Oracle® Identity Manager Connector Guide for Microsoft Active Directory User Management
Release 9.1.1

Part Number E11197-07

What's New in Oracle Identity Manager Connector for Microsoft Active Directory User Management?

This chapter provides an overview of the updates made to the software and documentation for release 9.1.1 of the Microsoft Active Directory User Management connector.

The updates discussed in this chapter are divided into two categories: Software Updates and Documentation-Specific Updates.

Software Updates

The following software updates have been made in this release of the connector:

Software Updates in Release 9.1.0

The following software updates were made in release 9.1.0:

Support for Microsoft ADAM

The connector can be used to integrate both Microsoft Active Directory and Microsoft Active Directory Application Mode (ADAM) with Oracle Identity Manager.

Information specific to Microsoft ADAM is provided at various places in this guide.

Introduction of the Connector Installer

You can now install the connector by using the Connector Installer feature of the Oracle Identity Manager Administrative and User Console.

See "Running the Connector Installer" for more information.

Introduction of Organization Reconciliation

In the trusted source reconciliation mode, the connector can be configured to reconcile details of organizations on the target system. The AD Organization Recon scheduled task has been introduced to automate organization reconciliation.

See the following sections for more information:

Introduction of Organization Lookup Synchronization

In the target resource mode, the connector can be configured to fetch the names of organizations on the target system and populate a lookup definition in Oracle Identity Manager.

See "Scheduled Tasks for Lookup Field Synchronization" for more information.

Introduction of Scheduled Task for Reconciliation of Deleted User Records

The connector can be configured to reconcile deleted user data in both account management (target resource) and identity reconciliation (trusted source) modes. The AD User Target Delete Recon and AD User Trusted Delete Recon scheduled tasks have been introduced to automate this process.

See the following sections for more information:

Introduction of Separate Scheduled Tasks for Target Resource and Trusted Source Reconciliation of User Records

In earlier releases, the same scheduled task was used for target resource and trusted source reconciliation. In this release, the following scheduled tasks have been introduced:

Support for the Diagnostic Dashboard

In addition to support for the traditional testing utility, this connector supports the Diagnostic Dashboard. You can use this tool to test basic functionality of the connector.

See "Using the Diagnostic Dashboard" for more information.

Support for Provisioning Users to User-Defined Object Classes

By default, the target system uses the user object class. You can use the Lookup.AD.Configuration lookup definition to include user-defined object classes on the target system in reconciliation and provisioning operations.

See "Configuring the Lookup.AD.Configuration Lookup Definition" for more information.

Support for Deprovisioning of Users That Have Associated Leaf Nodes on the Target System

A user on the target system can have other users defined as its leaf nodes. You can configure the connector to perform one of the following actions when the user is deleted on Oracle Identity Manager:

This feature is implemented through the isUserDeleteLeafNode parameter of the IT resource for the target system. See "Configuring the IT Resource for the Target System" for information about this parameter.

Support for the Application of Native LDAP Queries During Reconciliation

In earlier releases, you specified the query condition for limited reconciliation by using operators that are not native to the target system. You can now specify the query condition by using either the non-native operators or native LDAP filter syntax.

See "Limited Reconciliation vs. Regular Reconciliation" for more information.

Support for High-Availability Configuration of the Target System

The connector can be configured for compatibility with high-availability target system environments. It can read information about backup target system hosts from the Lookup.AD.BackupServers lookup definition and apply this information when it is unable to connect to the primary host.

See "Configuring High Availability of the Target System" for more information.

Support for Terminal Services Profile Fields of the Target System

In the target resource mode, a Remote Manager can be used in conjunction with the connector to enable reconciliation from and provisioning to the Terminal Services fields of the target system. In addition, you can add Environment, Remote Control, and Sessions fields for reconciliation and provisioning.

See the following sections for more information:

Support for Multivalued (Child) Data Field Mapping

You can add both single-valued and multivalued fields for target resource reconciliation and provisioning.

See the following sections for more information:

Support for Multiple Trusted Source Reconciliation

This connector supports the Multiple Trusted Source Reconciliation feature of Oracle Identity Manager release 9.1.0 and later. See "Configuring the Connector for Multiple Trusted Source Reconciliation" for more information.

Support for the E-Mail Redirection Feature in Microsoft Active Directory

You can use the E-mail Redirection feature to specify an alternative (redirection) e-mail address for a user. E-mail sent to the user is automatically directed to the account specified by the redirection e-mail address. See "Guidelines on Performing Provisioning Operations" for more information.

Software Updates in Release 9.1.0.1

The following are software updates in release 9.1.0.1:

Reconciliation of Manager IDs During Trusted Source Reconciliation

You can now enable the reconciliation of manager IDs from the target system during trusted source reconciliation. Manager ID values are stored in the Manager Login field of the OIM User form.

Issues Resolved in Release 9.1.0.1

The following are issues resolved in release 9.1.0.1:

Bug Number Issue Resolution
7235815 Reconciliation of a user record failed if the Full Name field contained commas. This issue has been resolved. You can now reconcile records even if the Full Name field contains commas.
7314549 and 7408391 A provisioning operation failed if you entered the comma (,) or slash (/) characters in the Full Name field. This issue has been resolved. You can now enter special characters in the Full Name field during provisioning operations.
7324176 If the MaintainHierarchy attribute was set to yes, then the value specified for the User Search Base attribute had to be an OU (of the form ou=abc,dc=...). If the value of the User Search Base attribute was the DN of the domain itself (of the form dc=xyz,dc=com, where dc is the domainComponent attribute, not a domain controller name), then organization hierarchy was not maintained during reconciliation. This issue has been resolved. Organization hierarchy can be maintained during reconciliation even if the value of the User Search Base attribute is the domain DN. For more information, see the description of the Search Filter attribute in "AD Organization Recon".
7448615 During target resource reconciliation, if no match was found between a particular target system record and any existing OIM Users, then the RowIndexOutBounds exception was thrown. This issue has been resolved. If no match is found, then an error message is recorded in the log file and reconciliation continues.
7450317 On the target system, if you do not want to set an expiry date for a user's account, then you enter Never in the Expiry Date field. This action is the same as setting the expiry date to 1-Jan-1970. Similarly, on Oracle Identity Manager, you leave the Expiry Date process form field empty if you do not want to set an expiry date for the user's target system account.

If the client computer and the target system host are set to different time zones, then the connector converts time stamp values sent from the client computer to GMT-relative time stamp values before storing them in the target system database. This conversion sometimes caused the 1-Jan-1970 value to be changed to 31-Dec-1969. When this happened, the user account was created and disabled at the same time.

This issue has been resolved. If you do not specify a value in the Expiry Date process form field, then the time zone part of the time stamp value is set to GMT (that is, GMT+00:00). Time zone conversion does not take place before the date value is stored in the target system database.

See Bug 7518734 in the "Known Issues" chapter for information about a limitation related to this fix.

7328972 During a provisioning operation, a user could not be made a member of a group whose name contained special characters. This issue has been resolved. See Table 1-9 for information about special characters that are supported in the Group Name field.
7320836 During reconciliation of a large number of records, the reconciliation run would sometimes stop automatically and no error was thrown. In addition, no attempt was made to reestablish the connection to resume the reconciliation run. This issue has been resolved. The number of records to be reconciled is determined at the start of a reconciliation run. Whenever the connection fails during the reconciliation run, an attempt is made to reestablish the connection and resume reconciliation. This process is repeated until the number of records reconciled is equal to the number of records identified for reconciliation at the start of the run.
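The following Python example is added here to illustrate the time-zone behavior behind bug 7450317; it is not part of the connector or of this guide. It assumes, for the sake of the demonstration, an Oracle Identity Manager host running eight hours east of GMT and a target system that stores time stamps relative to GMT, and it uses the 1-Jan-1970 "never expires" sentinel described above. The function names are illustrative and are not connector APIs.

```python
from datetime import date, datetime, timedelta, timezone
from typing import Optional

UTC = timezone.utc
# Assumption for the example: the client (Oracle Identity Manager host) runs
# eight hours east of GMT. Any zone east of GMT reproduces the problem.
CLIENT_TZ = timezone(timedelta(hours=8))

# "Never expires" is represented on the target system by 1-Jan-1970 (GMT).
NEVER_EXPIRES = datetime(1970, 1, 1, tzinfo=UTC)

# Constructed sample: a real expiry date entered on the process form.
SAMPLE_EXPIRY = date(2010, 6, 30)


def _client_midnight(day: date, client_tz: timezone) -> datetime:
    """A date entered on the process form is a local calendar day on the client."""
    return datetime.combine(day, datetime.min.time(), tzinfo=client_tz)


def expiry_before_fix(expiry: Optional[date], client_tz: timezone = CLIENT_TZ) -> datetime:
    """Behaviour that caused bug 7450317: the empty field is turned into the
    1-Jan-1970 sentinel, but the sentinel is then treated like any user-entered
    date, that is, read in the client's zone and converted to GMT."""
    day = expiry if expiry is not None else NEVER_EXPIRES.date()
    return _client_midnight(day, client_tz).astimezone(UTC)


def expiry_after_fix(expiry: Optional[date], client_tz: timezone = CLIENT_TZ) -> datetime:
    """9.1.0.1 behaviour: the empty field becomes the sentinel with its zone set
    to GMT+00:00, so no conversion takes place; real dates are converted as before."""
    if expiry is None:
        return NEVER_EXPIRES
    return _client_midnight(expiry, client_tz).astimezone(UTC)


def is_never_expires(stored: datetime) -> bool:
    """Only the exact sentinel means 'never'. Any earlier instant (such as
    31-Dec-1969) is a real expiry date that already lies in the past, which is
    why the account was created and disabled at the same time."""
    return stored == NEVER_EXPIRES
```

Running `expiry_before_fix(None)` yields 31-Dec-1969 16:00 GMT, which the target system treats as an expiry date in the past; `expiry_after_fix(None)` yields exactly 1-Jan-1970 00:00 GMT, which it recognizes as "never".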

Software Updates in Release 9.1.1

The following are software updates in release 9.1.1:

Microsoft Active Directory 2008 Added to the List of Certified Target Systems

From this release onward, Microsoft Active Directory 2008 installed on Microsoft Windows Server 2008 with SP2 and later service packs has been added to the list of certified target systems. This has been mentioned in the "Certified Deployment Configurations" section.

Change in the Oracle Identity Manager Requirement

From this release onward, Oracle Identity Manager release 9.1.0.1 is the minimum supported Oracle Identity Manager release. This is mentioned in the "Certified Deployment Configurations" section.

Updates Related to Changes in the Architecture of the Password Synchronization Connector

The architecture of the password synchronization connector has been completely overhauled in release 9.1.1. The following changes have been made in the IT resource:

See "Configuring the IT Resource for the Target System" for more information.

Support for Group Provisioning

From this release onward, the connector supports group provisioning operations. The following changes have been made:

The AtMap ADGroup parameter has been added in the IT resource. This parameter holds the name of the lookup definition that stores group field mappings between Oracle Identity Manager and the target system. These field mappings are listed in the "Group Fields for Provisioning" section.

Support for Reconciliation of Group Data

From this release onward, the connector supports reconciliation of group data. The AD Group Recon scheduled task is used to automate reconciliation of group data.

See the following sections for more information:

Linking of Entries Stored in Lookup Definitions with Target System Installations

From this release onward, the IT resource name is added as a prefix to values stored in lookup definitions that are synchronized with the target system. During a provisioning operation, lookup fields are populated with values corresponding to the target system installation that you select for the operation.

See "Lookup Fields Used During Connector Operations" for more information.

Support for Specifying a User Principal Name Value

The UPN Domain parameter has been added in the IT resource. You can use this parameter to specify the domain for users. In addition, the User Principal Name field has been added on the process form. This is a mandatory field. See "Configuring the IT Resource for the Target System" for more information.

Support for Creating Copies of the Connector

The AD.Parameters lookup definition has been renamed to "Lookup.AD.Configuration." In addition, new entries that hold the names of the process form and the process form fields used for matching user records have been added in this lookup definition. If you create a copy of the process form, then you can specify details of the new process form in the copy of the Lookup.AD.Configuration lookup definition. This feature enables you to create multiple copies of the connector without making code-level changes.

See the following sections for more information:

No Support for Non-Native Queries

You use the Query attribute of the user reconciliation scheduled tasks to specify the query condition that must be applied during reconciliation. In earlier releases, you used the isNativequery attribute to specify that the query condition was in native LDAP format. From this release onward, you can use only native LDAP queries. The Use Native Query attribute has been removed from the scheduled tasks.

See "Limited Reconciliation vs. Regular Reconciliation" for more information.

Introduction of the Lookup.AD.Constants Lookup Definition

The Lookup.AD.Constants lookup definition stores the constants and variables defined in the Java classes that constitute the connector.

Caution:

You must not change any entry in the Lookup.AD.Constants lookup definition. If you change any entry, then the connector will not function correctly.

The name of this lookup definition is specified as the value of the Constants Lookup Code Key in the Lookup.AD.Configuration lookup definition.

Addition of the Search Base, Search Filter, and Search Scope Attributes in All the Scheduled Tasks

From this release onward, you can specify the subset of records that must be reconciled from the target system. The Search Base, Search Filter, and Search Scope attributes have been added in all scheduled tasks except the scheduled tasks for reconciliation of deleted users. See "Reconciliation Scheduled Tasks" for more information.

Issues Resolved in Release 9.1.1

The following are issues resolved in release 9.1.1:

Bug Number Issue Resolution
Bugs 7489859 and 7455700 The cn value of a user could not be changed through a provisioning operation on Oracle Identity Manager. This issue has been resolved. The Common Name field has been introduced on the process form. This field is mapped to the cn field of the target system. Like the Full Name field, the Common Name field is populated with a value in the following format:

FIRST_NAME MIDDLE_NAME LAST_NAME

For example:

John Joseph Doe

You can modify this field through provisioning operations.

This field has been added for both Microsoft Active Directory and ADAM.

See the following sections for more information:

5404679 If a user was a member of more than 1000 groups, then the user could not be reconciled. This issue can be resolved by changing the value of the MaxValRange parameter on the target system.
7673487 You could not create and use a new process form. You could only use the predefined process form. This issue has been resolved. The Lookup.AD.Configuration lookup definition has been extended to include the following entries:
  • ROFormName

  • ROUserGUID

  • ROUserID

  • ROUserManager

If you create a process form, then you must provide values for these entries. See "Configuring the Lookup.AD.Configuration Lookup Definition" for more information.

7336488 You could not specify the Oracle Identity Manager organization into which you wanted to reconcile group records.

Note: This issue was encountered in an earlier patch release of the connector in which group data reconciliation had been implemented.

This issue has been resolved. The following attributes have been included in the AD Group Recon scheduled tasks:
  • Use Organization Name

  • Organization Name

See "AD Group Recon" for more information.

7693562 and 8205269 During provisioning operations, the Organization Name field is populated with values from the Lookup.ADReconciliation.Organization lookup definition. In the earlier release, instead of Decode values, Code Key values were displayed in the Organization Name field on the Administrative and User Console. This issue has been resolved. Decode values of the lookup definition are displayed during provisioning operations.
8269888 You use the LdapUserDNPrefix entry in the Lookup.AD.Configuration lookup definition to specify the LDAP attribute for forming the relative DN or user account DN. This DN value forms the logon attribute for creating the user.

In the earlier release, this feature did not work if you changed the value from cn to any other attribute.

This issue has been resolved. You can now change the value of the LdapUserDNPrefix parameter from cn to any other attribute. See "Configuring the Lookup.AD.Configuration Lookup Definition" for information about the LdapUserDNPrefix parameter.
8222203 Suppose you provisioned a Microsoft Active Directory resource to an OIM User and then changed the user ID of the account on the target system. During the next reconciliation run, no match was found with the resource on Oracle Identity Manager. This issue has been resolved. The reconciliation rule for target resource reconciliation has been modified so that the objectGUID of the account on the target system is first compared with the objectGUID of the resource on Oracle Identity Manager. See "Reconciliation Rules for Target Resource Reconciliation" for more information.
7668437 The Disable User provisioning operation failed if the Full Name field contained the slash (/) character. This issue has been resolved. The Disable User provisioning operation works even if the Full Name field contains the slash (/) character.
7540967 The following is the format of the time-stamp filter applied to each target system record during reconciliation:

timestamp_record_updated >= last_reconciliation_run_timestamp

When this filter was applied, a record that was added or modified at the instant the reconciliation run ended was also reconciled. However, the application of the time-stamp filter caused the same record to be reconciled during the next reconciliation run.

This issue has been resolved.

The time-stamp filter cannot be changed to the following:

timestamp_record_updated > last_reconciliation_run_timestamp

As a workaround, one second is added to the time stamp recorded in the IT resource before the filter is applied during a reconciliation run. In other words, the filter is changed to the following:

timestamp_record_updated >= last_reconciliation_run_timestamp + 1 second

Application of this filter ensures that a record reconciled at the end of a reconciliation run is not reconciled during the next reconciliation run.

7384799 During a Create User provisioning operation, if you specified a group to which you wanted to assign the user, then the provisioning operation failed. This issue has been resolved. You can now specify the group to which you want to assign a user during a provisioning operation.
7320836 Target resource reconciliation in batched mode stopped prematurely, even though no error was encountered. This issue has been resolved.
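Bugs 7235815, 7314549, and 7668437 above, the Common Name field introduced for bugs 7489859 and 7455700, and the special characters supported in the Group Name field all concern values that end up inside a DN or a search filter. The following Python example is added here and is not part of the connector or of this guide. It shows the escaping a client must apply before placing such values in a DN (RFC 4514) or in a search filter (RFC 4515), so that a name such as "Doe, John" cannot change the structure of the DN, and a value containing "*" or ")" cannot alter the filter (LDAP filter injection). The slash handling is an assumption about a Java-based client such as Oracle Identity Manager: JNDI treats an unescaped "/" in a string name as a composite-name separator, so it is escaped as "\/" here; the slash is not special in RFC 4514 itself.

```python
# Characters that must be escaped anywhere inside an RFC 4514 attribute value.
DN_SPECIAL = set(',+"\\<>;')

# RFC 4515 filter escapes: the value is hex-escaped so it stays a literal.
FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_dn_value(value: str, jndi_slash: bool = True) -> str:
    """Escape one attribute value for use inside a DN (RFC 4514).

    ',+"\\<>;' are escaped anywhere; '#' only at the start; a space only at
    the start or end; NUL as \\00. With jndi_slash=True (assumption about a
    JNDI-based client), '/' is escaped as '\\/' so JNDI does not split the
    name at it."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        elif ch == "/" and jndi_slash:
            out.append("\\/")
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for an LDAP search filter (RFC 4515)."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_dn(cn: str, container: str) -> str:
    """Build the DN of a user whose RDN attribute is cn (the default
    LdapUserDNPrefix described on this page) under an already-valid container DN."""
    return f"cn={escape_dn_value(cn)},{container}"


def cn_filter(cn: str) -> str:
    """Filter that matches exactly one cn value, whatever characters it contains."""
    return f"(&(objectClass=user)(cn={escape_filter_value(cn)}))"
```

`user_dn("Doe, John/Jr.", "ou=Users,dc=example,dc=com")` produces `cn=Doe\, John\/Jr.,ou=Users,dc=example,dc=com`, and `cn_filter("*")` produces a filter that matches only a user literally named "*" rather than every user.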
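The following Python example is added here to illustrate bug 7540967 together with the native-LDAP Search Filter described in "No Support for Non-Native Queries"; it is not part of the connector or of this guide. It assumes that the record time stamp compared during reconciliation is the whenChanged attribute of Microsoft Active Directory, which has one-second resolution, and it applies the one-second adjustment described above to the time stamp recorded in the IT resource. The constructed scenario has one record modified in the same second in which the first run ends.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

UTC = timezone.utc

# Constructed scenario: the previous run ended at 09:00:00, run 1 ends at
# 10:30:00, and run 2 starts from the time stamp run 1 recorded.
PREVIOUS_RUN_END = datetime(2009, 3, 15, 9, 0, 0, tzinfo=UTC)
RUN1_END = datetime(2009, 3, 15, 10, 30, 0, tzinfo=UTC)
RECORDS = [
    {"cn": "alice", "whenChanged": RUN1_END - timedelta(minutes=5)},
    {"cn": "bob", "whenChanged": RUN1_END},  # modified as run 1 ends
    {"cn": "carol", "whenChanged": PREVIOUS_RUN_END - timedelta(hours=1)},  # unchanged
]


def generalized_time(dt: datetime) -> str:
    """GeneralizedTime as AD expects it in a native LDAP filter, at the
    one-second resolution that whenChanged has."""
    return dt.astimezone(UTC).strftime("%Y%m%d%H%M%S") + ".0Z"


def since_timestamp(last_run: datetime, add_one_second: bool) -> datetime:
    """Time stamp recorded by the previous run, with the 9.1.1 one-second
    adjustment applied when requested."""
    return last_run + timedelta(seconds=1) if add_one_second else last_run


def reconciliation_filter(search_filter: str, last_run: datetime,
                          add_one_second: bool = True) -> str:
    """Combine the administrator's native Search Filter with the time-stamp
    condition: (&<search_filter>(whenChanged>=<since>)).
    The search_filter is taken as already valid LDAP filter syntax."""
    since = since_timestamp(last_run, add_one_second)
    return f"(&{search_filter}(whenChanged>={generalized_time(since)}))"


def select_changed(records: List[Dict], last_run: datetime,
                   add_one_second: bool) -> List[str]:
    """Apply the same >= condition locally, to show which records a run picks up."""
    since = since_timestamp(last_run, add_one_second)
    return [r["cn"] for r in records if r["whenChanged"] >= since]


def two_runs(add_one_second: bool) -> Tuple[List[str], List[str]]:
    """Records reconciled by run 1 and by the following run 2."""
    first = select_changed(RECORDS, PREVIOUS_RUN_END, add_one_second)
    second = select_changed(RECORDS, RUN1_END, add_one_second)
    return first, second
```

`two_runs(False)` reconciles "bob" in both runs, which is the duplicate described above; `two_runs(True)` reconciles "bob" once. Because whenChanged carries whole seconds, the adjusted filter is equivalent to a strict greater-than at that resolution, so a modification that lands in the boundary second after the run has recorded its time stamp is picked up only by a later modification or by a full reconciliation run.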
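Bug 5404679 above is left to a server-side workaround: MaxValRange is an LDAP policy of the domain controller, so raising it affects every LDAP client of that server. The client-side alternative, which the following added Python example demonstrates, is incremental range retrieval: the client requests `memberOf;range=0-*`, reads the range the server actually returned, and continues from the next index until the server marks the last chunk with `*`. The example is not part of the connector or of this guide; the "server" is a constructed stand-in that caps each response at 1000 values, and the function names are illustrative.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Returned attribute descriptions look like "memberOf;range=0-999" or, for the
# final chunk, "memberOf;range=3000-*".
RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<low>\d+)-(?P<high>\d+|\*)$")

SearchFn = Callable[[str], Dict[str, List[str]]]


def parse_range_option(description: str) -> Optional[Tuple[str, int, Optional[int]]]:
    """Split 'attr;range=low-high' into (attr, low, high); high is None for '*'.
    Returns None for a plain attribute description without a range option."""
    m = RANGE_RE.match(description)
    if not m:
        return None
    high = None if m.group("high") == "*" else int(m.group("high"))
    return m.group("attr"), int(m.group("low")), high


def fetch_all_values(search: SearchFn, attr: str) -> List[str]:
    """Incremental range retrieval of a multivalued attribute.

    Request attr;range=low-*, append the values the server returned, and
    continue from high+1 until the server answers with '*' as the upper bound.
    'search' takes one attribute description and returns {description: values}."""
    values: List[str] = []
    low = 0
    while True:
        result = search(f"{attr};range={low}-*")
        hit = None
        for name, vals in result.items():
            parsed = parse_range_option(name)
            if parsed and parsed[0].lower() == attr.lower():
                hit = (parsed, vals)
                break
        if hit is None:
            # No range option in the answer: every value fit in one response.
            return values + result.get(attr, [])
        (_, _, high), vals = hit
        values.extend(vals)
        if high is None:
            return values
        low = high + 1


def make_simulated_server(values: List[str], max_val_range: int,
                          attr: str = "memberOf") -> SearchFn:
    """Constructed stand-in for a domain controller. It never returns more than
    max_val_range values per response and marks the last chunk with '*', which
    is how AD enforces its MaxValRange LDAP policy. Counts calls in .calls."""
    def search(requested: str) -> Dict[str, List[str]]:
        search.calls += 1
        parsed = parse_range_option(requested)
        low = parsed[1] if parsed else 0
        end = min(len(values), low + max_val_range)
        chunk = values[low:end]
        if end >= len(values):
            # Final chunk: a ranged request is answered with '*'; a plain
            # request that fits entirely is answered with the plain attribute.
            return {f"{attr};range={low}-*": chunk} if parsed else {attr: chunk}
        return {f"{attr};range={low}-{end - 1}": chunk}
    search.calls = 0
    return search


# Constructed sample: a user who is a member of 3250 groups.
SAMPLE_GROUPS = [f"cn=group{i:04d},ou=Groups,dc=example,dc=com" for i in range(3250)]
```

Against the simulated server with `max_val_range=1000`, `fetch_all_values(server, "memberOf")` needs four requests (0-999, 1000-1999, 2000-2999, 3000-*) and returns all 3250 values in order, without any change to the server's policy.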

Documentation-Specific Updates

The following sections discuss documentation-specific updates:

Documentation-Specific Updates in Releases 9.1.0 and 9.1.0.1

Major changes have been made in the structure of the guide. The objective of these changes is to synchronize the guide with the changes made to the connector and to improve the usability of the information provided by the guide.

See "Roadmap for Deploying and Using the Connector" for detailed information about the organization of content in this guide.

Documentation-Specific Updates in Release 9.1.1

The following are documentation-specific updates in release 9.1.1: