The Windows NT resource adapter is defined in the com.waveset.adapter.NTResourceAdapter class.
This section describes Windows NT provisioning across multiple domains with two-way trusts. The following constraints apply when managing multiple domains from a single domain.
Terms referenced in this section are:
Gateway domain – Domain that the gateway machine is a member of.
Resource admin account – Administrative account defined in the Identity Manager resource.
Service account – Account that the gateway service is running as.
These trusts must be established:
The gateway domain needs to trust each domain in which a resource admin account is defined.
The gateway does a local login using the resource admin account, so its domain must trust the domain that the account lives in.
The gateway domain needs to trust each domain for which you will be doing pass-through authentication.
The gateway does a local login to authenticate user accounts, so its domain needs to trust the domain for those accounts.
The resource admin account must be a member of the Account Operators group in each domain that will be used to manage accounts. Each of these domains must trust the domain that contains the resource admin account.
You cannot add an account to a local group unless the account's domain is trusted by the local group's domain.
The domain of the service account must be trusted by the gateway domain.
When the gateway service is started, a local login of the service account is done. If any of the resource admin accounts is different from the service account, or you will be doing pass-through authentication for any of the domains, then the service account needs the Act As Operating System and Bypass Traverse Checking user rights in the gateway domain. These rights are required for the service account to log on as, and impersonate, another account.
If you will be creating home directories, then the resource admin account needs to be able to create directories on the file system on which the directories will be created. If the home directory will be created on a network drive, the resource admin account must have write access to the file system named by the TEMP or TMP environment variable of the gateway process; or, if neither is defined, the gateway process's working directory (this is either WINNT or WINNT\system32).
If you will be running before, after, or resource actions, the resource admin account needs read and write access to the file system named by the TEMP or TMP environment variable of the gateway process; or, if neither is defined, the gateway process's working directory (this is either WINNT or WINNT\system32).
The gateway writes the scripts and the script output to one of these directories (the directories are checked in the order listed above, and the first one defined is used).
Configure a separate resource adapter for each domain. The same gateway host can be used.
It should be possible to manage multiple domains using a single resource by overriding any domain-specific resource attributes (the domain and possibly the administrator and password) for each user.
Since a domain trusts itself, some of the trust relationships do not need to be made explicit when the two domains in question are really the same domain.
You can use the same account for the resource admin account for all managed domains, as well as the service account, if you set up the appropriate trust relationships, group membership, and user rights.
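The following PowerShell script is an added example, not part of the Identity Manager documentation: run on the Gateway host, it exports the local security policy with secedit and reports whether the service account directly holds the Act As Operating System and Bypass Traverse Checking rights described above, and whether each account to be authenticated holds Access This Computer From The Network. The function name, parameter names and the sample account names are assumptions of this example; the policy constant names (SeTcbPrivilege, SeChangeNotifyPrivilege, SeNetworkLogonRight) are the standard Windows names for those rights.

```powershell
function Get-GatewayUserRightsReport {
    param(
        [Parameter(Mandatory)] [string] $ServiceAccount,  # e.g. 'GWDOM\gwsvc' (constructed)
        [string[]] $PassThroughAccounts = @()              # accounts to be authenticated
    )
    # Policy constant names for the rights the documentation refers to by display name.
    $rights = @{
        'Act As Operating System'               = 'SeTcbPrivilege'
        'Bypass Traverse Checking'              = 'SeChangeNotifyPrivilege'
        'Access This Computer From The Network' = 'SeNetworkLogonRight'
    }
    # Export the effective local policy of this host (the Gateway system) to a fresh file.
    $inf = Join-Path $env:TEMP 'gateway-user-rights.inf'
    Remove-Item $inf -ErrorAction SilentlyContinue
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    # Parse the [Privilege Rights] section; each line reads  SeXxx = *SID,*SID,...
    $granted = @{}
    $inSection = $false
    foreach ($line in Get-Content $inf) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^(Se\w+)\s*=\s*(.*)$') {
            $granted[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    # Only direct assignments are checked; a right held through group membership
    # (for example via Administrators) is not resolved here.
    function Resolve-Sid([string] $account) {
        ([System.Security.Principal.NTAccount] $account).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    }
    $report = New-Object System.Collections.Generic.List[object]
    $svcSid = Resolve-Sid $ServiceAccount
    foreach ($name in 'Act As Operating System', 'Bypass Traverse Checking') {
        $report.Add([pscustomobject]@{ Account = $ServiceAccount; Right = $name
            Granted = ($granted[$rights[$name]] -contains $svcSid) })
    }
    foreach ($acct in $PassThroughAccounts) {
        $report.Add([pscustomobject]@{ Account = $acct; Right = 'Access This Computer From The Network'
            Granted = ($granted['SeNetworkLogonRight'] -contains (Resolve-Sid $acct)) })
    }
    return $report
}
# Example call with constructed account names:
# Get-GatewayUserRightsReport -ServiceAccount 'GWDOM\gwsvc' -PassThroughAccounts 'USERDOM\alice' | Format-Table
```

A `Granted = False` row for the service account means the right must be added to the gateway domain's policy (and, per the propagation note later in this section, the Gateway restarted once the policy has applied).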
The Windows NT adapter does not require any additional installation procedures.
The Scripted Gateway adapter allows you to use the RA_HANGTIMEOUT resource attribute to specify a timeout value in seconds. This attribute controls how long Identity Manager waits for a response from the gateway before the request times out and is considered hung. You must manually add this attribute to the resource object as follows:
The default value for this attribute is 0, indicating that Identity Manager will not check for a hung connection.
This section provides information about supported connections and privilege requirements.
Identity Manager uses the Sun Identity Manager Gateway to communicate with this adapter.
Administrators must have permission to create and maintain users and groups on the resource.
The following table summarizes the provisioning capabilities of this adapter.
| Feature | Supported? |
|---|---|
| Enable/disable account | Yes |
| Rename account | Yes |
| Pass-through authentication | Yes |
| Before/after actions | Yes |
| Data loading methods | |
The following administrative privileges are required to support Active Directory pass-through authentication for Windows 2003 running in Windows 2000 mode.
When configuring the Gateway to run as a user, that user must have the Act As Operating System User Right to perform pass-through authentication for the Windows NT and Windows 2000/Active Directory resources. The user must also have the Bypass Traverse Checking User Right, but this right is enabled for all users by default.
Accounts being authenticated must have the Access This Computer From The Network User Right on the Gateway system.
When Identity Manager is updating user rights, there may be a delay before the security policy is propagated. Once the policy has been propagated, you must restart the Gateway.
Account authentication is performed with the LogonUser function, using the LOGON32_LOGON_NETWORK logon type and the LOGON32_PROVIDER_DEFAULT logon provider. (The LogonUser function is provided with the Microsoft Platform Software Development Kit.)
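As an added example (not code from the Identity Manager documentation or the Gateway itself), the following PowerShell function authenticates an account the same way the text describes, with LogonUser, LOGON32_LOGON_NETWORK and LOGON32_PROVIDER_DEFAULT, and maps the Win32 error on failure onto the requirement from this section that is most likely unmet. Run it on the Gateway host under the gateway service account; the function name and the error-to-requirement hints are this example's own.

```powershell
# P/Invoke declarations for the two Win32 calls used (advapi32 LogonUser, kernel32 CloseHandle).
$logonApi = Add-Type -Name 'NativeLogon' -Namespace 'GatewayCheck' -PassThru -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool LogonUser(string user, string domain, string password,
                                    int logonType, int logonProvider, out IntPtr token);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
'@

function Test-GatewayPassThroughLogon {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [string] $UserName,
        [Parameter(Mandatory)] [securestring] $Password
    )
    $LOGON32_LOGON_NETWORK    = 3   # logon type the Gateway uses
    $LOGON32_PROVIDER_DEFAULT = 0   # logon provider the Gateway uses
    # Win32 error codes mapped onto the prerequisites listed in this section (example's own mapping).
    $hints = @{
        1326 = 'ERROR_LOGON_FAILURE: wrong user name or password'
        1385 = 'ERROR_LOGON_TYPE_NOT_GRANTED: account lacks Access This Computer From The Network on this host'
        1314 = 'ERROR_PRIVILEGE_NOT_HELD: calling account lacks Act As Operating System'
        1311 = 'ERROR_NO_LOGON_SERVERS: no domain controller for the account domain is reachable'
        1788 = 'ERROR_TRUSTED_DOMAIN_FAILURE: trust between the gateway domain and the account domain failed'
        1789 = 'ERROR_TRUSTED_RELATIONSHIP_FAILURE: this host''s own domain membership is broken'
    }
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        $token = [IntPtr]::Zero
        $ok  = $logonApi::LogonUser($UserName, $Domain, $plain, $LOGON32_LOGON_NETWORK,
                                    $LOGON32_PROVIDER_DEFAULT, [ref] $token)
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        if ($ok) { [void] $logonApi::CloseHandle($token) }   # token is not needed, only the verdict
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)   # scrub the unmanaged copy of the password
    }
    if ($ok) { $hint = 'Pass-through authentication would succeed' }
    elseif ($hints.ContainsKey($err)) { $hint = $hints[$err] }
    else { $hint = "Unmapped Win32 error $err" }
    [pscustomobject]@{
        Account    = "$Domain\$UserName"
        Succeeded  = $ok
        Win32Error = if ($ok) { 0 } else { $err }
        Hint       = $hint
    }
}
# Example call with constructed names; the password is prompted for, never typed on the command line:
# Test-GatewayPassThroughLogon -Domain 'USERDOM' -UserName 'alice' -Password (Read-Host -AsSecureString)
```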
The following table provides information about Windows NT account attributes.
| Resource User Attribute | Tab/NT Field | Attribute Type |
|---|---|---|
| AccountLocked | General/Account is locked out | Boolean |
| description | General/Description | String |
| fullname | General/Full Name | String |
| groups | Member Of/Member of | String |
| HomeDirDrive | Profile/Connect | String |
| HomeDirectory | Profile/Local Path | String |
| LoginScript | Profile/Login script | String |
| PasswordNeverExpires | General/Password never expires | Boolean |
| Profile | Profile/Profile path | String |
| userPassword | Password | Encrypted |
| WS_PasswordExpired | General/User must change password at next login | Boolean |
| PasswordAge | Not displayed by default. Indicates the amount of time since the last password change. To implement, use the java.util.Date class to convert the value into a human-readable format. | Int |
Identity Manager supports the following objects:
| Resource Object | Features Supported | Attributes Managed |
|---|---|---|
| Group | create, update, delete | description, member |
$accountId$
Windows NT Create Group Form
Windows NT Update Group Form
NTForm.xml
Use the Identity Manager debug pages to set trace options on the following class:
com.waveset.adapter.NTResourceAdapter