This chapter provides an overview of the updates made to the software and documentation for release 9.1.1.7 of the Microsoft Active Directory User Management connector.
Note:
Release 9.1.1.7 of the connector comes after release 9.1.1.5. Release number 9.1.1.6 has not been used.The updates discussed in this chapter are divided into the following categories:
This section describes updates made to the connector software. This section also points out the sections of this guide that have been changed in response to each software update.
Documentation-Specific Updates
This section describes major changes made to this guide. For example, the relocation of a section from the second chapter to the third chapter is a documentation-specific update. These changes are not related to software updates.
The following sections discuss software updates:
The following are the software updates in release 9.1.1.7:
The connector supports the connection pooling feature introduced in Oracle Identity Manager release 9.1.0.2. In earlier releases, a connection with the target system was established at the start of a reconciliation run and closed at the end of the reconciliation run. With the introduction of connection pooling, multiple connections are established by Oracle Identity Manager and held in reserve for use by the connector.
The following are issues resolved in release 9.1.1.7:
| Bug Number | Issue | Resolution |
|---|---|---|
| 7126712 | After revoking the Microsoft Active Directory resource of an OIM User, if you ran the AD User Target Delete Recon scheduled task, then the button to provision new Active Directory resources for the user was disabled. | This issue has been resolved. The button for provisioning new Active Directory resources |
| 7296381 | If Oracle Identity Manager was using Microsoft SQL Server, then a limit was imposed on the total character length of all the fields on the process form. During the connector installation process, this check was implemented when the Deployment Manager imports the connector XML files. If the combined length of the process form fields was determined to be more than 8060 characters, then the XML file is not imported.
To work around this requirement, the character lengths of some process form fields were kept less than their target system counterparts. For example, although the length of the Department field on the target system is 64 characters, the length of this field on the process form is 40 characters. |
This issue has been resolved. There is no limit imposed on the total character length of all the process form fields. |
| 9701457 | During provisioning operations, an error was encountered if the backslash (\) character was included in the cn field. | This issue has been resolved. The connector now supports the backslash character in the cn field during provisioning operations. |
| 9721873 | The Organization Does Not Exist error was encountered even when the organization name was specified on the process form. | This issue has been resolved. The error is not encountered if an organization name is specified on the process form. |
| 9747056 | On Microsoft ADAM, user provisioning failed if you did not specify a value for the userPrincipalName attribute. | This issue has been resolved. If you do not want to specify a value for the userPrincipalName attribute during provisioning operations, then you can remove this attribute from the mappings of Microsoft ADAM with Oracle Identity Manager. |
| 9772051 | The AD Group Recon scheduled task did not correctly handle multivalued attributes. | This issue has been resolved. The AD Group Recon scheduled task now correctly handles multivalued attributes. |
| 10042523 | The Remove Group Membership provisioning operation failed. | This issue has been resolved. The Remove Group Membership provisioning operation now works as expected. |
| 10209972 | If the Password Never Expires flag and other account options such Smart Card Is Required For Interactive Logon and Account Is Trusted For Delegation are set for a target system user account, then after reconciliation, the Password Never Expires flag for the corresponding OIM user is removed. | This issue has been resolved. After reconciliation, the Password Never Expires flag is removed only if this flag is removed in the corresponding target system user account. |
| 10400055 | Multivalued or child attributes that have been added to an OIM User as a result of a reconciliation run could not be deleted. | This issue has been resolved. |
| 10037039 | Certificate Store Location for WebLogic Server is not correct. | This issue has been resolved. The "Oracle WebLogic Server" row in Table 2-5, "Certificate Store Locations" has been modified. |
The following are the software updates in release 9.1.1.5:
From this release onward, the connector can be installed and used on Oracle Identity Manager 11g release 1 (11.1.1). Where applicable, instructions specific to this Oracle Identity Manager release have been added in the guide.
See Section 1.1, "Certified Components" for the full list of certified Oracle Identity Manager releases.
From this release onward, the connector provides support for request-based provisioning on Oracle Identity Manager 11g release 1 (11.1.1).
See Section 3.7.2, "Request-Based Provisioning" for more information.
The following are software updates in release 9.1.1.4:
The connector can be configured to reconcile deleted group data in the target resource (account management) mode of the connector. The AD Group Delete Recon scheduled task has been introduced to automate this process.
See "Scheduled Tasks for Target Resource Reconciliation" section for more information.
The following are issues resolved in release 9.1.1.4:
| Bug Number | Issue | Resolution |
|---|---|---|
| 9082833 | During reconciliation, changes made to the memberof attribute were ignored by the scheduled task. |
This issue has been resolved. Now, a reconciliation event is created for a user if all the user's groups are removed from the target system. |
| 9255469 | Reconciliation failed if the group or organization lookup reconciliation task is configured, so that the AttrName for Decode Value in Lookup is an optional attribute in the connector, and the value in AD entry does not exist. |
This issue has been resolved. If the value for the attribute, AttrName for Decode Value in Lookup of the scheduled task is not present in the target system then it is populated with the value mentioned in the AttrName for Code Value in Lookup attribute. |
| 9354692 | The port number for the backup server provided in the Lookup.AD.Backupservers lookup definition could not be configured. In this case, the default port number specified in the IT resource for the primary server was used for backup server. |
The issue has been resolved. The connector now supports backup servers with different port numbers. The Lookup definition, Lookup.AD.Backupservers has been removed. A new entry, BackupServerURL is now added to the Lookup.AD.Configuration lookup definition. You now have to specify the complete URL of the backup servers.
See Section 2.3.1.3, "Configuring High Availability of the Target System" for more information. |
| 8342317 | The groups deleted in the target system were not reconciled in Oracle Identity Manager. | The issue has been resolved. A new scheduled task AD Group Delete Recon is now created. When you run this scheduled task, all the deleted groups are identified and deleted from Oracle Identity Manager. |
| 9375631 | When an AD User resource object was disabled or enabled the corresponding Exchange User resource object was not disabled or enabled. In addition, the corresponding tasks for Exchange were not triggered. | The issue has been resolved now. When the AD User resource object is disabled or enabled the associated Exchange User resource object is also disabled or enabled. The corresponding tasks are triggered and successfully completed. |
| 8666572 | The dependent Exchange User resource object was not provisioned if the retry task was used while provisioning the AD resource object. | This issue has been resolved now. Both, the AD User and the Exchange User are now provisioned when you work with the retry task functionality. |
The following are software updates in release 9.1.1.1:
Support for Reconciliation and Provisioning Across Multiple Domains
Support for Configuring the Timeout Interval for Switching Between Domain Controllers
Support for Validating Data Sent to the Target System During Provisioning
Support for Configuring the Mapping of the User ID field for Microsoft ADAM
Support for Configuring the Reconciliation of an Object Containing More Than 1000 Entries
From this release onward, the connector can be installed and used on Oracle Identity Manager release 9.1.0.2 or later.
See "Certified Components" for information about the certified components.
From this release onward, the connector supports reconciliation and provisioning across multiple domains.
See "Enabling Reconciliation and Provisioning Operations Across Multiple Domains" for more information.
The Lookup.AD.BackupServers lookup definition was introduced in an earlier release. You use this lookup definition to specify the backup domain controllers with which Oracle Identity Manager must try to establish a link if the primary domain controller becomes unavailable. In this release, the LDAPConnectTimeOut entry has been added in the Lookup.AD.Configuration lookup definition. You can use this entry to specify the timeout interval after which the connector must start trying to establish a connection with the backup domain controllers.
See "Configuring the Lookup.AD.Configuration Lookup Definition" for more information.
From this release onward, you can configure validation of provisioning data before it is sent to the target system. For example, you can create a Java class that prevents special characters in the First Name attribute from being sent to the target system. To implement this feature, the UseFieldsValidation and ValidationLookupCode entries have been added in the Lookup.AD.Configuration lookup definition.
See "Configuring the Lookup.AD.Configuration Lookup Definition" for more information.
