Previous      Contents      Next
Sun Java System Identity Manager 6.0 Resources Reference 2005Q4M3

---

Active Directory

The following resource adapters support Windows Active Directory 2000 SP3 and later and Windows Active Directory 2003:

GUI Name	Class Name
Windows 2000 / Active Directory	com.waveset.adapter.ADSIResourceAdapter
Windows 2000 / Active Directory Active Sync	com.waveset.adapter.ActiveDirectoryActiveSyncAdapter

The Windows 2000 / Active Directory resource adapter is defined in the com.waveset.adapter.ADSIResourceAdapter class.

This adapter supports the following versions:

Windows Active Directory 2000 SP3
Windows Active Directory 2003

---

Note  The Windows 2000 / Active Directory Active Sync adapter (com.waveset.adapter.ActiveDirectoryActiveSyncAdapter has been deprecated as of Identity Manager 5.0 SP1. All features in this adapter are now in the Windows 2000/ Active Directory adapter. Although existing instances of the Active Sync adapter will still function, new instances of these can no longer be created.

---

Resource Configuration Notes

This section provides instructions for configuring the following Active Directory resources for use with Identity Manager, including the following:

Sun Identity Manager Gateway Location
Sun Identity Manager Gateway Service Account
Out of Office Messages

Sun Identity Manager Gateway Location

The Gateway system should be running Windows 2000 or later. Although it might be possible to manage Active Directory (AD) from a Gateway system running Windows NT with the Active Directory Client Extension installed, this is not recommended.

Unless the LDAP Hostname resource attribute is set, the Gateway will perform a serverless bind to the directory. In order for the serverless bind to work, the Gateway needs to be installed on a system that is in a domain and that “knows” about the domain/directory to be managed. Generally, if the Gateway is in a domain that is in the same forest as the domain to be managed, or there is a trust relationship between the domains, then the serverless bind will succeed.

The LDAP Hostname resource attribute tells the Gateway to bind to a particular DNS hostname or IP address. This is the opposite of a serverless bind. However, the LDAP Hostname does not necessarily have to specify a specific domain controller. The DNS name of an AD domain can be used. If the Gateway system's DNS server is configured to return multiple IP addresses for that DNS name, then one of them will be used for the directory bind. This avoids having to rely on a single domain controller.

Sun Identity Manager Gateway Service Account

By default, the Gateway service runs as the local System account. This is configurable through the Services MMC Snap-in.

If you run the Gateway as an account other than Local System, then Gateway service account requires the “Act As Operating System” and “Bypass Traverse Checking” user rights. It uses these rights for pass-through authentication and for changing and resetting passwords in certain situations.

Most of the management of AD is done using the administrative account specified in the resource. However, some operations are done as the Gateway service account. This means that the Gateway service account must have the appropriate permissions to perform these operations. Currently, these operations are:

Creating home directories
Running actions (including before and after actions)

The Authentication Timeout resource attribute (provided for pass-through authentication only) prevents the adapter from hanging if a problem occurs on the Gateway side.

Out of Office Messages

The outOfOfficeEnabled and outofOfficeMessage account attributes can be used to enable the out of office autoreply function and set the out-of-office message, respectively. These can be used for Exchange 200x accounts. These attributes are only set on account updates and not account creates.

The adapter requires that the Messaging Application Programming Interface (MAPI) be installed on the gateway machine. There are at least two ways to install the MAPI subsystem. The simplest way is to install the Microsoft Outlook client on the gateway machine. No other configuration is necessary.

Another way is to install the Exchange System Management Tools, which are located on the Exchange Server CD. The management tools are installed as a component of the normal Exchange Server install. However, this installs the MAPI subsystem files, but it does not complete the configuration.

The mapisvc.inf file (typically located in c:\winnt\system32) contains the available MAPI services, and it must be updated to include the Exchange message service entries. The msems.inf file, which is contained in the gateway zip file, contains the entries that need to be merged into the mapisvc.inf file to configure the Exchange message server. The msems.inf file can be merged into the mapisvc.inf file manually using a text file editor such as notepad. Alternatively, a tool named MergeIni.exe is available on the Microsoft Platform SDK and can be found in the Windows Core SDK in the Microsoft SDK\Bin directory.

Use the following command to run MergeIni:

MergeIni msems.inf -m

Identity Manager Installation Notes

No additional installation procedures are required on this resource.

Usage Notes

This section lists dependencies and limitations related to using the Active Directory resource adapter, including:

Checking Password History
Supporting Microsoft Exchange Servers
Configuring Active Sync

Checking Password History

To check the password history for an Active Directory account when an end-user changes his or her password, the user must provide an AD password. This functionality is enabled on an AD resource by setting the User Provides Password On Change resource attribute to 1 and adding the WS_USER_PASSWORD attribute to the account attributes with type encrypted. WS_USER_PASSWORD must be added as a Identity Manager User Attribute and as a Resource User Attribute.

The sources.ResourceName.hosts property in the waveset.properties file can be used to control which host or hosts in a cluster will be used to execute the synchronization portion of a resource adapter using Active Sync. ResourceName must be replaced with the name of the Resource object.

Supporting Microsoft Exchange Servers

To support Microsoft Exchange Server 2000 and later, the following account attributes must be enabled:

homeMDB
homeMTA
mailNickname
msExchHomeServerName

The following account attributes are displayed in the schema map by default and are also used for managing Exchange accounts:

garbageCollPeriod
mDBOverHardQuotaLimit
mDBOverQuotaLimit
mDBStorageQuota
mDBUseDefaults

If your Active Directory resource is not being used to manage Exchange Server attributes, then you must remove these attributes from the schema map for these adapters to successfully provision Active Directory accounts with Identity Manager.

