1 About the Connector

Oracle Identity Manager automates access rights management, security, and provisioning of IT resources. Oracle Identity Manager connectors are used to integrate Oracle Identity Manager with third-party applications. This guide discusses the procedure to deploy the connector that is used to integrate Oracle Identity Manager with Microsoft Active Directory.

Note:

Oracle Identity Manager connectors were referred to as resource adapters prior to the acquisition of Thor Technologies by Oracle.

This chapter contains the following sections:

Reconciliation Module
Provisioning Module
Supported Functionality
Multilanguage Support
Files and Directories on the Installation Media
Determining the Release Number of the Connector

Note:

In this guide, the term Oracle Identity Manager server refers to the computer on which Oracle Identity Manager is installed.

At some places in this guide, Microsoft Active Directory has been referred to as the target system.

1.1 Reconciliation Module

Reconciliation involves duplicating in Oracle Identity Manager the creation of and modifications to user accounts on the target system. It is an automated process initiated by a scheduled task that you configure.

1.1.1 Lookup Fields Reconciliation

To populate the Lookup.ADReconliation.GroupLookup lookup definition, the following fields of AD Groups are reconciled:

sAMAccountName
objectGUID

To populate the Lookup.AD.PrimaryGroupList lookup definition, the following fields of AD Primary Groups are reconciled:

sAMAccountName
primaryGroupToken

To populate the Lookup.ADReconciliation.Organization lookup definition, the following field of AD Organizations is reconciled:

distinguishedName

1.1.2 Group Reconciliation

The reconciliation module extracts the following elements from the target system to construct AD Group reconciliation event records:

sAMAccountName
objectGUID
Organization Name
instanceType
cn

1.1.3 User Reconciliation

Fields that are mapped for reconciliation depend on the type of reconciliation that you configure:

Reconciled Resource Object Fields

If you configure the connector for target resource reconciliation, then the following fields are reconciled:

Note:

You can map other fields of the target system for reconciliation. Instructions are provided later in this guide.

sAMAccountName

Note:
The sAMAccountName field must be reconciled from the target system during user reconciliation.
objectGUID
name
memberOf
sn
cn
Initials

Reconciled Xellerate User Fields

If you configure the connector for trusted source reconciliation, then the following fields are reconciled:

User Login (mandatory field)
First Name (mandatory field)
Last Name (mandatory field)
Xellerate Type (mandatory field)
Organization Name (mandatory field)
Middle Name
Role
Password
Start Date
End Date
Email
Status

1.2 Provisioning Module

Provisioning involves creating or modifying a user's access rights on the target system through Oracle Identity Manager. You use the Oracle Identity Manager Administrative and User Console to perform provisioning operations.

1.2.1 Organization Provisioning

The following fields are provisioned:

USN Create
USN Change
objectGUID
Organization Name

This is the value of the Name field in the Create Organization form of the Oracle Identity Manager Administrative and User Console.

1.2.2 Group Provisioning

The following fields are provisioned:

Group Name
Organization Name
objectGUID
Group Type
Group Display Name

1.2.3 User Provisioning

The following fields are provisioned:

User ID

Note:
Microsoft Active Directory restricts the number of characters in the user ID field to 20 characters. Therefore, while provisioning a user through Oracle Identity Manager, you must not enter more than 20 characters in this field.
Password
objectGUID
Organization Name
First Name
Last Name
Middle Name
User Must Change Password at Next Logon
Password Never Expires
Account Expiration Date
Full Name
Group Name

The following table lists special characters that are supported in process form fields:

Note:

The following special characters are not supported in process form fields:

Single quotation mark (')
Double quotation mark (")

Name of the Character	Character
ampersand	&
asterisk	*
at sign	@
caret	^
comma	,
dollar sign	$
equal sign	=
exclamation point	!
hyphen	-
left brace	{
left bracket	[
left parenthesis	(
number sign	#
percent sign	%
period	.
plus sign	+
question mark	?
right brace	}
right bracket	]
right parenthesis	)
slash	/
underscore	_

1.3 Supported Functionality

The following table lists the functions that are available with this connector.

