Oracle Identity Manager automates access rights management, security, and provisioning of IT resources. Oracle Identity Manager connectors are used to integrate Oracle Identity Manager with external, identity-aware applications. This guide discusses the connector that enables you to use Microsoft Exchange as a managed (target) resource of Oracle Identity Manager.
Note:
At some places in this guide, Microsoft Exchange has been referred to as the target system.

In the account management mode of the connector, information about mailboxes created or modified directly on the target system can be reconciled into Oracle Identity Manager. In addition, you can use Oracle Identity Manager to perform mailbox provisioning operations on the target system.
This chapter contains the following sections:
Table 1-1 lists the certified deployment configurations.

Table 1-1 Certified Deployment Configurations

Item | Requirement
---|---
Oracle Identity Manager | You can use one of the following releases of Oracle Identity Manager:
Target systems | The target system can be any one or a combination of the following:
Target system host platforms | The target system host platform can be any one of the following:
JDK | The JDK requirement is as follows:
Other systems | Microsoft Active Directory User Management connector. You must deploy the Microsoft Active Directory User Management connector before you can deploy and use the Microsoft Exchange connector. In addition, you must ensure that SSL is configured for the Microsoft Active Directory User Management connector. See Oracle Identity Manager Connector Guide for Microsoft Active Directory User Management for instructions to deploy the Microsoft Active Directory connector.
Depending on the Oracle Identity Manager version that you are using, you must deploy and use one of the following connectors:
If you are using an Oracle Identity Manager release that is later than release 9.1.0.1 and earlier than Oracle Identity Manager 11g Release 1 (11.1.1.5.6), then you must use the 9.1.1.x version of this connector.
If you are using Oracle Identity Manager 11g Release 1 (11.1.1.5.6) or later, or Oracle Identity Manager 11g Release 2 (11.1.2.0.6) or later, then use the 11.1.1.x version of this connector. However, if you are using Microsoft Exchange 2003, then you must use the 9.1.1.x versions for both Microsoft Active Directory User Management and Microsoft Exchange connectors.
If you are using Oracle Identity Manager 11g Release 2 (11.1.2.0.4) or later, then you must perform the steps mentioned in MetaLink note 1535369.1 to ensure the connector works as expected.
If you are using the Microsoft Exchange 9.1.x connector, then you must use the Microsoft Active Directory 9.1.x connector, and if you are using the Microsoft Exchange 11.1.1.x connector, then you must use the Microsoft Active Directory 11.1.1.x connector.
The connector supports the following languages:
Arabic
Chinese (Simplified)
Chinese (Traditional)
Danish
English
French
German
Italian
Japanese
Korean
Portuguese (Brazilian)
Spanish
See Also:
For information about the special characters supported by Oracle Identity Manager, see one of the following guides:
For Oracle Identity Manager release 9.1.0.x: Oracle Identity Manager Globalization Guide
For Oracle Identity Manager release 11.1.x: Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager
This section discusses the following topics:
Section 1.4.1, "Connector Architecture" describes the architecture of the connector.
The following sections describe the features of the managed resource mode of the connector:
This section discusses the following topics:
Note:
In Oracle Identity Manager release 11.1.x, a scheduled job is an instance of a scheduled task. In this guide, the term scheduled task used in the context of Oracle Identity Manager release 9.1.0.x is the same as the term scheduled job in the context of Oracle Identity Manager release 11.1.x. See Oracle Fusion Middleware System Administrator's Guide for Oracle Identity Manager for more information about scheduled tasks and scheduled jobs.
Section 1.4.1.2, "Architecture of the Connector for Microsoft Exchange 2007"
Section 1.4.1.3, "Reconciliation and Provisioning of Mailboxes Across Multiple Domains"
Note:
The connector requires the deployment of a Microsoft Active Directory User Management connector. The user account data is stored in Microsoft Active Directory. Before you can provision a Microsoft Exchange mailbox for a user, you must create an account for the user in Microsoft Active Directory. The Microsoft Exchange connector uses the data in Microsoft Active Directory during the mailbox provisioning operation. This means that the connector can be configured only in the account management mode, which involves target resource reconciliation and provisioning with Microsoft Exchange.

Microsoft Exchange uses Microsoft Active Directory as a user repository to store information about a user's mailbox, mail stores, and storage groups.
Figure 1-1 shows the architecture of the connector for Microsoft Exchange 2000 and Microsoft Exchange 2003.
Figure 1-1 Architecture of the Connector for Microsoft Exchange 2000 and Microsoft Exchange 2003
During a provisioning operation, the adapters create a mailbox for a user by setting the Exchange-specific attributes in the user's Active Directory profile. This information is used by the Recipient Update Service (RUS), a component of Exchange 2000 and Exchange 2003, to generate the SMTP and other e-mail addresses required to allow users to log in to their mailboxes. For more information about the RUS, visit the Microsoft Help and Support Web site at
During reconciliation, scheduled tasks fetch user mailbox and mail store data from the target system into Oracle Identity Manager.
Microsoft Exchange 2007 uses Microsoft Active Directory to store information about user mailboxes, mail stores, and Microsoft Exchange servers. Unlike Microsoft Exchange 2000 and 2003, Microsoft Exchange 2007 does not contain the RUS. Microsoft Exchange 2007 uses the Exchange Management Shell to carry out Exchange administration activities including mailbox management.
Figure 1-2 shows the architecture of the connector for Microsoft Exchange 2007.
Figure 1-2 Architecture of the Connector for Microsoft Exchange 2007
Microsoft Exchange 2007 requires the Exchange Management Shell (based on Windows PowerShell) to create mailboxes. Oracle Identity Manager uses a Remote Manager to communicate with the Exchange Management Shell. During provisioning operations, the adapters execute a PowerShell script through the Remote Manager to create or modify mailboxes.
During reconciliation, scheduled tasks fetch the user mailbox and mail store data from the target system into Oracle Identity Manager.
See Also:
For more information about Remote Managers, refer to:
The "Remote Manager Form" section in one of the following guides:
For Oracle Identity Manager release 9.1.0.x: Oracle Identity Manager Design Console Guide
For Oracle Identity Manager release 11.1.x: Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager
The "Back-End System Integration Tier" section in one of the following guides:
For Oracle Identity Manager release 9.1.0.x: Oracle Identity Manager Connector Concepts
For Oracle Identity Manager release 11.1.x: Oracle Fusion Middleware User's Guide for Oracle Identity Manager
The connector supports reconciliation and provisioning of mailboxes for users across multiple Microsoft Active Directory domains. For example, users on Domain 1 and Domain 2 can have mailboxes in the same Microsoft Exchange installation. Oracle Identity Manager can reconcile from and provision mailboxes for users who belong to each of these domains. Figure 1-3 illustrates this sample scenario.
Figure 1-3 Reconciliation and Provisioning of Mailboxes for Users Across Multiple Domains
During a provisioning operation, you use a lookup field to specify a single value from a set of values. When you deploy the connector, lookup definitions corresponding to the lookup fields on the target system are created in Oracle Identity Manager. Lookup field synchronization involves copying additions or changes made to the target system mail store data into the lookup definitions in Oracle Identity Manager.
Note:
As an implementation best practice, lookup fields should be synchronized before you perform reconciliation or provisioning operations.

Table 1-2 lists the lookup fields that are synchronized with their corresponding lookup definitions in Oracle Identity Manager.

Table 1-2 Lookup Definitions Created in Oracle Identity Manager

Lookup Definition | Target System Field | Method to Specify Values for the Lookup Definition
---|---|---
AtMap.Exchange | All the fields used during provisioning | You manually add or update entries in this lookup definition. If a value in this lookup does not work on the target system, then you must update the lookup with the correct value. This lookup definition contains mappings between the LDAP attributes of the target system and their corresponding process form fields in Oracle Identity Manager.
Lookup.Exchange.Configuration | Values of parameters used during provisioning and reconciliation | You use this lookup definition to specify parameters that are used during both reconciliation and provisioning. This lookup definition is discussed in Section 3.2, "Configuring the Lookup.Exchange.Configuration Lookup Definition."
Lookup.ExchangeReconciliation.MailStore | All mail stores of the target system | You use the Exchange Mail Store Lookup Reconciliation scheduled task to synchronize this lookup definition. This scheduled task is discussed in Section 3.3, "Scheduled Task for Lookup Field Synchronization." The format of entries stored in this lookup definition is as follows: Code Key: IT_RESOURCE_KEY~FORMATTED_MAILSTORE_DN; Decode: IT_RESOURCE_NAME~MAILSTORE_DN
Lookup.Deleted Item Manager | The deletedItemFlags field of the users | You manually add or update entries in this lookup definition. You use this lookup definition to modify attributes in the Deleted item retention section of the target system.
Lookup.Hide From Address list | The msExchHideFromAddressLists field of the users | You manually add or update entries in this lookup definition. You use this lookup definition to specify whether the user data is displayed in the Address list of the target system.
Lookup.Use Default Storage | The mDBUseDefaults field of the users | You manually add or update entries in this lookup definition. You use this lookup definition to specify whether or not the default storage values of mailboxes are used.
Lookup.Exchange.Constants | NA | This lookup definition stores constants and variables defined in the Java classes that constitute the connector. Caution: You must not change any entry in this lookup definition. If you change any entry, then the connector will not function correctly.
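The Lookup.ExchangeReconciliation.MailStore entry format and the synchronization that keeps it current, as an added Python example (not the connector's own Java code). It assumes the "formatted" DN in the code key is the DN with commas replaced by '#' (the guide does not state the real encoding); the IT resource keys and names and the mail store DNs are constructed sample data, one IT resource per Active Directory domain as in the multi-domain scenario of Section 1.4.1.3.

```python
"""Model of the Lookup.ExchangeReconciliation.MailStore lookup definition (Table 1-2):
    Code Key: IT_RESOURCE_KEY~FORMATTED_MAILSTORE_DN
    Decode:   IT_RESOURCE_NAME~MAILSTORE_DN
Added example, not connector code."""
from dataclasses import dataclass

SEP = "~"


def format_dn(dn: str) -> str:
    # Assumption: the code key carries a delimiter-safe form of the DN. The guide
    # does not specify the encoding; '#' for ',' is used here only for illustration.
    return dn.replace(",", "#")


@dataclass(frozen=True)
class MailStoreEntry:
    it_resource_key: str
    it_resource_name: str
    mailstore_dn: str

    @property
    def code_key(self) -> str:
        return f"{self.it_resource_key}{SEP}{format_dn(self.mailstore_dn)}"

    @property
    def decode(self) -> str:
        return f"{self.it_resource_name}{SEP}{self.mailstore_dn}"


def parse_entry(code_key: str, decode: str) -> MailStoreEntry:
    """Parse one lookup row and reject rows whose Code Key and Decode disagree."""
    key, _, formatted_dn = code_key.partition(SEP)
    name, _, dn = decode.partition(SEP)
    if not (key and formatted_dn and name and dn):
        raise ValueError(f"malformed lookup entry: {code_key!r} / {decode!r}")
    if format_dn(dn) != formatted_dn:
        raise ValueError(f"code key DN {formatted_dn!r} does not match decode DN {dn!r}")
    return MailStoreEntry(key, name, dn)


def sync_lookup(lookup: dict, it_key: str, it_name: str, target_dns: list) -> tuple:
    """Copy additions or changes for one IT resource into the lookup, as the
    Exchange Mail Store Lookup Reconciliation task does, and report entries for
    that IT resource that the target no longer returned (left in place, flagged)."""
    updated = dict(lookup)
    changed = []
    for dn in target_dns:
        entry = MailStoreEntry(it_key, it_name, dn)
        if updated.get(entry.code_key) != entry.decode:
            updated[entry.code_key] = entry.decode
            changed.append(dn)
    current = {format_dn(dn) for dn in target_dns}
    stale = [ck for ck in lookup
             if ck.startswith(it_key + SEP) and ck.partition(SEP)[2] not in current]
    return updated, changed, stale


def mail_stores_for(lookup: dict, it_key: str) -> list:
    """Mail store DNs that the Mail Store Name lookup field should offer for one IT resource."""
    return sorted(parse_entry(ck, dec).mailstore_dn
                  for ck, dec in lookup.items() if ck.startswith(it_key + SEP))


# Constructed sample data: two IT resources, one per Active Directory domain.
DOMAIN1_DNS = ["CN=Mailbox Store (EX1),CN=First Storage Group,CN=InformationStore,CN=EX1,DC=domain1,DC=example"]
DOMAIN2_DNS = ["CN=Mailbox Database,CN=Second Storage Group,CN=InformationStore,CN=EX2,DC=domain2,DC=example",
               "CN=Mailbox Database 2,CN=Second Storage Group,CN=InformationStore,CN=EX2,DC=domain2,DC=example"]

if __name__ == "__main__":
    lookup, _, _ = sync_lookup({}, "1", "Exchange Domain1", DOMAIN1_DNS)
    lookup, _, _ = sync_lookup(lookup, "2", "Exchange Domain2", DOMAIN2_DNS)
    print(mail_stores_for(lookup, "2"))
    # A later run in which the second store has disappeared: reported, not silently dropped.
    _, changed, stale = sync_lookup(lookup, "2", "Exchange Domain2", DOMAIN2_DNS[:1])
    print(changed, stale)
```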
In the account management mode, the connector can be used to perform target resource reconciliation and provisioning.
Target resource reconciliation involves fetching data about newly created or modified mailboxes on the target system and using this data to create or modify mailbox resources assigned to OIM Users. The Exchange Reconciliation Task scheduled task is used to start target resource reconciliation runs. This scheduled task is discussed in Section 3.4.3, "Reconciliation Scheduled Tasks."
See Also:
The "Target Resource Reconciliation" section in Oracle Identity Manager Connector Concepts for conceptual information about target resource reconciliation

This section discusses the following topics:
Section 1.4.3.1, "Types of Reconciliation Enabled by the Connector"
Section 1.4.3.2, "Mailbox Fields for Target Resource Reconciliation"
Based on the type of data reconciled from the target system, reconciliation can be divided into the following types:
Section 1.4.3.1.1, "Reconciliation of Mailbox Data from Mail Stores"
Section 1.4.3.1.2, "Reconciliation of Mailbox Data from Distribution Groups"
During this type of reconciliation, mailbox data is fetched either from all mail stores configured with the Microsoft Active Directory server on which Microsoft Exchange is enabled, or from mail stores specified in the Exchange Reconciliation Task scheduled task.
You can reconcile mail store data individually from Microsoft Exchange 2000, 2003, or 2007. Alternatively, you can use the connector to integrate Oracle Identity Manager with a combination of different Microsoft Exchange versions, such as Exchange 2003 and 2007. This is known as the mixed mode setup.
In a mixed mode scenario, Microsoft Active Directory user objects are stored on Microsoft Active Directory and mailboxes of Microsoft Active Directory users are stored on different Microsoft Exchange installations. For example, user1 and user2 can belong to the same Microsoft Active Directory instance while having a mailbox in Microsoft Exchange 2003 and Microsoft Exchange 2007, respectively.
During this type of reconciliation, mailbox data is fetched from all or specific distribution groups specified in the Exchange Reconciliation Task scheduled task. If you want to fetch mailbox data from a specific distribution group, then you can perform query-based reconciliation of mailbox data from distribution groups.
You can also perform distribution group reconciliation and query-based distribution group reconciliation for Microsoft Exchange 2000 and 2003, or distribution group reconciliation and dynamic distribution group reconciliation for Exchange 2007, in a mixed mode setup.
Table 1-3 lists the mailbox fields from which values are fetched during a target resource reconciliation run.
Table 1-3 Mailbox Fields for Target Resource Reconciliation

Process Form Field | Target System Field | Description
---|---|---
Deleted Item Manager | deletedItemFlags | Number of items in the Deleted Items folder
Display Name | displayName | Name of a user as displayed in the address book. This is usually a combination of the user's first name, middle initial, and last name.
Email Alias (Note: This is a mandatory field.) | mailNickname | Mailbox alias, which is generally the same as sAMAccountName. Note: sAMAccountName is the user login for Microsoft Active Directory.
Garbage Collection Period | garbageCollPeriod | Time interval, in days, between garbage collection runs. This field corresponds to the "Keep deleted items for (days)" field on the target system.
Hide From Address Lists | msExchHideFromAddressLists | Specifies if the user appears in address lists
Mailbox Size Receipt Quota | mDBOverHardQuotaLimit | Maximum mailbox size, in KB, over which sending and receiving e-mail is disabled. This field corresponds to the "Prohibit send and receive at (KB)" field on the target system.
Mailbox Size Transmit Quota | mDBOverQuotaLimit | Mailbox quota overdraft limit, in KB. This field corresponds to the "Prohibit send at (KB)" field on the target system.
Mailbox Warning Size | mDBStorageQuota | Message database quota, in KB. This field corresponds to the "Issue warning at (KB)" field on the target system.
Major Business Number | telephonenumber | Primary office phone number
Max Incoming Message Size | delivContLength | Maximum incoming message size, in KB
Max Outgoing Message Size | submissionContLength | Maximum outgoing message size, in KB
Max Recipients Per Message | msExchRecipLimit | Maximum number of recipients of a single e-mail
Mobile Number | mobile | Primary mobile phone number
Object GUID | objectGUID | GUID based on the current time stamp assigned to an object
Other Business Number | otherTelephone | Alternative office phone number
Pager Number | pager | Primary pager number
Use Storage Defaults | mDBUseDefaults | Specifies whether or not the mailbox store must use the default quota, instead of the per-mailbox quota. This field corresponds to the "Use mailbox store defaults" field on the target system.
Primary Email | proxyAddresses | Primary e-mail address
Log On Name | userPrincipalName | User principal name
Mail Store Name | homeMDB | Mail store database name of the user
DB User Defaults | mDBUseDefaults | User database size defaults
The following is the default reconciliation rule for this connector:
Rule Name: Exchange Recon
Rule Element: User Login Equals sAMAccountName
In this rule:
User Login is the User ID field on the OIM User form.
sAMAccountName is the User ID field of Microsoft Active Directory. Microsoft Exchange uses the same User ID during reconciliation.
After you deploy the connector, you can view the reconciliation rule for the connector by performing the following steps:
Note:
Perform the following procedure only after the connector is deployed.

Log in to the Oracle Identity Manager Design Console.
Expand Development Tools.
Double-click Reconciliation Rules.
Search for Exchange Recon. Figure 1-4 shows the reconciliation rule for the connector.
Figure 1-4 Reconciliation Rule for the Exchange Connector
Table 1-4 lists the action rules for target resource reconciliation.
Table 1-4 Action Rules for Target Resource Reconciliation

Rule Condition | Action
---|---
No Matches Found | Assign to Administrator With Least Load
One Entity Match Found | Establish Link
One Process Match Found | Establish Link
After you deploy the connector, you can view the action rules for the connector by performing the following steps:
Note:
For any rule condition that is not predefined for this connector, Oracle Identity Manager will neither perform any action nor log an error.

Log in to the Oracle Identity Manager Design Console.
Expand Resource Management.
Double-click Resource Objects.
Search for and open the Exchange resource object.
Click the Object Reconciliation tab, and then the Reconciliation Action Rules tab. The Reconciliation Action Rules tab displays the action rules defined for this connector. Figure 1-5 shows the reconciliation action rules for the connector.
Figure 1-5 Reconciliation Action Rules for the Connector
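The matching and action logic described above, as an added Python example (not the connector's or Oracle Identity Manager's own code): the Exchange Recon rule (User Login Equals sAMAccountName) decides entity matches, and Table 1-4 decides the action, with undefined conditions producing no action and no error. Users, mailbox resources and reconciliation events are constructed sample data; matching an existing mailbox resource by its objectGUID, and checking process matches before entity matches, are assumptions the guide does not state.

```python
"""Target resource reconciliation decision model. Added example, not connector code."""
from dataclasses import dataclass, field

ASSIGN_TO_ADMIN = "Assign to Administrator With Least Load"
ESTABLISH_LINK = "Establish Link"


@dataclass
class OimUser:
    user_login: str                                  # User ID field on the OIM User form
    mailboxes: list = field(default_factory=list)   # linked Exchange resource instances (process forms)


def entity_matches(event: dict, users: list) -> list:
    """Reconciliation rule "Exchange Recon": User Login Equals sAMAccountName (plain equality)."""
    sam = event.get("sAMAccountName")
    return [u for u in users if sam is not None and u.user_login == sam]


def process_matches(event: dict, users: list) -> list:
    """Assumed process-matching key: the objectGUID the connector reconciles (Table 1-3)."""
    guid = event.get("objectGUID")
    return [(u, m) for u in users for m in u.mailboxes if guid and m.get("objectGUID") == guid]


def decide(event: dict, users: list) -> tuple:
    """Return (rule condition, action). Action is None for a condition Table 1-4 does not
    define; Oracle Identity Manager then neither performs an action nor logs an error."""
    pm = process_matches(event, users)          # assumption: existing resources are checked first
    if len(pm) == 1:
        return "One Process Match Found", ESTABLISH_LINK
    if len(pm) > 1:
        return "Multiple Process Matches Found", None
    em = entity_matches(event, users)
    if not em:
        return "No Matches Found", ASSIGN_TO_ADMIN
    if len(em) == 1:
        return "One Entity Match Found", ESTABLISH_LINK
    return "Multiple Entity Matches Found", None


def reconcile(event: dict, users: list, admin_queue: list) -> str:
    """Apply the decided action to the in-memory model and return the condition hit."""
    condition, action = decide(event, users)
    if action == ESTABLISH_LINK:
        if condition == "One Process Match Found":
            _, mailbox = process_matches(event, users)[0]
            mailbox.update(event)                                  # modify the linked resource
        else:
            entity_matches(event, users)[0].mailboxes.append(dict(event))   # create and link
    elif action == ASSIGN_TO_ADMIN:
        admin_queue.append(event)                                  # left for manual linking
    return condition


def sample_users() -> list:
    # Constructed sample data: two distinct users and a duplicated login that no rule covers.
    return [OimUser("jdoe"),
            OimUser("asmith", [{"objectGUID": "guid-asmith", "mailNickname": "asmith"}]),
            OimUser("dup"), OimUser("dup")]


if __name__ == "__main__":
    users, queue = sample_users(), []
    for ev in ({"sAMAccountName": "jdoe", "objectGUID": "guid-jdoe"},
               {"sAMAccountName": "asmith", "objectGUID": "guid-asmith", "mDBUseDefaults": False},
               {"sAMAccountName": "ghost", "objectGUID": "guid-ghost"},
               {"sAMAccountName": "dup", "objectGUID": "guid-dup"}):
        print(ev["sAMAccountName"], "->", reconcile(ev, users, queue))
```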
Provisioning involves creating or modifying mailbox data on the target system through Oracle Identity Manager.
See Also:
The "Provisioning" section in Oracle Identity Manager Connector Concepts for conceptual information about provisioning

This section discusses the following topics:
Table 1-5 lists the supported mailbox provisioning functions and the adapters that perform these functions. The functions listed in the table correspond to either a single or multiple process tasks.
See Also:
Oracle Identity Manager Connector Concepts for generic information about adapters

Table 1-5 Mailbox Provisioning Functions Supported by the Connector

Function | Adapter
---|---
Create a mailbox | MEXC Create Mailbox. The following adapters are triggered before the MEXC Create Mailbox adapter is triggered: If the mailbox is successfully created, then the following adapters are triggered:
Delete a mailbox | MEXC Delete Mailbox
Update the Deleted Item Manager | MEXC Update User Property
Update a display name | MEXC Update User Property
Update an e-mail alias | MEXC Update User Property
Update the garbage collection period (Days) | MEXC Update User Property
Update the "hide from address lists" field | MEXC Update User Property
Update the mailbox size receipt quota (KB) | MEXC Update User Property
Update the mailbox size transmit quota (KB) | MEXC Update User Property
Update the mailbox warning size (KB) | MEXC Update User Property
Update a major business number | MEXC Update User Property
Update the maximum incoming message size (KB) | MEXC Update User Property
Update the maximum outgoing message size (KB) | MEXC Update User Property
Update the maximum recipients per message | MEXC Update User Property
Set Exchange-related properties | MEXC Update User Property
Update the use storage defaults | MEXC Update User Property
Get ObjectGUID from Process | MEXC Get Value From User Process
Update a mobile number | MEXC Update User Property
Update any other business number | MEXC Update User Property
Update a pager number | MEXC Update User Property
Update a primary e-mail address | MEXC Set Primary Email
Disable mailbox | MEXCDisableMailBox
Enable mailbox | MEXCEnableMailBox
Table 1-6 lists the mailbox fields used for provisioning. These fields are used in provisioning operations performed on Microsoft Exchange 2000, Microsoft Exchange 2003, and Microsoft Exchange 2007.

Table 1-6 Mailbox Fields Used in Provisioning

Process Form Field | Microsoft Exchange Field | Description | Adapter
---|---|---|---
Deleted Item Manager | deletedItemFlags | Number of items in the Deleted Items folder. If this field is not available or its value is 0 (zero), then the "Use mailbox store defaults" check box on the target system is automatically selected. If this field is available and its value is nonzero, then that check box is automatically deselected. If the value of this field is 3, then the "Do not permanently delete items until the store has been backed up" check box is automatically selected on the target system; for any other value, that check box is automatically deselected. Note: The nonzero value can be configured in the Lookup.Deleted Item Manager lookup definition. This depends on the value of the field on the target system. | MEXC Update User Property
Display Name | displayName | Name of a user as displayed in the address book. This is usually a combination of the user's first name, middle initial, and last name. | MEXC Update User Property
Garbage Collection Period (Days) | garbageCollPeriod | Time interval, in days, between garbage collection runs. This field corresponds to the "Keep deleted items for (days)" field on the target system. The value of the "Keep deleted items for (days)" field takes effect only when the Deleted Item Manager field value is nonzero. | MEXC Update User Property
Email Alias (Note: This is a mandatory field.) | mailNickname | Mailbox alias, which is generally the same as sAMAccountName | MEXC Update User Property
Hide From Address Lists | msExchHideFromAddressLists | Specifies if the user appears in address lists. Default value: Note: This field is not used during mailbox creation. It can be used only during a mailbox update. | MEXC Update User Property
Mailbox Size Receipt Quota (KB) | mDBOverHardQuotaLimit | Maximum mailbox size, in KB, over which sending and receiving e-mail is disabled. This field corresponds to the "Prohibit send and receive at (KB)" field on the target system. Default value: 0. Note: If you want to specify a mailbox size receipt quota, then set the value of the Use Storage Defaults field as | MEXC Update User Property
Mailbox Size Transmit Quota (KB) | mDBOverQuotaLimit | Mailbox quota overdraft limit, in KB. This field corresponds to the "Prohibit send at (KB)" field on the target system. Default value: Note: If you want to specify a mailbox size transmit quota, then set the value of the Use Storage Defaults field as | MEXC Update User Property
Mailbox Warning Size (KB) | mDBStorageQuota | Message database quota, in KB. This field corresponds to the "Issue warning at (KB)" field on the target system. Default value: Note: If you want to specify a mailbox warning size, then set the value of the Use Storage Defaults field as | MEXC Update User Property
Major Business Number | telephonenumber | Primary office phone number | MEXC Update User Property
Max Incoming Message Size (KB) | delivContLength | Maximum incoming message size, in KB | MEXC Update User Property
Max Outgoing Message Size (KB) | submissionContLength | Maximum outgoing message size, in KB | MEXC Update User Property
Max Recipients Per Message | msExchRecipLimit | Maximum number of recipients of a single e-mail | MEXC Update User Property
Use Storage Defaults | mDBUseDefaults | Storage defaults configuration. Default value: true | MEXC Update User Property
Mobile Number | mobile | Primary mobile phone number | MEXC Update User Property
Object GUID | objectGUID | GUID based on the current time stamp assigned to an object | MEXC Get Value From User Process
Other Business Number | otherTelephone | Alternative office phone number | MEXC Update User Property
Pager Number | pager | Primary pager number | MEXC Update User Property
Primary Email | proxyAddresses | Primary e-mail address | MEXC Set Primary Email
Mail Store Name (Note: This is a mandatory field for provisioning.) | homeMDB | Indicates the mail store and the server name to which the mailbox must be provisioned. The Lookup.ExchangeReconciliation.MailStore lookup definition behind this field is populated after successful reconciliation of mail stores. Note: Although this is a mandatory field, it is not marked as mandatory in the process form. This is done so that the accounts of mail users who do not have a mail store can be reconciled in Microsoft Exchange 2007. | MEXC Create Mailbox
Log On Name (Note: This is a mandatory field for provisioning in Microsoft Exchange 2007.) | userPrincipalName | userPrincipalName of an AD object. During a provisioning operation, you must enter the logon name in the following format: Note: The domain name in the specified format corresponds to the Microsoft Active Directory domain name. | MEXC Create Mailbox
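The field rules of Table 1-6 turned into a pre-provisioning check, as an added Python example (not the connector's own code): which fields are mandatory, which values the target system ignores (per-mailbox quotas while Use Storage Defaults is true, the garbage collection period while Deleted Item Manager is zero, Hide From Address Lists during creation), and the target-system check boxes that follow from Deleted Item Manager. The process form values are constructed sample data; that quotas apply only when Use Storage Defaults is false follows from the Use Storage Defaults description, since the table's own note is truncated.

```python
"""Pre-provisioning check for the Exchange mailbox process form (Table 1-6).
Added example, not connector code."""

# Process form field -> Microsoft Exchange (LDAP) attribute, as listed in Table 1-6.
AT_MAP = {
    "Deleted Item Manager": "deletedItemFlags",
    "Display Name": "displayName",
    "Garbage Collection Period (Days)": "garbageCollPeriod",
    "Email Alias": "mailNickname",
    "Hide From Address Lists": "msExchHideFromAddressLists",
    "Mailbox Size Receipt Quota (KB)": "mDBOverHardQuotaLimit",
    "Mailbox Size Transmit Quota (KB)": "mDBOverQuotaLimit",
    "Mailbox Warning Size (KB)": "mDBStorageQuota",
    "Max Incoming Message Size (KB)": "delivContLength",
    "Max Outgoing Message Size (KB)": "submissionContLength",
    "Max Recipients Per Message": "msExchRecipLimit",
    "Use Storage Defaults": "mDBUseDefaults",
    "Mail Store Name": "homeMDB",
    "Log On Name": "userPrincipalName",
}
QUOTA_FIELDS = ("Mailbox Warning Size (KB)", "Mailbox Size Transmit Quota (KB)",
                "Mailbox Size Receipt Quota (KB)")


def validate_request(form: dict, exchange_version: int, is_create: bool = True) -> list:
    """Return the problems a provisioning request would run into on the target system."""
    problems = []
    for name in ("Email Alias", "Mail Store Name"):   # Mail Store Name is mandatory but not flagged in the form
        if not form.get(name):
            problems.append(f"{name} is mandatory for provisioning")
    if exchange_version >= 2007 and not form.get("Log On Name"):
        problems.append("Log On Name is mandatory for provisioning in Microsoft Exchange 2007")
    if is_create and form.get("Hide From Address Lists") is not None:
        problems.append("Hide From Address Lists is not used during mailbox creation")
    # Assumption: per-mailbox quotas take effect only when Use Storage Defaults is false.
    if form.get("Use Storage Defaults", True) and any(form.get(f) for f in QUOTA_FIELDS):
        problems.append("per-mailbox quotas are ignored while Use Storage Defaults is true")
    if not (form.get("Deleted Item Manager") or 0) and form.get("Garbage Collection Period (Days)"):
        problems.append("Garbage Collection Period takes effect only when Deleted Item Manager is nonzero")
    return problems


def target_checkboxes(form: dict) -> dict:
    """Check box states the guide says the target system derives from the form values."""
    dim = form.get("Deleted Item Manager") or 0
    return {
        "Deleted item retention: Use mailbox store defaults": dim == 0,
        "Do not permanently delete items until the store has been backed up": dim == 3,
        "Storage limits: Use mailbox store defaults": bool(form.get("Use Storage Defaults", True)),
    }


def effective_attributes(form: dict) -> dict:
    """LDAP attributes that will actually take effect, dropping values the target ignores."""
    use_defaults = bool(form.get("Use Storage Defaults", True))
    dim = form.get("Deleted Item Manager") or 0
    attrs = {}
    for field, attr in AT_MAP.items():
        if field not in form:
            continue
        if field in QUOTA_FIELDS and use_defaults:
            continue
        if field == "Garbage Collection Period (Days)" and dim == 0:
            continue
        attrs[attr] = form[field]
    return attrs


# Constructed sample request for a Microsoft Exchange 2007 mailbox.
SAMPLE_FORM = {
    "Email Alias": "jdoe", "Log On Name": "jdoe@domain1.example",
    "Mail Store Name": "CN=Mailbox Database,CN=Second Storage Group,CN=InformationStore,CN=EX2,DC=domain1,DC=example",
    "Use Storage Defaults": False, "Mailbox Warning Size (KB)": 90000,
    "Deleted Item Manager": 3, "Garbage Collection Period (Days)": 14,
}

if __name__ == "__main__":
    print(validate_request(SAMPLE_FORM, 2007), target_checkboxes(SAMPLE_FORM), effective_attributes(SAMPLE_FORM))
```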
Figure 1-6 shows the process form fields for this connector.
Figure 1-6 Process Form Fields of the Connector
The following is the organization of information in the rest of the guide:
Chapter 2, "Deploying the Connector" describes procedures that you must perform on Oracle Identity Manager and the target system during each stage of connector deployment.
Chapter 3, "Using the Connector" describes guidelines on using the connector and the procedure to perform provisioning operations and configure reconciliation runs.
Chapter 4, "Extending the Functionality of the Connector" describes procedures that you can perform if you want to extend the functionality of the connector.
Chapter 5, "Known Issues and Troubleshooting" lists the known issues associated with this release of the connector.
Appendix A, "Special Characters Supported for Alias Name" lists special characters that you can use in the Alias Name field on the target system and Oracle Identity Manager.