Sun Identity Manager 8.1 Resources Reference

ADAM Support

The LDAP adapter can be configured to provision to Microsoft’s Active Directory Application Mode (ADAM). The following sections describe how to enable ADAM support.

Modifying the ADAM Schema

The ADAM schema may have to be adjusted for use with Identity Manager. The resource schema and the identity template in an LDAP resource often contain a reference to a unique identifier (or account ID). ADAM differs from other LDAP implementations in that

Attribute indexing in ADAM is configured in the schema. Each attribute definition entry in the schema has a searchFlags attribute; for example, the definition for Uid is located at cn=Uid,cn=Schema under the schema context. searchFlags is a bitmask, and the values 1 (create an index), 2 (create an index in each container) and 64 (create an index that supports efficient VLV queries) control indexing. Because it is a bitmask, add a bit by combining it with the current value (bitwise OR) rather than overwriting the value, or any flags already set on the attribute for other reasons are lost.

Refer to the Microsoft documentation on updating the schema in an ADAM instance.

Enabling and Disabling Accounts in ADAM

Reconciliation against ADAM can use either the Paged Results Control or the Virtual List View (VLV) Control. To use the former, select the “Use Paged Results Control” checkbox on the resource's Resource Parameters page. To use the latter, the attribute named in the “VLV Sort Attribute” field on the Resource Parameters page must be indexed in ADAM with the option that supports efficient VLV queries (searchFlags bit 64); reconciliation with VLV fails or performs poorly if that index is missing. See Modifying the ADAM Schema for details.
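The following is an added example, not part of the Sun documentation or the Identity Manager product, that ties the two points above together: it reads the searchFlags value of a schema attribute from an ldifde export, checks whether the attribute is indexed with the VLV option (bits 1 and 64, the reading of the page's list), and, if not, generates the LDIF that ldifde -i can import to OR those bits in and refresh the schema cache. The schema partition GUID, the uid attribute and the sample export are constructed for a hypothetical ADAM instance; substitute your own.

```python
"""Check and repair the searchFlags bitmask on an ADAM attributeSchema entry.

Added example for this page (not Sun Identity Manager code). Export the
attribute with ldifde (or read it in ADSI Edit), run it through these
helpers offline, and import the generated LDIF with ldifde -i.
"""
import re
from typing import Optional

# searchFlags bits named on the page (ADAM/AD schema values).
ATT_INDEX = 1        # create an index over the attribute
CONTAINER_INDEX = 2  # create an index in each container
VLV_INDEX = 64       # subtree index that supports efficient VLV queries

# A VLV sort attribute needs to be indexed (1) with the VLV option (64).
VLV_REQUIRED = ATT_INDEX | VLV_INDEX

# Constructed: schema partition DN of a hypothetical instance (the GUID is a
# placeholder) and an ldifde export of its uid attribute. searchFlags 9 here
# is 1 (indexed) + 8 (preserve on delete), i.e. no VLV index yet.
SCHEMA_DN = "CN=Schema,CN=Configuration,CN={11111111-2222-3333-4444-555555555555}"
SAMPLE_EXPORT = f"""dn: CN=uid,{SCHEMA_DN}
changetype: add
objectClass: attributeSchema
cn: uid
lDAPDisplayName: uid
searchFlags: 9
"""


def parse_search_flags(ldif_text: str) -> int:
    """Return the searchFlags value from an export of one attribute (0 if absent)."""
    match = re.search(r"^searchFlags:\s*(\d+)\s*$", ldif_text, re.MULTILINE)
    return int(match.group(1)) if match else 0


def supports_vlv(search_flags: int) -> bool:
    """True when both bits a VLV sort attribute needs are already set."""
    return search_flags & VLV_REQUIRED == VLV_REQUIRED


def with_vlv_index(search_flags: int) -> int:
    """OR the VLV bits into the current value.

    Assigning 65 outright would clear unrelated flags (such as the 8 in the
    sample), which is the mistake the bitmask caveat is about.
    """
    return search_flags | VLV_REQUIRED


def vlv_modify_ldif(attribute_cn: str, schema_dn: str, new_flags: int) -> str:
    """LDIF for ldifde -i: replace searchFlags, then ask the server to reload its schema cache."""
    return (
        f"dn: CN={attribute_cn},{schema_dn}\n"
        "changetype: modify\n"
        "replace: searchFlags\n"
        f"searchFlags: {new_flags}\n"
        "-\n"
        "\n"
        "dn:\n"                      # rootDSE
        "changetype: modify\n"
        "add: schemaUpdateNow\n"
        "schemaUpdateNow: 1\n"
        "-\n"
    )


def plan_vlv_index(export: str, attribute_cn: str, schema_dn: str) -> Optional[str]:
    """Return the LDIF to apply, or None when the attribute already supports VLV."""
    current = parse_search_flags(export)
    if supports_vlv(current):
        return None
    return vlv_modify_ldif(attribute_cn, schema_dn, with_vlv_index(current))


if __name__ == "__main__":
    ldif = plan_vlv_index(SAMPLE_EXPORT, "uid", SCHEMA_DN)
    print(ldif if ldif else "uid is already indexed for VLV")
```

For the sample export the script emits a modify that sets searchFlags to 73 (9 OR 65), keeping the existing flag 8. Save the output as a .ldf file and import it with ldifde -i -f file.ldf -s host:port against the ADAM instance; the trailing rootDSE operation makes the schema change take effect without restarting the instance. Run the check before switching a resource to the VLV control, because the “VLV Sort Attribute” setting does not verify the index for you.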

Active Sync is not supported with ADAM.

Use the following procedure to allow Identity Manager to enable and disable accounts in ADAM.

Procedure: Enabling and Disabling Accounts in ADAM

  1. On the LDAP Resource Parameters page, set the LDAP Activation Method parameter to com.waveset.adapter.util.ActivationByAttributePushDisablePullEnable.

  2. Set the LDAP Activation Parameter to Identity_System_Attribute=true, where Identity_System_Attribute is the name of the Identity System attribute you will define on the Account Attributes page in the next step. For example: MyUserAccountDisabled=true

  3. On the Account Attributes page, add the Identity System attribute named in the LDAP Activation Parameter field (MyUserAccountDisabled in the example) as an Identity System User attribute, and set its Resource User attribute to msDS-UserAccountDisabled. The attribute must be of type string.