If the target system is Microsoft ADAM, then you can specify the field of the target system that you want to map to the User ID field of the Microsoft ADAM resource in Oracle Identity Manager. You specify the name of the target system field as the value of the OIMADAMUserID entry in the Lookup.AD.Configuration lookup definition. The default value of this entry is UserPrincipalName.
See "Configuring the Lookup.AD.Configuration Lookup Definition" for more information.
In earlier releases, you configured the MaxValRange parameter on the target system if you wanted to enable reconciliation of a user or group containing more than 1000 entries. From this release onward, you need not configure the MaxValRange parameter. Instead, you must set to yes the value of the UseEnableRange entry in the Lookup.AD.Configuration lookup definition. In addition, if the objects for which you want to reconcile more than 1000 entries belong to different objectClasses, then you can use the UserMultiValuedAttributeRangeSearchFilter and GroupMultiValuedAttributeRangeSearchFilter entries to specify the objectClasses.
See "Configuring the Lookup.AD.Configuration Lookup Definition" for information about these entries.
The UserStatusEnabled entry has been added in the Lookup.AD.Configuration lookup definition. You can use this entry to specify that accounts that are created through target resource reconciliation must have either the Provisioned or Enabled status.
See "Configuring the Lookup.AD.Configuration Lookup Definition" for more information.
The following are issues resolved in release 9.1.1.1:
| Bug Number | Issue | Resolution |
|---|---|---|
| 8485448 | Multivalued attributes of groups were not reconciled. | This issue has been resolved. Multivalued attributes of groups are now reconciled. |
| 8453177 | A user with a disabled Microsoft Active Directory account could log in to Microsoft Active Directory after the Password Never Expires option was selected through a provisioning operation. | This issue has been resolved. A disabled Microsoft Active Directory account cannot be used to log in to Microsoft Active Directory even when the Password Never Expires option is selected. |
| 8560999 | A provisioning operation failed if the DN value sent to the target system contained the comma (,) character. | This issue has been resolved. A provisioning operation does not fail if the DN value sent to the target system contains the comma (,) character. |
| 8660526 | On Microsoft ADAM, a provisioning operation failed if the Manager DN value sent to the target system was in a custom DN format. | This issue has been resolved. Manager DN values in custom DN format can be sent to Microsoft ADAM.
See "Configuring the Lookup.AD.Configuration Lookup Definition" for more information. |
| 8262055 | When you performed the first provisioning operation on an account created through reconciliation, then an additional task was run during the provisioning operation. | This issue has been resolved. No additional, unnecessary task is run when you perform provisioning operations. |
| 8446303 | The connector could not determine if a delayed response from the target system was the result of the target system not responding at all. There was no way of specifying a timeout interval. | This issue has been resolved. The LDAPSSLTimeOut entry has been added in the Lookup.AD.Configuration lookup definition. You use this entry to specify the timeout interval (in milliseconds) for setting up an SSL connection with the target system.
See "Configuring the Lookup.AD.Configuration Lookup Definition" for more information. |
| 8669801 | During a provisioning operation, if an OU was not specified, then cn=users was taken as the default OU. | This issue has been resolved. If an OU is not specified during a provisioning operation, then a message prompting you to enter an OU is displayed. |
| 8831669 | The islookupDN option allowed you to specify whether you wanted to use the full DN or only the CN. | From this release onward, only the full DN value is accepted. The islookupDN option has been removed. |
| 8669811 | At the end of the Create User provisioning operation, the getObjectGUIDCreated process task was run to fetch the objectGUID value from the target system. If, for any reason, this task was rejected, then tasks that were dependent on this task were also rejected. | This issue has been resolved. The getObjectGUIDCreated task has been removed. Instead of this task, an Oracle Identity Manager API is used to fetch the objectGUID value. |
| 8875173 | You could not configure handling of special characters for provisioning operations. | This issue has been resolved. You can now use the SpecialCharacters entry in the Lookup.AD.Configuration lookup definition to specify special characters that must not be modified. In other words, the special characters you specify are sent to the target system without any modification by the connector.
