest.mf file in a text editor. The manifest.mf file is one of the files bundled inside the xliADSync.jar file.

    In the manifest.mf file, the release number of the connector is displayed as the value of the Version property.
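The procedure above can be scripted; the following is an added helper, not Oracle's code. It reads the Version property from the manifest inside a JAR, handling the manifest format's continuation lines, and builds a stand-in JAR in memory with a placeholder Version so it runs without the real xliADSync.jar.

```python
"""Read the Version property from the manifest inside a JAR (added example, not
Oracle's code). The sample JAR is constructed in memory with a placeholder Version."""
import io
import zipfile


def parse_manifest(text):
    """Parse 'Name: value' lines; a line starting with a space continues the previous value."""
    props, last = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and last is not None:
            props[last] += line[1:]
        elif ":" in line:
            name, _, value = line.partition(":")
            last = name.strip()
            props[last] = value.strip()
    return props


def release_number(jar_bytes):
    """Return the Version property from manifest.mf (any folder, any case) inside the JAR."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.lower().endswith("manifest.mf"):
                return parse_manifest(jar.read(name).decode("utf-8")).get("Version")
    return None  # no manifest entry: the release number cannot be determined


def build_sample_jar():
    """Constructed stand-in for xliADSync.jar; the Version value is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     "Manifest-Version: 1.0\r\nVersion: 0.0.0-PLACEHOLDER\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    # For the real module, pass open("ADSYNC_HOME/lib/xliADSync.jar", "rb").read() instead
    print(release_number(build_sample_jar()))
```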