The LDAP adapter can be configured to provision to Microsoft’s Active Directory Application Mode (ADAM). The following sections describe how to enable ADAM support.
The ADAM schema may have to be adjusted for use with Identity Manager. The resource schema and the identity template in an LDAP resource often contain a reference to a unique identifier (or account ID). ADAM differs from other LDAP implementations in that:
In ADAM, objectclass definitions only allow a single naming attribute. (A naming attribute is an attribute that appears in the leftmost RDN component of the DN.)
The uid attribute is defined as multi-valued.
The cn attribute is defined as single-valued and cannot be longer than 64 characters.
Attribute indexing in ADAM is configured in the schema. Each attribute definition entry in the schema has a searchFlags attribute. For example, the definition for Uid is located at cn=Uid,cn=Schema under the schema context. The searchFlags attribute is a bitmask; the values 1 (create index), 2 (create index in each container) and 64 (index to support efficient VLV queries) are the bits related to indexing. Because it is a bitmask, add the bits you need to the existing value rather than overwriting it, so that unrelated flags already set on the attribute are preserved.
Refer to the Microsoft documentation on updating the schema in an ADAM instance.
Reconciliation against ADAM can use either the Paged Results Control or the Virtual List View (VLV) Control. To use the former, select the “Use Paged Results Control” checkbox on the resource parameters page of the resource. To use the latter, the attribute named in the “VLV Sort Attribute” field on the same page must be indexed in ADAM with the option that supports efficient VLV queries (searchFlags bit 64). See Modifying the ADAM Schema for details.
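The following is an added example, not part of the Identity Manager documentation or product, that ties the searchFlags bitmask description above to the VLV requirement for reconciliation. It decodes the indexing bits of a searchFlags value, computes the value needed to make the VLV sort attribute usable (index bit 1 plus VLV bit 64, with any other bits preserved), and emits an LDIF modify that can be imported with ldifde. The current searchFlags value (2, container index only) and the schema context DN form CN=Schema,CN=Configuration,CN={instance-guid} are constructed placeholders for the example; read the real value from your instance and substitute your instance GUID before importing.

```python
from typing import Dict, List

# Indexing-related searchFlags bits as described for ADAM.
SEARCHFLAGS_INDEX = 1            # create index
SEARCHFLAGS_CONTAINER_INDEX = 2  # create index in each container
SEARCHFLAGS_VLV_INDEX = 64       # index to support efficient VLV queries

FLAG_NAMES: Dict[int, str] = {
    SEARCHFLAGS_INDEX: "index",
    SEARCHFLAGS_CONTAINER_INDEX: "container-index",
    SEARCHFLAGS_VLV_INDEX: "vlv-index",
}

# Constructed placeholder: the ADAM schema naming context. Replace the GUID
# with the one of your own instance (this form is an assumption, not from the docs).
SCHEMA_CONTEXT = "CN=Schema,CN=Configuration,CN={00000000-0000-0000-0000-000000000000}"


def decode_search_flags(value: int) -> List[str]:
    """Names of the indexing-related bits set in a searchFlags value."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if value & bit]


def is_vlv_ready(value: int) -> bool:
    """True if the attribute is indexed and that index supports VLV queries."""
    return bool(value & SEARCHFLAGS_INDEX) and bool(value & SEARCHFLAGS_VLV_INDEX)


def vlv_ready_search_flags(current: int) -> int:
    """Return searchFlags with the index and VLV bits set.

    OR-ing keeps any other bits already present on the attribute, which is what
    distinguishes a safe schema change from blindly writing 64.
    """
    return current | SEARCHFLAGS_INDEX | SEARCHFLAGS_VLV_INDEX


def build_search_flags_ldif(attribute_cn: str, schema_context: str, new_flags: int) -> str:
    """LDIF modify entry that replaces searchFlags on the attribute's schema entry."""
    dn = "cn={},{}".format(attribute_cn, schema_context)
    return "\n".join([
        "dn: " + dn,
        "changetype: modify",
        "replace: searchFlags",
        "searchFlags: {}".format(new_flags),
        "-",
        "",
    ])


def plan_vlv_index(attribute_cn: str, current_flags: int, schema_context: str = SCHEMA_CONTEXT) -> str:
    """Return the LDIF needed to make attribute_cn VLV-capable, or '' if nothing to do."""
    if is_vlv_ready(current_flags):
        return ""
    return build_search_flags_ldif(attribute_cn, schema_context, vlv_ready_search_flags(current_flags))


if __name__ == "__main__":
    # Constructed sample: Uid currently has only the container-index bit set.
    current = SEARCHFLAGS_CONTAINER_INDEX
    print("current bits:", decode_search_flags(current))
    print(plan_vlv_index("Uid", current))
```

Save the printed LDIF to a file and import it against the instance, for example with `ldifde -i -f uid-vlv.ldf -s host:port`, then read searchFlags back to confirm the value (2 becomes 67 in the sample) before selecting Uid as the VLV Sort Attribute.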
Active Sync is not supported with ADAM.
Use the following procedure to allow Identity Manager to enable and disable accounts in ADAM.
On the LDAP Resource Parameters page, set the LDAP Activation Method parameter to com.waveset.adapter.util.ActivationByAttributePushDisablePullEnable
Set the LDAP Activation Parameter to Identity_System_Attribute=true, for example MyUserAccountDisabled=true. (The Identity System attribute is specified on the Account Attributes page in the next step.)
On the Account Attributes page, add the Identity System attribute specified in the LDAP Activation Parameter field as an Identity System User attribute. Set the Resource User attribute to msDS-UserAccountDisabled. The attribute must be of type string.