See "Configuring the Lookup.AD.Configuration Lookup Definition" for more information. |
| 8615413 | The method name captured in some log messages was incorrect. | This issue has been resolved. All log messages now show the correct method name. |
| 8569018 | The basic connectivity test failed if the user name specified in the IT resource contained space characters. | This issue has been resolved. The basic connectivity test does not fail if the user name in the IT resource contains space characters. |
| 7551980 | Data logged for error scenarios did not provide sufficient detail. | This issue has been resolved. Log messages have been made more descriptive. In addition, the stack trace is captured for some error scenarios. |
| 8666321 | During a reconciliation run, the ADCS TimeStamp attribute of the scheduled task was updated after each user record was reconciled. | This issue has been resolved. The ADCS TimeStamp attribute is updated only at the end of the reconciliation run. |
The following are software updates in release 9.1.1:
Microsoft Active Directory 2008 Added to the List of Certified Target Systems
Updates Related to Changes in the Architecture of the Password Synchronization Connector
Linking of Entries Stored in Lookup Definitions with Target System Installations
Addition of the Search Base, Search Filter, and Search Scope Attributes in All the Scheduled Tasks
From this release onward, Microsoft Active Directory 2008 installed on Microsoft Windows Server 2008 with SP2 and later service packs has been added to the list of certified target systems. This has been mentioned in the "Certified Components" section.
From this release onward, Oracle Identity Manager release 9.1.0.1 is the minimum supported Oracle Identity Manager release. This is mentioned in the "Certified Components" section.
The architecture of the password synchronization connector has been completely overhauled in release 9.1.1. The following changes have been made in the IT resource:
The ADPWSYNCH ADFlag ADPWSYNCH OIMFlag, and ADPWSYNCH Installed parameters have been removed.
To control propagation of passwords to the target system during provisioning operation, the Allow Password Provisioning parameter has been added.
See "Configuring the IT Resource for the Target System" for more information.
From this release onward, the connector supports group provisioning operations. The following changes have been made:
The AtMap ADGroup parameter has been added in the IT resource. This parameter holds the name of the lookup definition that stores group field mappings between Oracle Identity Manager and the target system. These field mappings are listed in the "Group Fields for Provisioning" section.
From this release onward, the connector supports reconciliation of group data. The AD Group Recon scheduled task is used to automate reconciliation of group data.
See the following sections for more information:
From this release onward, the IT resource name is added as a prefix to values stored in lookup definitions that are synchronized with the target system. During a provisioning operation, lookup fields are populated with values corresponding to the target system installation that you select for the operation.
See "Lookup Fields Used During Connector Operations" for more information.
The UPN Domain parameter has been added in the IT resource. You can use this parameter to specify the domain for users. In addition, the User Principal Name field has been added on the process form. This is a mandatory field. See "Configuring the IT Resource for the Target System" for more information.
The AD.Parameters lookup definition has been renamed to "Lookup.AD.Configuration." In addition, new entries that hold the names of the process form and the process form fields used for matching user records have been added in this lookup definition. If you create a copy of the process form, then you can specify details of the new process form in the copy of the Lookup.AD.Configuration lookup definition. This feature enables you to create multiple copies of the connector without making code-level changes.
See the following sections for more information:
You use the Query attribute of the user reconciliation scheduled tasks to specify the query condition that must be applied during reconciliation. In earlier releases, you used the isNativequery attribute to specify that the query condition was in native LDAP format. From this release onward, you can use only native LDAP queries. The Use Native Query attribute has been removed from the scheduled tasks.
See "Limited Reconciliation vs. Regular Reconciliation" for more information.
The Lookup.AD.Constants lookup definition stores the constants and variables defined in the Java classes that constitute the connector.
Caution:
You must not change any entry in the Lookup.AD.Constants lookup definition. If you change any entry, then the connector will not function correctly.The name of this lookup definition is specified as the value of the Constants Lookup Code Key in the Lookup.AD.Configuration lookup definition.
From this release onward, you can specify the subset of records that must be reconciled from the target system. The Search Base, Search Filter, and Search Scope attributes have been added in all scheduled tasks except the scheduled tasks for reconciliation of deleted users. See "Reconciliation Scheduled Tasks" for more information.
The following are issues resolved in release 9.1.1:
| Bug Number | Issue | Resolution |
|---|---|---|
| Bugs 7489859 and 7455700 | The cn value of a user could not be changed through a provisioning operation on Oracle Identity Manager. | This issue has been resolved. The Common Name field has been introduced on the process form. This field is mapped to the cn field of the target system. Like the Full Name field, the Common Name field is populated with a value in the following format:
FIRST_NAME MIDDLE_NAME LAST_NAME For example:
You can modify this field through provisioning operations. This field has been added for both Microsoft Active Directory and ADAM. See the following sections for more information: |
| 5404679 | If a user was a member of more than 1000 groups, then the user could not be reconciled. | This issue can be resolved by changing the value of the MaxValRange parameter on the target system. |
| 7673487 | You could not create and use a new process form. You could only use the predefined process form. | This issue has been resolved. The Lookup.AD.Configuration lookup definition has been extended to include the following entries:
If you create a process form, then you must provide values for these entries. See "Configuring the Lookup.AD.Configuration Lookup Definition" for more information. |
| 7336488 | You could not specify the Oracle Identity Manager organization into which you wanted to reconcile group records.
Note: This issue was encountered in an earlier patch release of the connector in which group data reconciliation had been implemented. |
This issue has been resolved. The following attributes have been included in the AD Group Recon scheduled tasks:
See "AD Group Recon" for more information. |
| 7693562 and 8205269 | During provisioning operations, the Organization Name field is populated with values from the Lookup.ADReconciliation.Organization lookup definition. In the earlier release, instead of Decode values, Code Key values were displayed in the Organization Name field on the Administrative and User Console. | This issue has been resolved. Decode values of the lookup definition are displayed during provisioning operations. |
| 8269888 | You use the LdapUserDNPrefix entry in the Lookup.AD.Configuration lookup definition to specify the LDAP attribute for forming the relative DN or user account DN. This DN value forms the logon attribute for creating the user.
In the earlier release, this feature did not work if you changed the value from cn to any other attribute. |
This issue has been resolved. You can now change the value of the LdapUserDNPrefix parameter from cn to any other attribute. See "Configuring the Lookup.AD.Configuration Lookup Definition" for information about the LdapUserDNPrefix parameter. |
| 8222203 | Suppose you provisioned a Microsoft Active Directory resource to an OIM User and then changed the user ID of the account on the target system. During the next reconciliation run, no match was found with the resource on Oracle Identity Manager. | This issue has been resolved. The reconciliation rule for target resource reconciliation has been modified so that the objectGUID of the account on the target system is first compared with the objectGUID of the resource on Oracle Identity Manager. See "Reconciliation Rules for Target Resource Reconciliation" for more information. |
| 7668437 | The Disable User provisioning operation failed if the Full Name field contained the slash (/) character. | This issue has been resolved. The Disable User provisioning operation works even if the Full Name field contains the slash (/) character. |
| 7540967 | The following is the format of the time-stamp filter applied to each target system record during reconciliation:
When this filter was applied, a record that was added or modified at the instant the reconciliation run ended was also reconciled. However, the application of the time-stamp filter caused the same record to be reconciled during the next reconciliation run. |
This issue has been resolved.
The time-stamp filter cannot be changed to the following:
As a workaround, one second is added to the time stamp recorded in the IT resource before the filter is applied during a reconciliation run. In other words, the filter is changed to the following:
Application of this filter ensures that a record reconciled at the end of a reconciliation run is not reconciled during the next reconciliation run. |
| 7384799 | During a Create User provisioning operation, if you specified a group to which you wanted to assign the user, then the provisioning operation failed. | This issue has been resolved. You can now specify the group to which you want to assign a user during a provisioning operation. |
| 7320836 | Target resource reconciliation in batched mode stopped prematurely, even though no error was encountered. | This issue has been resolved. |
The following are software updates in release 9.1.0.1:
You can now enable the reconciliation of manager IDs from the target system during trusted source reconciliation. Manager ID values are stored in the Manager Login field of the OIM User form.
