Windows Active Directory Connector
1.0.0.3663
This section provides instructions for configuring connector-based Active Directory resources for use with Identity Manager, including the following:
Connector Server Location
Connector Server Service Account
Unless the LDAP Hostname resource attribute is set, the connector will perform a serverless bind to the directory. For the serverless bind to work, the connector server must be installed on a system that is in a domain and that “knows” about the domain/directory to be managed. All Windows domains managed by a connector must be part of the same forest. Managing domains across forest boundaries is unsupported. If you have multiple forests, install at least one connector server in each forest.
The LDAP Hostname resource attribute tells the connector to bind to a particular DNS hostname or IP address. This is the opposite of a serverless bind. However, the LDAP Hostname does not necessarily have to specify a specific domain controller. The DNS name of an AD domain can be used. If the connector's DNS server is configured to return multiple IP addresses for that DNS name, then one of them will be used for the directory bind. This avoids having to rely on a single domain controller.
Some operations, including pass-through authentication and before and after actions, require that the connector server be a member of a domain.
By default, the connector server runs as the local System account. This is configurable through the Services MMC Snap-in.
If you run the connector server as an account other than Local System, the connector server service account requires the “Act As Operating System” and “Bypass Traverse Checking” user rights. It uses these rights for pass-through authentication and for changing and resetting passwords in certain situations.
Most of the management of AD is done using the administrative account specified in the resource. However, some operations are done as the connector server service account. This means that the connector server service account must have the appropriate permissions to perform these operations. Currently, these operations are:
When performing before and after action scripts, the connector server may need the Replace a process level token right. This right is required if the connector server attempts to run the script subprocess as another user, such as the resource administrative user. In this case, the connector server process needs the right to replace the default token associated with that subprocess.
If this right is missing, the following error may be returned during subprocess creation:
"Error creating process: A required privilege is not held by the client"
The Replace a process level token right is defined in the Default Domain Controller Group Policy object and in the local security policy of workstations and servers. To set this right on a system, open the Local Security Policies application within the Administrative Tools folder, then navigate to Local Policies > User Rights Assignment > Replace a process level token.
For the latest information on setting up a connector server, see https://identityconnectors.dev.java.net/connector server.html.
This section lists dependencies and limitations related to using the Active Directory connector, including:
Checking Password History
Configuring Active Sync
Specifying a Domain for Pass-Through Authentication
To check the password history for an Active Directory account when an end-user changes his or her password, the user must provide an AD password. You can enable this feature on an AD resource by selecting the User Provides Password On Change checkbox on the Resource Parameters page and adding the WS_USER_PASSWORD attribute to the account attributes with type encrypted. WS_USER_PASSWORD must be added as an Identity Manager User Attribute and as a Resource User Attribute.
If the Search Child Domains resource parameter is NOT selected, the LDAP Hostname must be configured to specify the hostname of a specific Domain Controller, because Active Sync must always connect to the same Domain Controller. If the Search Child Domains option is selected, then the Sync Global Catalog Server must be set to a specific Global Catalog server.
See Chapter 52, Active Directory Synchronization Failover for information about limiting the number of repeated events that occur when you switch to a new domain controller.
In a default configuration, pass-through authentication is accomplished by sending the user ID and password only. These two attributes are configured in the AuthnProperties element in the resource object’s XML as w2k_user and w2k_password. Without a domain specification, the connector server searches all known domains and tries to authenticate the user in the domain that contains the user.
In a trusted multi-domain environment, there can be two possible situations:
All domains contain a synchronized user/password combination
The user/password combination is domain dependent.
When the user/password combination is synchronized, configure your Active Directory resources so that they are common resources. See Business Administrator's Guide for more information about setting up common resources.
In an environment with multiple trusted domains and Active Directory forests, the authentication can fail using any of these configurations because the Global Catalog does not contain cross-forest information. If a user supplies a wrong password, it could also lead to account lockout in the user’s domain if the number of domains is greater than the lockout threshold.
Login failures will occur in domains if the user exists in the domain and the password is not synchronized.
It is not possible to use multiple data sources for the domain information in one Login Module Group.
This section provides information about supported connections and privilege environments.
This section describes Active Directory permission and reset password permission requirements.
The administrative account configured in the Active Directory resource must have the appropriate permissions in Active Directory.
Table 57–1 Active Directory Permissions
The permissions required to create, delete, and update resource objects are as expected: the account needs Create and Delete permissions for the corresponding object type, and Read/Write permissions on the properties that will be updated.
To support Active Directory (AD) pass-through authentication:
When configuring the connector server to run as a user, that user account must have the “Act As Operating System” and “Bypass Traverse Checking” user rights. By default, the connector server runs as the Local System account, which should already have these rights. Also, the “Bypass Traverse Checking” user right is enabled for all users by default.
If you must update user rights, there might be a delay before the updated security policy is propagated. Once the policy has been propagated, you must restart the connector server.
Accounts being authenticated must have “Access This Computer From The Network” user rights on the connector server.
The connector server uses the LogonUser function with the LOGON32_LOGON_NETWORK log-on type and the LOGON32_PROVIDER_DEFAULT log-on provider to perform pass-through authentication. The LogonUser function is provided with the Microsoft Platform Software Development Kit.
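The user rights named in this chapter (“Act As Operating System” and “Bypass Traverse Checking” for the service account, Replace a process level token for before/after action scripts, and “Access This Computer From The Network” for the accounts being authenticated) are set through the Local Security Policy, but it is easy to lose track of who actually holds them after a policy change. The following script is an added example, not part of the Identity Manager documentation: it exports the effective local security policy with secedit and reports the holders of each right. The service account name is a placeholder, and the mapping from the policy display names to the constants secedit writes (SeTcbPrivilege, SeChangeNotifyPrivilege, SeAssignPrimaryTokenPrivilege, SeNetworkLogonRight) is standard Windows naming, not something the chapter states.

```powershell
# Added example, not part of the Identity Manager documentation.
# Exports the local security policy with secedit and reports who holds the user
# rights this chapter requires for the connector server service account and for
# the accounts that are authenticated through pass-through authentication.
# Assumptions: run in an elevated session on the connector server; $ServiceAccount
# is a placeholder for the account the connector server service runs as.

$ServiceAccount = 'MYDOMAIN\svc-connector'   # placeholder: replace with the real service account

# Display name as shown in the Local Security Policy UI -> constant written by secedit.
$RequiredRights = @(
    [pscustomobject]@{ Name = 'Act as part of the operating system';   Constant = 'SeTcbPrivilege';                Holder = 'service account' }
    [pscustomobject]@{ Name = 'Bypass traverse checking';              Constant = 'SeChangeNotifyPrivilege';       Holder = 'service account' }
    [pscustomobject]@{ Name = 'Replace a process level token';         Constant = 'SeAssignPrimaryTokenPrivilege'; Holder = 'service account' }
    [pscustomobject]@{ Name = 'Access this computer from the network'; Constant = 'SeNetworkLogonRight';           Holder = 'authenticated users' }
)

function Get-LocalUserRightsAssignment {
    # Returns a hashtable: right constant -> account names holding it (SIDs translated where possible).
    $cfg = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $rights = @{}
        foreach ($line in Get-Content -Path $cfg) {
            # [Privilege Rights] entries look like: SeTcbPrivilege = *S-1-5-32-544,MYDOMAIN\svc-connector
            if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
                $holders = foreach ($entry in ($Matches[2] -split ',')) {
                    $entry = $entry.Trim()
                    if ($entry -and $entry.StartsWith('*')) {
                        try {
                            (New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))).Translate([System.Security.Principal.NTAccount]).Value
                        } catch { $entry }   # keep SIDs that cannot be resolved as they are
                    } elseif ($entry) { $entry }
                }
                $rights[$Matches[1]] = @($holders)
            }
        }
        return $rights
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

$assigned = Get-LocalUserRightsAssignment
foreach ($right in $RequiredRights) {
    $holders = @($assigned[$right.Constant])
    $status = if ($right.Holder -eq 'service account') {
        if ($holders -contains $ServiceAccount) { 'held by service account' } else { 'NOT directly granted to service account' }
    } else {
        'needed by the accounts being authenticated; review holders'
    }
    '{0,-40} {1,-30} {2}' -f $right.Name, $right.Constant, $status
    '    holders: ' + $(if ($holders) { $holders -join ', ' } else { '(none)' })
}
```

A right can also reach the service account through group membership (Administrators, for example), so a “NOT directly granted” line means the account itself is not listed, not necessarily that it lacks the right; check the listed groups before editing policy. The export reflects the local security database, so settings that arrive through Group Policy show up once they have propagated, which matches the chapter's note that a restart of the connector server is needed after propagation.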
The following table summarizes the provisioning capabilities of this connector.
Table 57–2 Provisioning Capabilities
| Feature | Supported? |
|---|---|
| Enable/disable account | Yes | 
| Rename account | Yes | 
| Pass-through authentication | Yes | 
| Before/after actions | Yes. The Active Directory resource supports before and after actions, which use batch scripts to perform activities on the connector server during a user create, update, or delete request. For more information, see Chapter 50, Adding Actions to Resources. |
| Data loading methods | Import directly from resource; Reconcile with resource; Active Sync |
The syntax (or type) of an attribute usually determines whether the attribute is supported. In general, Identity Manager supports Boolean, string, and integer syntaxes. Binary strings and similar syntaxes are not supported.
This section provides information about supported and unsupported account syntaxes.
The following table lists the Active Directory syntax supported by Identity Manager:
Table 57–3 List of Supported Syntaxes
| AD Syntax | Identity Manager Syntax | Syntax ID | OM ID | ADS Type |
|---|---|---|---|---|
| Boolean | Boolean | 2.5.5.8 | 1 | ADSTYPE_BOOLEAN | 
| Enumeration | String | 2.5.5.9 | 10 | ADSTYPE_INTEGER | 
| Integer | Int | 2.5.5.9 | 2 | ADSTYPE_INTEGER | 
| DN String | String | 2.5.5.1 | 127 | ADSTYPE_DN_STRING | 
| Presentation Address | String | 2.5.5.13 | 127 | ADSTYPE_CASE_IGNORE_STRING | 
| IA5 String | String | 2.5.5.5 | 22 | ADSTYPE_PRINTABLE_STRING | 
| Printable String | String | 2.5.5.5 | 19 | ADSTYPE_PRINTABLE_STRING | 
| Numeric String | String | 2.5.5.6 | 18 | ADSTYPE_NUMERIC_STRING | 
| OID String | String | 2.5.5.2 | 6 | ADSTYPE_CASE_IGNORE_STRING | 
| Case Ignore String (teletex) | String | 2.5.5.4 | 20 | ADSTYPE_CASE_IGNORE_STRING | 
| Unicode String | String | 2.5.5.12 | 64 | ADSTYPE_OCTET_STRING | 
| Interval | String | 2.5.5.16 | 65 | ADSTYPE_LARGE_INTEGER | 
| LargeInteger | String | 2.5.5.16 | 65 | ADSTYPE_LARGE_INTEGER | 
The following table lists the Active Directory syntaxes that are not supported by Identity Manager:
Table 57–4 Unsupported Active Directory Syntaxes
| Syntax | Syntax ID | OM ID | ADS Type |
|---|---|---|---|
| DN with Unicode string | 2.5.5.14 | 127 | ADSTYPE_DN_WITH_STRING | 
| DN with binary | 2.5.5.7 | 127 | ADSTYPE_DN_WITH_BINARY | 
| OR-Name | 2.5.5.7 | 127 | ADSTYPE_DN_WITH_BINARY | 
| Replica Link | 2.5.5.10 | 127 | ADSTYPE_OCTET_STRING | 
| NT Security Descriptor | 2.5.5.15 | 66 | ADSTYPE_NT_SECURITY_DESCRIPTOR | 
| Octet String | 2.5.5.10 | 4 | ADSTYPE_OCTET_STRING | 
| SID String | 2.5.5.17 | 4 | ADSTYPE_OCTET_STRING | 
| UTC Time String | 2.5.5.11 | 23 | ADSTYPE_UTC_TIME | 
| Object(Access-Point) | 2.5.5.14 | 127 | n/a | 
Identity Manager supports the jpegPhoto and thumbnailPhoto account attributes, which use the Replica Link syntax. Other Replica Link attributes might be supported, but they have not been tested.
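Tables 57–3 and 57–4 classify attributes by their schema syntax (attributeSyntax OID plus oMSyntax), so whether an arbitrary attribute can be managed can be decided by reading the schema rather than by trial and error. The following script is an added example, not part of the Identity Manager documentation: it looks up attributes in the AD schema with the ActiveDirectory PowerShell module and classifies them against the two tables, treating jpegPhoto and thumbnailPhoto as the documented exceptions. It assumes the ActiveDirectory module is installed and the session is domain-joined with read access to the schema partition; the sample attribute names in the final call are constructed.

```powershell
# Added example, not part of the Identity Manager documentation.
# Looks up attributes in the AD schema and classifies their syntax against
# Tables 57-3 and 57-4, so you can tell before building a form whether an
# attribute is one Identity Manager can manage.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

# Syntax ID / OM ID pairs from Table 57-3 -> Identity Manager type.
$SupportedSyntaxes = @{
    '2.5.5.8/1'    = 'Boolean'
    '2.5.5.9/10'   = 'String'   # Enumeration
    '2.5.5.9/2'    = 'Int'      # Integer
    '2.5.5.1/127'  = 'String'   # DN String
    '2.5.5.13/127' = 'String'   # Presentation Address
    '2.5.5.5/22'   = 'String'   # IA5 String
    '2.5.5.5/19'   = 'String'   # Printable String
    '2.5.5.6/18'   = 'String'   # Numeric String
    '2.5.5.2/6'    = 'String'   # OID String
    '2.5.5.4/20'   = 'String'   # Case Ignore String (teletex)
    '2.5.5.12/64'  = 'String'   # Unicode String
    '2.5.5.16/65'  = 'String'   # Interval / LargeInteger
}
# Pairs from Table 57-4.
$UnsupportedSyntaxes = @{
    '2.5.5.14/127' = 'DN with Unicode string / Object(Access-Point)'
    '2.5.5.7/127'  = 'DN with binary / OR-Name'
    '2.5.5.10/127' = 'Replica Link'
    '2.5.5.15/66'  = 'NT Security Descriptor'
    '2.5.5.10/4'   = 'Octet String'
    '2.5.5.17/4'   = 'SID String'
    '2.5.5.11/23'  = 'UTC Time String'
}
# Documented exceptions: supported even though their syntax is in the unsupported list.
$DocumentedExceptions = @('jpegPhoto', 'thumbnailPhoto')

function ConvertTo-LdapFilterLiteral {
    # Escape RFC 4515 special characters so a caller-supplied name cannot alter the filter.
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Get-IdmAttributeSupport {
    param([Parameter(Mandatory)][string[]]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    foreach ($name in $LdapDisplayName) {
        $filter = '(&(objectClass=attributeSchema)(lDAPDisplayName={0}))' -f (ConvertTo-LdapFilterLiteral $name)
        $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter $filter -Properties lDAPDisplayName, attributeSyntax, oMSyntax, isSingleValued
        if (-not $attr) {
            [pscustomobject]@{ Attribute = $name; Syntax = $null; IdmType = $null; MultiValued = $null; Support = 'not in schema' }
            continue
        }
        $key = '{0}/{1}' -f $attr.attributeSyntax, $attr.oMSyntax
        $support = if ($DocumentedExceptions -contains $name) { 'supported (documented exception)' }
                   elseif ($SupportedSyntaxes.ContainsKey($key)) { 'supported' }
                   elseif ($UnsupportedSyntaxes.ContainsKey($key)) { 'unsupported: ' + $UnsupportedSyntaxes[$key] }
                   else { 'not listed in this chapter' }
        [pscustomobject]@{
            Attribute   = $attr.lDAPDisplayName
            Syntax      = $key
            IdmType     = $SupportedSyntaxes[$key]
            MultiValued = -not $attr.isSingleValued
            Support     = $support
        }
    }
}

# Constructed sample: a mix of supported, unsupported and exception attributes from this chapter.
Get-IdmAttributeSupport -LdapDisplayName 'sAMAccountName', 'userAccountControl', 'objectSid', 'nTSecurityDescriptor', 'jpegPhoto' |
    Format-Table -AutoSize
```

The MultiValued column comes from the schema's isSingleValued flag, which is useful to compare against the Allows Multiple Values column of the attribute tables that follow. Attribute names are escaped before being placed in the LDAP filter so that a name taken from a form or a file cannot widen the query.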
This section provides information about the Active Directory account attributes that are supported and those not supported by Identity Manager.
The following tables list the account attributes supported by Identity Manager. Other attributes might also be supported.
For descriptions of these attributes, see Chapter 6, Active Directory.
Table 57–5 Attributes of ACCOUNT Object Class
| Name | Attribute Type | Create? | Update? | Allows Multiple Values |
|---|---|---|---|---|
| sAMAccountName | String | Yes | No | No | 
| givenName | String | Yes | Yes | No | 
| sn | String | Yes | Yes | No | 
| displayName | String | Yes | Yes | No | 
|  | String | Yes | Yes | No | 
| telephoneNumber | String | Yes | Yes | No | 
| employeeID | String | Yes | Yes | No | 
| division | String | Yes | Yes | No | 
| mobile | String | Yes | Yes | No | 
| middleName | String | Yes | Yes | No | 
| description | String | Yes | Yes | Yes | 
| department | String | Yes | Yes | Yes | 
| manager | String | Yes | Yes | Yes | 
| title | String | Yes | Yes | Yes | 
| initials | String | Yes | Yes | Yes | 
| co | String | Yes | Yes | Yes | 
| company | String | Yes | Yes | Yes | 
| facsimileTelephoneNumber | String | Yes | Yes | Yes | 
| homePhone | String | Yes | Yes | Yes | 
| streetAddress | String | Yes | Yes | Yes | 
| l | String | Yes | Yes | Yes |
| st | String | Yes | Yes | Yes | 
| postalCode | String | Yes | Yes | Yes | 
| TerminalServicesInitialProgram | String | No | No | Yes | 
| TerminalServicesWorkDirectory | String | Yes | Yes | Yes | 
| AllowLogon | Integer | Yes | Yes | Yes | 
| MaxConnectionTime | Integer | Yes | Yes | Yes | 
| MaxDisconnectionTime | Integer | No | No | Yes | 
| MaxIdleTime | Integer | Yes | Yes | Yes | 
| ConnectClientDrivesAtLogon | Integer | No | No | Yes | 
| ConnectClientPrintersAtLogon | Integer | No | No | Yes | 
| DefaultToMainPrinter | Integer | No | No | Yes |
| BrokenConnectionAction | Integer | No | No | Yes | 
| ReconnectionAction | Integer | No | No | Yes | 
| EnableRemoteControl | Integer | No | No | Yes | 
| TerminalServicesProfilePath | String | No | No | Yes | 
| TerminalServicesHomeDirectory | String | No | No | Yes | 
| TerminalServicesHomeDrive | String | No | No | Yes | 
| uSNChanged | String | No | No | Yes | 
| ad_container | String | No | No | Yes | 
| otherHomePhone | String | Yes | Yes | Yes | 
| distinguishedName | String | No | No | Yes | 
| objectClass | String | No | No | Yes | 
| homeDirectory | String | Yes | Yes | Yes | 
| PasswordNeverExpires | Boolean | Yes | Yes | Yes | 
Table 57–6 Attributes of GROUP Object Class
| Name | Attribute Type | Create? | Update? | Allows Multiple Values | 
|---|---|---|---|---|
| cn | String | No | No | Yes | 
| samAccountName | String | Yes | Yes | Yes | 
| description | String | Yes | Yes | Yes | 
| displayName | String | No | No | Yes | 
| managedBy | String | Yes | Yes | Yes | 
|  | String | Yes | Yes | Yes | 
| groupType | Int | Yes | Yes | Yes | 
| objectClass | String | No | No | Yes | 
| member | String | No | No | Yes | 
| ad_container | String | No | No | Yes | 
Table 57–7 Attributes of organizationalUnit Object Class
| Name | Attribute Type | Create? | Update? | Allows Multiple Values |
|---|---|---|---|---|
| ou | String | No | No | No | 
| displayName | String | No | No | No | 
Identity Manager supports the following Active Directory objects:
Table 57–8 Supported Active Directory Objects
| Resource Object | Supported Features | Attributes Managed |
|---|---|---|
| Group | Create, update, delete | cn, samAccountName, description, managedBy, member, mail, groupType, authOrig, name |
| DNS Domain | Find | dc | 
| Organizational Unit | Create, delete, find | ou | 
| Container | Create, delete, find | cn, description | 
The attributes that can be managed on resource objects are also largely dictated by the attribute syntaxes. The attributes for these object types are similar to those for user accounts and are supported accordingly.
Windows Active Directory is a hierarchical resource. The identity template provides the default location in the directory tree where the user is created. The default identity template is
CN=$fullname$,CN=Users,DC=mydomain,DC=com
The default template must be replaced with a valid value.
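The template substitutes a user's full name into the CN component of a distinguished name, and a full name can contain characters that have meaning in a DN (a comma in “Doe, Jane”, a leading “#”, a trailing space). RFC 4514 requires such characters to be escaped with a backslash, otherwise the CN component ends early and the remainder is read as further DN components. The following script is an added example, not part of the Identity Manager documentation and not its template engine: it shows what the chapter's default template should produce for such names, so an administrator can compare a template's output against a known-correct form. The sample names are constructed, and the chapter does not describe how Identity Manager itself escapes substituted values.

```powershell
# Added example, not part of the Identity Manager documentation.
# Shows the RFC 4514 escaping a DN built from the default identity template
# CN=$fullname$,CN=Users,DC=mydomain,DC=com needs when the full name contains
# DN-special characters. Independent check, not the product's template engine.

function ConvertTo-EscapedRdnValue {
    # Escape an attribute value for use inside an RDN (RFC 4514 section 2.4).
    param([Parameter(Mandatory)][string]$Value)
    $special = @(',', '+', '"', '\', '<', '>', ';', '=')
    $sb = New-Object System.Text.StringBuilder
    for ($i = 0; $i -lt $Value.Length; $i++) {
        $c = [string]$Value[$i]
        $escape = ($special -contains $c) -or
                  ($i -eq 0 -and ($c -eq '#' -or $c -eq ' ')) -or     # leading '#' or space
                  ($i -eq $Value.Length - 1 -and $c -eq ' ')           # trailing space
        if ($escape) { [void]$sb.Append('\') }
        [void]$sb.Append($c)
    }
    $sb.ToString()
}

function New-UserDnFromTemplate {
    # Substitute $fullname$ in the template with the escaped full name.
    param(
        [Parameter(Mandatory)][string]$FullName,
        [string]$Template = 'CN=$fullname$,CN=Users,DC=mydomain,DC=com'   # default from the chapter; replace with your own
    )
    $Template.Replace('$fullname$', (ConvertTo-EscapedRdnValue $FullName))
}

# Constructed sample names: a plain name, a comma, a leading '#', a trailing space.
foreach ($n in 'Jane Doe', 'Doe, Jane', '#1 Admin', 'Jane Doe ') {
    '{0,-12} -> {1}' -f $n, (New-UserDnFromTemplate -FullName $n)
}
# "Doe, Jane" becomes CN=Doe\, Jane,CN=Users,DC=mydomain,DC=com: the escaped comma
# no longer terminates the CN component, so the object still lands under CN=Users.
```

The “=” character does not strictly need escaping under RFC 4514 but escaping it is permitted and keeps the value unambiguous when read by other tooling.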
This section lists the sample forms provided for the Active Directory resource adapter.
Active Directory ActiveSync Form
Windows Active Directory Create Container Form
Windows Active Directory Create Group Form
Windows Active Directory Create Organizational Unit Form
Windows Active Directory Create Person Form
Windows Active Directory Create User Form
Windows Active Directory Update Container Form
Windows Active Directory Update Group Form
Windows Active Directory Update Organizational Unit Form
Windows Active Directory Update Person Form
Windows Active Directory Update User Form
ADUserForm.xml
See Chapter 56, Identity Connectors Overview for information on logging and tracing information.