Oracle® Identity Manager Connector Guide for Microsoft Active Directory Release 9.0.4 Part Number E10429-10
This chapter provides an overview of the updates made to the software and documentation for the Microsoft Active Directory connector in release 9.0.4.17.
See Also: The earlier release of this guide for information about updates that were new in that release.
The updates discussed in this chapter are divided into the following categories:
This section describes updates made to the connector software.
Documentation-Specific Updates
This section describes major changes made to this guide. These changes are not related to software updates.
The following sections discuss updates made from release 9.0.4 to the current release of the connector:
The following are software updates in release 9.0.4.1_6742854:
Support for Lookup Field Reconciliation of Security Groups and Organizations
Separate Scheduled Tasks for Trusted Source and Target Resource Reconciliation
Support for the Application of Native LDAP Queries During Reconciliation
Support for Mapping New Attributes for Reconciliation and Provisioning
The functionality of the scheduled task has been extended to cover lookup field reconciliation of security groups and organizations.
See "Lookup Fields Reconciliation" for more information. See "Lookup Fields Reconciliation Scheduled Task" for information about the scheduled tasks that automate reconciliation of these lookup fields.
The connector now supports the following provisioning operations (functions):
Lock User
Unlock User
Update First Name
Update Last Name
Move Group
See "Supported Functionality" for information about these functions.
Parameters to track the time at which reconciliation runs end have been added to the IT resource. Parameters that accepted true and false in earlier releases now accept yes and no.
The isOrgLookupDN parameter has been added to the IT resource definition. You use this parameter to specify whether DN or relative DN values must be stored in the Lookup.ADReconciliation.Organization lookup definition during lookup reconciliation.
See "Defining IT Resources" for more information.
These scheduled tasks are discussed in the "User Reconciliation Scheduled Task" section.
From this release onward, the ldapbp.jar file is the only external code file required for connector operations.
See "Copying the Connector Files and External Code Files" for information about downloading and using this file.
In the earlier release, you specified the query condition for limited reconciliation by using operators that are not native to the target system. You can now specify the query condition by using either non-native or native operators. You use the CustomizedReconQuery and isNativeQuery attributes of the user reconciliation scheduled task for this purpose.
See "Partial Reconciliation" for more information.
You can map new target system attributes with Oracle Identity Manager attributes for reconciliation and provisioning. See the following sections for more information:
There are no software updates in releases 9.0.4.2 through 9.0.4.4.
The following are issues resolved in release 9.0.4.5:
Bug Number | Issue | Resolution |
---|---|---|
6989471 | An attempt by a user to change a password by using the Forgot Password self-service feature would always fail, even if the user correctly answered the challenge questions. The "Invalid user found" message is displayed as the outcome of this operation. | This issue has been fixed, and you can now change the password by using the Forgot Password feature. |
The following are issues resolved in release 9.0.4.6:
Bug Number | Issue | Resolution |
---|---|---|
6976717 | During a Create User provisioning operation, if you entered a comma in the Full Name field, then the operation would fail. This was because the Full Name field of Oracle Identity Manager was mapped to the cn field of the target system. | In the AtMap.AD lookup definition, the cn field of the target system has been mapped to the User ID field of Oracle Identity Manager. If required, you can change this mapping in the lookup definition so that the cn field is mapped to a different Oracle Identity Manager field. See Oracle Identity Manager Design Console Guide for information about modifying lookup definitions. |
There are no software updates in release 9.0.4.7.
There are no software updates in release 9.0.4.8.
There are no software updates in release 9.0.4.9.
The following are issues resolved in release 9.0.4.10:
Bug Number | Issue | Resolution |
---|---|---|
7031943 | Suppose the target system contains two domains that are configured as a parent-child pair. Groups grp1 and grp2 are created on the parent and child domain, respectively. User John Doe is a member of both groups. Through group reconciliation, groups grp1 and grp2 have been created in Oracle Identity Manager. During user reconciliation, reconciliation of John's record failed because user matching was based on the | This issue has been resolved. User matching during reconciliation is now based on the DN of the user. Therefore, user reconciliation is successful even when a user is a member of groups on both parent and child Microsoft Active Directory domains. |
The following are issues resolved in release 9.0.4.10.1:
Bug Number | Issue | Resolution |
---|---|---|
7112864 | The name of an OU created in Oracle Identity Manager through reconciliation was converted to lowercase letters. For example, if you created the MyOrg OU in the target system, then the OU created in Oracle Identity Manager through reconciliation was named myorg. During subsequent user reconciliation runs, the target system OU could not be matched with its corresponding OU in Oracle Identity Manager. Therefore, reconciliation of users belonging to the OU failed. | This issue has been resolved. The case (uppercase and lowercase) of the name of an OU created in Oracle Identity Manager through reconciliation is the same as the case of the OU name on the target system. |
The following are issues resolved in release 9.0.4.11:
Bug Number | Issue | Resolution |
---|---|---|
7314549 | A provisioning operation failed if you entered the slash character (/) in the Full Name field. | This issue has been resolved. During a provisioning operation, you can now enter the slash character in the Full Name fields. |
The following are issues resolved in release 9.0.4.12:
Bug Number | Issue | Resolution |
---|---|---|
7336488 | During group lookup reconciliation, target system groups were reconciled under a single organization in Oracle Identity Manager. | You can now specify whether each target system group must be reconciled into an organization of its own or all target system groups must be reconciled into a single organization. To implement this feature, the following attributes have been introduced in the See "User Reconciliation Scheduled Task" for information about these attributes. |
In addition, Arabic and Danish have been added to the list of supported languages.
The following are issues resolved in release 9.0.4.13:
Bug Number | Issue | Resolution |
---|---|---|
7449155 | During a Create User provisioning operation, if you entered a comma in the Full Name field, then the operation would fail. This was because the Full Name field of Oracle Identity Manager was mapped to the cn field of the target system. | This issue has been resolved. See "User Provisioning" for information about special characters that are supported in the Full Name field. |
7328972 | During a provisioning operation, a user could not be made a member of a group whose name contained special characters. | This issue has been resolved. See "User Provisioning" for information about special characters that are supported in the Group Name field. |
7320836 | During reconciliation of a large number of records, the reconciliation run would sometimes stop automatically and no error was thrown. In addition, no attempt was made to reestablish the connection to resume the reconciliation run. | This issue has been resolved. The number of records to be reconciled is determined at the start of a reconciliation run. Whenever the connection fails during the reconciliation run, an attempt is made to reestablish the connection and resume reconciliation. This process is repeated until the number of records reconciled is equal to the number of records identified for reconciliation at the start of the run. |
7235815 | Reconciliation of a user record failed if the Full Name field contained commas. | This issue has been resolved. You can now reconcile records even if the Full Name field contains commas. |
7450317 | On the target system, if you do not want to set an expiry date for a user's account, then you enter Never in the Expiry Date field. This action is the same as setting the expiry date to 1-Jan-1970. Similarly, on Oracle Identity Manager, you leave the Expiry Date process form field empty if you do not want to set an expiry date for the user's target system account. If the client computer and the target system host are set to different time zones, then the connector converts time stamp values sent from the client computer to GMT-relative time stamp values before storing them in the target system database. This conversion sometimes caused the | The Target Locale: TimeZone parameter has been added in the IT resource. You use this parameter to specify the time zone of the target system. See "Defining IT Resources" for more information about this parameter. |
7502026 | The following is the format of the time-stamp filter applied to each target system record during reconciliation: timestamp_record_updated >= last_reconciliation_run_timestamp. When this filter was applied, a record that was added or modified at the instant the reconciliation run ended was also reconciled. However, the application of the time-stamp filter caused the same record to be reconciled during the next reconciliation run. | This issue has been resolved. The time-stamp filter cannot be changed to the following: timestamp_record_updated > last_reconciliation_run_timestamp. As a workaround, one second is added to the time stamp recorded in the IT resource before the filter is applied during a reconciliation run. In other words, the filter is changed to the following: timestamp_record_updated + 1 second >= last_reconciliation_run_timestamp. Application of this filter ensures that a record reconciled at the end of a reconciliation run is not reconciled during the next reconciliation run. |
7314549 | A provisioning operation failed if you entered the comma (,) or slash (/) character in the Full Name field. | This issue has been resolved. You can now enter special characters in the Full Name field during provisioning operations. |
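The boundary condition behind bug 7502026, as an added example that is not the connector's own code: it replays two consecutive reconciliation runs over constructed records and applies the workaround as the prose describes it, adding one second to the stored end-of-run time stamp before the >= comparison. The record names, times, and function names are assumptions made for illustration.

```python
from datetime import datetime, timedelta

ONE_SECOND = timedelta(seconds=1)
EPOCH = datetime(1970, 1, 1)
RUN1_END = datetime(2009, 4, 1, 10, 15, 0)   # time stamp stored after run 1

# Constructed sample records: (user, time of last change on the target system).
RECORDS = [
    ("jdoe",   datetime(2009, 4, 1, 10, 14, 58)),
    ("asmith", datetime(2009, 4, 1, 10, 15, 0)),   # changed at the instant run 1 ended
    ("bwong",  datetime(2009, 4, 1, 10, 20, 30)),  # changed after run 1
]

def select(records, last_run_end, add_one_second):
    """Apply the time-stamp filter; optionally shift the stored value by 1 second."""
    threshold = last_run_end + ONE_SECOND if add_one_second else last_run_end
    return [name for name, updated in records if updated >= threshold]

def simulate(add_one_second):
    """Return the users picked up by run 1 and by run 2."""
    # Run 1 can only see changes that existed when it ended.
    visible_in_run1 = [r for r in RECORDS if r[1] <= RUN1_END]
    run1 = select(visible_in_run1, EPOCH, add_one_second)
    run2 = select(RECORDS, RUN1_END, add_one_second)
    return run1, run2

def reconciled_twice(add_one_second):
    """Users that both runs reconciled although they changed only once."""
    run1, run2 = simulate(add_one_second)
    return sorted(set(run1) & set(run2))

if __name__ == "__main__":
    print("plain >= filter:   ", reconciled_twice(False))
    print("stored value + 1 s:", reconciled_twice(True))
```

With one-second time stamps, shifting the threshold also excludes any change written later in the same second in which the previous run ended; the added code does not compensate for that.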
The following are issues resolved in release 9.0.4.14:
Bug Number | Issue | Resolution |
---|---|---|
7509116 | The following problem was observed in earlier releases if you used this connector in conjunction with the password synchronization module: You created a custom attribute in Microsoft Active Directory to track password changes that came from Oracle Identity Manager. This attribute did not work. | This issue has been resolved. The custom attribute that is created in Oracle Identity Manager when you deploy this patch set captures password change events originating from both Microsoft Active Directory and Oracle Identity Manager. You do not have to create a custom attribute in Microsoft Active Directory. Note: For information about implementing this solution, see the release 9.0.4.14 readme for the password synchronization module. |
7449155 | If a target system record contained a comma in the cn field, then the organization name was not correctly reconciled. | This issue has been resolved. See "User Provisioning" for information about supported special characters. |
In the "Known Issues" chapter, the following point has been added:
Bug 7612861
The following tasks of the Create User provisioning operation fail if the last name specified ends in a comma (,):
User must change password at next logon Updated
Password never expires Updated
The following is a software update in release 9.0.4.15:
From this release onward, you can use an LDAP query to specify the groups that must be reconciled. You specify the LDAP query as the value of the CustomizedGroupReconQuery attribute of the ActiveDirectoryReconTask scheduled task. See "CustomizedGroupReconQuery Attribute" for information about this attribute.
The following are issues resolved in release 9.0.4.16:
Bug Number | Issue | Resolution |
---|---|---|
7719525 and 7685400 | The connector did not support reconciliation or provisioning of multivalued attributes. | This issue has been resolved. The connector now supports reconciliation and provisioning of multivalued attributes. To enable provisioning of multivalued attributes, the To enable reconciliation of multivalued attributes, the See "User Reconciliation Scheduled Task" for more information about this attribute. In addition, you can now add new multivalued fields for reconciliation and provisioning. See the following sections for more information: |
7722041 | The connector could not be installed on Oracle Identity Manager release 9.0.3.x. | This issue has been resolved. The connector can now be installed on Oracle Identity Manager release 9.0.3.x and later releases. |
8216540 | A case-sensitive check was performed on attribute names in the Code Key column of the Lookup.ADReconciliation.FieldMap lookup definition. If the case (uppercase or lowercase) of an attribute name did not match the case of the attribute name on the target system, then reconciliation failed. | This issue has been resolved. A case-sensitive check is not performed on attribute names in the |
8236103 | During trusted source reconciliation, the Email ID field of the Xellerate User was not updated. | This issue has been resolved. The Email ID field of the Xellerate User is now updated during trusted source reconciliation. |
The following are issues resolved in release 9.0.4.17:
Bug Number | Issue | Resolution |
---|---|---|
8420393 | During a group reconciliation run, only a maximum of 1000 groups could be reconciled. | This issue has been resolved. You can now reconcile more than 1000 groups during the same reconciliation run. In addition, you can reconcile group records in which each group has more than 1000 members. Similarly, you can reconcile user records in which each user contains more than 1000 entries for multivalued attributes. For example, you can reconcile the record of a user who is a member of more than 1000 groups. The EnableRange attribute has been introduced to enable the reconciliation of user and group records that contain more than 1000 entries. |
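Reading an attribute with more than 1000 values generally relies on Active Directory range retrieval, where the client requests attr;range=low-* and the server names the slice it actually returned. The loop below is an added example, not the connector's code, and this guide does not describe how EnableRange works internally; the in-memory server, the 1000-value limit per response, and all function names are assumptions made for illustration.

```python
import re

RANGE_RE = re.compile(r"^(?P<attr>[\w-]+);range=(?P<low>\d+)-(?P<high>\d+|\*)$", re.I)

def make_fake_server(members, limit=1000):
    """Constructed stand-in for a search on one group entry (no network)."""
    def fetch(requested):
        low = int(RANGE_RE.match(requested).group("low"))
        chunk = members[low:low + limit]
        last = low + len(chunk) - 1
        # "*" as the upper bound marks the final slice of the attribute.
        high = "*" if last >= len(members) - 1 else str(last)
        return {f"member;range={low}-{high}": chunk}
    return fetch

def read_all_values(fetch, attr="member"):
    """Request successive ranges until the server reports the final slice."""
    values, low = [], 0
    while True:
        result = fetch(f"{attr};range={low}-*")
        (name, chunk), = result.items()
        m = RANGE_RE.match(name)
        if m is None or m.group("attr").lower() != attr.lower():
            raise ValueError(f"unexpected attribute in response: {name!r}")
        values.extend(chunk)
        if m.group("high") == "*":
            return values
        # Continue from the value after the last one the server returned.
        low = int(m.group("high")) + 1

if __name__ == "__main__":
    # Constructed sample data: a group with 2500 members.
    group = [f"CN=user{i},OU=Staff,DC=example,DC=com" for i in range(2500)]
    server = make_fake_server(group)
    single = next(iter(server("member;range=0-*").values()))
    print("one request:", len(single), "values")
    print("range loop: ", len(read_all_values(server)), "values")
```

A client that stops after the first response sees only the first 1000 values and no error, which is why a truncated membership list can go unnoticed.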
The following documentation-specific updates have been made in releases 9.0.4.1 through 9.0.4.17:
In the following sections, the version of one of the external JAR files has been changed from ldapsdk-4.17.jar to ldapsdk-4.1.jar:
In the "User Reconciliation Scheduled Task" section, the description of the Object attribute has been modified.
In the "Known Issues" chapter, the following point has been added:
If you modify the group membership of a user (assign to or unassign from a group) in Microsoft Active Directory, this change in group membership is not reconciled into Oracle Identity Manager during the next reconciliation run. This is because group membership changes cannot be detected by the reconciliation scheduled task. This known issue will be addressed in a future release of Oracle Identity Manager.
In the "User Reconciliation" section, the list of fields reconciled during target resource and trusted source reconciliation has been added.
Microsoft Windows 2000 is no longer a supported host for the target system. All occurrences of "Microsoft Windows 2000" have been removed from this guide.
In the "Verifying Deployment Requirements" section, changes have been made in the "Target systems" row.