The following are issues resolved in release 9.1.0.1:
| Bug Number | Issue | Resolution |
|---|---|---|
| 7235815 | Reconciliation of a user record failed if the Full Name field contained commas. | This issue has been resolved. You can now reconcile records even if the Full Name field contains commas. |
| 7314549 and 7408391 | A provisioning operation failed if you entered the comma (,) or slash (/) characters in the Full Name field. | This issue has been resolved. You can now enter special characters in the Full Name field during provisioning operations. |
| 7324176 | If the MaintainHierarchy attribute was set to yes, then the value specified for the User Search Base attribute had to be an OU (of the form ou=abc,dc=...). If the value of the User Search Base attribute was a domain controller name (of the form dc=xyz,dc=com), then organization hierarchy was not maintained during reconciliation. |
This issue has been resolved. Organization hierarchy can be maintained during reconciliation even if the value of the User Search Base attribute is a domain controller name. For more information, see the description of the Search Filter attribute in "AD Organization Recon". |
| 7448615 | During target resource reconciliation, if no match was found between a particular target system record and any existing OIM Users, then the RowIndexOutBounds exception was thrown. | This issue has been resolved. If no match is found, then an error message is recorded in the log file and reconciliation continues. |
| 7450317 | On the target system, if you do not want to set an expiry date for a user's account, then you enter Never in the Expiry Date field. This action is the same as setting the expiry date to 1-Jan-1970. Similarly, on Oracle Identity Manager, you leave the Expiry Date process form field empty if you do not want to set an expiry date for the user's target system account.
If the client computer and the target system host are set to different time zones, then the connector converts time stamp values sent from the client computer to GMT-relative time stamp values before storing them in the target system database. This conversion sometimes caused the |
This issue has been resolved. If you do not specify a value in the Expiry Date process form field, then the time zone part of the time stamp value is set to GMT (that is, GMT+00:00). Time zone conversion does not take place before the date value is stored in the target system database.
See Bug 7518734 in the "Known Issues" chapter for information about a limitation related to this fix. |
| 7328972 | During a provisioning operation, a user could not be made a member of a group whose name contained special characters. | This issue has been resolved. See Table 1-9 for information about special characters that are supported in the Group Name field. |
| 7320836 | During reconciliation of a large number of records, the reconciliation run would sometimes stop automatically and no error was thrown. In addition, no attempt was made to reestablish the connection to resume the reconciliation run. | This issue has been resolved. The number of records to be reconciled is determined at the start of a reconciliation run. Whenever the connection fails during the reconciliation run, an attempt is made to reestablish the connection and resume reconciliation. This process is repeated until the number of records reconciled is equal to the number of records identified for reconciliation at the start of the run. |
The following are issues resolved in release 9.1.0:
Introduction of Scheduled Task for Reconciliation of Deleted User Records
Support for Provisioning Users to User-Defined Object Classes
Support for Deprovisioning of Users That Have Associated Leaf Nodes on the Target System
Support for the Application of Native LDAP Queries During Reconciliation
Support for High-Availability Configuration of the Target System
Support for Terminal Services Profile Fields of the Target System
Support for the E-Mail Redirection Feature in Microsoft Active Directory
The connector can be used to integrate both Microsoft Active Directory and Microsoft Active Directory Application Mode (ADAM) with Oracle Identity Manager.
Information specific to the Microsoft ADAM has been provided at various places in this guide.
You can now install the connector by using the Connector Installer feature of the Oracle Identity Manager Administrative and User Console.
See "Running the Connector Installer" for more information.
In the trusted source reconciliation mode, the connector can be configured to reconcile details of organizations on the target system. The AD Organization Recon scheduled task has been introduced to automate organization reconciliation.
See the following sections for more information:
In the target resource mode, the connector can be configured to fetch the names of organizations on the target system and populate a lookup definition in Oracle Identity Manager.
See "Scheduled Tasks for Lookup Field Synchronization" for more information.
The connector can be configured to reconcile deleted user data in both account management (target resource) and identity reconciliation (trusted source) modes. The AD User Target Delete Recon and AD User Trusted Delete Recon scheduled tasks have been introduced to automate this process.
See the following sections for more information:
In earlier releases, the same scheduled task was used for target resource and trusted source reconciliation. In this release, the following scheduled tasks have been introduced:
AD User Target Recon
This scheduled task is used to fetch user data in the target resource mode. See "Scheduled Tasks for Target Resource Reconciliation" for information about this scheduled task.
AD User Target Delete Recon
This scheduled task is used to fetch data about deleted users in the target resource mode. During a reconciliation run, for each deleted user account on the target system, the corresponding AD User resource is revoked for the OIM User. See "Scheduled Tasks for Target Resource Reconciliation" for information about this scheduled task.
AD User Trusted Recon
This scheduled task is used to fetch user data in the trusted source mode. See "Scheduled Tasks for Trusted Source Reconciliation" for information about this scheduled task and its attributes.
AD User Trusted Delete Recon
This scheduled task is used to fetch data about deleted users in the trusted source mode. During a reconciliation run, for each deleted target system account, the corresponding OIM User is deleted. See "Scheduled Tasks for Trusted Source Reconciliation" for information about this scheduled task and its attributes.
In addition to support for the traditional testing utility, this connector supports the Diagnostic Dashboard. You can use this tool to test basic functionality of the connector.
See "Using the Diagnostic Dashboard" for more information.
By default, the target system uses the user object class. You can use the Lookup.AD.Configuration lookup definition to include user-defined object classes on the target system in reconciliation and provisioning operations.
See "Configuring the Lookup.AD.Configuration Lookup Definition" for more information.
A user on the target system can have other users defined as its leaf nodes. You can configure the connector to perform one of the following actions when the user is deleted on Oracle Identity Manager:
Delete the user and its leaf nodes from the target system.
Display a message stating that the user has leaf nodes.
This feature is implemented through the isUserDeleteLeafNode parameter of the IT resource for the target system. See "Configuring the IT Resource for the Target System" for information about this parameter.
In the earlier release, you specify the query condition for limited reconciliation by using operators that are not native to the target system. You can now specify the query condition using either non-native or native operators.
See "Limited Reconciliation vs. Regular Reconciliation" for more information.
The connector can be configured for compatibility with high-availability target system environments. It can read information about backup target system hosts from the Lookup.AD.BackupServers lookup definition and apply this information when it is unable to connect to the primary host.
See "Configuring High Availability of the Target System" for more information.
In the target resource mode, a Remote Manager can be used in conjunction with the connector to enable reconciliation from and provisioning to the Terminal Services fields of the target system. In addition, you can add Environment, Remote Control, and Sessions fields for reconciliation and provisioning.
See the following sections for more information:
You can add both single-valued and multivalued fields for target resource reconciliation and provisioning.
See the following sections for more information:
This connector supports the Multiple Trusted Source Reconciliation feature of Oracle Identity Manager release 9.1.0 and later. See "Configuring the Connector for Multiple Trusted Source Reconciliation" for more information.
You can use the E-mail Redirection feature to specify an alternative (redirection) e-mail address for a user. E-mail sent to the user is automatically directed to the account specified by the redirection e-mail address.See "Guidelines on Performing Provisioning Operations" for more information.
The following sections discuss documentation-specific updates:
The following is a documentation-specific update made in revision "18" of release 9.1.1.7:
The period (.) symbol has been added to Table B-1, "Special Characters That Can Be Used in the Password Field".
The following documentation-specific updates have been made in revision "17" of release 9.1.1.7:
The "Oracle Identity Manager" row of Table 1-1, "Certified Components" has been modified.
Section 1.2, "Usage Recommendation" has been added.
The following documentation-specific updates have been made in revision "16" of release 9.1.1.7:
Information in the "Organization Name" row under the "Process Form Field" column in Table 1-8, "User Fields for Provisioning", has been modified.
Bug 17365924 has been listed as a known issue in Chapter 6, "Known Issues."
In Section 4.10, "Adding New Fields for Trusted Source Reconciliation," under the procedure for "Adding a new field for trusted source reconciliation", steps 3.f and 3.g have been added.
The following documentation-specific updates have been made in revision "15" of release 9.1.1.7:
In Section 2.2.1.2, "Copying the ldapbp.jar File," the procedure to copy the JAR file on Oracle Identity Manager release 11.1.1 has been modified.
Section 2.3.1.3, "Configuring High Availability of the Target System," has been modified.
In Section 4.5, "Adding New Multivalued Fields for Provisioning," a new step has been added.
In Section 4.15, "Configuring the Connector for Multiple Installations of the Target System," information has been added to the note.
In "Known Issues" chapter, the issue tracked by bug 11904573 has been added.
In Chapter 2, "Deploying the Connector," the "Oracle WebLogic Server" row in Table 2-5, "Certificate Store Locations" has been modified.
In Table 1-1, one of the target system host platforms has been updated as follows:
Microsoft Windows Server 2008 Active Directory installed on Microsoft Windows Server 2008 R2
The "Oracle Identity Manager" row in Table 1-1, "Certified Components" has been modified.
A note has been added in the "Files in the DataSets directory" row of Table 2-1, "Files and Directories On the Installation Media".
The following sections have been added:
Instructions specific to Oracle Identity Manager release 11.1.2.x have been added in the following sections:
Section 2.1.1.1, "Files and Directories On the Installation Media"
Section 2.2.1.3, "Configuring the IT Resource for the Target System"
Section 2.2.2.3, "Enabling Client-Side Authentication for the Remote Manager"
Section 2.3.1.1, "Clearing Content Related to Connector Resource Bundles from the Server Cache"
Section 2.3.3.1, "Creating the IT Resource for the Remote Manager"
Section 2.3.3.4, "Verifying That the Remote Manager Is Running"Section 2.3.1.2.2, "Enabling Logging on Oracle Identity Manager Release 11.1.1 or 11.1.2.x"
Section 4.2, "Adding New Fields for Target Resource Reconciliation"
Section 4.3, "Adding New Multivalued Fields for Target Resource Reconciliation"
Section 4.5, "Adding New Multivalued Fields for Provisioning"
There are no documentation-specific updates in release 9.1.1.5.
The following are documentation-specific updates in release 9.1.1.4:
The "Configuring High Availability of the Target System"section has been updated.
In the "Setting Up the Target System Certificate As a Trusted Certificate" section, an example to import the target system certificate into the certificate store of the Oracle Identity Manager host computer has been added.
In Table 3-1, new attributes have been added.
In the "Limited Reconciliation vs. Regular Reconciliation" section, a new recon query has been added.
The following are documentation-specific updates in release 9.1.1.1:
In the "Limited Reconciliation vs. Regular Reconciliation" section, the NOT operator has been included in the list of operators that can be used to create the query.
In the "Known Issues" chapter, the issue tracked by Bug 8976436 has been added.
In Section 1.1, "Certified Components," the JDK requirement has been added.
The following are documentation-specific updates in release 9.1.1:
In the "Known Issues" chapter:
Bug 7518734 has been removed. The issue described by this bug was addressed when Bug 7450317 was resolved in release 9.1.0.1.
Descriptions for Bugs 7126712, 8346302, 7207232, and 6736667 have been added.
In the "Installing the Remote Manager" section, information about location for installing Remote Manager has been modified.
Microsoft Windows 2000 is no longer a supported host for the target system. All occurrences of "Microsoft Windows 2000" have been removed from this guide.
In the "Certified Components" section, changes have been made in the "Target systems and target system host platforms" row.
In the "User Provisioning Functions Supported by the Connector" section, the following functions have been added to the list of supported provisioning functions:
Create OU
Rename OU
Move OU
Delete OU
Major changes have been made in the structure of the guide. The objective of these changes is to synchronize the guide with the changes made to the connector and to improve the usabiliy of information provided by the guide.
See "Roadmap for Deploying and Using the Connector" for detailed information about the organization of content in this guide.