Sun Java System Identity Manager 6.0 Resources Reference 2005Q4M3
Active Directory
The following resource adapters support Windows Active Directory 2000 SP3 and later and Windows Active Directory 2003:
GUI Name | Class Name
Windows 2000 / Active Directory | com.waveset.adapter.ADSIResourceAdapter
Windows 2000 / Active Directory Active Sync | com.waveset.adapter.ActiveDirectoryActiveSyncAdapter
The Windows 2000 / Active Directory resource adapter is defined in the com.waveset.adapter.ADSIResourceAdapter class.
This adapter supports the following versions:
- Windows Active Directory 2000 SP3
- Windows Active Directory 2003
Note The Windows 2000 / Active Directory Active Sync adapter (com.waveset.adapter.ActiveDirectoryActiveSyncAdapter) has been deprecated as of Identity Manager 5.0 SP1. All features of this adapter are now in the Windows 2000 / Active Directory adapter. Although existing instances of the Active Sync adapter will still function, new instances can no longer be created.
Resource Configuration Notes
This section provides instructions for configuring Active Directory resources for use with Identity Manager, including the following:
Sun Identity Manager Gateway Location
The Gateway system should be running Windows 2000 or later. Although it might be possible to manage Active Directory (AD) from a Gateway system running Windows NT with the Active Directory Client Extension installed, this is not recommended.
Unless the LDAP Hostname resource attribute is set, the Gateway will perform a serverless bind to the directory. In order for the serverless bind to work, the Gateway needs to be installed on a system that is in a domain and that “knows” about the domain/directory to be managed. Generally, if the Gateway is in a domain that is in the same forest as the domain to be managed, or there is a trust relationship between the domains, then the serverless bind will succeed.
The LDAP Hostname resource attribute tells the Gateway to bind to a particular DNS hostname or IP address. This is the opposite of a serverless bind. However, the LDAP Hostname does not necessarily have to specify a specific domain controller. The DNS name of an AD domain can be used. If the Gateway system's DNS server is configured to return multiple IP addresses for that DNS name, then one of them will be used for the directory bind. This avoids having to rely on a single domain controller.
Sun Identity Manager Gateway Service Account
By default, the Gateway service runs as the local System account. This is configurable through the Services MMC Snap-in.
If you run the Gateway as an account other than Local System, then the Gateway service account requires the “Act As Operating System” and “Bypass Traverse Checking” user rights. It uses these rights for pass-through authentication and for changing and resetting passwords in certain situations.
Most of the management of AD is done using the administrative account specified in the resource. However, some operations are done as the Gateway service account. This means that the Gateway service account must have the appropriate permissions to perform these operations. Currently, these operations are:
The Authentication Timeout resource attribute (provided for pass-through authentication only) prevents the adapter from hanging if a problem occurs on the Gateway side.
Out of Office Messages
The outOfOfficeEnabled and outOfOfficeMessage account attributes can be used to enable the out-of-office autoreply function and set the out-of-office message, respectively. These can be used for Exchange 200x accounts. These attributes are only set on account updates, not on account creates.
The adapter requires that the Messaging Application Programming Interface (MAPI) be installed on the gateway machine. There are at least two ways to install the MAPI subsystem. The simplest way is to install the Microsoft Outlook client on the gateway machine. No other configuration is necessary.
Another way is to install the Exchange System Management Tools, which are located on the Exchange Server CD. The management tools are installed as a component of the normal Exchange Server install. This installs the MAPI subsystem files but does not complete the configuration.
The mapisvc.inf file (typically located in c:\winnt\system32) contains the available MAPI services, and it must be updated to include the Exchange message service entries. The msems.inf file, which is contained in the gateway zip file, contains the entries that need to be merged into the mapisvc.inf file to configure the Exchange message server. The msems.inf file can be merged into the mapisvc.inf file manually using a text file editor such as notepad. Alternatively, a tool named MergeIni.exe is available on the Microsoft Platform SDK and can be found in the Windows Core SDK in the Microsoft SDK\Bin directory.
Use the following command to run MergeIni:
MergeIni msems.inf -m
Identity Manager Installation Notes
No additional installation procedures are required on this resource.
Usage Notes
This section lists dependencies and limitations related to using the Active Directory resource adapter, including:
Checking Password History
To check the password history for an Active Directory account when an end user changes his or her password, the user must provide an AD password. This functionality is enabled on an AD resource by setting the User Provides Password On Change resource attribute to 1 and adding the WS_USER_PASSWORD attribute to the account attributes with type encrypted. WS_USER_PASSWORD must be added as an Identity Manager User Attribute and as a Resource User Attribute.
The sources.ResourceName.hosts property in the waveset.properties file can be used to control which host or hosts in a cluster will be used to execute the synchronization portion of a resource adapter using Active Sync. ResourceName must be replaced with the name of the Resource object.
Supporting Microsoft Exchange Servers
To support Microsoft Exchange Server 2000 and later, the following account attributes must be enabled:
The following account attributes are displayed in the schema map by default and are also used for managing Exchange accounts:
If your Active Directory resource is not being used to manage Exchange Server attributes, then you must remove these attributes from the schema map for these adapters to successfully provision Active Directory accounts with Identity Manager.
The Active Directory adapter can be modified to support printer, computer, or other Active Directory objects. The following example illustrates how to modify the XML code in the appropriate Java class to support printer objects.
<ObjectType name='Printer' icon='group'>
  <ObjectClasses operator='AND'>
    <ObjectClass name='printQueue'/>
  </ObjectClasses>
  <ObjectFeatures>
    <ObjectFeature name='create'/>
    <ObjectFeature name='update'/>
    <ObjectFeature name='delete'/>
  </ObjectFeatures>
  <ObjectAttributes idAttr='distinguishedName' displayNameAttr='cn' descriptionAttr='description'>
    <ObjectAttribute name='cn' type='string'/>
    <ObjectAttribute name='description' type='string'/>
    <ObjectAttribute name='managedby' type='string'/>
    <ObjectAttribute name='distinguishedName' type='string'/>
  </ObjectAttributes>
</ObjectType>
In addition, you must create at least one new form to support printer objects.
The Windows Active Directory resource can manage Exchange 2000 contacts by changing the object class to contact and removing the password, accountId, and expirePassword resource attributes.
Configuring Active Sync
Before Identity Manager 5.5, if the Process deletes as updates check box was selected, Identity Manager would disable a deleted Identity Manager user as well as all resource accounts and mark the user for later deletion. By default, this check box was selected. In Identity Manager 5.5 and later, this functionality is configured by setting the Delete Rule to None.
If the checkbox was previously deselected, then the Delete Rule will be set to ActiveSync has isDeleted set.
Security Notes
This section provides information about supported connections and privilege requirements.
Supported Connections
The recommended approach for connecting to an Active Directory resource is with the Gateway service. The Gateway service uses ADSI and a TCP/IP socket connection (3DES) for exchanging password information on the network.
You can also use LDAP over SSL or TCP/IP to connect to the Active Directory server. In this scenario, use the LDAP resource adapter.
Required Administrative Privileges
This section describes Active Directory permission and reset password permission requirements.
Active Directory Permissions
The administrative account configured in the Active Directory resource must have the appropriate permissions in Active Directory.
Reset Password
The permissions to perform Create, Delete, and Update of resource objects are as expected. The account needs the Create and Delete permissions for the corresponding object type and appropriate Read/Write permissions on the properties that need to be updated.
Pass-Thru Authentication
To support Active Directory (AD) pass-thru authentication:
- When configuring the Gateway to run as a user, that user account must have the “Act As Operating System” and “Bypass Traverse Checking” user rights. By default, the Gateway runs as the Local System account, which should already have these rights. Also, the “Bypass Traverse Checking” user right is enabled for all users by default.
Note If you must update user rights, there might be a delay before the updated security policy is propagated. Once the policy has been propagated, you must restart the Gateway.
- Accounts being authenticated must have “Access This Computer From The Network” user rights on the Gateway system.
The Gateway uses the LogonUser function with the LOGON32_LOGON_NETWORK log-on type and the LOGON32_PROVIDER_DEFAULT log-on provider to perform pass-thru authentication. The LogonUser function is provided with the Microsoft Platform Software Development Kit.
Accessing Deleted Objects
The administrative account must have access to the Deleted Objects container in Active Directory. By default, only Administrators and the System account have access to this container. Other users can be granted access to this container. For information on granting access to the Deleted Objects container, see Microsoft Knowledge Base article 892806.
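The user rights named under Pass-Thru Authentication can be verified from a local security policy export before the Gateway service is started. The script below is an added example, not part of this reference or of Identity Manager; it assumes the export was produced by `secedit /export /cfg <file>` on the Gateway host, that the rights named on the page correspond to the policy constants SeTcbPrivilege, SeChangeNotifyPrivilege and SeNetworkLogonRight, and that the SIDs and export text are constructed.

```python
from typing import Dict, Iterable, List, Set, Tuple

# Rights the page requires of a Gateway service account that is not Local
# System, keyed by the policy constant name (assumed mapping, see lead-in).
GATEWAY_SERVICE_RIGHTS = {
    "SeTcbPrivilege": "Act As Operating System",
    "SeChangeNotifyPrivilege": "Bypass Traverse Checking",
}
# Right the page requires of every account authenticated through the Gateway.
PASS_THRU_USER_RIGHTS = {
    "SeNetworkLogonRight": "Access This Computer From The Network",
}


def parse_privilege_rights(export_text: str) -> Dict[str, Set[str]]:
    """Return {right name: principals} from the [Privilege Rights] section.

    secedit writes principals as *S-1-... SIDs (the leading '*' marks a SID)
    or as account names; both are kept verbatim minus the '*'."""
    rights: Dict[str, Set[str]] = {}
    in_section = False
    for raw in export_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "privilege rights"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        rights[name.strip()] = {p.strip().lstrip("*") for p in value.split(",") if p.strip()}
    return rights


def missing_rights(export_text: str, principal_ids: Iterable[str],
                   required: Dict[str, str]) -> List[Tuple[str, str]]:
    """Rights in `required` that none of `principal_ids` holds.

    principal_ids must contain the account's own SID or name plus the SIDs of
    every group it belongs to, including Everyone (S-1-1-0) and Authenticated
    Users (S-1-5-11), because a right granted to a group covers its members."""
    granted = parse_privilege_rights(export_text)
    ids = set(principal_ids)
    return [(right, display) for right, display in required.items()
            if not (granted.get(right, set()) & ids)]


# Constructed sample export; the defaults shown are typical, not a real host's.
SAMPLE_EXPORT = """[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545
SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-19,*S-1-5-20
SeTcbPrivilege = *S-1-5-18
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed SID for a dedicated Gateway service account and the groups it
# belongs to (Everyone, Authenticated Users, BUILTIN\Users).
GATEWAY_SVC_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
GATEWAY_SVC_PRINCIPALS = {GATEWAY_SVC_SID, "S-1-1-0", "S-1-5-11", "S-1-5-32-545"}

if __name__ == "__main__":
    for right, display in missing_rights(SAMPLE_EXPORT, GATEWAY_SVC_PRINCIPALS,
                                         GATEWAY_SERVICE_RIGHTS):
        print("Gateway service account lacks %s (%s)" % (display, right))
```

With the sample export, Bypass Traverse Checking is satisfied through Everyone, while Act As Operating System is reported as missing until the service account's SID is added to SeTcbPrivilege.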
Provisioning Notes
The following table summarizes the provisioning capabilities of this adapter.
Feature | Supported?
Enable/disable account | Yes
Rename account | Yes
Pass-through authentication | Yes. Note: The Authentication Timeout resource attribute (provided for pass-through authentication only) prevents the Active Directory adapter from hanging if a problem occurs on the Gateway side.
Before/after actions | Yes. The Active Directory resource supports before and after actions, which use batch scripts to perform activities on the Active Directory gateway system during a user create, update, or delete request. See Chapter 3, "Adding Actions to Resources," for more information.
Data loading methods | Import directly from resource; Reconcile with resource; Active Sync
Account Attributes
The syntax (or type) of an attribute usually determines whether the attribute is supported. In general, Identity Manager supports boolean, string, and integer syntaxes. Binary strings and similar syntaxes are not supported.
Attribute Syntax Support
This section provides information about supported and unsupported account syntaxes.
Supported Syntaxes
The following table lists the Active Directory syntax supported by Identity Manager:
Unsupported Syntaxes
The following table lists the Active Directory syntaxes that are not supported by Identity Manager:
Account Attribute Support
This section provides information about the Active Directory account attributes that are supported and those not supported by Identity Manager.
Supported Account Attributes
The following table lists the account attributes supported by Identity Manager:
Schema Name | AD Syntax | Attribute Type | Description
accountExpires | Interval | String | The date when the user's account expires.
AccountLocked | N/A | Boolean | Whether or not an account is locked out. Cannot be set to true; only the Windows system can set it to true.
accountNameHistory | Directory string | String | The length of time that the account has been active. Read-only.
aCSPolicyName | Directory string | String | String name of an ACS policy that applies to this user.
adminCount | Integer | String | Indicates that a given object has had its ACLs changed to a more secure value by the system because it was a member of one of the administrative groups (directly or transitively). Set by system. Read-only.
adminDescription | Directory string | String | The description displayed on admin screens.
adminDisplayName | Directory string | String | The name to be displayed on admin screens.
altSecurityIdentities | Directory string | String | Contains mappings for X.509 certificates or external Kerberos user accounts to this user for the purpose of authentication.
assistant | DN string | String | The distinguished name of a user's administrative assistant.
badPasswordTime | Interval | String | The last time the user tried to log onto the account using an incorrect password.
badPwdCnt | Integer | String | Read-only. Number of login attempts with an incorrect password. The value may only be for those logins that failed at the domain controller that is being queried.
businessCategory | Directory string | String | Describes the kind of business performed by an organization.
c | Directory string | String | The two-character country code in the address of the user.
cn | Directory string | String | Common Name. This attribute is set from the CN value in the DN. Read-only.
co | Directory string | String | Text-Country (country name).
company | Directory string | String | The user's company name.
codePage | Integer | Int | Specifies the code page for the user's language of choice.
countryCode | Integer | String | Specifies the country code for the user's language of choice.
defaultClassStore | DN string | String | The default Class Store for a given user.
department | Directory string | String | Contains the name for the department in which the user works.
description | Directory string | String | Contains the description to display for an object. This value is treated as single-valued by the system.
desktopProfile | Directory string | String | The location of the desktop profile for a user or group of users.
destinationIndicator | Printable string | String | Not used by Active Directory.
displayName | Directory string | String | The name displayed in the address book for a particular user. This is usually the combination of the user's first name, middle initial, and last name.
displayNamePrintable | Printable string | String | Printable version of the displayName.
distinguishedName | DN string | String | Cannot be set directly. Read-only. Set the DN on create using the DN template or the accountId account attribute.
division | Directory string | String | The user's division.
dynamicLDAPServer | DN string | String | DNS name of the server handling dynamic properties for this account.
employeeID | Directory string | String | The ID of an employee.
extensionName | Directory string | String | The name of a property page used to extend the UI of a directory object.
facsimileTelephoneNumber | Directory string | String | Contains the telephone number of the user's business fax machine.
flags | Integer | Int | To be used by the object to store bit information.
garbageCollPeriod | Integer | Int | This attribute is located on the CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,... object. It represents the period in hours between DS garbage collection runs.
generationQualifier | Directory string | String | Indicates a person's generation. For example, Jr. or II.
givenName | Directory string | String | Contains the given name (first name) of the user.
groupPriority | Directory string | String | Not used.
groups | Directory string | String | Windows security and distribution groups.
groupsToIgnore | Directory string | String | Not used.
homeDirectory | Directory string | String | The user's home directory. If homeDrive is set and specifies a drive letter, homeDirectory should be a UNC path. The path must be a network UNC path of the form \\server\share\directory. This value can be a null string. The user's home directory will be created if: The user will be given Full Control of the created directory.
homeDrive | Directory string | String | The drive letter (including the colon) that the home directory should be mapped to (for example, "Z:"). It should only be specified if homeDirectory is a UNC path.
homeMDB | DN string | String | The distinguished name of the message database (MDB) for this mailbox. It has a format similar to CN=Mailbox Store (SERVERNAME),CN=First Storage Group,CN=InformationStore,CN=SERVERNAME,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=EXCHANGE ORG,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=DOMAIN,DC=YOURCOMPANY,DC=com
homeMTA | DN string | String | Points to the message transfer agent (MTA) that services this object. It has a format similar to CN=Microsoft MTA,CN=SERVERNAME,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=EXCHANGE ORG,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=DOMAIN,DC=YOURCOMPANY,DC=com
homePhone | Directory string | String | The user's main home phone number.
homePostalAddress | Directory string | String | A user's home address.
info | Directory string | String | The user's comments. This string can be a null string.
initials | Directory string | String | Contains the initials for parts of the user's full name.
internationalISDNNumber | Numeric string | String | Specifies an International ISDN number associated with an object.
ipPhone | Directory string | String | The TCP/IP address for the phone. Used by Telephony.
l | Directory string | String | Contains the locality, such as the town or city, in the user's address.
lastLogon | Interval | String | The last time the user logged on at a DC.
lastLogonTimestamp | Interval | String | The time that the user last logged into the domain. This value is only updated when the user logs in if a week has passed since the last update.
lastLogoff | Interval | String | The last time the user logged off.
legacyExchangeDN | Case ignore string | String | The distinguished name previously used by Exchange.
localeID | Integer | Int | This attribute contains a list of locale IDs supported by this application. A locale ID represents a geographic location like France.
lockoutTime | Interval | String | The number of minutes to wait before resetting the invalid logon count.
logonCount | Integer | Int | The number of successful times the user tried to log on to this account. This property is maintained separately on each domain controller in the domain.
 | Directory string | String | One or more email addresses.
mailNickName | Directory string | String | Exchange nickname.
managedObjects | DN string | String | Contains the list of objects that are managed by the user. Set by the system. Read-only.
manager | DN string | String | Directory name of the user's manager.
maxStorage | Large Integer | String | The maximum amount of disk space the user can use.
mDBOverHardQuotaLimit | Integer | String | The maximum mailbox size, in KB, over which sending and receiving mail is disabled.
mDBOverQuotaLimit | Integer | String | The mailbox quota overdraft limit, in KB.
mDBStorageQuota | Integer | String | The message database quota, in KB.
mDBUseDefaults | Boolean | String | Indicates whether the store should use the default quota, rather than the per-mailbox quota.
mhsORAddress | Directory string | String | X.400 address.
middleName | Directory string | String | The user's middle name.
mobile | Directory string | String | The primary cell phone number.
msCOM-PartitionSetLink | DN string | String | A link used to associate a COM+ Partition with a COM+ PartitionSet object. Read-only.
msCOM-UserLink | DN string | String | A link used to associate a COM+ PartitionSet with a User object. Read-only.
msCOM-UserPartitionSetLink | DN string | String | A link used to associate a User with a COM+ PartitionSet. Read-only.
msDS-AllowedToDelegateTo | Directory string | String | Contains a list of Service Principal Names (SPN). This attribute is used to configure a service to be able to obtain service tickets usable for Constrained Delegation.
ms-DS-Approx-Immed-Subordinates | Integer | Int | The approximate number of subordinates for this user. Read-only.
msDS-Cached-Membership-Time-Stamp | Interval | String | Used by the Security Accounts Manager for group expansion during token evaluation. Read-only.
mS-DS-ConsistencyChildCount | Integer | Int | This attribute is used to check consistency between the directory and another object, database, or application, by comparing a count of child objects.
msExchHomeServerName | DN string | String | The name of the Exchange server. It has a format similar to /o=EXCHANGEORG/ou=First Administrative Group/cn=Configuration/cn=Servers/cn=SERVERNAME
ms-DS-KeyVersionNumber | Integer | Int | The Kerberos version number of the current key for this account. This is a constructed attribute. Read-only.
ms-DS-Mastered-By | DN string | String | Back link for msDS-hasMasterNCs. Read-only.
ms-DS-Members-For-Az-Role-BL | DN string | String | Back-link from member application group or user to Az-Role object(s) linking to it. Read-only.
ms-DS-NC-Repl-Cursors | Directory string | String | A list of past and present replication partners, and how up to date we are with each of them. Read-only.
ms-DS-NC-Repl-Inbound-Neighbors | Directory string | String | Replication partners for this partition. This server obtains replication data from these other servers, which act as sources. Read-only.
ms-DS-NC-Repl-Outbound-Neighbors | Directory string | String | Replication partners for this partition. This server sends replication data to these other servers, which act as destinations. This server will notify these other servers when new data is available. Read-only.
ms-DS-Non-Members-BL | DN string | String | Back link from non-member group/user to Az group(s) linking to it. Read-only.
ms-DS-Operations-For-Az-Role-BL | DN string | String | Back-link from Az-Operation to Az-Role object(s) linking to it. Read-only.
ms-DS-Operations-For-Az-Task-BL | DN string | String | Back-link from Az-Operation to Az-Task object(s) linking to it. Read-only.
ms-DS-Repl-Attribute-Meta-Data | Directory string | String | A list of metadata for each replicated attribute. Read-only.
ms-DS-Repl-Value-Meta-Data | Directory string | String | A list of metadata for each value of an attribute. Read-only.
ms-DS-Tasks-For-Az-Role-BL | DN string | String | Back-link from Az-Task to Az-Role object(s) linking to it. Read-only.
ms-DS-Tasks-For-Az-Task-BL | DN string | String | Back-link from Az-Task to the Az-Task object(s) linking to it. Read-only.
ms-DS-User-Account-Control-Computed | Integer | Int | A computed attribute to expose user password expired and user account locked out.
msExchMailboxSecurityDescriptor | String | (Octet)String | This attribute determines Exchange Mailbox rights for the user. For more information, see Managing ACL Lists.
ms-Exch-Owner-BL | DN string | String | The back-link to the owner attribute. Contains a list of owners for an object. Read-only.
ms-IIS-FTP-Dir | Directory string | String | The user home directory relative to the file server share. It is used in conjunction with ms-IIS-FTP-Root to determine the FTP user home directory.
ms-IIS-FTP-Root | Directory string | String | This attribute determines the file server share. It is used in conjunction with ms-IIS-FTP-Dir to determine the FTP user home directory.
name | Directory string | String | The Relative Distinguished Name (RDN) of the user. Cannot be set directly. Read-only. Set the RDN on create using the DN template or the accountId account attribute. Do not use "name" for the left-hand side of the schema map as it is a reserved attribute name.
networkAddress | Case ignore string | String | The TCP/IP address for a network segment.
nTSecurityDescriptor | String | (Octet)String | The NT security descriptor for the schema object. For more information, see Managing ACL Lists.
o | Directory string | String | The name of the company or organization.
objectCategory | DN string | N/A | An object class name used to group objects of this or derived classes. Set by the system. Read-only.
objectClass | OID string | N/A | The list of classes from which this class is derived. The value of this attribute should be set using the Object Class resource attribute. Read-only.
objectVersion | Integer | Int | A version number for the object.
operatorCount | Integer | Int | The number of operators on the computer.
otherFacsimileTelephoneNumber | Directory string | String | A list of alternate facsimile numbers.
otherHomePhone | Directory string | String | A list of alternate home phone numbers.
otherIpPhone | Directory string | String | The list of alternate TCP/IP addresses for the phone. Used by Telephony.
otherLoginWorkstations | Directory string | String | Non-NT or LAN Manager workstations from which a user can log in.
otherMailbox | Directory string | String | Contains other additional mail addresses in a form such as CCMAIL: JohnDoe.
otherMobile | Directory string | String | Additional mobile phone numbers.
otherPager | Directory string | String | Additional pager numbers.
otherTelephone | Directory string | String | Additional telephone numbers.
ou | Directory string | String | Organizational unit.
outOfOfficeEnabled | Boolean | Boolean | Enables the out-of-office autoreply function.
outOfOfficeMessage | String | String | The text of an out-of-office message.
pager | Directory string | String | Pager number.
personalTitle | Directory string | String | User's title.
PasswordNeverExpires | Boolean | Boolean | Indicates whether the user's password will expire.
physicalDeliveryOfficeName | Directory string | String | The office where deliveries are routed to.
postalAddress | Directory string | String | The office location in the user's place of business.
postalCode | Directory string | String | The postal or zip code for mail delivery.
postOfficeBox | Directory string | String | The P.O. Box number for this object.
preferredDeliveryMethod | Enumeration | String | The X.500 preferred way to deliver to the addressee.
preferredOU | DN string | String | The Organizational Unit to show by default on the user's desktop.
primaryGroupID | Integer | Int | If the user is not already a member of the group, then the primaryGroupID must be set in two steps: add the user to the group, then set the primaryGroupID.
primaryInternationalISDNNumber | Directory string | String | The primary ISDN number.
primaryTelexNumber | Directory string | String | The primary telex number.
profilePath | Directory string | String | Specifies a path to the user's profile. This value can be a null string, a local absolute path, or a UNC path.
proxyAddresses | String | String | A proxy address is the address by which a Microsoft Exchange Server recipient object is recognized in a foreign mail system. Proxy addresses are required for all recipient objects such as custom recipients and distribution lists.
pwdLastSet | Interval | String | This attribute indicates the last time the user modified the password. This value is stored as a large integer that represents the number of seconds elapsed since 00:00:00, January 1, 1601 (FILETIME). If this value is set to zero and the user account has the password never expires property set to false, then the user must set the password at the next logon.
revision | Integer | Int | The revision level for a security descriptor or other change. Read-only.
rid | Integer | Int | The relative identifier of an object. Read-only.
sAMAccountName | Directory string | String | Login name.
sAMAccountType | Integer | Int | This attribute contains information about every account type object. Set by system. Read-only.
scriptPath | Directory string | String | The path for the user's logon script. The string can be null.
seeAlso | DN string | String | DNs of related objects.
serialNumber | Printable string | String | User's serial number. Not used by Active Directory.
servicePrincipalName | Directory string | String | List of distinguished names that are related to an object.
showInAddressBook | DN string | String | This attribute is used to indicate which MAPI address books an object will appear in. It is normally maintained by the Exchange Recipient Update Service.
showInAdvancedViewOnly | Boolean | Boolean | True if this attribute is to be visible in the Advanced mode of the UI.
sn | Directory string | String | Family or last name.
st | Directory string | String | State or province name.
street | Directory string | String | Street address.
Structural-Object-Class | OID String | String | Stores a list of classes contained in a class hierarchy, including abstract classes. Read-only.
telephoneNumber | Directory string | String | Primary telephone number.
textEncodedORAddress | Directory string | String | Supports X.400 addresses in a text format.
title | Directory string | String | Contains the user's job title. This property is commonly used to indicate the formal job title, such as Senior Programmer, rather than occupational class, such as programmer. It is not typically used for suffix titles such as Esq. or DDS.
userAccountControl | Integer | Int | Specifies flags that control password, lockout, disable/enable, script, and home directory behavior for the user. This property also contains a flag that indicates the account type of the object. The flags are defined in LMACCESS.H.
userParameters | Directory string | String | Parameters of the user. Points to a Directory string that is set aside for use by applications. This string can be a null string, or it can have any number of characters before the terminating null character.
userPassword | Octet string | Encrypted | The user's password in UTF-8 format. This is a write-only attribute.
userPrincipalName | Directory string | String | An Internet-style login name for a user based on the Internet standard RFC 822. The UPN is shorter than the distinguished name and easier to remember. By convention, this should map to the user's e-mail name.
userSharedFolder | Directory string | String | Specifies a UNC path to the user's shared documents folder. The path must be a network UNC path of the form \\server\share\directory. This value can be a null string.
userSharedFolderOther | Directory string | String | Specifies a UNC path to the user's additional shared documents folder. The path must be a network UNC path of the form \\server\share\directory. This value can be a null string.
userWorkstations | Directory string | String | NetBIOS or DNS names of computers the user can log into, separated by commas.
usnChanged | Large Integer | String | USN value assigned by the local directory for the latest change, including creation. Read-only.
usnCreated | Large Integer | String | USN-Changed value assigned at object creation.
USNIntersite | Integer | Int | The USN for inter-site replication.
uSNLastObjRem | Large Integer | String | Indicates when the last object was removed from a server. Read-only.
uSNSource | Large Integer | String | Value of the USN-Changed attribute of the object from the remote directory that replicated the change to the local server. Read-only.
WS_PasswordExpired | N/A | Boolean | Indicates whether to expire the user's password.
WS_USER_PASSWORD | N/A | Encrypted | Contains the user password. See the Usage Notes for more information.
wbemPath | Directory string | String | References to objects in other ADSI namespaces.
whenChanged | Generalized time | String | The date when this object was last changed. Read-only.
whenCreated | Generalized time | String | The date when this object was created. Read-only.
wWWHomePage | Directory string | String | The user's primary web page.
url | Directory string | String | A list of alternate web pages.
x121Address | Numeric string | String | The X.121 address for an object.
Managing ACL Lists
The nTSecurityDescriptor and the msExchMailboxSecurityDescriptor attribute values contain ACL lists that you must specify in a special way.
For example, the following shows a user form a company might use to assign a default set of permissions to each user they provision:
<Field name='attributes[AD].nTSecurityDescriptor' hidden='true'>
  <Expansion>
    <list>
      <s>Domain Admins|983551|0|0|NULL|NULL</s>
      <s>NT AUTHORITY\SYSTEM|983551|0|0|NULL|NULL</s>
      <s>Account Operators|983551|0|0|NULL|NULL</s>
      <s>NT AUTHORITY\Authenticated Users|131220|0|0|NULL|NULL</s>
      <s>NT AUTHORITY\Authenticated Users|256|5|0|{AB721A55-1E2F-11D0-9819-00AA0040529B}|NULL</s>
      <s>NT AUTHORITY\SELF|131220|0|0|NULL|NULL</s>
    </list>
  </Expansion>
</Field>
Here is a description of the preceding format:
Trustee|Mask|aceType|aceFlags|objectType|InheritedObjectType
Where:
- Trustee is the DOMAIN\Account of the user.
- Mask is a flag specifying access permissions (read, write, and so on).
- aceType is a flag indicating the access-control entry (ACE) types.
- aceFlags is a flag specifying whether other containers or objects can inherit the ACE from the ACL owner.
- objectType is a flag indicating the ADSI object type. The objectType value is a GUID to a property or an object in string format.
- InheritedObjectType is a flag indicating the child object type of an ADSI object. The InheritedObjectType value is a GUID to an object in string format. When you set such a GUID, the ACE applies only to the object referred to by the GUID.
The following information (found in MSDN) is provided to help you further understand some of these fields:
- aceType:
  ADS_ACETYPE_ACCESS_ALLOWED = 0,
  ADS_ACETYPE_ACCESS_DENIED = 0x1,
  ADS_ACETYPE_SYSTEM_AUDIT = 0x2,
  ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = 0x5,
  ADS_ACETYPE_ACCESS_DENIED_OBJECT = 0x6,
  ADS_ACETYPE_SYSTEM_AUDIT_OBJECT = 0x7,
  ADS_ACETYPE_SYSTEM_ALARM_OBJECT = 0x8
Where:
- ADS_ACETYPE_ACCESS_ALLOWED: The ACE is of the standard ACCESS ALLOWED type, where the ObjectType and InheritedObjectType fields are NULL.
- ADS_ACETYPE_ACCESS_DENIED: The ACE is of the standard ACCESS DENIED type, where the ObjectType and InheritedObjectType fields are NULL.
- ADS_ACETYPE_SYSTEM_AUDIT: The ACE is of the standard system-audit type, where the ObjectType and InheritedObjectType fields are NULL.
- ADS_ACETYPE_ACCESS_ALLOWED_OBJECT: On Windows 2000, the ACE grants access to an object or a subobject of the object, such as a property set or property. ObjectType, InheritedObjectType, or both contain a GUID that identifies a property set, property, extended right, or type of child object.
- ADS_ACETYPE_ACCESS_DENIED_OBJECT: On Windows 2000, the ACE denies access to an object or a subobject of the object, such as a property set or property. ObjectType, InheritedObjectType, or both contain a GUID that identifies a property set, property, extended right, or type of child object.
- ADS_ACETYPE_SYSTEM_AUDIT_OBJECT: On Windows 2000, the ACE audits access to an object or a subobject of the object, such as a property set or property. ObjectType, InheritedObjectType, or both contain a GUID that identifies a property set, property, extended right, or type of child object.
- ADS_ACETYPE_SYSTEM_ALARM_OBJECT: Not used on Windows 2000/XP at this time.
- aceFlags:
  ADS_ACEFLAG_INHERIT_ACE = 0x2,
  ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE = 0x4,
  ADS_ACEFLAG_INHERIT_ONLY_ACE = 0x8,
  ADS_ACEFLAG_INHERITED_ACE = 0x10,
  ADS_ACEFLAG_VALID_INHERIT_FLAGS = 0x1f,
  ADS_ACEFLAG_SUCCESSFUL_ACCESS = 0x40,
  ADS_ACEFLAG_FAILED_ACCESS = 0x80
Where:
- ADS_ACEFLAG_INHERIT_ACE: Indicates that child objects will inherit this access-control entry (ACE). The inherited ACE is inheritable unless you set the ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE flag.
- ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE: Causes the system to clear the ADS_ACEFLAG_INHERIT_ACE flag for the inherited ACEs of child objects, which prevents the ACE from being inherited by subsequent generations of objects.
- ADS_ACEFLAG_INHERIT_ONLY_ACE: Indicates an inherit-only ACE that does not exercise access control on the object to which it is attached. If you do not set this flag, the ACE is an effective ACE that exerts access control on the object to which it is attached.
- ADS_ACEFLAG_INHERITED_ACE: Indicates whether the ACE was inherited. The system sets this bit.
- ADS_ACEFLAG_VALID_INHERIT_FLAGS: Indicates whether the inherited flags are valid. The system sets this bit.
- ADS_ACEFLAG_SUCCESSFUL_ACCESS: Generates audit messages for successful access attempts, used with ACEs that audit the system in a system access-control list (SACL).
- ADS_ACEFLAG_FAILED_ACCESS: Generates audit messages for failed access attempts, used with ACEs that audit the system in a SACL.
- objectType and InheritedObjectType: Specifies the GUID of another object in the form:
  {BF9679C0-0DE6-11D0-A285-00AA003049E2}
  The object or attribute GUID is wrapped in braces { }. This is the format returned during a fetch. Within ADSI there are GUIDs that represent specific attributes to which access is granted, and also a way to describe an inherited relationship.
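The following parser is an added example and not part of Identity Manager; it decodes one Trustee|Mask|aceType|aceFlags|objectType|InheritedObjectType string into the MSDN names listed above and rejects entries whose GUID fields do not match the aceType, so a malformed ACE can be caught before the form pushes it to the directory. The function names (parse_ace, _guid_or_null) are assumptions; the constants and sample strings are those on this page.

```python
import re

# MSDN ADS_ACETYPE_ENUM / ADS_ACEFLAG_ENUM values as quoted on this page.
ACE_TYPES = {
    0x0: "ADS_ACETYPE_ACCESS_ALLOWED", 0x1: "ADS_ACETYPE_ACCESS_DENIED",
    0x2: "ADS_ACETYPE_SYSTEM_AUDIT", 0x5: "ADS_ACETYPE_ACCESS_ALLOWED_OBJECT",
    0x6: "ADS_ACETYPE_ACCESS_DENIED_OBJECT", 0x7: "ADS_ACETYPE_SYSTEM_AUDIT_OBJECT",
    0x8: "ADS_ACETYPE_SYSTEM_ALARM_OBJECT",
}
OBJECT_ACE_TYPES = {0x5, 0x6, 0x7, 0x8}  # the *_OBJECT types are the ones that carry a GUID
ACE_FLAGS = {
    0x02: "ADS_ACEFLAG_INHERIT_ACE", 0x04: "ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE",
    0x08: "ADS_ACEFLAG_INHERIT_ONLY_ACE", 0x10: "ADS_ACEFLAG_INHERITED_ACE",
    0x40: "ADS_ACEFLAG_SUCCESSFUL_ACCESS", 0x80: "ADS_ACEFLAG_FAILED_ACCESS",
}
# GUID fields are the literal NULL or a braced GUID such as {BF9679C0-0DE6-11D0-A285-00AA003049E2}.
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def _guid_or_null(field, name):
    if field == "NULL":
        return None
    if not GUID_RE.match(field):
        raise ValueError(f"{name} must be NULL or a braced GUID, got {field!r}")
    return field.upper()


def parse_ace(text):
    """Decode one Trustee|Mask|aceType|aceFlags|objectType|InheritedObjectType string;
    a malformed entry raises ValueError instead of being pushed to the directory."""
    parts = text.split("|")
    if len(parts) != 6:
        raise ValueError(f"expected 6 fields, got {len(parts)}: {text!r}")
    trustee, mask, ace_type, ace_flags, obj_type, inh_type = parts
    mask, ace_type, ace_flags = int(mask), int(ace_type), int(ace_flags)
    if ace_type not in ACE_TYPES:
        raise ValueError(f"unknown aceType {ace_type}")
    flag_names = [name for bit, name in ACE_FLAGS.items() if ace_flags & bit]
    leftover = ace_flags & ~sum(ACE_FLAGS)  # undocumented bits are reported, not silently dropped
    if leftover:
        flag_names.append(f"UNKNOWN_0x{leftover:X}")
    obj = _guid_or_null(obj_type, "objectType")
    inh = _guid_or_null(inh_type, "InheritedObjectType")
    # Standard types carry NULL in both GUID fields; *_OBJECT types need at least one GUID.
    if ace_type in OBJECT_ACE_TYPES and obj is None and inh is None:
        raise ValueError(f"{ACE_TYPES[ace_type]} needs an objectType or InheritedObjectType GUID")
    if ace_type not in OBJECT_ACE_TYPES and (obj is not None or inh is not None):
        raise ValueError(f"{ACE_TYPES[ace_type]} requires NULL objectType and InheritedObjectType")
    return {"trustee": trustee, "mask": mask, "ace_type": ACE_TYPES[ace_type],
            "ace_flags": flag_names, "object_type": obj, "inherited_object_type": inh}
```

Running parse_ace over each <s> value of the sample form above decodes the two aceType values used there (0 and 5) and confirms that only the entry with aceType 5 carries a GUID.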
For more detailed information, reference the following website:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dsportal/dsportal/directory_services_portal.asp
The best method to find the correct string to pass down is the following:
- Add the attribute to your schema, and then add the following field to your user form:
<Field name='accounts[AD].nTSecurityDescriptor'>
  <Display class='TextArea'>
    <Property name='title' value='NT User Security Descriptor'/>
    <Property name='rows' value='20'/>
    <Property name='columns' value='100'/>
  </Display>
</Field>
or
<Field name='accounts[AD].msExchMailboxSecurityDescriptor'>
  <Display class='TextArea'>
    <Property name='title' value='Mailbox Security Descriptor'/>
    <Property name='rows' value='20'/>
    <Property name='columns' value='100'/>
  </Display>
</Field>
- Edit a user’s object in Active Directory and set the corresponding ACL lists for all users to establish a baseline.
- Edit the user in Identity Manager. On the Edit User form, you should see a text area containing the corresponding values, which have been pulled from the user object in Active Directory.
Using the preceding method will help you determine which values you must add to the form, for the settings you want.
Unsupported Attributes
The following table lists the account attributes that are not supported by Identity Manager:
Resource Object Management
Identity Manager supports the following Active Directory objects:
The attributes that can be managed on resource objects are also generally dictated by the attribute syntaxes. The attributes for these object types are similar to those for user accounts and are supported accordingly.
Identity Template
Windows Active Directory is a hierarchically based resource. The identity template will provide the default location in the directory tree where the user will be created. The default identity template is
CN=$fullname$,CN=Users,DC=mydomain,DC=com
The default template must be replaced with a valid value.
Sample Forms
This section lists the sample forms provided for the Active Directory resource adapter.
Built-In
- ActiveDirectory ActiveSync Form
- Windows Active Directory Create Container Form
- Windows Active Directory Create Group Form
- Windows Active Directory Create Organizational Unit Form
- Windows Active Directory Create Person Form
- Windows Active Directory Create User Form
- Windows Active Directory Update Container Form
- Windows Active Directory Update Group Form
- Windows Active Directory Update Organizational Unit Form
- Windows Active Directory Update Person Form
- Windows Active Directory Update User Form
Also Available
ADUserForm.xml
Troubleshooting
Use the Identity Manager debug pages to set trace options on the following class:
com.waveset.adapter.ADSIResourceAdapter
In addition, tracing can be enabled on the Gateway service via the Identity Manager debug pages. (InstallDir\idm\debug\Gateway.jsp). This page allows you to specify the level of trace, location of the trace file, and the maximum size of the trace file. This page also allows you to remotely retrieve the gateway trace file and display the version information for the Gateway.
The Gateway service may also be started from the console with debug tracing via various command line switches. Use -h to review the usage for the Gateway service.