Sun Java System Communications Services
Identity Manager provides the Sun Java System Communications Services resource adapter to support Sun Java System Messaging Server (Messaging Server) and Sun Java System Calendar Server (Calendar Server). These systems must implement LDAP Schema 2, and Sun Java System Directory Server must be used as the user store.
The Sun Java System Communications Services resource adapter is defined in the com.waveset.adapter.SunCommunicationsServicesResourceAdapter class.
This adapter extends the LDAP resource adapter. See the documentation for the LDAP adapter for information about implementing LDAP-specific features.
The Communications Services adapter provides provisioning services for standard Directory Server installations. It can also read the replication changelog of Directory Server and apply those changes to Identity Manager users or custom workflows.
Resource Configuration Notes
To set up a Sun Java System Directory Server resource for use with the Communications Services adapter, you must configure the server to enable the change log and to track modifier information. Both settings are made from the Directory Server Configuration tab.
- Click the Replication folder, then select the “Enable change log” box. For 5.0 and later servers, you must also enable the Retro Changelog plug-in: on the Configuration tab, go to the Plugins object, select the Retro Changelog plug-in, and enable it.
- To verify that the server is configured to maintain special attributes for newly created or modified entries, in the Directory Server console, click Configuration > select the root entry in the navigation tree in the left pane.
- Click Settings > verify that the Track Entry Modification Times box is checked.
The server adds the following attributes to a newly created or modified entry; Identity Manager uses them to determine whether an event was initiated from Identity Manager.
- creatorsName: The DN of the person who initially created the entry.
- modifiersName: The DN of the person who last modified the entry.
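The following script, added here as an illustration and not part of Identity Manager or Directory Server, shows how a changelog consumer can use creatorsName and modifiersName to tell changes the Identity Manager service account made itself from changes made by other directory clients. The service account DN, the sample retro changelog entries and the helper names are constructed for this example; a delete entry, which carries no initiator, is kept rather than dropped.

```python
import base64
import re

# Constructed DN of the Identity Manager service account (not from the page).
IDM_SERVICE_DN = "uid=idm-svc,ou=services,dc=example,dc=com"

# LDIF base64-encodes values that contain newlines, as `changes` does.
_b64 = lambda text: base64.b64encode(text.encode()).decode()

# Constructed sample: three retro changelog entries shaped like ldapsearch output
# under cn=changelog. 101 was written by the service account itself, 102 by
# another directory client; 103 is a delete, for which no initiator is recorded.
SAMPLE_CHANGELOG = "\n".join([
    "dn: changenumber=101,cn=changelog",
    "changenumber: 101",
    "targetdn: uid=jdoe,ou=People,dc=example,dc=com",
    "changetype: add",
    "changes:: " + _b64("objectclass: inetOrgPerson\nuid: jdoe\n"
                        "creatorsname: " + IDM_SERVICE_DN + "\n"
                        "modifiersname: " + IDM_SERVICE_DN + "\n"),
    "",
    "dn: changenumber=102,cn=changelog",
    "changenumber: 102",
    "targetdn: uid=jdoe,ou=People,dc=example,dc=com",
    "changetype: modify",
    "changes:: " + _b64("replace: mailquota\nmailquota: 1048576\n-\n"
                        "replace: modifiersname\nmodifiersname: "
                        "cn=HR Feed,ou=services,dc=example,dc=com\n-\n"),
    "",
    "dn: changenumber=103,cn=changelog",
    "changenumber: 103",
    "targetdn: uid=asmith,ou=People,dc=example,dc=com",
    "changetype: delete",
])

def parse_ldif_entries(text):
    """Minimal LDIF reader (no line folding): one {attr: [values]} per entry."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:   # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        m = re.match(r"([A-Za-z][\w;.-]*)(::?) ?(.*)$", line)
        if m:
            attr, sep, value = m.group(1).lower(), m.group(2), m.group(3)
            if sep == "::":                  # base64-encoded value
                value = base64.b64decode(value).decode()
            current.setdefault(attr, []).append(value)
    return entries

def change_initiator(entry):
    """DN recorded as modifiersName (or creatorsName) in the change payload, else None."""
    payload = entry.get("changes", [""])[0]
    for attr in ("modifiersname", "creatorsname"):
        m = re.search(r"^%s: (.+)$" % attr, payload, re.I | re.M)
        if m:
            return m.group(1).strip()
    return None

def external_changes(ldif_text, service_dn=IDM_SERVICE_DN):
    """Changes to turn into events: all but the service account's own writes."""
    same = lambda a, b: a.replace(" ", "").lower() == b.replace(" ", "").lower()
    wanted = []
    for entry in parse_ldif_entries(ldif_text):
        who = change_initiator(entry)
        if who and same(who, service_dn):
            continue  # our own write echoed back; skipping it avoids a sync loop
        # No recorded initiator (e.g. a delete) is kept: dropping it loses a real event.
        wanted.append(tuple(entry[k][0] for k in ("changenumber", "targetdn", "changetype")))
    return wanted
```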
Identity Manager Installation Notes
No additional installation procedures are required on this resource.
Usage Notes
Service Accounts
Create an Identity Manager service account to connect to Communications Services, rather than using the administrator account CN=Directory Manager. Use your Directory Server management tool to set permissions through an access control instruction (ACI) at each base context.
Set the permissions in the ACI according to how the adapter uses the source. If the adapter connects to an authoritative source, grant read, search, and possibly compare permissions only. If the adapter is used to write back, you will also need write and possibly delete permissions.
Note: If the account will be used to monitor the changelog, an ACI should also be created on cn=changelog. Grant read and search only, because changelog entries cannot be written or deleted.
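As an added illustration, not taken from the Identity Manager documentation, the following LDIF grants a service account the permission sets described above in Directory Server ACI syntax; the service account DN, the base context dc=example,dc=com and the ACI names are assumed values.

```ldif
# Authoritative source: Identity Manager only reads from the directory.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "IdM read-only";
  allow (read,search,compare)
  userdn="ldap:///uid=idm-svc,ou=services,dc=example,dc=com";)

# Write-back instead: use this ACI at the base context in place of the one
# above, adding only the rights needed to read, write, add and delete users.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "IdM write-back";
  allow (read,search,compare,write,add,delete)
  userdn="ldap:///uid=idm-svc,ou=services,dc=example,dc=com";)

# Changelog monitoring: read and search only on cn=changelog.
dn: cn=changelog
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "IdM changelog reader";
  allow (read,search)
  userdn="ldap:///uid=idm-svc,ou=services,dc=example,dc=com";)
```

Continuation lines begin with one space (the LDIF fold marker) followed by a literal space, so the ACI unfolds with its keywords separated.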
The sources.ResourceName.hosts property in the waveset.properties file controls which host or hosts in a cluster execute the synchronization portion of an Active Sync resource adapter. Replace ResourceName with the name of the Resource object.
Before and After Actions
The Sun Communications Services resource adapter does not perform before or after actions. Instead, you may use the Action Proxy Resource Adapter field in the Resource Wizard to designate a proxy resource adapter that has been configured to run actions.
The following example script could be run on the proxy resource after creating a user:
```bat
REM Messaging Server tool path and configuration root; adjust to the local installation.
SET PATH=c:\Sun\Server-Root\lib
SET SYSTEMROOT=c:\winnt
SET CONFIGROOT=C:/Sun/Server-Root/Config
REM Create the mailbox for the new user; %WSUSER_accountId% carries the account ID.
mboxutil -c -P user/%WSUSER_accountId%.*
```
The following example script will delete the user's mailboxes when the user is deleted.
```bat
REM Messaging Server tool path and configuration root; adjust to the local installation.
SET PATH=c:\Sun\Server-Root\lib
SET SYSTEMROOT=c:\winnt
SET CONFIGROOT=C:/Sun/Server-Root/Config
REM Delete every mailbox belonging to the user being removed.
mboxutil -d -P user/%WSUSER_accountId%.*
```
Security Notes
This section provides information about supported connections and privilege requirements.
Supported Connections
Identity Manager uses Java Naming and Directory Interface (JNDI) over TCP/IP or SSL to communicate with the Communications Services adapter.
- If you are using TCP/IP, specify port 389 on the Resource Attributes page.
- If you are using SSL, specify port 636.
Required Administrative Privileges
If the value cn=Directory Manager is specified in the User DN resource parameter, then the Identity Manager administrator has the necessary permissions to manage accounts. If a different distinguished name is specified, that user must have the ability to read, write, delete, and add users.
Provisioning Notes
The following table summarizes the provisioning capabilities of this adapter.
Feature | Supported?
--- | ---
Enable/disable account | Yes
Rename account | Yes
Pass-through authentication | Yes
Before/after actions | No, but a proxy resource adapter may be specified.
Data loading methods |
Account Attributes
The syntax (or type) of an attribute usually determines whether the attribute is supported. In general, Identity Manager supports boolean, string, integer, and binary syntaxes. A binary attribute is an attribute that can be safely expressed only as a byte array.
The following table lists the supported LDAP syntaxes. Other LDAP syntaxes might be supported, as long as they are boolean, string, or integer in nature. Octet strings are NOT supported.
LDAP Syntax | Attribute Type | Object ID
--- | --- | ---
Audio | Binary | 1.3.6.1.4.1.1466.115.121.1.4
Binary | Binary | 1.3.6.1.4.1.1466.115.121.1.5
Boolean | Boolean | 1.3.6.1.4.1.1466.115.121.1.7
Country String | String | 1.3.6.1.4.1.1466.115.121.1.11
DN | String | 1.3.6.1.4.1.1466.115.121.1.12
Directory String | String | 1.3.6.1.4.1.1466.115.121.1.15
Generalized Time | String | 1.3.6.1.4.1.1466.115.121.1.24
IA5 String | String | 1.3.6.1.4.1.1466.115.121.1.26
Integer | Int | 1.3.6.1.4.1.1466.115.121.1.27
Postal Address | String | 1.3.6.1.4.1.1466.115.121.1.41
Printable String | String | 1.3.6.1.4.1.1466.115.121.1.44
Telephone Number | String | 1.3.6.1.4.1.1466.115.121.1.50
Default Account Attributes
The following attributes are displayed on the Account Attributes page for the Communications Services resource adapter. All attributes are of type String unless otherwise noted.
Identity System User Attribute | Resource User Attribute | Description
--- | --- | ---
accountId | uid | User ID
accountId | cn | Required. The user’s full name.
password | userPassword | Encrypted
firstname | givenname | The user’s first (given) name.
lastname | sn | Required. The user’s last name (surname).
email | mail | The user’s fully-qualified email address.
modifyTimeStamp | modifyTimeStamp | Indicates when a user entry was modified. By default, this attribute is displayed for the Sun Communications Services adapter only.
objectClass | objectClass | The object class to monitor for changes.
alternateEmail | mailalternateaddress | Alternate email address of this recipient.
mailDeliveryOption | maildeliveryoption | Specifies delivery options for the mail recipient. One or more values are permitted on a user or group entry, supporting multiple delivery paths for inbound messages. Values apply differently depending on whether the attribute is used in inetMailGroup or inetMailUser.
mailHost | mailhost | The fully qualified host name of the mail transfer agent (MTA) that is the final destination of messages sent to this recipient.
mailForwardingAddress | mailforwardingaddress | Specifies one or more forwarding addresses for inbound messages.
inetUserStatus | inetuserstatus | The status of a user’s account with regard to global server access. The possible values are active, inactive, or deleted.
mailQuota | mailquota | The amount of disk space, in bytes, allowed for the user’s mailbox.
mailAutoReplySubject | mailautoreplysubject | Text to be used as the subject of an auto-reply response.
mailAutoReplyText | mailautoreplytext | Auto-reply text sent to all senders except users in the recipient’s domain.
mailAutoReplyTextInternal | mailautoreplytextinternal | Auto-reply text sent to senders from the recipient’s domain.
vacationStartDate | vacationstartdate | Vacation start date and time, in the format YYYYMMDDHHMMSSZ.
vacationEndDate | vacationenddate | Vacation end date and time, in the format YYYYMMDDHHMMSSZ.
mailAutoReplyMode | mailautoreplymode | The auto-reply mode for the user’s mail account. The possible values are echo and reply.
Default Supported Object Classes
By default, the Sun Java System Communications Services resource adapter uses the following object classes when creating new user objects in the LDAP tree. Other object classes may be added.
top Object Class
The top object class must contain the objectClass attribute, which is present as an account attribute by default. The top object class is extended by a number of object classes, including the person object class.
person Object Class
The following table lists additional supported attributes that are defined in the LDAP person object class.
Resource User Attribute | LDAP Syntax | Attribute Type | Description
--- | --- | --- | ---
description | Directory string | String | A short informal explanation of the special interests of a person.
seeAlso | DN | String | A reference to another person.
telephoneNumber | Telephone number | String | Primary telephone number.
inetUser Object Class
The inetUser object class represents a user account, or a resource (defined as any object to which services are provided) account, and is used in conjunction with inetMailUser and ipUser for creating a mail account. When creating user accounts, this object class extends the base entry created by inetOrgPerson.
The following table lists additional supported attributes that are defined in the inetUser object class.
Resource User Attribute | LDAP Syntax | Attribute Type | Description
--- | --- | --- | ---
inetUserStatus | Directory string | String | Specifies the status of a user’s account with regard to global server access. The possible values are active, inactive, and deleted.
organizationalPerson Object Class
The following table lists additional supported attributes that are defined in the LDAP organizationalPerson object class. This object class also inherits attributes from the person object class.
Resource User Attribute | LDAP Syntax | Attribute Type | Description
--- | --- | --- | ---
destinationIndicator | Printable string | String | This attribute is used for the telegram service.
facsimileTelephoneNumber | Facsimile telephone number | String | The primary fax number.
internationaliSDNNumber | Numeric string | String | Specifies an international ISDN number associated with an object.
l | Directory string | String | The name of a locality, such as a city, county, or other geographic region.
ou | Directory string | String | The name of an organizational unit.
physicalDeliveryOfficeName | Directory string | String | The office to which deliveries are routed.
postalAddress | Postal address | String | The office location in the user's place of business.
postalCode | Directory string | String | The postal or zip code for mail delivery.
postOfficeBox | Directory string | String | The P.O. Box number for this object.
preferredDeliveryMethod | Delivery method | String | The preferred way to deliver to the addressee.
registeredAddress | Postal Address | String | A postal address suitable for reception of telegrams or expedited documents, where it is necessary to have the recipient accept delivery.
st | Directory string | String | State or province name.
street | Directory string | String | The street portion of the postal address.
teletexTerminalIdentifier | Teletex Terminal Identifier | String | The teletex terminal identifier for a teletex terminal associated with an object.
telexNumber | Telex Number | String | The telex number in international notation.
title | Directory string | String | Contains the user's job title. This property is commonly used to indicate the formal job title, such as Senior Programmer, rather than occupational class, such as programmer. It is not typically used for suffix titles such as Esq. or DDS.
x121Address | Numeric string | String | The X.121 address for an object.
inetOrgPerson Object Class
The following table lists additional supported attributes that are defined in the LDAP inetOrgPerson object class. This object class can also inherit attributes from the organizationalPerson object class.
Resource User Attribute | LDAP Syntax | Attribute Type | Description
--- | --- | --- | ---
audio | Audio | Binary | An audio file.
businessCategory | Directory string | String | The kind of business performed by an organization.
carLicense | Directory string | String | Vehicle license or registration plate.
departmentNumber | Directory string | String | Identifies a department within an organization.
displayName | Directory string | String | Preferred name of a person to be used when displaying entries.
employeeNumber | Directory string | String | Numerically identifies an employee within an organization.
employeeType | Directory string | String | Type of employment, such as Employee or Contractor.
homePhone | Telephone number | String | The user’s home telephone number.
homePostalAddress | Postal address | String | The user’s home address.
initials | Directory string | String | Initials for parts of the user's full name.
jpegPhoto | JPEG | Binary | An image in JPEG format.
labeledURI | Directory string | String | A Uniform Resource Identifier (URI) and optional label associated with the user.
mail | IA5 string | String | One or more email addresses.
manager | DN | String | Directory name of the user's manager.
mobile | Telephone number | String | The user’s cell phone number.
o | Directory string | String | The name of an organization.
pager | Telephone number | String | The user’s pager number.
preferredLanguage | Directory string | String | Preferred written or spoken language for a person.
roomNumber | Directory string | String | The user’s office or room number.
secretary | DN | String | Directory name of the user’s administrative assistant.
userCertificate | certificate | Binary | A certificate, in binary format.
ipUser
The ipUser object class holds the reference to the personal address book container and the class of service specifier.
The following table lists additional supported attributes that are defined in the ipUser object class.
Resource User Attribute | Syntax | Attribute Type | Description
--- | --- | --- | ---
inetCoS | String, multi-valued | String | Specifies the name of the Class of Service (CoS) template supplying values for attributes in the user entry.
memberOfPAB | String, multi-valued | String | The unique name of the personal address book(s) to which this entry belongs.
maxPabEntries | Integer, single-valued | Integer | The maximum number of personal address book entries users are permitted to have in their personal address book store.
pabURI | String, single-valued | String | LDAP URI specifying the container of the personal address book entries for this user.
userPresenceProfile
The userPresenceProfile object class stores the presence information for a user.
This object class may contain the vacationStartDate and vacationEndDate attributes, which are present as account attributes by default.
iplanet-am-managed-person
The iplanet-am-managed-person object class contains attributes that Sun Java System Access Manager needs to manage users.
The following table lists additional supported attributes that are defined in the iplanet-am-managed-person object class.
Resource User Attribute | Syntax | Attribute Type | Description
--- | --- | --- | ---
iplanet-am-modifiable-by | DN, multi-valued | String | The role DN of the administrator who has access rights to modify the user entry.
iplanet-am-role-aci-description | String, multi-valued | String | Description of the ACI that belongs to the role.
iplanet-am-static-group-dn | DN, multi-valued | String | Defines the DNs of the static groups the user belongs to.
iplanet-am-user-account-life | Date string, single-valued | String | Specifies the account expiration date in the following format: yyyy/mm/dd hh:mm:ss
inetMailUser
The inetMailUser object class extends the base entry created by inetOrgPerson to define a messaging service user. It represents a mail account and is used in conjunction with inetUser and inetLocalMailRecipient.
The following table lists additional supported attributes that are defined in the inetMailUser object class.
Resource User Attribute | Syntax | Attribute Type | Description
--- | --- | --- | ---
dataSource | String, single-valued | String | Text field to store a tag or identifier.
mailAllowedServiceAccess | String, single-valued | String | Stores access filters (rules).
mailAntiUBEService | String, multi-valued | String | Instructions for a program that handles unsolicited bulk email.
mailAutoReplyTimeOut | Integer, single-valued | Integer | Duration, in hours, between successive auto-reply responses to any given mail sender.
mailConversionTag | String, multi-valued | String | Method of specifying unique conversion behavior for a user or group entry.
mailDeferProcessing | String, single-valued | String | Controls whether address expansion of the current user or group entry is performed immediately or deferred.
mailEquivalentAddress | String, multi-valued | String | Equivalent to mailAlternateAddress in regard to mail routing, except that with this attribute the header is not rewritten.
mailMessageStore | String, single-valued | String | Specifies the message store partition name for the user.
mailMsgMaxBlocks | Integer, single-valued | Integer | The size, in units of MTA blocks, of the largest message that can be sent to this user or group.
mailMsgQuota | Integer, single-valued | Integer | Maximum number of messages permitted for a user.
mailProgramDeliveryInfo | String, multi-valued | String | Specifies one or more programs used for program delivery.
mailSieveRuleSource | String, multi-valued | String | Contains a SIEVE rule (RFC 3028 compliant) used to create a message filter script for a user entry.
mailSMTPSubmitChannel | String, single-valued | String | This attribute is a factor involved in setting up guaranteed message delivery, or in setting up other special classes of service.
mailUserStatus | String, single-valued | String | Current status of the mail user. Can be one of the following values: active, inactive, deleted, hold, overquota, or removed.
nswmExtendedUserPrefs | String, multi-valued | String | Holds the pairs that define Messenger Express preferences, such as sort order and Mail From address.
inetLocalMailRecipient
The inetLocalMailRecipient object class stores information that provides a way to designate an LDAP entry as one that represents a local email recipient, to specify the recipient’s email addresses, and to provide routing information pertinent to the recipient.
The following table lists additional supported attributes that are defined in the inetLocalMailRecipient object class. (All other attributes in this object class are present as account attributes by default.)
Resource User Attribute | LDAP Syntax | Attribute Type | Description
--- | --- | --- | ---
mailRoutingAddress | String, single-valued | String | Used together with mailHost to determine whether the address should be acted upon at this time or forwarded to another system.
icsCalendarUser
The icsCalendarUser object class defines a Calendar Server user.
The following table lists additional supported attributes that are defined in the icsCalendarUser object class. (All other attributes in this object class are present as account attributes by default.)
Resource User Attribute | LDAP Syntax | Attribute Type | Description
--- | --- | --- | ---
icsAllowedServiceAccess | String, single-valued | String | Disallows calendar services to a user.
icsCalendar | String, single-valued | String | The calendar ID (calid) of the default calendar for a user or resource. Required attribute for Calendar Manager.
icsCalendarOwned | String, multi-valued | String | Calendars owned by this user.
icsDWPHost | String, single-valued | String | Stores a Database Wire Protocol (DWP) host name so that the calendar ID can be resolved to the DWP server that stores the calendar and its data.
icsExtendedUserPrefs | String, multi-valued | String | Extensions for calendar user preferences.
icsFirstDay | String, single-valued | Integer | First day of the week to be displayed on the user’s calendar.
icsSet | String, multi-valued | String | Defines one group of calendars. The value for this attribute is a six-part string, with each part separated by a dollar sign ($).
icsStatus | String, single-valued | String | This attribute must be set when assigning calendar services to a domain. The possible values are active, inactive, and deleted.
icsSubscribed | String, multi-valued | String | List of calendars to which this user is subscribed.
icsTimezone | String | String | The default time zone for this user or resource calendar if one is not explicitly assigned through their own user preferences.
preferredLanguage | String, single-valued | String | Preferred written or spoken language for a person.
Resource Object Management
Identity Manager supports the following LDAP objects by default. Any string-, integer-, or boolean-based attributes can also be managed.
Resource Object | Object Classes | Features Supported | Attributes Managed
--- | --- | --- | ---
Group | groupOfUniqueNames, iplanet-am-managed-group, iplanet-am-managed-filtered-group, iplanet-am-managed-assignable-group, iplanet-am-managed-static-group, inetMailGroup, inetLocalRecipient | Create, update, delete, rename, saveas, find | cn, description, owner, uniqueMember
Domain | domain, organization, inetdomainauthinfo, sunManagedOrganization, sunNameSpace, mailDomain, icsCalendarDomain | find | dc
Organizational Unit | organizationalUnit, iplanet-am-managed-people-container | Create, rename, saveas, find | ou
Organization | organization | Create, rename, saveas, find | o
Identity Template
None. You must supply the identity template with a valid value.
Sample Forms
- Sun Java System Communications Services ActiveSync Form
- Sun Java System Communications Services Create Group Form
- Sun Java System Communications Services Create Organizational Unit Form
- Sun Java System Communications Services Create Organization Form
- Sun Java System Communications Services Update Group Form
- Sun Java System Communications Services Update Organizational Unit Form
Troubleshooting
Use the Identity Manager debug pages to set trace options on one or more of the following classes:
- com.waveset.adapter.SunCommunicationsServicesResourceAdapter
- com.waveset.adapter.LDAPResourceAdapter
- com.waveset.adapter.LDAPResourceAdapterBase