Function	Type	Description
Create User	Provisioning	Creates a user
Move User	Provisioning	Moves a user from one organization to another
Delete User	Provisioning	Deletes a user
Enable User	Provisioning	Enables a disabled user
Disable User	Provisioning	Disables a user
Get Organization USN	Provisioning	Retrieves the USN of an organization
Create Organization	Provisioning	Creates an organization
Get Organization USN Changed	Provisioning	Retrieves the USN of an organization after an update
Delete Organization	Provisioning	Deletes an organization
Get User objectGUID	Provisioning	Retrieves the objectGUID of a user
User Must Change Password at Next Logon Updated	Provisioning	Updates a user's profile according to a change in the User Must Change Password at Next Logon attribute
Set Account Expiration Date	Provisioning	Updates a user's profile according to a change in the Account Expiration Date attribute
Password Never Expires Updated	Provisioning	Updates a user's profile according to a change in the Password Never Expires attribute
Update User ID	Provisioning	Updates a user's profile according to a change in the User ID attribute
Add User to Group	Provisioning	Adds a user to a group
Remove User from Group	Provisioning	Removes a user from a group
Create AD Group	Provisioning	Creates an AD group
Delete AD Group	Provisioning	Deletes an AD group
Update Group Name	Provisioning	Updates an AD group name
Get Group objectGUID	Provisioning	Retrieves the objectGUID of a group
Lock User	Provisioning	Locks the user
Unlock User	Provisioning	Unlocks the user
Update First Name	Provisioning	Updates a user's profile according to a change in the First Name attribute
Update Last Name	Provisioning	Updates a user's profile according to a change in the Last Name attribute
Move Group	Provisioning	Moves a group from one organization to another
Trusted Reconciliation for User	Reconciliation	Creates OIM User accounts corresponding to reconciled Microsoft Active Directory accounts
Create User	Reconciliation	Reconciles Microsoft Active Directory accounts
Create Organization	Reconciliation	Creates organizations along with users in Oracle Identity Manager corresponding to reconciled Microsoft Active Directory accounts (and their root organizations)
Create Group	Reconciliation	Creates groups along with users in Oracle Identity Manager corresponding to reconciled Microsoft Active Directory accounts (and their parent groups)

1.4 Multilanguage Support

The connector supports the following languages:

Arabic
Chinese Simplified
Chinese Traditional
Danish
English
French
German
Italian
Japanese
Korean
Portuguese (Brazilian)
Spanish

1.5 Files and Directories on the Installation Media

The files and directories on the installation media are listed in the following table:

File in the Installation Media Directory	Description
lib/xliActiveDirectory.jar	This JAR file contains the class files required for provisioning.
lib/xliADRecon.jar	This JAR file contains the class files required for reconciliation.
Files in the `resources` directory	Each of these resource bundle files contains language-specific information that is used by the connector. Note: A resource bundle is a file containing localized versions of the text strings that are displayed on the user interface of Oracle Identity Manager. These text strings include GUI element labels and messages displayed on the Administrative and User Console.
scripts/install.bat	This batch file is used to add a certificate to the keystore if Oracle Identity Manager is installed on a Microsoft Windows operating system.
scripts/install.sh	This file is used to add a certificate to the keystore if Oracle Identity Manager is installed on a UNIX-based system.
test/config/config.properties	This file is used to set input test data for the connector test suite.
test/lib/xliADTest.jar	This JAR file contains the class files required for the connector test suite.
test/scripts/runADTest.bat	This file is used to run a test using the connector test suite.
xml/xliADResourceObject.xml	This XML file contains definitions for the connector components related to reconciliation and provisioning. These components include: All resource objects for reconciliation and provisioning IT resource types Custom process forms Process task and adapters (along with their mappings) Login resource objects Provisioning process Pre-populate rules
xml/xliADXLResourceObject.xml	This XML file contains the configuration for the objects, such as Xellerate User (OIM User) and Xellerate Organization, which are specific to trusted sources. You must import this file only if you plan to use the connector in trusted source reconciliation mode.

Note:

The files in the test directory are used only to run tests on the connector.

The "Copying the Connector Files and External Code Files" section provides instructions to copy these files into the required directories.

1.6 Determining the Release Number of the Connector

You might have a deployment of an earlier release of the connector. While deploying the latest release, you might want to know the release number of the earlier release. To determine the release number of the connector that has already been deployed:

In a temporary directory, extract the contents of the following JAR file:
```
OIM_HOME/xellerate/JavaTasks/xliActiveDirectory.jar
```
Open the manifest.mf file in a text editor. The manifest.mf file is one of the files bundled inside the xliActiveDirectory.jar file.

In the manifest.mf file, the release number of the connector is displayed as the value of the Version property.