Oracle® Identity Manager Connector Guide for Microsoft Active Directory User Management Release 9.1.1 Part Number E11197-07
This chapter provides an overview of the updates made to the software and documentation for release 9.1.1 of the Microsoft Active Directory User Management connector.
The updates discussed in this chapter are divided into the following categories:

- Software Updates: This section describes updates made to the connector software. It also points out the sections of this guide that have been changed in response to each software update.

- Documentation-Specific Updates: This section describes major changes made to this guide. For example, the relocation of a section from the second chapter to the third chapter is a documentation-specific update. These changes are not related to software updates.
The following software updates have been made in this release of the connector:
The following are issues resolved in release 9.1.0:
- Introduction of Scheduled Task for Reconciliation of Deleted User Records
- Support for Provisioning Users to User-Defined Object Classes
- Support for Deprovisioning of Users That Have Associated Leaf Nodes on the Target System
- Support for the Application of Native LDAP Queries During Reconciliation
- Support for High-Availability Configuration of the Target System
- Support for Terminal Services Profile Fields of the Target System
- Support for the E-Mail Redirection Feature in Microsoft Active Directory
The connector can be used to integrate both Microsoft Active Directory and Microsoft Active Directory Application Mode (ADAM) with Oracle Identity Manager.
Information specific to the Microsoft ADAM has been provided at various places in this guide.
You can now install the connector by using the Connector Installer feature of the Oracle Identity Manager Administrative and User Console.
See "Running the Connector Installer" for more information.
In the trusted source reconciliation mode, the connector can be configured to reconcile details of organizations on the target system. The AD Organization Recon scheduled task has been introduced to automate organization reconciliation.
See the following sections for more information:
In the target resource mode, the connector can be configured to fetch the names of organizations on the target system and populate a lookup definition in Oracle Identity Manager.
See "Scheduled Tasks for Lookup Field Synchronization" for more information.
The connector can be configured to reconcile deleted user data in both account management (target resource) and identity reconciliation (trusted source) modes. The AD User Target Delete Recon and AD User Trusted Delete Recon scheduled tasks have been introduced to automate this process.
See the following sections for more information:
In earlier releases, the same scheduled task was used for target resource and trusted source reconciliation. In this release, the following scheduled tasks have been introduced:

- AD User Target Recon: This scheduled task is used to fetch user data in the target resource mode. See "Scheduled Tasks for Target Resource Reconciliation" for information about this scheduled task.
- AD User Target Delete Recon: This scheduled task is used to fetch data about deleted users in the target resource mode. During a reconciliation run, for each deleted user account on the target system, the corresponding AD User resource is revoked for the OIM User. See "Scheduled Tasks for Target Resource Reconciliation" for information about this scheduled task.
- AD User Trusted Recon: This scheduled task is used to fetch user data in the trusted source mode. See "Scheduled Tasks for Trusted Source Reconciliation" for information about this scheduled task and its attributes.
- AD User Trusted Delete Recon: This scheduled task is used to fetch data about deleted users in the trusted source mode. During a reconciliation run, for each deleted target system account, the corresponding OIM User is deleted. See "Scheduled Tasks for Trusted Source Reconciliation" for information about this scheduled task and its attributes.
In addition to support for the traditional testing utility, this connector supports the Diagnostic Dashboard. You can use this tool to test basic functionality of the connector.
See "Using the Diagnostic Dashboard" for more information.
By default, the target system uses the user object class. You can use the Lookup.AD.Configuration lookup definition to include user-defined object classes on the target system in reconciliation and provisioning operations.
See "Configuring the Lookup.AD.Configuration Lookup Definition" for more information.
A user on the target system can have other users defined as its leaf nodes. You can configure the connector to perform one of the following actions when the user is deleted on Oracle Identity Manager:
Delete the user and its leaf nodes from the target system.
Display a message stating that the user has leaf nodes.
This feature is implemented through the isUserDeleteLeafNode parameter of the IT resource for the target system. See "Configuring the IT Resource for the Target System" for information about this parameter.
In the earlier release, you specified the query condition for limited reconciliation by using operators that are not native to the target system. You can now specify the query condition by using either non-native or native operators.
See "Limited Reconciliation vs. Regular Reconciliation" for more information.
The connector can be configured for compatibility with high-availability target system environments. It can read information about backup target system hosts from the Lookup.AD.BackupServers lookup definition and apply this information when it is unable to connect to the primary host.
See "Configuring High Availability of the Target System" for more information.
In the target resource mode, a Remote Manager can be used in conjunction with the connector to enable reconciliation from and provisioning to the Terminal Services fields of the target system. In addition, you can add Environment, Remote Control, and Sessions fields for reconciliation and provisioning.
See the following sections for more information:
You can add both single-valued and multivalued fields for target resource reconciliation and provisioning.
See the following sections for more information:
This connector supports the Multiple Trusted Source Reconciliation feature of Oracle Identity Manager release 9.1.0 and later. See "Configuring the Connector for Multiple Trusted Source Reconciliation" for more information.
You can use the E-mail Redirection feature to specify an alternative (redirection) e-mail address for a user. E-mail sent to the user is automatically directed to the account specified by the redirection e-mail address. See "Guidelines on Performing Provisioning Operations" for more information.
The following are software updates in release 9.1.0.1:
You can now enable the reconciliation of manager IDs from the target system during trusted source reconciliation. Manager ID values are stored in the Manager Login field of the OIM User form.
The following are issues resolved in release 9.1.0.1:
Bug Number | Issue | Resolution |
---|---|---|
7235815 | Reconciliation of a user record failed if the Full Name field contained commas. | This issue has been resolved. You can now reconcile records even if the Full Name field contains commas. |
7314549 and 7408391 | A provisioning operation failed if you entered the comma (,) or slash (/) characters in the Full Name field. | This issue has been resolved. You can now enter special characters in the Full Name field during provisioning operations. |
7324176 | If the MaintainHierarchy attribute was set to yes, then the value specified for the User Search Base attribute had to be an OU (of the form ou=abc,dc=...). If the value of the User Search Base attribute was a domain controller name (of the form dc=xyz,dc=com), then organization hierarchy was not maintained during reconciliation. | This issue has been resolved. Organization hierarchy can be maintained during reconciliation even if the value of the User Search Base attribute is a domain controller name. For more information, see the description of the Search Filter attribute in "AD Organization Recon". |
7448615 | During target resource reconciliation, if no match was found between a particular target system record and any existing OIM Users, then the RowIndexOutBounds exception was thrown. | This issue has been resolved. If no match is found, then an error message is recorded in the log file and reconciliation continues. |
7450317 | On the target system, if you do not want to set an expiry date for a user's account, then you enter Never in the Expiry Date field. This action is the same as setting the expiry date to 1-Jan-1970. Similarly, on Oracle Identity Manager, you leave the Expiry Date process form field empty if you do not want to set an expiry date for the user's target system account. If the client computer and the target system host are set to different time zones, then the connector converts time stamp values sent from the client computer to GMT-relative time stamp values before storing them in the target system database. This conversion sometimes caused the | This issue has been resolved. If you do not specify a value in the Expiry Date process form field, then the time zone part of the time stamp value is set to GMT (that is, GMT+00:00). Time zone conversion does not take place before the date value is stored in the target system database. See Bug 7518734 in the "Known Issues" chapter for information about a limitation related to this fix. |
7328972 | During a provisioning operation, a user could not be made a member of a group whose name contained special characters. | This issue has been resolved. See Table 1-9 for information about special characters that are supported in the Group Name field. |
7320836 | During reconciliation of a large number of records, the reconciliation run would sometimes stop automatically and no error was thrown. In addition, no attempt was made to reestablish the connection to resume the reconciliation run. | This issue has been resolved. The number of records to be reconciled is determined at the start of a reconciliation run. Whenever the connection fails during the reconciliation run, an attempt is made to reestablish the connection and resume reconciliation. This process is repeated until the number of records reconciled is equal to the number of records identified for reconciliation at the start of the run. |
The following are software updates in release 9.1.1:
- Microsoft Active Directory 2008 Added to the List of Certified Target Systems
- Updates Related to Changes in the Architecture of the Password Synchronization Connector
- Linking of Entries Stored in Lookup Definitions with Target System Installations
- Addition of the Search Base, Search Filter, and Search Scope Attributes in All the Scheduled Tasks
From this release onward, Microsoft Active Directory 2008 installed on Microsoft Windows Server 2008 with SP2 and later service packs has been added to the list of certified target systems. This has been mentioned in the "Certified Deployment Configurations" section.
From this release onward, Oracle Identity Manager release 9.1.0.1 is the minimum supported Oracle Identity Manager release. This is mentioned in the "Certified Deployment Configurations" section.
The architecture of the password synchronization connector has been completely overhauled in release 9.1.1. The following changes have been made in the IT resource:
- The ADPWSYNCH ADFlag, ADPWSYNCH OIMFlag, and ADPWSYNCH Installed parameters have been removed.
- To control propagation of passwords to the target system during provisioning operations, the Allow Password Provisioning parameter has been added.
See "Configuring the IT Resource for the Target System" for more information.
From this release onward, the connector supports group provisioning operations. The following changes have been made:
The AtMap ADGroup parameter has been added in the IT resource. This parameter holds the name of the lookup definition that stores group field mappings between Oracle Identity Manager and the target system. These field mappings are listed in the "Group Fields for Provisioning" section.
From this release onward, the connector supports reconciliation of group data. The AD Group Recon scheduled task is used to automate reconciliation of group data.
See the following sections for more information:
From this release onward, the IT resource name is added as a prefix to values stored in lookup definitions that are synchronized with the target system. During a provisioning operation, lookup fields are populated with values corresponding to the target system installation that you select for the operation.
See "Lookup Fields Used During Connector Operations" for more information.
The UPN Domain parameter has been added in the IT resource. You can use this parameter to specify the domain for users. In addition, the User Principal Name field has been added on the process form. This is a mandatory field. See "Configuring the IT Resource for the Target System" for more information.
The AD.Parameters lookup definition has been renamed to "Lookup.AD.Configuration." In addition, new entries that hold the names of the process form and the process form fields used for matching user records have been added in this lookup definition. If you create a copy of the process form, then you can specify details of the new process form in the copy of the Lookup.AD.Configuration lookup definition. This feature enables you to create multiple copies of the connector without making code-level changes.
See the following sections for more information:
You use the Query attribute of the user reconciliation scheduled tasks to specify the query condition that must be applied during reconciliation. In earlier releases, you used the isNativequery attribute to specify that the query condition was in native LDAP format. From this release onward, you can use only native LDAP queries. The Use Native Query attribute has been removed from the scheduled tasks.
See "Limited Reconciliation vs. Regular Reconciliation" for more information.
The Lookup.AD.Constants lookup definition stores the constants and variables defined in the Java classes that constitute the connector.
Caution: You must not change any entry in the Lookup.AD.Constants lookup definition. If you change any entry, then the connector will not function correctly.

The name of this lookup definition is specified as the value of the Constants Lookup Code Key in the Lookup.AD.Configuration lookup definition.
From this release onward, you can specify the subset of records that must be reconciled from the target system. The Search Base, Search Filter, and Search Scope attributes have been added in all scheduled tasks except the scheduled tasks for reconciliation of deleted users. See "Reconciliation Scheduled Tasks" for more information.
The following are issues resolved in release 9.1.1:
Bug Number | Issue | Resolution |
---|---|---|
Bugs 7489859 and 7455700 | The cn value of a user could not be changed through a provisioning operation on Oracle Identity Manager. | This issue has been resolved. The Common Name field has been introduced on the process form. This field is mapped to the cn field of the target system. Like the Full Name field, the Common Name field is populated with a value in the following format: FIRST_NAME MIDDLE_NAME LAST_NAME. For example: You can modify this field through provisioning operations. This field has been added for both Microsoft Active Directory and ADAM. See the following sections for more information: |
5404679 | If a user was a member of more than 1000 groups, then the user could not be reconciled. | This issue can be resolved by changing the value of the MaxValRange parameter on the target system. |
7673487 | You could not create and use a new process form. You could only use the predefined process form. | This issue has been resolved. The Lookup.AD.Configuration lookup definition has been extended to include the following entries: If you create a process form, then you must provide values for these entries. See "Configuring the Lookup.AD.Configuration Lookup Definition" for more information. |
7336488 | You could not specify the Oracle Identity Manager organization into which you wanted to reconcile group records. Note: This issue was encountered in an earlier patch release of the connector in which group data reconciliation had been implemented. | This issue has been resolved. The following attributes have been included in the AD Group Recon scheduled task: See "AD Group Recon" for more information. |
7693562 and 8205269 | During provisioning operations, the Organization Name field is populated with values from the Lookup.ADReconciliation.Organization lookup definition. In the earlier release, instead of Decode values, Code Key values were displayed in the Organization Name field on the Administrative and User Console. | This issue has been resolved. Decode values of the lookup definition are displayed during provisioning operations. |
8269888 | You use the LdapUserDNPrefix entry in the Lookup.AD.Configuration lookup definition to specify the LDAP attribute for forming the relative DN or user account DN. This DN value forms the logon attribute for creating the user. In the earlier release, this feature did not work if you changed the value from cn to any other attribute. | This issue has been resolved. You can now change the value of the LdapUserDNPrefix parameter from cn to any other attribute. See "Configuring the Lookup.AD.Configuration Lookup Definition" for information about the LdapUserDNPrefix parameter. |
8222203 | Suppose you provisioned a Microsoft Active Directory resource to an OIM User and then changed the user ID of the account on the target system. During the next reconciliation run, no match was found with the resource on Oracle Identity Manager. | This issue has been resolved. The reconciliation rule for target resource reconciliation has been modified so that the objectGUID of the account on the target system is first compared with the objectGUID of the resource on Oracle Identity Manager. See "Reconciliation Rules for Target Resource Reconciliation" for more information. |
7668437 | The Disable User provisioning operation failed if the Full Name field contained the slash (/) character. | This issue has been resolved. The Disable User provisioning operation works even if the Full Name field contains the slash (/) character. |
7540967 | The following is the format of the time-stamp filter applied to each target system record during reconciliation: When this filter was applied, a record that was added or modified at the instant the reconciliation run ended was also reconciled. However, the application of the time-stamp filter caused the same record to be reconciled during the next reconciliation run. | This issue has been resolved. The time-stamp filter cannot be changed to the following: As a workaround, one second is added to the time stamp recorded in the IT resource before the filter is applied during a reconciliation run. In other words, the filter is changed to the following: Application of this filter ensures that a record reconciled at the end of a reconciliation run is not reconciled during the next reconciliation run. |
7384799 | During a Create User provisioning operation, if you specified a group to which you wanted to assign the user, then the provisioning operation failed. | This issue has been resolved. You can now specify the group to which you want to assign a user during a provisioning operation. |
7320836 | Target resource reconciliation in batched mode stopped prematurely, even though no error was encountered. | This issue has been resolved. |
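The change recorded for Bug 8222203 (match on objectGUID before the user ID) is easy to misjudge without seeing the two rules side by side. The following is an added example, not code from the connector or from this guide: it models a reconciliation run over constructed accounts with both the earlier user-ID-only rule and the objectGUID-first rule. The fallback to the user ID after a GUID miss, the string form of objectGUID, and the record shapes are assumptions; the page only states that objectGUID is compared first. Records with no match are logged and skipped rather than aborting the run, as the Bug 7448615 entry for release 9.1.0.1 describes.

```python
"""Constructed illustration of the target resource reconciliation rule change
described for Bug 8222203: a target system account is matched to an existing
AD User resource by objectGUID first. This is not connector code.

Assumptions not stated on this page: the fallback key after objectGUID is the
user ID, objectGUID values are carried as strings, and a record with no match
is logged and skipped.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ResourceInstance:
    """An AD User resource already provisioned to an OIM User (constructed shape)."""
    oim_user: str
    object_guid: str
    user_id: str


@dataclass(frozen=True)
class TargetAccount:
    """A user record fetched from the target system during a reconciliation run."""
    object_guid: str
    user_id: str


def match_by_user_id(account: TargetAccount,
                     resources: List[ResourceInstance]) -> Optional[ResourceInstance]:
    """Earlier behaviour described on the page: the user ID is the only key, so a
    rename of the account on the target system breaks the link to the resource."""
    for r in resources:
        if r.user_id == account.user_id:
            return r
    return None


def match_guid_first(account: TargetAccount,
                     resources: List[ResourceInstance]) -> Optional[ResourceInstance]:
    """Release 9.1.1 rule: compare objectGUID first; the GUID survives a rename.
    Falling back to the user ID when no GUID matches is an assumption."""
    for r in resources:
        if r.object_guid == account.object_guid:
            return r
    return match_by_user_id(account, resources)


def reconcile(accounts: List[TargetAccount],
              resources: List[ResourceInstance],
              rule) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Apply a matching rule to every fetched account.

    Returns (matched, unmatched): matched holds (target user ID, OIM User) pairs;
    unmatched holds target user IDs that are logged and skipped, not raised."""
    matched, unmatched = [], []
    for acct in accounts:
        hit = rule(acct, resources)
        if hit is None:
            unmatched.append(acct.user_id)   # log and continue with the next record
        else:
            matched.append((acct.user_id, hit.oim_user))
    return matched, unmatched


def demo() -> Tuple[Tuple[List[Tuple[str, str]], List[str]],
                    Tuple[List[Tuple[str, str]], List[str]]]:
    """Constructed data: jdoe's target account was renamed to jdoe2 after it was
    provisioned, so only the objectGUID still ties it to the OIM User."""
    resources = [
        ResourceInstance(oim_user="JDOE", object_guid="guid-0001", user_id="jdoe"),
        ResourceInstance(oim_user="MLEE", object_guid="guid-0002", user_id="mlee"),
    ]
    fetched = [
        TargetAccount(object_guid="guid-0001", user_id="jdoe2"),    # renamed on the target
        TargetAccount(object_guid="guid-0002", user_id="mlee"),
        TargetAccount(object_guid="guid-0003", user_id="newhire"),  # never provisioned
    ]
    return (reconcile(fetched, resources, match_by_user_id),
            reconcile(fetched, resources, match_guid_first))


if __name__ == "__main__":
    before, after = demo()
    print("user-ID rule:        ", before)
    print("objectGUID-first rule:", after)
```

With the user-ID rule the renamed account is reported as unmatched, which in the target resource mode would surface as a record with no owner; with the objectGUID-first rule it is linked back to the same OIM User, and only the genuinely unprovisioned account remains unmatched.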
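The entry for Bug 7540967 describes a boundary problem in the time-stamp filter: a record changed at the instant a run ended satisfied the filter of both that run and the next one, and the fix adds one second to the stored time stamp because the comparison operator itself could not be tightened. The page does not reproduce the filter, so the following is an added example, not code from the connector or from this guide: it models two consecutive runs over constructed records and shows the duplicate with and without the one-second adjustment. It assumes the filter tests the Active Directory whenChanged attribute in LDAP generalized-time form (YYYYMMDDHHMMSS.0Z) and relies on the fact that LDAP search filters define only the >= and <= ordering operators, with no strict greater-than.

```python
"""Constructed model of the time-stamp filter boundary described for Bug 7540967.
This is not connector code; it uses only the Python standard library.

Assumptions not stated on this page: the filter tests the whenChanged attribute
in LDAP generalized-time form (YYYYMMDDHHMMSS.0Z). LDAP filters (RFC 4515)
offer only >= and <=, which is why the stored stamp is moved by one second
instead of the operator being changed.
"""
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

GENERALIZED_TIME = "%Y%m%d%H%M%S.0Z"   # assumed time stamp layout


def to_generalized_time(ts: datetime) -> str:
    return ts.astimezone(timezone.utc).strftime(GENERALIZED_TIME)


def parse_generalized_time(text: str) -> datetime:
    return datetime.strptime(text, GENERALIZED_TIME).replace(tzinfo=timezone.utc)


def build_filter(stored_ts: datetime, add_one_second: bool) -> str:
    """Build the LDAP filter for a run from the time stamp stored in the IT
    resource. add_one_second=True reproduces the release 9.1.1 workaround."""
    start = stored_ts + timedelta(seconds=1) if add_one_second else stored_ts
    return "(whenChanged>=%s)" % to_generalized_time(start)


def apply_filter(ldap_filter: str, records: List[dict]) -> List[str]:
    """Evaluate the single-clause filter produced by build_filter over records
    carrying sAMAccountName and whenChanged keys; returns the matching names."""
    prefix, suffix = "(whenChanged>=", ")"
    if not (ldap_filter.startswith(prefix) and ldap_filter.endswith(suffix)):
        raise ValueError("unsupported filter: %s" % ldap_filter)
    threshold = parse_generalized_time(ldap_filter[len(prefix):-len(suffix)])
    return [r["sAMAccountName"] for r in records
            if parse_generalized_time(r["whenChanged"]) >= threshold]


def reconcile_run(records: List[dict], stored_ts: datetime,
                  run_end: datetime, add_one_second: bool) -> List[str]:
    """One run: only records changed no later than run_end exist at that point,
    and the filter is built from the time stamp left behind by the previous run."""
    visible = [r for r in records
               if parse_generalized_time(r["whenChanged"]) <= run_end]
    return apply_filter(build_filter(stored_ts, add_one_second), visible)


def simulate(add_one_second: bool) -> Tuple[List[str], List[str]]:
    """Two consecutive runs over constructed records; each run stores its end
    time for the next one. Returns the names reconciled by run 1 and by run 2."""
    t0 = datetime(2009, 6, 1, 8, 0, 0, tzinfo=timezone.utc)  # stamp left by an earlier run
    run1_end = t0 + timedelta(minutes=5)
    run2_end = run1_end + timedelta(hours=1)
    records = [  # constructed sample entries
        {"sAMAccountName": "asmith",
         "whenChanged": to_generalized_time(t0 + timedelta(seconds=10))},
        {"sAMAccountName": "bjones",
         "whenChanged": to_generalized_time(run1_end)},   # changed at the instant run 1 ended
        {"sAMAccountName": "cwong",
         "whenChanged": to_generalized_time(run1_end + timedelta(seconds=30))},
    ]
    run1 = reconcile_run(records, t0, run1_end, add_one_second)
    run2 = reconcile_run(records, run1_end, run2_end, add_one_second)
    return run1, run2


def fixed_filter_example() -> str:
    """The filter a run sends after a stored stamp of 2009-06-01 08:00:00Z."""
    return build_filter(datetime(2009, 6, 1, 8, 0, 0, tzinfo=timezone.utc),
                        add_one_second=True)


if __name__ == "__main__":
    print("without +1s:", simulate(False))   # bjones appears in both runs
    print("with    +1s:", simulate(True))
    print("filter sent:", fixed_filter_example())
```

Without the adjustment the record changed exactly at the end of run 1 is reconciled again by run 2; with it, run 2 sees only changes made after the stored stamp. The adjustment presumes one-second time stamp granularity, so a change landing inside that same second after the stamp is taken would be missed by both runs, which is the kind of edge a practitioner should keep in mind when tuning run frequency.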
The following sections discuss documentation-specific updates:
Major changes have been made in the structure of the guide. The objective of these changes is to synchronize the guide with the changes made to the connector and to improve the usability of information provided by the guide.
See "Roadmap for Deploying and Using the Connector" for detailed information about the organization of content in this guide.
The following are documentation-specific updates in release 9.1.1:
In the "Known Issues" chapter:

- Bug 7518734 has been removed. The issue described by this bug was addressed when Bug 7450317 was resolved in release 9.1.0.1.
- Descriptions for Bugs 7126712, 8346302, 7207232, and 6736667 have been added.
In the "Installing the Remote Manager" section, information about the location for installing the Remote Manager has been modified.
Microsoft Windows 2000 is no longer a supported host for the target system. All occurrences of "Microsoft Windows 2000" have been removed from this guide.
In the "Certified Deployment Configurations" section, changes have been made in the "Target systems and target system host platforms" row.
In the "User Provisioning Functions Supported by the Connector" section, the following functions have been added to the list of supported provisioning functions:

- Create OU
- Rename OU
- Move OU
- Delete OU