The Active Directory adapter can be modified to support printer, computer, or other Active Directory objects. The following example illustrates how to modify the XML code in the appropriate Java class to support printer objects.

<ObjectType name='Printer' icon='group'>

   <ObjectClasses operator='AND'>

      <ObjectClass name='printQueue'/>

   </ObjectClasses>

   <ObjectFeatures>

      <ObjectFeature name='create'/>

      <ObjectFeature name='update'/>

      <ObjectFeature name='delete'/>

   </ObjectFeatures>

   <ObjectAttributes idAttr='distinguishedName' displayNameAttr='cn' descriptionAttr='description'>

      <ObjectAttribute name='cn' type='string'/>

      <ObjectAttribute name='description' type='string'/>

      <ObjectAttribute name='managedby' type='string'/>

      <ObjectAttribute name='distinguishedName' type='string'/>

   </ObjectAttributes>

</ObjectType>

In addition, you must create at least one new form to support printer objects.

The Windows Active Directory resource can manage Exchange 2000 contacts by changing the object class to contact and removing the password, accountId, and expirePassword resource attributes.

Configuring Active Sync

Before Identity Manager 5.5, if the Process deletes as updates check box was selected, Identity Manager would disable a deleted Identity Manager user as well as all resource accounts and mark the user for later deletion. By default, this check box was selected. In Identity Manager 5.5 and beyond, this functionality is configured by setting the Delete Rule set to None.

If the checkbox was previously deselected, then the Delete Rule will be set to ActiveSync has isDeleted set.

Security Notes

This section provides information about supported connections and privilege requirements.

Supported Connections

The recommended approach for connecting to an Active Directory resource is with the Gateway service. The Gateway service uses ADSI and a TCP/IP socket connection (3 DES) for exchanging password information on the network.

You can also use LDAP over SSL or TCP/IP to connect to the Active Directory server. In this scenario, use the LDAP resource adapter.

Required Administrative Privileges

This section describes Active Directory permission and reset password permission requirements.

Active Directory Permissions

The administrative account configured in the Active Directory resource must have the appropriate permissions in Active Directory.

Identity Manager Functionality	Active Directory Permissions
Create Active Directory User accounts	Create User Objects To create the account enabled, you must have the ability to Read/Write the userAccountControl property. To create with the password expired, you must be able to Read/Write the Account Restrictions property set (includes the userAccountControl property).
Delete Active Directory User accounts	Delete User Objects
Update Active Directory User accounts	Read All Properties   Write All Properties Note: If only a subset of the properties are to managed from Identity Manager, then Read/Write access can be given to just those properties.
Change/Reset AD User account passwords Unlock AD User accounts Expire AD User accounts	User Object permissions:   List Contents   Read All Properties   Read Permissions   Change Password   Reset Password User Property permissions:   Read/Write lockoutTime Property   Read/Write Account Restrictions Property set   Read accountExpires Property To set permissions for the lockoutTime property, you should use the cacls.exe program available in the Windows 2000 Server resource kit.

Reset Password

The permissions to perform Create, Delete, and Update of resource objects are as expected. The account needs the Create and Delete permissions for the corresponding object type and you need appropriate Read/Write permissions on the properties that need to be updated.

Pass-Thru Authentication

To support Active Directory (AD) pass-thru authentication:

When configuring the Gateway to run as a user, that user account must have the “Act As Operating System” and “Bypass Traverse Checking” user rights. By default, the Gateway runs as the Local System account, which should already have these rights. Also, the “Bypass Traverse Checking” user right is enabled for all users by default.

---

Note  If you must update user rights, there might be a delay before the updated security policy is propagated. Once the policy has been propagated, you must restart the Gateway.

---

Accounts being authenticated must have “Access This Computer From The Network” user rights on the Gateway system.

The Gateway uses the LogonUser function with the LOGON32_LOGON_NETWORK
log-on type and the LOGON32_PROVIDER_DEFAULT log-on provider to perform
pass-thru authentication. The LogonUser function is provided with the Microsoft Platform Software Development Kit.

Accessing Deleted Objects

The administrative account must have access to the Deleted Objects container in the active directory. By default, only Administrators and the System account have access to this container. Other users can be granted access to this container. For information on granting access to the Deleted Objects container, see Microsoft Knowledge Base article 892806.

Provisioning Notes

The following table summarizes the provisioning capabilities of this adapter.

Feature	Supported?
Enable/disable account	Yes
Rename account	Yes
Pass-through authentication	Yes Note: The Authentication Timeout resource attribute (provided for pass-through authentication only) prevents the Active Directory adapter from hanging if a problem occurs on the Gateway side.
Before/after actions	Yes. The Active Directory resource supports before and after actions, which use batch scripts to perform activities on the Active Directory gateway system during a user create, update, or delete request. See Chapter 3, "Adding Actions to Resources," for more information.
Data loading methods	Import directly from resource   Reconcile with resource   Active Sync

Account Attributes

The syntax (or type) of an attribute usually determines whether the attribute is supported. In general, Identity Manager supports boolean, string, and integer syntaxes. Binary strings and similar syntaxes are not supported.

Attribute Syntax Support

This section provides information about supported and unsupported account syntaxes.

