Oracle® Identity Manager Connector Guide for UNIX SSH Release 9.0.4 Part Number E10447-06
This chapter provides an overview of the updates made to the software and documentation for the UNIX SSH connector in release 9.0.4.7.
See Also: The earlier release of this guide for information about updates that were new for that release

The updates discussed in this chapter are divided into the following categories:
Software Updates
This section describes updates made to the connector software.
Documentation-Specific Updates
This section describes major changes made to this guide. These changes are not related to software updates.
The following sections discuss updates made from release 9.0.4 to the current release of the connector:
The following are software updates in release 9.0.4.2:
In Step 2 of the "Installing and Configuring SUDO" section for Solaris, the usermod command has been added to the list of commands used by the target system.
In the "Enabling Logging" section, the name of the adapter for this connector has been changed from ADAPTERS.TELNETSSH to OIMCP.TELNETSSH.
In the "Compiling Adapters" section, the SSH updateHomeDir adapter has been added to the list of adapters.
In the IT resource definition, the following parameters have been removed:
Login Prompt
Password Prompt
Target Locale
Supported Character Encoding (en_US) – Target
The following scheduled task attributes have been converted into IT resource parameters:
Passwd Mirror File/User Mirror File
Shadow Mirror File
Target Date Format
The following table lists issues resolved in release 9.0.4.2:
Bug Number | Issue | Resolution |
---|---|---|
6375896 | Target resource reconciliation threw exceptions when users were reconciled from Linux using a SUDO admin user. | Target resource reconciliation issues related to Linux used in the SUDO mode have been resolved. |
6609731 | The Supported Character Encoding and Target Locale IT resource parameters were not used by the connector. | The Supported Character Encoding and Target Locale IT resource parameters have been removed. |
6642345 | The connection retry feature of the connector was not working correctly. | Issues related to the connection retry feature have been resolved. |
6680047 | If a connection retry attempt was made, then previous sessions were not released and new sessions were established each time. | Connectivity issues related to session leakage have been resolved. |
6728741 | An incorrect response was received from the connector if the username value was greater than 8 characters and the Create Home directory check box was checked. | The responses received from the connector have been corrected. |
6742869 | A user could not be provisioned if there were spaces in the value of the GECOS field. | Spaces are now allowed in the GECOS field. |
6766705 and 6801405 | The status of the resource object stayed at Provisioned even when provisioning tasks were rejected. | Issues related to the resource object status and response during provisioning have been resolved. |
6786399 | The connector was unable to handle responses from target systems running a non-English locale. | Responses from target systems running a non-English locale are now handled correctly. |
6801537 | During reconciliation, temporary files were created in the /etc directory. | During reconciliation, temporary files are now created in the /tmp folder. |
6837471 | A user could not be provisioned with spaces in the values of any of the user attributes. | Spaces are now allowed in many of the user attributes. |
5180204 | On AIX computers, the connector was not able to reconcile a large number of records. | Issues related to the reconciliation of a large number of users on AIX have been resolved. |
5502324 | Date format parsing errors were encountered during reconciliation. | The date format parsing error that was encountered during the user reconciliation has been resolved. |
5503100 | The message displayed when the user name had multibyte characters during a Create User provisioning operation was incorrect. | The message displayed when the user name has multibyte characters during a Create User provisioning operation has been modified. |
5647992 | On Linux, Solaris, and AIX computers, the Home Directory attribute could not be updated. | The Home Directory attribute is updated correctly on Linux, Solaris, and AIX targets. |
5180227 | The IT Resources contained two redundant parameters, Login Prompt and Password Prompt. | The Login Prompt and Password Prompt IT resource parameters have been deleted. |
6604117 | The Password and Confirm Password fields on the process form were not encrypted. | The Password and Confirm Password fields have been modified to accept encrypted values. |
6310073 | During provisioning, if user creation on the target system failed at some stage, then the user was not cleaned up from the target system although the status of the resource was Provisioning. When this happened, another user with the same name could not be provisioned. | During provisioning, if the user is not created properly on the target, then the user is deleted from the target system and the resource object status is set to Provisioning. |
The following are software updates in release 9.0.4.3:
The Primary Group Name field on the process form has been converted into a lookup field. During a provisioning operation, you can now select a primary group instead of entering the name of the group. The TelnetSSHGroupLookupReconTask scheduled task has been added to reconcile (synchronize) the values in the lookup definition with primary group names in the target system.
The name of the target resource reconciliation scheduled task has been changed from SSH User Non Trusted Reconciliation task to SSH Target Resource User Reconciliation Task.
The level of detail has been increased for data logged when you set the log level to DEBUG. With this log level, it is now easier to track down the cause of an error recorded in the log file.
The following table lists issues resolved in release 9.0.4.3:
Bug Number | Issue | Resolution |
---|---|---|
7121688 | On AIX 5.3, the SSH_USERUID_SIZE_FAIL or SSH_USER_FAIL exception was thrown if you tried to update the User Login attribute through a provisioning operation. | This issue has been resolved. You can now update the User Login attribute through a provisioning operation. Note: The Update User Login provisioning operation is not supported by default on AIX 4.x and 5.1. However, if you upgrade these versions of AIX to support the useradd, usermod, and userdel commands, then you can perform the Update User Login provisioning operation. |
7143460 | During a reconciliation run on AIX, the ArrayIndexOutofBounds exception was thrown if the number of deleted records fetched from the target system was more than the number of newly created or updated records fetched from the target system. | This issue has been resolved. An exception is not thrown if the number of deleted records fetched from the target system is more than the number of newly created or updated records fetched from the target system. |
7143486 | If a reconciliation run ended in an exception, then the connection with the target system was not closed. | This issue has been resolved. The connection with the target system is closed even if a reconciliation run ends in an exception. |
The following are software updates in release 9.0.4.4:
From Oracle Identity Manager release 9.1.0 onward, the Administrative and User Console provides the Connector Installer feature. This feature can be used to automate the connector installation procedure.
See "Installing the Connector on Oracle Identity Manager Release 9.1.0 or Later" for details.
The following are software updates in release 9.0.4.5:
In earlier releases, you had to provide the credentials of the root or sudo user for letting Oracle Identity Manager communicate with the Solaris target system. This release supports the role-based access control (RBAC) feature of Solaris. From this release onward, Oracle Identity Manager can communicate with Solaris by using a user account to which you assign the minimum required privileges.
See "Creating a Target System User Account for Connector Operations" for more information.
The following are some of the changes made in the IT resource:
The Whether SUDO Admin Mode parameter has been renamed to Sudo Or RBAC.
Descriptions of the Admin UserId and Admin Password/Private file Pwd parameters have been modified.
The RBAC Role Name and RBAC Role Passwd parameters have been added.
See the "Deploying the Connector" chapter for information about these parameters.
The following table lists issues resolved in release 9.0.4.5:
Bug Number | Issue | Resolution |
---|---|---|
5503263 | The "Create Home Directory" field is a check box on the Administrative and User Console. If you selected this check box, the numeral 1 was displayed on the page that summarizes input you provide during provisioning operations. | The check box has been changed to a radio button. If you select the "Create Home Directory" option, then the word "Yes" is displayed on the page that summarizes input. If you do not select the option, then the word "No" is displayed. |
7133380 | A user for whom an SSH account was created on AIX through a provisioning operation was forced to change the password at first login. | Password change at first login is not enforced for newly created SSH accounts on AIX. |
7225692 | To stop a scheduled task, you use the Stop Execution option in the Design Console. This option did not work in earlier releases. | You can now use the Stop Execution option to stop scheduled tasks. Note: When you stop a batched reconciliation run, reconciliation stops at the end of the batch being reconciled. |
7345302 | During a provisioning operation, the home directory was not created if you specified an invalid path on the target system host computer. However, the status of the process task was Completed. | If an invalid home directory path is specified, then the "Invalid Home directory" error message is displayed on the Administrative and User Console. |
7347256 | An error was thrown when a user connected to an HP-UX target system was updated through a provisioning operation performed on Oracle Identity Manager. The response from the target system was not correctly parsed and displayed as an error message on the Administrative and User Console. | The "User currently in use" message is displayed if you try to update any attribute of a user who is currently logged in to the target system. |
The following table lists issues resolved in release 9.0.4.6:
Bug Number | Issue | Resolution |
---|---|---|
7478452 | You use the IT resource to specify the credentials of the SUDO user that you want to use for connector operations. If this SUDO user did not have the required permissions, then the target system did not allow you to perform Disable User provisioning operations. This is expected behavior. However, the status of the user was set to Disabled on Oracle Identity Manager even though the status of the user on the target system remained unchanged. | This issue has been resolved. If the SUDO user does not have the permissions required to disable users on the target system, then an appropriate message is displayed on the Administrative and User Console. |
7503701 | The target system does not allow you to delete a user who is logged in to the system. This is expected behavior. However, even when the target system did not allow the deletion of a user, the status of the user (resource) on Oracle Identity Manager was changed to Deleted (Revoked). | This issue has been resolved. If the target system does not allow the deletion of a user, then an appropriate message is displayed as the outcome of the Delete User provisioning operation. The item describing this issue has been removed from the "Known Issues" chapter. |
The following are software updates in release 9.0.4.7:
From this release onward, the connector adds support for Oracle Enterprise Linux 5.2 as a target system.
This target system is mentioned in "Verifying Deployment Requirements".
The following table lists issues resolved in release 9.0.4.7:
Bug Number | Issue | Resolution |
---|---|---|
7520249 | During reconciliation, you could not transform values of the target system field before they were stored in Oracle Identity Manager. | This issue has been resolved. You can now transform the values of the target system fields before they are stored in Oracle Identity Manager. See the "Transforming Data Reconciled Into Oracle Identity Manager" chapter in the connector guide for more information. |
7563415 | During reconciliation, the Group Name field was reconciled as a number and not as the exact name because it was stored directly as the group ID in the target system. | This issue has been resolved. During reconciliation, the exact name of the Group Name field is reconciled. |
8341984 | In the Create User process task, the default value of the Map To variable was IT Resource. This value was incorrect. | This issue has been resolved. The Map To variable in the Create User process task displays the correct default value. The default value of the Map To variable is now Process Data. |
8396795 | During connector deployment, the lib/xliSSH.jar file on the installation media was not automatically copied into the OIM_HOME/xellerate/ScheduleTask directory. | This issue has been resolved. The lib/xliSSH.jar file is now automatically copied to the OIM_HOME/xellerate/ScheduleTask directory. |
The following sections discuss documentation-specific updates made from release 9.0.4 to the current release of the connector:
The following documentation-specific updates have been made in releases 9.0.4.1 through 9.0.4.4:
Changes have been made in the following sections:
In the "Known Issues" chapter, the following items have been added:
"The Update User Login function is not supported on most versions of AIX."
A reconciliation run stops if the scheduled task code encounters target system user data containing the character or characters that are the same as the shell prompt of the target system.
From the "Known Issues" chapter, the following item has been removed:
When you configure an IT resource for an SSH user account and then directly provision it to a user, the Create User Task function is rejected. The user account is not created on the target system. The following message is displayed:
"SSH_USERCREATION_NOTCONNECTED_FAIL not able to connect successfully to the Target System Server".
The following are documentation-specific updates in release 9.0.4.5:
In the "Deploying the Connector" chapter, the Protocol parameter has been added in the table that describes the IT resource parameters.
In the "Known Issues" chapter:
Bug numbers have been added for all the known issues.
The following guidelines have been moved from the "Known Issues" chapter to other parts of this guide:
This connector does not support logins that differ by case only. It also requires all logins to be distinct considering that their values are automatically converted to uppercase by Oracle Identity Manager.
For example, the user logins jdoe and JDOE would be considered different on a UNIX server. However, from Oracle Identity Manager, the input would always be passed as JDOE, because user ID values are stored only in uppercase in Oracle Identity Manager.
During provisioning, the maximum permitted date value for account expiry is 31/12/2099.
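The guideline on logins that differ only by case can be checked on a target system before it is reconciled. The following is an added example, not part of the Oracle guide or the connector: a POSIX shell function (the names find_case_collisions and make_sample_passwd are hypothetical) that lists the logins in a passwd-format file that become identical once uppercased, run here against constructed sample data.

```shell
#!/bin/sh
# Added example (not Oracle code): report logins in a passwd-format file that
# collapse to the same value when uppercased, as Oracle Identity Manager does.

# find_case_collisions FILE
# Prints one line per colliding set: "<UPPERCASED KEY>: <login> <login> ..."
find_case_collisions() {
    awk -F: '
        /^#/ || NF < 7 { next }              # skip comments and malformed entries
        {
            key = toupper($1)
            if (!(key in names)) {           # first login seen for this key
                order[++n] = key
                names[key] = $1
            } else if (!((key, $1) in seen)) {   # new spelling of a known key
                names[key] = names[key] " " $1
                collide[key] = 1
            }
            seen[key, $1] = 1
        }
        END {
            for (i = 1; i <= n; i++)
                if (order[i] in collide) print order[i] ": " names[order[i]]
        }
    ' "$1"
}

# make_sample_passwd FILE: writes constructed sample data (not from a real host)
make_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/sh
jdoe:x:1001:100:John Doe:/home/jdoe:/bin/sh
asmith:x:1002:100:Ann Smith:/home/asmith:/bin/sh
JDOE:x:1003:100:Jane Doe:/home/JDOE:/bin/sh
ASmith:x:1004:100:Al Smith:/home/ASmith:/bin/sh
bwong:x:1005:100:Bo Wong:/home/bwong:/bin/sh
EOF
}

sample=$(mktemp)
make_sample_passwd "$sample"
find_case_collisions "$sample"
rm -f "$sample"
```

Each line of output names a set of accounts that Oracle Identity Manager would treat as a single user ID; an empty result means the file has no case-only duplicates.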
The following point has been removed from the "Known Issues" chapter:
The Update Secondary Group Names and Update User Login functions do not work simultaneously.
At some places in this guide, corrections have been made to address some documentation issues.
The following are documentation-specific updates in release 9.0.4.7:
Changes have been made in the following sections:
Section 3.4, "Transforming Data Reconciled Into Oracle Identity Manager" has been added.
The following point has been removed from the "Known Issues" chapter:
During reconciliation, the Group Name field is reconciled as a number and not as the exact name because it is stored directly as the group ID in the target system.
The following appendixes have been added:
In the "Verifying Deployment Requirements" section, changes have been made in the "Target systems" row.