Supported Syntaxes

The following table lists the Active Directory syntax supported by Identity Manager:

AD Syntax	Identity Manager Syntax	Syntax ID	OM ID	ADS Type
Boolean	Boolean	2.5.5.8	1	ADSTYPE_BOOLEAN
Enumeration	String	2.5.5.9	10	ADSTYPE_INTEGER
Integer	Int	2.5.5.9	2	ADSTYPE_INTEGER
DN String	String	2.5.5.1	127	ADSTYPE_DN_STRING
Presentation Address	String	2.5.5.13	127	ADSTYPE_CASE_IGNORE_STRING
IA5 String	String	2.5.5.5	22	ADSTYPE_PRINTABLE_STRING
Printable String	String	2.5.5.5	19	ADSTYPE_PRINTABLE_STRING
Numeric String	String	2.5.5.6	18	ADSTYPE_NUMERIC_STRING
OID String	String	2.5.5.2	6	ADSTYPE_CASE_IGNORE_STRING
Case Ignore String (teletex)	String	2.5.5.4	20	ADSTYPE_CASE_IGNORE_STRING
Unicode String	String	2.5.5.12	64	ADSTYPE_OCTET_STRING
Interval	String	2.5.5.16	65	ADSTYPE_LARGE_INTEGER
LargeInteger	String	2.5.5.16	65	ADSTYPE_LARGE_INTEGER

Unsupported Syntaxes

The following table lists the Active Directory syntaxes that are not supported by Identity Manager:

Syntax	Syntax ID	OM ID	ADS Type
DN with Unicode string	2.5.5.14	127	ADSTYPE_DN_WITH_STRING
DN with binary	2.5.5.7	127	ADSTYPE_DN_WITH_BINARY
OR-Name	2.5.5.7	127	ADSTYPE_DN_WITH_BINARY
Replica Link	2.5.5.10	127	ADSTYPE_OCTET_STRING
NT Security Descriptor	2.5.5.15	66	ADSTYPE_NT_SECURITY_DESCRIPTOR
Octet String	2.5.5.10	4	ADSTYPE_OCTET_STRING
SID String	2.5.5.17	4	ADSTYPE_OCTET_STRING
UTC Time String	2.5.5.11	23	ADSTYPE_UTC_TIME
Object(Access-Point)	2.5.5.14	127	n/a

Account Attribute Support

This section provides information about the Active Directory account attributes that are supported and those not supported by Identity Manager.

Supported Account Attributes

The following table lists the account attributes supported by Identity Manager:

Schema Name	AD Syntax	Attribute Type	Description
accountExpires	Interval	String	The date when the user's account expires.
AccountLocked	N/A	Boolean	Whether or not an account is locked out. Cannot be set to true; only the Windows system can set to true.
accountNameHistory	Directory string	String	The length of time that the account has been active. Read-only
aCSPolicyName	Directory string	String	String name of an ACS policy that applies to this user.
adminCount	Integer	String	Indicates that a given object has had its ACLs changed to a more secure value by the system because it was a member of one of the administrative groups (directly or transitively).Set by system. Read-only.
adminDescription	Directory string	String	The description displayed on admin screens.
adminDisplayName	Directory string	String	The name to be displayed on admin screens.
altSecurityIdentities	Directory string	String	Contains mappings for X.509 certificates or external Kerberos user accounts to this user for the purpose of authentication.
assistant	DN string	String	The distinguished name of a user's administrative assistant.
badPasswordTime	Interval	String	The last time the user tried to log onto the account using an incorrect password.
badPwdCnt	Integer	String	Read-only. Number of login attempts with incorrect password. The value may only be for those logins that failed at the domain controller that is being queried.
businessCategory	Directory string	String	Describes the kind of business performed by an organization.
c	Directory string	String	The two-character country code in the address of the user.
cn	Directory string	String	Common Name. This attribute is set from the CN value in the DN. Read-only.
co	Directory string	String	Text-Country (country name)
company	Directory string	String	The user's company name.
codePage	Integer	Int	Specifies the code page for the user's language of choice.
countryCode	Integer	String	Specifies the country code for the user's language of choice.
defaultClassStore	DN string	String	The default Class Store for a given user.
department	Directory string	String	Contains the name for the department in which the user works.
description	Directory string	String	Contains the description to display for an object. This value is treated as single-valued by the system.
desktopProfile	Directory string	String	The location of the desktop profile for a user or group of users.
destinationIndicator	Printable string	String	Not used by Active Directory.
displayName	Directory string	String	The name displayed in the address book for a particular user. This is usually the combination of the user’s first name, middle initial, and last name.
displayNamePrintable	Printable string	String	Printable version of the displayName.
distinguishedName	DN string	String	Cannot be set directly. Read only. Set the DN on create using the DN template or the accountId account attribute.
division	Directory string	String	The user's division.
dynamicLDAPServer	DN string	String	DNS name of server handing dynamic properties for this account.
employeeID	Directory string	String	The ID of an employee.
extensionName	Directory string	String	The name of a property page used to extend the UI of a directory object.
facsimileTelephoneNumber	Directory string	String	Contains telephone number of the user's business fax machine.
flags	Integer	Int	To be used by the object to store bit information.
garbageCollPeriod	Integer	Int	This attribute is located on the CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,... object. It represents the period in hours between DS garbage collection runs.
generationQualifier	Directory string	String	Indicates a person’s generation. For example, Jr. or II.
givenName	Directory string	String	Contains the given name (first name) of the user.
groupPriority	Directory string	String	Not used
groups	Directory string	String	Windows security and distribution groups
groupsToIgnore	Directory string	String	Not used
homeDirectory	Directory string	String	The user's home directory. If homeDrive is set and specifies a drive letter, homeDirectory should be a UNC path. The path must be a network UNC path of the form \\server\share\directory. This value can be a null string. The user’s home directory will be created if: The value is a UNC path that is not a share name (it specifies a directory on a share) Any and all parent directories exist The Create Home Directory resource attribute is set to 1 The user that the gateway service is running as must have permission to create the directory The user will be given Full Control of the created directory.
homeDrive	Directory string	String	The drive letter (including the colon) that the home directory should be mapped to (for example, “Z:”). It should only be specified if homeDirectory is a UNC path.
homeMDB	DN string	String	The distinguished name of the message database (MDB) for this mailbox. It has a format similar to CN=Mailbox Store (SERVERNAME),CN=First Storage Group, CN=InformationStore,CN=SERVERNAME,CN=Servers, CN=First Administrative Group,CN=Administrative Groups, CN=EXCHANGE ORG, CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=DOMAIN, DC=YOURCOMPANY,DC=com'
homeMTA	DN string	String	Points to the message transfer agent (MTA) that services this object. It has a format similar to CN=Microsoft MTA,CN=SERVERNAME,CN=Servers, CN=First Administrative Group,CN=Administrative Groups, CN=EXCHANGE ORG, CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=DOMAIN, DC=YOURCOMPANY,DC=com
homePhone	Directory string	String	The user's main home phone number.
homePostalAddress	Directory string	String	A user's home address.
info	Directory string	String	The user's comments. This string can be a null string.
initials	Directory string	String	Contains the initials for parts of the user's full name.
internationalISDNNumber	Numeric string	String	Specifies an International ISDN number associated with an object.
ipPhone	Directory string	String	The TCP/IP address for the phone. Used by Telephony.
l	Directory string	String	Contains the locality, such as the town or city, in the user's address.
lastLogon	Interval	String	The last time the user logged on at a DC.
lastLogonTimestamp	Interval	String	The time that the user last logged into the domain. This value is only updated when the user logs in if a week has passed since the last update.
lastLogoff	Interval	String	The last time the user logged off.
legacyExchangeDN	Case ignore string	String	The distinguished name previously used by Exchange.
localeID	Integer	Int	This attribute contains a list of locale IDs supported by this application. A locale ID represents a geographic location like France.
lockoutTime	Interval	String	The number of minutes to wait before resetting the invalid logon count.
logonCount	Integer	Int	The number of successful times the user tried to log on to this account. This property is maintained separately on each domain controller in the domain.
mail	Directory string	String	One or more email addresses.
mailNickName	Directory string	String	Exchange nickname.
managedObjects	DN string	String	Contains the list of objects that are managed by the user.Set by the system. Read only.
manager	DN string	String	Directory name of the user's manager.
maxStorage	Large Integer	String	The maximum amount of disk space the user can use.
mDBOverHardQuotaLimit	Integer	String	The maximum mailbox size, in KB, over which sending and receiving mail is disabled.
mDBOverQuotaLimit	Integer	String	The mailbox quota overdraft limit, in KB.
mDBStorageQuota	Integer	String	The message database quota, in KB.
mDBUseDefaults	boolean	String	Indicates whether the store should use the default quota, rather than the per-mailbox quota.
mhsORAddress	Directory string	String	X.400 address.
middleName	Directory string	String	The user’s middle name.
mobile	Directory string	String	The primary cell phone number.
msCOM-PartitionSetLink	DN string	String	A link used to associate a COM+ Partition with a COM+ PartitionSet object. Read only.
msCOM-UserLink	DN string	String	A link used to associate a COM+ PartitionSet with a User object. Read only.
msCOM-UserPartitionSetLink	DN string	String	A link used to associate a User with a COM+ PartitionSet. Read only.
msDS-AllowedToDelegateTo	Directory string	String	Contains a list of Service Principal Names (SPN). This attribute is used to configure a service to be able to obtain service tickets usable for Constrained Delegation.
ms-DS-Approx-Immed-Subordinates	Integer	Int	The approximate number of subordinates for this user. Read only.
msDS-Cached-Membership-Time-Stamp	Interval	String	Used by the Security Accounts Manager for group expansion during token evaluation. Read only.
mS-DS-ConsistencyChildCount	Integer	Int	This attribute is used to check consistency between the directory and another object, database, or application, by comparing a count of child objects.
msExchHomeServerName	DN string	String	The name of the Exchange server. It has a format similar to /o=EXCHANGEORG/ou=First Administrative Group/cn=Configuration/cn=Servers/cn=SERVERNAME
ms-DS-KeyVersionNumber	Integer	Int	The Kerberos version number of the current key for this account. This is a constructed attribute. Read only.
ms-DS-Mastered-By	DN string	String	Back link for msDS-hasMasterNCs. Read only.
ms-DS-Members-For-Az-Role-BL	DN string	String	Back-link from member application group or user to Az-Role object(s) linking to it. Read only.
ms-DS-NC-Repl-Cursors	Directory string	String	A list of past and present replication partners, and how up to date we are with each of them. Read only.
ms-DS-NC-Repl-Inbound-Neighbors	Directory string	String	Replication partners for this partition. This server obtains replication data from these other servers, which act as sources. Read only.
ms-DS-NC-Repl-Outbound-Neighbors	Directory string	String	Replication partners for this partition. This server sends replication data to these other servers, which act as destinations. This server will notify these other servers when new data is available. Read only.
ms-DS-Non-Members-BL	DN string	String	Back link from non-member group/user to Az group(s) linking to it. Read only.
ms-DS-Operations-For-Az-Role-BL	DN string	String	Back-link from Az-Operation to Az-Role object(s) linking to it. Read only.
ms-DS-Operations-For-Az-Task-BL	DN string	String	Back-link from Az-Operation to Az-Task object(s) linking to it. Read only.
ms-DS-Repl-Attribute-Meta-Data	Directory string	String	A list of metadata for each replicated attribute. Read only.
ms-DS-Repl-Value-Meta-Data	Directory string	String	A list of metadata for each value of an attribute. Read only.
ms-DS-Tasks-For-Az-Role-BL	DN string	String	Back-link from Az-Task to Az-Role object(s) linking to it. Read only.
ms-DS-Tasks-For-Az-Task-BL	DN string	String	Back-link from Az-Task to the Az-Task object(s) linking to it. Read only.
ms-DS-User-Account-Control-Computed	Integer	Int	A computed attribute to expose user password expired and user account locked out.
msExchMailboxSecurityDescriptor	String (Octet)	String	This attribute determines Exchange Mailbox rights for the user. For more information, see Managing ACL Lists
ms-Exch-Owner-BL	DN string	String	The back-link to the owner attribute. Contains a list of owners for an object. Read only.
ms-IIS-FTP-Dir	Directory string	String	The user home directory relative to the file server share. It is used in conjunction with ms-IID-FTP-Root to determine the FTP user home directory.
ms-IIS-FTP-Root	Directory string	String	This attribute determines the file server share. It is used in conjunction with ms-IID-FTP-Dir to determine the FTP user home directory.
name	Directory string	String	The Relative Distinguished Name (RDN) of the user. Cannot be set directly. Read only. Set the RDN on create using the DN template or the accountId account attribute. Do not use “name” for the left-hand side of the schema map as it is a reserved attribute name.
networkAddress	Case ignore string	String	The TCP/IP address for a network segment.
nTSecurityDescriptor	String (Octet)	String	The NT security descriptor for the schema object. For more information, see Managing ACL Lists.
o	Directory string	String	The name of the company or organization.
objectCategory	DN string	N/A	An object class name used to groups objects of this or derived classes. Set by the system. Read-only.
objectClass	OID string	N/A	The list of classes from which this class is derived. The value of this attribute should be set using the Object Class resource attribute. Read-only.
objectVersion	Integer	Int	A version number for the object.
operatorCount	Integer	Int	The number of operators on the computer.
otherFacsimileTelephoneNumber	Directory string	String	A list of alternate facsimile numbers.
otherHomePhone	Directory string	String	A list of alternate home phone numbers.
otherIpPhone	Directory string	String	The list of alternate TCP/IP addresses for the phone. Used by Telephony.
otherLoginWorkstations	Directory string	String	Non-NT or LAN Manager workstations from which a user can login.
otherMailbox	Directory string	String	Contains other additional mail addresses in a form such as CCMAIL: JohnDoe.
otherMobile	Directory string	String	Additional mobile phone numbers
otherPager	Directory string	String	Additional pager numbers
otherTelephone	Directory string	String	Additional telephone numbers
ou	Directory string	String	Organizational unit
outOfOfficeEnabled	Boolean	Boolean	Enables the out-of-office autoreply function
outOfOfficeMessage	String	String	The text of an out-of-office message.
pager	Directory string	String	Pager number
personalTitle	Directory string	String	User’s title
PasswordNeverExpires	Boolean	Boolean	Indicates whether the user’s password will expire.
physicalDeliveryOfficeName	Directory string	String	The office where deliveries are routed to.
postalAddress	Directory string	String	The office location in the user's place of business.
postalCode	Directory string	String	The postal or zip code for mail delivery.
postOfficeBox	Directory string	String	The P.O. Box number for this object.
preferredDeliveryMethod	Enumeration	String	The X.500. preferred way to deliver to addressee
preferredOU	DN string	String	The Organizational Unit to show by default on user' s desktop.
primaryGroupID	Integer	Int	If the user is not already a member of the group, then the promaryGroupID must be set in 2 steps: add the user to the group then set the primaryGroupId.
primaryInternationalISDNNumber	Directory string	String	The primary ISDN number.
primaryTelexNumber	Directory string	String	The primary telex number.
profilePath	Directory string	String	Specifies a path to the user's profile. This value can be a null string, a local absolute path, or a UNC path.
proxyAddresses	string	String	A proxy address is the address by which a Microsoft Exchange Server recipient object is recognized in a foreign mail system. Proxy addresses are required for all recipient objects such as custom recipients and distribution lists.
pwdLastSet	Inteval	String	This attribute indicates the last time the user modified the password. This value is stored as a large integer that represents the number of seconds elapsed since 00:00:00, January 1, 1601 (FILETIME). If this value is set to zero and the user account has the password never expires property set to false, then the user must set the password at the next logon.
revision	Integer	Int	The revision level for a security descriptor or other change. Read only.
rid	Integer	Int	The relative Identifier of an object. Read only.
sAMAccountName	Directory string	String	Login name.
sAMAccountType	Integer	Int	This attribute contains information about every account type object. Set by system. Read only.
scriptPath	Directory string	String	The path for the user's logon script. The string can be null.
seeAlso	DN string	String	DNs of related objects
serialNumber	Printable string	String	User’s serial number. Not used by Active Directory.
servicePrincipalName	Directory string	String	List of distinguished names that are related to an object.
showInAddressBook	DN string	String	This attribute is used to indicate which MAPI address books an object will appear in. It is normally maintained by the Exchange Recipient Update Service.
showInAdvancedViewOnly	Boolean	Boolean	True if this attribute is to be visible in the Advanced mode of the UI.
sn	Directory string	String	Family or last name
st	Directory string	String	State or province name
street	Directory string	String	Street address
Structural-Object-Class	OID String	String	Stores a list of classes contained in a class hierarchy, including abstract classes. Read only.
telephoneNumber	Directory string	String	Primary telephone number.
textEncodedORAddress	Directory string	String	Supports X.400 addresses in a text format.
title	Directory string	String	Contains the user's job title. This property is commonly used to indicate the formal job title, such as Senior Programmer, rather than occupational class, such as programmer. It is not typically used for suffix titles such as Esq. or DDS.
userAccountControl	Integer	Int	Specifies flags that control password, lockout, disable/enable, script, and home directory behavior for the user. This property also contains a flag that indicates the account type of the object. The flags are defined in LMACCESS.H.
userParameters	Directory string	String	Parameters of the user. Points to a Directory string that is set aside for use by applications. This string can be a null string, or it can have any number of characters before the terminating null character.
userPassword	Octet string	Encrypted	The user's password in UTF-8 format. This is a write-only attribute.
userPrincipalName	Directory string	String	An Internet-style login name for a user based on the Internet standard RFC 822. The UPN is shorter than the distinguished name and easier to remember. By convention, this should map to the user e-mail name.
userSharedFolder	Directory string	String	Specifies a UNC path to the user's shared documents folder. The path must be a network UNC path of the form \\server\share\directory. This value can be a null string.
userSharedFolderOther	Directory string	String	Specifies a UNC path to the user's additional shared documents folder. The path must be a network UNC path of the form \\server\share\directory. This value can be a null string.
userWorkstations	Directory string	String	NetBIOS or DNS names of computers user can log into, separated by commas.
usnChanged	LargeInteger	String	USN value assigned by the local directory for the latest change, including creation. Read only.
usnCreated	LargeInteger	String	USN-Changed value assigned at object creation.
USNIntersite	Integer	Int	The USN for inter-site replication.
uSNLastObjRem	LargeInteger	String	Indicates when the last object was removed from a server. Read only.
uSNSource	LargeInteger	String	Value of the USN-Changed attribute of the object from the remote directory that replicated the change to the local server.Read only.
WS_PasswordExpired	N/A	Boolean	Indicates whether to expire the user’s password.
WS_USER_PASSWORD	N/A	Encrypted	Contains the user password. See the Usage Notes for more information.
wbemPath	Directory string	String	References to objects in other ADSI namespaces.
whenChanged	Generalized time	String	The date when this object was last changed. Read only.
whenCreated	Generalized time	String	The date when this object was created. Read only.
wWWHomePage	Directory string	String	The user’s primary web page.
url	Directory string	String	A list of alternate web pages.
x121Address	Numeric string	String	The X.121 address for an object.

Managing ACL Lists

The nTSecurityDescriptor and the msExchMailboxSecurityDescriptor attribute values contain ACL lists that you must specify in a special way.

For example, the following shows a user form a company might use to assign a default set of permissions to each user they provision:

<Field name=’attributes[AD].nTSecurityDescriptor’ hidden=’true’>   <Expansion>

      <list>

        <s>Domain Admins|983551|0|0|NULL|NULL</s>

        <s>NT AUTHORITY\SYSTEM|983551|0|0|NULL|NULL</s>

        <s>Account Operators|983551|0|0|NULL|NULL</s>

        <s>NT AUTHORITY\Authenticated Users|131220|0|0|NULL|NULL</s>         <s>NT AUTHORITY\Authenticated Users|256|5|0|
{AB721A55-1E2F-11D0-9819-00AA0040529B}|NULL</s>

        <s>NT AUTHORITY\SELF|131220|0|0|NULL|NULL</s>

     </list>

  </Expansion>

</Field>

Here is a description of the preceding format:

Trustee|Mask|aceType|aceFlags|objectType|InheritedObjectType

Where:

Trustee is the DOMAIN\Account of the user.
Mask is a flag specifying access permissions (read, write, etc. ).
aceType is a flag indicating the access-control entry (ACE) types.
aceFlags is a flag specifying whether other containers or objects can inherit the ACE from the ACL owner.
objectType is a flag indicating the ADSI object type. the objectType value is a GUID to a property or an object in string format.
The GUID refers to a property when you use ADS_RIGHT_DS_READ_PROP and ADS_RIGHT_DS_WRITE_PROP access masks.
The GUID specifies an object when you use ADS_RIGHT_DS_CREATE_CHILD and ADS_RIGHT_DS_DELETE_CHILD access masks.
InheritedObjectType is a flag indicating the child object type of an ADSI object. The InheritedObjectType value is a GUID to an object in string format. When you set such a GUID, the ACE applies only to the object referred to by the GUID.

The following information (found in MSDN) is provided to help you further understand some of these fields:

aceType:

ADS_ACETYPE_ACCESS_ALLOWED = 0,

ADS_ACETYPE_ACCESS_DENIED = 0x1,

ADS_ACETYPE_SYSTEM_AUDIT = 0x2,

ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = 0x5,

ADS_ACETYPE_ACCESS_DENIED_OBJECT = 0x6,

ADS_ACETYPE_SYSTEM_AUDIT_OBJECT = 0x7,

ADS_ACETYPE_SYSTEM_ALARM_OBJECT = 0x8

ADS_ACETYPE_ACCESS_ALLOWED


Where:

ADS_ACETYPE_ACCESS_ALLOWED: The ACE is of the standard ACCESS ALLOWED type, where the ObjectType and InheritedObjectType fields are NULL.
ADS_ACETYPE_ACCESS_DENIED: The ACE is of the standard system-audit type, where the ObjectType and InheritedObjectType fields are NULL.
ADS_ACETYPE_SYSTEM_AUDIT: The ACE is of the standard system type, where the ObjectType and InheritedObjectType fields are NULL.
ADS_ACETYPE_ACCESS_ALLOWED_OBJECT: On Windows 2000, ACE grants access to an object or a subobject of the object, such as a property set or property.

ObjectType, InheritedObjectType, or both contain a GUID that identifies a property set, property, extended right, or type of child object.

ADS_ACETYPE_ACCESS_DENIED_OBJECT: Windows 2000, ACE denies access to an object or a subobject of the object, such as a property set or property.

ObjectType, InheritedObjectType, or both contain a GUID that identifies a property set, property, extended right, or type of child object.

ADS_ACETYPE_SYSTEM_AUDIT_OBJECT: Windows 2000, ACE audits access to an object or a subobject of the object, such as a property set or property.

ObjectType, InheritedObjectType, or both contain a GUID that identifies a property set, property, extended right, or type of child object.

ADS_ACETYPE_SYSTEM_ALARM_OBJECT: Not used on Windows 2000/XP at this time.
aceFlags

ADS_ACEFLAG_INHERIT_ACE = 0x2,

ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE = 0x4,

ADS_ACEFLAG_INHERIT_ONLY_ACE = 0x8,

ADS_ACEFLAG_INHERITED_ACE = 0x10,

ADS_ACEFLAG_VALID_INHERIT_FLAGS = 0x1f,

ADS_ACEFLAG_SUCCESSFUL_ACCESS = 0x40,


Where:

ADS_ACEFLAG_FAILED_ACCESS = 0x80 ADS_ACEFLAG_INHERIT_ACE: Indicates child objects that will inherit this access-control entry (ACE).

The inherited ACE is inheritable unless you set the ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE flag.

ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE: Causes the system to clear the ADS_ACEFLAG_INHERIT_ACE flag for the inherited ACEs of child objects, which prevents the ACE from being inherited by subsequent generations of objects.
ADS_ACEFLAG_INHERIT_ONLY_ACE: Indicates an inherit-only ACE that does not exercise access control on the object to which it is attached.

If you do not set this flag, the ACE is an effective ACE that exerts access control on the object to which it is attached.

ADS_ACEFLAG_INHERITED_ACE: Indicates whether the ACE was inherited. The system sets this bit.
ADS_ACEFLAG_VALID_INHERIT_FLAGS: Indicates whether the inherited flags are valid. The system sets this bit.
ADS_ACEFLAG_SUCCESSFUL_ACCESS: Generates audit messages for successful access attempts, used with ACEs that audit the system in a system access-control list (SACL).
ADS_ACEFLAG_FAILED_ACCESS: Generates audit messages for failed access attempts, used with ACEs that audit the system in a SACL.
objectType and InheritedObjectType: Specifies the GUID of other objects in the form:

{BF9679C0-0DE6-11D0-A285-00AA003049E2}

The object/attribute GUID is wrapped in brackets { }. This format is returned during a fetch. Within ADSI there are GUIDs to represent specific attributes to grant access and also a way to describe an inherited relationship.

For more detailed information, reference the following website:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dsportal/dsportal/
directory_services_portal.asp

The best method in which to find the correct string to pass down, is to do the following:

Add the attribute to your schema, and then add the following field to your user form, as follows:

<Field name=’accounts[AD].nTSecurityDescriptor’>

  <Display class=’TextArea’>

    <Property name=’title’ value=’NT User Security Descriptor’/>     <Property name=’rows’ value=’20’/>

    <Property name=’columns’ value=’100’/>

  </Display>

</Field>

or

<Field name=’accounts[AD].msExchMailboxSecurityDescriptor’>   <Display class=’TextArea’>

    <Property name=’title’ value=’Mailbox Security Descriptor’/>

    <Property name=’rows’ value=’20’/>

    <Property name=’columns’ value=’100’/>

  </Display>

</Field>

Edit a user’s object in Active Directory and set the corresponding ACL lists for all users to establish a baseline.
Edit the user in Identity Manager and on the Edit user form.

You should see a text area with the corresponding values, which have been pulled from the user object in Active Directory.

Using the preceding method will help you determine which values you must add to the form, for the settings you want.

Unsupported Attributes

The following table lists the account attributes that are not supported by Identity Manager:

Schema Name	Notes
allowedAttributes	Operational attribute
allowedAttributesEffective	Operational attribute
allowedChildClasses	Operational attribute
alowedChildClassesEffective	Operational attribute
bridgeheadServerListBL	System usage.
canonicalName	Operational attribute
controlAccessRights	String(Octet)
createTimeStamp	String(UTC-Time)
dBCSPwd	String(Octet)
directReports	System usage. Set using the manager attribute of the users that are managed by this user.
dSASignature	Object(Replica-Link)
dSCorePropagationData	String(UTC-Time)
fromEntry	Operational attribute
frsComputerReferenceBL	System usage
fRSMemberReferenceBL	System usage
fSMORoleOwner	System usage
groupMembershipSAM	String(Octet)
instanceType	System usage
isCriticalSystemObject	System usage
isDeleted	System usage
isPrivilegeHolder	System usage
lastKnownParent	System usage
lmPwdHistory	String(Octet)
logonHours	String(Octet)
logonWorkstations	String(Octet)
masteredBy	System usage.
memberOf	System usage. Use the “groups” attribute.
modifyTimeStamp	String(UTC-Time)
MS-DRM-Identity-Certificate	String(Octet)
ms-DS-Cached-Membership	String(Octet)
mS-DS-ConsistencyGuid	String(Octet)
mS-DS-CreatorSID	String(Sid)
ms-DS-Site-Affinity	String(Octet)
mSMQDigests	String(Octet)
mSMQDigestsMig	String(Octet)
mSMQSignCertificates	String(Octet)
mSMQSignCertificatesMig	String(Octet)
msNPAllowDialin	Use RAS MPR API to read and update values.
msNPCallingStation	Use RAS MPR API to read and update values.
msNPSavedCallingStationID	Use RAS MPR API to read and update values.
msRADIUSCallbackNumber	Use RAS MPR API to read and update values.
msRADIUSFramedIPAddress	Use RAS MPR API to read and update values.
msRADIUSFramedRoute	Use RAS MPR API to read and update values.
msRADIUSServiceType	Use RAS MPR API to read and update values.
msRASSavedCallbackNumber	Use RAS MPR API to read and update values.
msRASSavedFramedIPAddress	Use RAS MPR API to read and update values.
msRASSavedFramedRoute	Use RAS MPR API to read and update values.
netbootSCPBL	System usage
nonSecurityMemberBL	System usage
ntPwdHistory	System usage
objectGUID	String(Octet). The GUID is stored in the Identity Manager user object in the ResourceInfo for the account.
objectSid	String(Sid)
otherWellKnownObjects	Object(DN-Binary)
partialAttributeDeletionList	System usage
partialAttributeSet	System usage
possibleInferiors	System usage
proxiedObjectName	Object(DN-Binary)
queryPolicyBL	System usage
registeredAddress	String(Octet)
replPropertyMetaData	System usage
replUpToDateVector	System usage
repsFrom	System usage
repsTo	System usage
sDRightsEffective	Operational attribute
securityIdentifier	String(Sid)
serverReferenceBL	System usage
sIDHistory	String(Sid)
siteObjectBL	System usage
subRefs	System usage
subSchemaSubEntry	System usage
supplementalCredentials	System usage
systemFlags	System usage
telexNumber	String(Octet)
teletexTerminalIdentifier	String(Octet)
terminalServer	String(Octet)
thumbnailPhoto	String(Octet)
thumbnailLogo	String(Octet)
tokenGroups	String(Sid) / Operational attribute
tokenGroupsGlobalAndUniversal	String(Sid)
tokenGroupsNoGCAcceptable	String(Sid) / Operational attribute
unicodePwd	String(Octet). Use userPassword to set the user’s password.
userCert	String(Octet)
userCertificate	String(Octet)
userSMIMECertificate	String(Octet)
wellKnownObjects	Object(DN-String)
x500uniqueIdentifier	String(Octet)

Resource Object Management

Identity Manager supports the following Active Directory objects:

Resource Object	Supported Features	Attributes Managed
Group	Create, update, delete	cn, samAccountName, description, managedby, member, mail, groupType, authOrig, name
DNS Domain	Find	dc
Organizational Unit	Create, delete, find	ou
Container	Create, delete, find	cn, description

The attributes that can be managed on resource objects are also generally dictated by the attribute syntaxes. The attributes for these object types are similar as those for user accounts and are supported accordingly.

Identity Template

Windows Active Directory is a hierarchically based resource. The identity template will provide the default location in the directory tree where the user will be created. The default identity template is

CN=$fullname$,CN=Users,DC=mydomain,DC=com

The default template must be replaced with a valid value.

Sample Forms

This section lists the sample forms provided for the Active Directory resource adapter.

Built-In

ActiveDirectory ActiveSync Form
Windows Active Directory Create Container Form
Windows Active Directory Create Group Form
Windows Active Directory Create Organizational Unit Form
Windows Active Directory Create Person Form
Windows Active Directory Create User Form
Windows Active Directory Update Container Form
Windows Active Directory Update Group Form
Windows Active Directory Update Organizational Unit Form
Windows Active Directory Update Person Form
Windows Active Directory Update User Form

Also Available

ADUserForm.xml

Troubleshooting

Use the Identity Manager debug pages to set trace options on the following class:

com.waveset.adapter.ADSIResourceAdapter

In addition, tracing can be enabled on the Gateway service via the Identity Manager debug pages. (InstallDir\idm\debug\Gateway.jsp). This page allows you to specify the level of trace, location of the trace file, and the maximum size of the trace file. This page also allows you to remotely retrieve the gateway trace file and display the version information for the Gateway.

The Gateway service may also be started from the console with debug tracing via various command line switches. Use -h to review the usage for the Gateway service.

Previous      Contents      Next

---

Copyright 2006 Sun Microsystems, Inc. All rights reserved.