The procedure to deploy the connector is divided across three stages, namely preinstallation, installation, and postinstallation. This chapter also describes upgrading the Microsoft Active Directory User Management Connector and cloning the Microsoft Active Directory User Management Connector.
The following topics discuss these stages:
Upgrading the Microsoft Active Directory User Management Connector
About Cloning the Microsoft Active Directory User Management Connector
Note:
Some of the procedures described in this chapter are meant to be performed on the target system. The minimum permissions required to perform these procedures depend on the target system that you are using:
If the target system is Microsoft Active Directory, then the permissions required are those assigned to members of the Domain Admins group.
If the target system is Microsoft AD LDS, then the permissions required are those assigned to members of the Administrators group.
Preinstallation for the Microsoft Active Directory User Management connector involves registering a client application for the connector with the target system. It also involves generating the Client ID and Client Secret values for authenticating to the target system and setting the permissions for the client application.
The preinstallation stage for deploying the AD User Management connector involves performing the following procedures:
Oracle Identity Manager requires a target system user account to access the target system during reconciliation and provisioning operations. You provide the credentials of this user account while performing the procedure described in Configuring the IT Resource for Microsoft AD and AD LDS.
Depending on the target system that you are using, perform the procedure described in one of the following sections:
You can use a Microsoft Windows 2008 Server (Domain Controller) administrator account for connector operations. Alternatively, you can create a user account and assign the minimum required rights to the user account.
To create the Microsoft Active Directory user account for connector operations:
See Also:
Microsoft Active Directory documentation for detailed information about performing this procedure
You must create and use a user account that belongs to the Administrators group for performing connector operations.
To create the Microsoft AD LDS user account for connector operations:
See Also:
Microsoft AD LDS documentation for detailed information about these steps
In order to enable the user account that you created for performing connector operations to retrieve information about deleted user accounts during delete reconciliation runs, you must assign permissions to the deleted objects container (CN=DeletedObjects) in the target system.
Note:
In a forest environment, if you are performing reconciliation by using the Global Catalog Server, then perform the procedure described in this section on all child domains.
By default, user accounts that belong to the Account Operators group can manage only user and group objects. To manage organizational units or custom object classes, you must assign the necessary permissions to a user account. In other words, you must delegate complete control for an organizational unit or custom object class to a user or group object. In addition, you need these permissions to successfully perform provisioning of custom object classes.
This is achieved by using the Delegation of Control Wizard. An example for managing organizational units is creating organizational units.
See the Microsoft documentation for detailed instructions to delegate control for an organizational unit or custom object class to a user account.
Connector Server is one of the features provided by ICF. By using one or more connector servers, the connector architecture permits your application to communicate with externally deployed bundles.
You deploy the Active Directory User Management connector remotely in the connector server. A connector server is a Microsoft Windows application that enables remote execution of an Identity Connector.
Connector servers are available in two implementations:
As a .Net implementation that is used by Identity Connectors implemented in .Net
As a Java Connector Server implementation that is used by Java-based Identity Connectors
The Active Directory User Management connector is implemented in .Net, so you must deploy this connector to a .Net framework-based connector server.
For detailed instructions about installing, configuring, and upgrading the Microsoft .NET Connector Server, see Using the Microsoft .NET Framework Connector Server in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager.
Logging for the Active Directory User Management connector is enabled and managed on the computer hosting the Connector Server. The following sections contain detailed information:
The Active Directory User Management connector uses the built-in logging mechanism of the .NET framework. Logging for the Active Directory User Management connector is not integrated with Oracle Identity Manager. The log level is set in the .NET Connector Server configuration file (ConnectorServer.exe.config).
To enable logging for the Active Directory User Management connector, perform the following procedure:
Information about events that occur during reconciliation and provisioning operations is stored in a log file. As you use the connector over a period of time, the amount of information written to the log file increases. If no rotation is performed, then the log file becomes very large.
To avoid such a scenario, perform the procedure described in this section to configure rotation of the log file.
To configure rotation of a log file on a daily basis:
See Also:
The following URL for more information about configuring log file rotation:
http://msdn.microsoft.com/en-us/library/microsoft.visualbasic.logging.filelogtracelistener.aspx
You must install the Active Directory User Management connector in Oracle Identity Manager and if required, place the connector code bundle in the Connector Server.
The following topics discuss installing the Active Directory User Management connector:
Installation on Oracle Identity Manager consists of the following procedures:
Note:
For information about configuring the .NET Connector Server, see Configuring the .NET Connector Server.
Note:
In this guide, the term Connector Installer has been used to refer to the Connector Installer feature of the Administrative and User Console.
To run the Connector Installer:
Copy the contents of the connector installation media directory into the following directory:
OIM_HOME/server/ConnectorDefaultDirectory
Depending on the Oracle Identity Manager release you are using, perform one of the following steps:
For Oracle Identity Manager release 11.1.1.x:
Log in to the Administrative and User Console.
On the Welcome to Identity Manager Advanced Administration page, in the System Management region, click Manage Connector.
For Oracle Identity Manager release 11.1.2.x or later:
Log in to Oracle Identity System Administration.
In the left pane, under System Management, click Manage Connector.
In the Manage Connector page, click Install.
From the Connector List list, select ActiveDirectory RELEASE_NUMBER. This list displays the names and release numbers of connectors whose installation files you copied into the default connector installation directory in Step 1.
If you have copied the installation files into a different directory, then:
In the Alternative Directory field, enter the full path and name of that directory.
To repopulate the list of connectors in the Connector List list, click Refresh.
From the Connector List list, select ActiveDirectory RELEASE_NUMBER.
Click Load.
To start the installation process, click Continue.
The following tasks are performed, in sequence:
Configuration of connector libraries
Import of the connector XML files (by using the Deployment Manager)
Compilation of adapters
On successful completion of a task, a check mark is displayed for the task. If a task fails, then an X mark and a message stating the reason for failure are displayed. Depending on the reason for the failure, make the required correction and then perform one of the following steps:
Retry the installation by clicking Retry.
Cancel the installation and begin again from Step 1.
If all three tasks of the connector installation process are successful, then a message indicating successful installation is displayed. In addition, a list of steps that you must perform after the installation is displayed. These steps are as follows:
Ensuring that the prerequisites for using the connector are addressed
Note:
At this stage, run the Oracle Identity Manager PurgeCache utility to load the server cache with content from the connector resource bundle in order to view the list of prerequisites. See Clearing Content Related to Connector Resource Bundles from the Server Cache for information about running the PurgeCache utility.
There are no prerequisites for some predefined connectors.
Configuring the IT resource for the connector
The procedure to configure the IT resource is described later in this guide.
Configuring the scheduled jobs
The procedure to configure these scheduled jobs is described later in this guide.
When you run the Connector Installer, it copies the connector files and external code files to destination directories on the Oracle Identity Manager host computer. These files are listed in Table 2–1.
Note:
If you have configured your target system as a trusted source, then create an IT resource of type Active Directory. For example, Active Directory Trusted. The parameters of this IT resource are the same as the parameters of the IT resources described in Configuring the IT Resource for Microsoft AD and AD LDS of this section. See Creating IT Resources in Administering Oracle Identity Manager for more information about creating an IT resource.
The IT resource for the target system is created during connector installation. This IT resource contains connection information about the target system. Oracle Identity Manager uses this information during reconciliation and provisioning.
You must specify values for the parameters of the Active Directory IT resource as follows:
Depending on the Oracle Identity Manager release you are using, perform one of the following steps:
For Oracle Identity Manager release 11.1.1.x:
Log in to the Administrative and User Console
For Oracle Identity Manager release 11.1.2.x or later:
Log in to Oracle Identity System Administration
If you are using Oracle Identity Manager release 11.1.1.x, then:
On the Welcome page, click Advanced in the upper-right corner of the page.
On the Welcome to Oracle Identity Manager Advanced Administration page, in the Configuration region, click Manage IT Resource.
If you are using Oracle Identity Manager release 11.1.2.x or later, then in the left pane, under Configuration, click IT Resource.
In the IT Resource Name field on the Manage IT Resource page, enter Active Directory
and then click Search. Figure 2-1 shows the Manage IT Resource page.
Click the edit icon corresponding to the Active Directory IT resource.
From the list at the top of the page, select Details and Parameters.
Specify values for the parameters of the Active Directory IT resource. Figure 2-2 shows the Edit IT Resource Details and Parameters page.
Figure 2-2 Edit IT Resource Details and Parameters Page for the Active Directory IT Resource
The following list describes each parameter of the Active Directory IT resource
ADLDSPort
Enter the number of the port at which Microsoft AD LDS is listening.
Sample value: 50001
Note:
Do not enter a value for this parameter if you are using Microsoft Active Directory as the target system.
BDCHostNames
Enter the host name of the backup domain controller to which Oracle Identity Manager must switch if the primary domain controller becomes unavailable.
Sample value: mydc1;mydc2;mydc3
Note:
Multiple backup domain controllers must be separated by a semicolon (;).
Configuration Lookup
This parameter holds the name of the lookup definition that stores configuration information used during reconciliation and provisioning.
If you have configured your target system as a target resource, then enter Lookup.Configuration.ActiveDirectory.
If you have configured your target system as a trusted source, then enter Lookup.Configuration.ActiveDirectory.Trusted.
Default value: Lookup.Configuration.ActiveDirectory
Connector Server Name
Name of the IT resource of the type "Connector Server." You create an IT resource for the Connector Server in Configuring the IT Resource for the Connector Server.
Note:
Enter a value for this parameter only if you have deployed the Active Directory User Management connector in the Connector Server.
Default value: Active Directory Connector Server
Container
Enter the fully qualified domain name of the user container into or from which users must be provisioned or reconciled into Oracle Identity Manager, respectively.
Sample value: DC=example,DC=com
DirectoryAdminName
Enter the user name of account that you create by performing the procedure described in Creating a Target System User Account for Connector Operations.
Enter the value for this parameter in the following format:
DOMAIN_NAME\USER_NAME
Sample value: mydomain\admin
Note:
If you are using AD LDS as the target system and this machine belongs to a workgroup, enter the username of the account created in Creating a Target System User Account for Connector Operations. Enter a value for this parameter in the following format:
USER_NAME
Sample value: admin
DirectoryAdminPassword
Enter the password of the user account that you create by performing the procedure described in Creating a Target System User Account for Connector Operations.
DomainName
Enter the domain name for the Microsoft Active Directory domain controller on which the connector is being installed.
Sample value: example.com
Note:
This is a mandatory parameter if you are using Microsoft Active Directory as the target system.
isADLDS
Enter yes to specify that the target system is Microsoft AD LDS.
Enter no to specify that the target system is Microsoft Active Directory.
LDAPHostName
Enter the host name, IP address, or domain name of the Microsoft Windows computer (target system host computer) on which Microsoft Active Directory is installed.
Note:
If you specify a value for neither this parameter nor the BDCHostNames parameter (discussed earlier in this list), then a serverless bind is used. The connector uses ADSI to determine a domain controller in the domain and then creates the directory entry. Therefore, interactions with the target system are not tied to a specific domain controller.
To determine the host name, on the computer hosting the target system, right-click My Computer and select Properties. On the Computer Name tab of the System Properties dialog box, the host name is specified as the value of the Full computer name field.
Sample values:
w2khost
172.20.55.120
example.com
SyncDomainController
Enter the name of the domain controller from which user accounts must be reconciled.
Note:
The value specified in this parameter is used if the value of the SearchChildDomains lookup entry is set to no. If no value is specified for the SyncDomainController parameter and the SearchChildDomains lookup entry is set to no, then the connector automatically finds a domain controller for the target system and reconciles users from it.
Sample value: mynewdc
SyncGlobalCatalogServer
Enter the host on which the global catalog server is located.
Note:
The value specified in this parameter is used if the value of the SearchChildDomains lookup entry is set to yes. If no value is specified for the SyncGlobalCatalogServer parameter and the SearchChildDomains lookup entry is set to yes, then the connector automatically finds a global catalog server for the target system, and then reconciles user accounts from the domain controller on which the global catalog server is running. It is strongly recommended to provide a value for this parameter if you have set the SearchChildDomains lookup entry to yes.
Sample value: myglobalcatalogdc
UseSSL
Enter yes if the target system has been configured for SSL. This enables secure communication between the Connector Server and the target system. Otherwise, enter no.
Default value: no
Note:
For resetting user passwords during provisioning operations, the communication with the target system must be secure. The default communication between the .NET Connector Server and Microsoft Active Directory is secure. Therefore, even if you set the value of this parameter to no, it is possible to reset user passwords during provisioning operations because the default communication is secure. See Configuring SSL for Microsoft Active Directory and Microsoft AD LDS for information about configuring SSL.
The default communication between the .NET Connector Server and Microsoft AD LDS is not secure. Therefore, for enabling password reset provisioning operations, you must set the value of this parameter to yes to secure communication with Microsoft AD LDS. See Configuring SSL Between Connector Server and Microsoft AD LDS for more information about configuring SSL.
To save the values, click Update.
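The parameter rules listed above interact (ADLDSPort versus DomainName, the DirectoryAdminName format, UseSSL for AD LDS password reset, which Sync parameter SearchChildDomains selects), so it helps to check a parameter set before clicking Update. The following is an added example, not code from the Oracle documentation: the parameter names are the ones listed above, while the function check_ad_it_resource, its search_child_domains and password_reset arguments, and the sample values are assumptions made for this example.

```python
import re

# DOMAIN_NAME\USER_NAME (Active Directory, or AD LDS on a domain-joined host)
DOMAIN_USER = re.compile(r"^[^\\\s]+\\[^\\\s]+$")
# USER_NAME only (AD LDS on a workgroup host)
BARE_USER = re.compile(r"^[^\\\s]+$")
CONFIG_LOOKUPS = {"Lookup.Configuration.ActiveDirectory",
                  "Lookup.Configuration.ActiveDirectory.Trusted"}


def check_ad_it_resource(params, search_child_domains="no", password_reset=True):
    """Check an Active Directory IT resource parameter set against the documented rules.

    params: dict of parameter name -> value as entered on the Edit IT Resource page.
    search_child_domains: value of the SearchChildDomains entry in the configuration lookup.
    password_reset: whether provisioning operations will reset user passwords.
    Returns a list of (severity, message); an empty list means no findings.
    """
    p = {k: (v or "").strip() for k, v in params.items()}
    findings = []

    def err(msg):
        findings.append(("error", msg))

    def warn(msg):
        findings.append(("warn", msg))

    is_adlds = p.get("isADLDS", "no").lower() == "yes"
    use_ssl = p.get("UseSSL", "no").lower() == "yes"
    admin = p.get("DirectoryAdminName", "")

    if not admin:
        err("DirectoryAdminName is required")
    if not p.get("DirectoryAdminPassword"):
        err("DirectoryAdminPassword is required")
    if p.get("Configuration Lookup") not in CONFIG_LOOKUPS:
        err("Configuration Lookup must be Lookup.Configuration.ActiveDirectory "
            "or Lookup.Configuration.ActiveDirectory.Trusted")

    if is_adlds:
        if not p.get("ADLDSPort", "").isdigit():
            err("ADLDSPort must be the numeric port at which AD LDS is listening")
        if admin and not (DOMAIN_USER.match(admin) or BARE_USER.match(admin)):
            err("DirectoryAdminName must be DOMAIN_NAME\\USER_NAME or USER_NAME for AD LDS")
        # The .NET Connector Server does not secure AD LDS traffic by default,
        # so password reset requires UseSSL=yes.
        if password_reset and not use_ssl:
            err("UseSSL must be yes to reset passwords on AD LDS")
    else:
        if p.get("ADLDSPort"):
            err("ADLDSPort must be empty when the target is Active Directory")
        if not p.get("DomainName"):
            err("DomainName is mandatory for Active Directory")
        if admin and not DOMAIN_USER.match(admin):
            err("DirectoryAdminName must be in DOMAIN_NAME\\USER_NAME format")

    # Backup domain controllers are a semicolon-separated list.
    bdc = p.get("BDCHostNames", "")
    if "," in bdc:
        err("BDCHostNames entries must be separated by ';', not ','")
    if not p.get("LDAPHostName") and not bdc:
        warn("no LDAPHostName or BDCHostNames: a serverless bind will be used")

    # SearchChildDomains decides which Sync parameter the connector reads.
    if search_child_domains.lower() == "yes":
        if not p.get("SyncGlobalCatalogServer"):
            warn("SyncGlobalCatalogServer is strongly recommended when SearchChildDomains is yes")
        if p.get("SyncDomainController"):
            warn("SyncDomainController is ignored when SearchChildDomains is yes")
    elif p.get("SyncGlobalCatalogServer"):
        warn("SyncGlobalCatalogServer is ignored when SearchChildDomains is no")

    return findings


if __name__ == "__main__":
    # Constructed sample parameter set for an Active Directory target (not from the documentation).
    sample = {
        "isADLDS": "no", "DomainName": "example.com",
        "DirectoryAdminName": "mydomain\\admin", "DirectoryAdminPassword": "secret",
        "LDAPHostName": "w2khost", "BDCHostNames": "mydc1;mydc2;mydc3",
        "Configuration Lookup": "Lookup.Configuration.ActiveDirectory", "UseSSL": "no",
    }
    for severity, message in check_ad_it_resource(sample):
        print(severity, message)
```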
Installation in the Connector Server consists of the following procedures:
To copy and extract the connector bundle to the Connector Server:
Note:
A predefined IT resource for the Connector Server by the name Active Directory Connector Server is available after connector installation. The parameters of the predefined IT resource are the same as the parameters described in Table 2-1.
In addition to configuring the Active Directory IT resource, you must configure the IT resource for the Connector Server as follows:
Depending on the Oracle Identity Manager release you are using, perform one of the following steps:
For Oracle Identity Manager release 11.1.1.x:
Log in to the Administrative and User Console
For Oracle Identity Manager release 11.1.2.x or later:
Log in to Oracle Identity System Administration
If you are using Oracle Identity Manager release 11.1.1.x, then:
On the Welcome page, click Advanced in the upper-right corner of the page.
On the Welcome to Oracle Identity Manager Advanced Administration page, in the Configuration region, click Manage IT Resource.
If you are using Oracle Identity Manager release 11.1.2.x or later, then in the left pane, under Configuration, click IT Resource.
In the IT Resource Name field on the Manage IT Resource page, enter Active Directory Connector Server
and then click Search.
Click the edit icon corresponding to the Active Directory Connector Server IT resource.
From the list at the top of the page, select Details and Parameters.
Specify values for the parameters of the Active Directory Connector Server IT resource, as described in Table 2-1.
Table 2-1 Parameters of the Active Directory Connector Server IT Resource
Parameter | Description |
---|---|
Host | Enter the host name or IP address of the computer hosting the connector server. Sample value: |
Key | Enter the key for the connector server. |
Port | Enter the number of the port at which the connector server is listening. Default value: |
Timeout | Enter an integer value which specifies the number of milliseconds after which the connection between the connector server and Oracle Identity Manager times out. Sample value: A value of 0 means that the connection never times out. |
UseSSL | Enter Default value: Note: It is recommended that you configure SSL to secure communication with the connector server. To configure SSL between Oracle Identity Manager and Connector Server, see Configuring SSL Between Oracle Identity Manager and Connector Server. |
Click Update to save the values.
Postinstallation steps are detailed across the following sections:
Clearing Content Related to Connector Resource Bundles from the Server Cache
Configuring the Connector for the Microsoft AD LDS Target System
Configuring Oracle Identity Manager for Request-Based Provisioning
Enabling or Disabling Password Policies in Microsoft Active Directory
Configuring SSL for Microsoft Active Directory and Microsoft AD LDS
If you are using Oracle Identity Manager release 11.1.2 or later, you must create additional metadata such as a UI form and an application instance. In addition, you must run entitlement and catalog synchronization jobs. These procedures are described in the following sections:
Create and activate a sandbox as follows. For detailed instructions, see Managing Sandboxes in Administering Oracle Identity Manager.
Create a new UI form as follows. For detailed instructions, see Managing Forms in Administering Oracle Identity Manager.
Create an application instance as follows. For detailed instructions, see Managing Application Instances in Administering Oracle Identity Manager.
To harvest entitlements and sync catalog:
Note:
Perform the procedure described in this section only if you are using Oracle Identity Manager release 11.1.2.x or later and you want to localize UI form field labels.
To localize field labels that you add to UI forms:
Log in to Oracle Enterprise Manager.
In the left pane, expand Application Deployments and then select oracle.iam.console.identity.sysadmin.ear.
In the right pane, from the Application Deployment list, select MDS Configuration.
On the MDS Configuration page, click Export and save the archive to the local computer.
Extract the contents of the archive, and open one of the following files in a text editor:
For Oracle Identity Manager 11g Release 2 PS2 (11.1.2.2.0):
SAVED_LOCATION\xliffBundles\oracle\iam\ui\runtime\BizEditorBundle_en.xlf
For releases prior to Oracle Identity Manager 11g Release 2 PS2 (11.1.2.2.0):
SAVED_LOCATION\xliffBundles\oracle\iam\ui\runtime\BizEditorBundle.xlf
Edit the BizEditorBundle.xlf file in the following manner:
Search for the following text:
<file source-language="en" original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf" datatype="x-oracle-adf">
Replace with the following text:
<file source-language="en" target-language="LANG_CODE"
original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf"
datatype="x-oracle-adf">
In this text, replace LANG_CODE with the code of the language that you want to localize the form field labels. The following is a sample value for localizing the form field labels in Japanese:
<file source-language="en" target-language="ja" original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf" datatype="x-oracle-adf">
Search for the application instance code. This procedure shows a sample edit for Microsoft Active Directory application instance. The original code is:
<trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.<Field_Name>__c_description']}">
  <source><Field_Label></source>
  <target/>
</trans-unit>
<trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.ad11.entity.<UI_Form_Name>EO.<Field_Name>__c_LABEL">
  <source><Field_Label></source>
  <target/>
</trans-unit>
The sample edit of the code is as follows:
<trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_ADUSER_FULLNAME__c_description']}">
  <source>Full Name</source>
  <target/>
</trans-unit>
<trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.ad11.entity.ad11EO.UD_ADUSER_FULLNAME__c_LABEL">
  <source>Full Name</source>
  <target/>
</trans-unit>
Open the resource file from the connector package, for example ActiveDirectoryIdC_ja.properties, and get the value of the attribute from the file, for example, global.udf.UD_ADUSER_FULLNAME=\u6C0F\u540D.
Replace the original code shown in Step 6.c with the following:
<trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_<Field_Name>__c_description']}">
  <source><Field_Label></source>
  <target><global.udf.UD_Field_Name></target>
</trans-unit>
<trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.<UI_Form_Name>.entity.<UI_Form_Name>EO.UD_<Field_Name>__c_LABEL">
  <source><Field_Label></source>
  <target><global.udf.UD_Field_Name></target>
</trans-unit>
As an example, the code for Full Name is as follows:
<trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_ADUSER_FULLNAME__c_description']}">
  <source>Full Name</source>
  <target>\u6C0F\u540D</target>
</trans-unit>
<trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.ad11.entity.ad11EO.UD_ADUSER_FULLNAME__c_LABEL">
  <source>Full Name</source>
  <target>\u6C0F\u540D</target>
</trans-unit>
Repeat Steps 6.a through 6.d for all attributes of the process form.
Save the file as BizEditorBundle_LANG_CODE.xlf. In this file name, replace LANG_CODE with the code of the language to which you are localizing.
Sample file name: BizEditorBundle_ja.xlf.
Repackage the ZIP file and import it into MDS.
See Also:
Deploying and Undeploying Customizations in Developing and Customizing Applications for Oracle Identity Manager for more information about exporting and importing metadata files
Log out of and log in to Oracle Identity Manager.
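Because the per-field edit above has to be repeated for every attribute of the process form, it is worth scripting. The following is an added example, not part of the Oracle documentation: it sets target-language on the <file> element of an exported BizEditorBundle.xlf and fills the <target> of each UD_<Field_Name> trans-unit from the matching global.udf.UD_<Field_Name> entry of the connector's resource file. The function names, the constructed sample XLF and properties text, and the assumption that the XLF either has no namespace or a single default namespace are mine.

```python
import re
import xml.etree.ElementTree as ET

# Process-form field name inside a trans-unit id, e.g. ...UD_ADUSER_FULLNAME__c_LABEL
FIELD_IN_ID = re.compile(r"UD_(\w+?)__c_(?:LABEL|description)")


def load_properties(text):
    """Parse a Java .properties body (such as the connector's *_ja.properties file),
    decoding the \\uXXXX escapes used for non-ASCII labels."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, raw = line.partition("=")
        props[key.strip()] = raw.strip().encode("latin-1").decode("unicode_escape")
    return props


def _local(tag):
    """Strip a {namespace} prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]


def localize_bundle(xlf_text, props, lang_code):
    """Set target-language on <file> and fill <target> of every UD_* trans-unit whose
    global.udf.UD_<Field_Name> key exists in props.
    Returns (localized xlf text, number of targets filled)."""
    root = ET.fromstring(xlf_text)
    ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
    if ns:
        ET.register_namespace("", ns)  # re-serialize without an ns0: prefix
    filled = 0
    for elem in root.iter():
        name = _local(elem.tag)
        if name == "file":
            elem.set("target-language", lang_code)
        elif name == "trans-unit":
            m = FIELD_IN_ID.search(elem.get("id", ""))
            if not m:
                continue
            value = props.get("global.udf.UD_" + m.group(1))
            if value is None:
                continue  # no translation in the resource file; leave <target/> empty
            target = next((c for c in elem if _local(c.tag) == "target"), None)
            if target is None:
                target = ET.SubElement(elem, ("{%s}" % ns if ns else "") + "target")
            target.text = value
            filled += 1
    return ET.tostring(root, encoding="unicode"), filled


# Constructed sample input (not from the documentation): two label trans-units and a
# resource file that translates only Full Name.
SAMPLE_XLF = """<xliff version="1.1">
<file source-language="en" original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf" datatype="x-oracle-adf">
<body>
<trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.ad11.entity.ad11EO.UD_ADUSER_FULLNAME__c_LABEL">
<source>Full Name</source><target/></trans-unit>
<trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.ad11.entity.ad11EO.UD_ADUSER_DISPLAYNAME__c_LABEL">
<source>Display Name</source><target/></trans-unit>
</body></file></xliff>"""
SAMPLE_PROPS = "global.udf.UD_ADUSER_FULLNAME=\\u6C0F\\u540D\n"

if __name__ == "__main__":
    localized, count = localize_bundle(SAMPLE_XLF, load_properties(SAMPLE_PROPS), "ja")
    print(count, "target(s) filled")
    print(localized)
```

Save the returned text as BizEditorBundle_LANG_CODE.xlf before repackaging the archive.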
When you deploy the connector, the resource bundles are copied from the resources directory on the installation media into the Oracle Identity Manager database. Whenever you add a new resource bundle to the connectorResources directory or make a change in an existing resource bundle, you must clear content related to connector resource bundles from the server cache.
To clear content related to connector resource bundles from the server cache:
Connection pooling allows reuse of physical connections and reduced overhead for your application. This procedure of setting up the lookup definition for connector pooling can be divided into the following sections:
By default, this connector uses the ICF connection pooling. Table 2-2 lists the connection pooling properties, their description, and default values set in ICF:
Table 2-2 Connection Pooling Properties
Property | Description |
---|---|
Pool Max Idle | Maximum number of idle objects in a pool. Default value: |
Pool Max Size | Maximum number of connections that the pool can create. Default value: |
Pool Max Wait | Maximum time, in milliseconds, the pool must wait for a free object to make itself available to be consumed for an operation. Default value: |
Pool Min Evict Idle Time | Minimum time, in milliseconds, the connector must wait before evicting an idle object. Default value: |
Pool Min Idle | Minimum number of idle objects in a pool. Default value: |
This section discusses the following topics:
You can add the 'Ignore Event Disabled' entry to the Configuration lookup definition (Lookup.Configuration.ActiveDirectory.Trusted and Lookup.Configuration.ActiveDirectory for trusted source and target resource modes, respectively) to specify whether reconciliation events must be created for target system records that already exist in Oracle Identity Manager.
If you set the value of the Ignore Event Disabled entry to true, then reconciliation events are created for all records being fetched from the target system, irrespective of their presence in Oracle Identity Manager. If you set the value of this entry to false, then reconciliation events for target system records that are already present in Oracle Identity Manager are not created.
Note:
Perform the procedure described in this section only if you are using AD LDS as the target system.
Before you start using the connector with the AD LDS target system, you must perform the following procedure:
Log in to the Design Console.
Expand Administration, and then double-click Lookup Definition.
Modify the Lookup.ActiveDirectory.UM.Configuration lookup definition as follows:
Search for and open the Lookup.ActiveDirectory.UM.Configuration lookup definition.
Change the Lookup.ActiveDirectory.UM.ProvAttrMap Decode value to Lookup.ActiveDirectoryLDS.UM.ProvAttrMap.
Change the Lookup.ActiveDirectory.UM.ReconAttrMap Decode value to Lookup.ActiveDirectoryLDS.UM.ReconAttrMap.
Modify the Lookup.ActiveDirectory.GM.Configuration lookup definition as follows:
Search for and open the Lookup.ActiveDirectory.GM.Configuration lookup definition.
Change the Lookup.ActiveDirectory.GM.ProvAttrMap Decode value to Lookup.ActiveDirectoryLDS.GM.ProvAttrMap.
Change the Lookup.ActiveDirectory.GM.ReconAttrMap Decode value to Lookup.ActiveDirectoryLDS.GM.ReconAttrMap.
Modify the Lookup.ActiveDirectory.UM.Configuration.Trusted lookup definition as follows:
Search for and open the Lookup.ActiveDirectory.UM.Configuration.Trusted lookup definition.
Change the Lookup.ActiveDirectory.UM.Configuration.Trusted Decode value to Lookup.ActiveDirectoryLDS.UM.Configuration.Trusted.
If you have configured the target system as a target resource, then from the Lookup.ActiveDirectory.UM.ProvAttrMap and Lookup.ActiveDirectory.UM.ReconAttrMap lookup definitions, remove entries specific to terminal services fields. For example, the Terminal Home Directory and Terminal Profile Path entries.
Click the Save icon.
Remove the process form fields and process tasks that are specific to terminal services fields.
Note:
Perform the procedures described in this section only if you are using Oracle Identity Manager release 11.1.1.x.
In request-based provisioning, an end user creates a request for a resource by using the Administrative and User Console. Administrators or other users can also create requests for a particular user. Requests for a particular resource can be viewed and approved by approvers designated in Oracle Identity Manager.
The following sections provide more information about configuring request-based provisioning:
The following are features of request-based provisioning:
A user can be provisioned only one resource (account) on the target system.
Note:
Direct provisioning allows the provisioning of multiple Microsoft Active Directory accounts on the target system.
Direct provisioning cannot be used if you enable request-based provisioning.
Request-based provisioning is performed by using a request dataset. A request dataset is an XML file that specifies the information to be submitted by the requester during a provisioning operation. Predefined request datasets are shipped with this connector. These request datasets specify information about the default set of attributes for which the requester must submit information during a request-based provisioning operation. The following is the list of predefined request datasets available in the dataset directory on the installation media:
For Microsoft Active Directory:
ProvisionResourceADUser.xml
ModifyResourceADUser.xml
For Microsoft AD LDS:
ProvisionResourceADLDSUser.xml
ModifyResourceADLDSUser.xml
Copy the predefined request dataset files from the installation media to any directory on the Oracle Identity Manager host computer. It is recommended that you create a directory structure as follows:
/custom/connector/RESOURCE_NAME
For example:
E:\MyDatasets\custom\connector\AD
Note:
Until you complete the procedure to configure request-based provisioning, ensure that there are no other files or directories inside the parent directory in which you create the directory structure. In the preceding example, ensure that there are no other files or directories inside the E:\MyDatasets directory.
The directory structure to which you copy the dataset files is the MDS location into which these files are imported after you run the Oracle Identity Manager MDS Import utility. The procedure to import dataset files is described in the next section.
Depending on your requirement, you can modify the file names of the request datasets. In addition, you can modify the information in the request datasets.
There are two ways of importing request datasets:
Note:
Request datasets imported directly into MDS and request datasets imported by using the Deployment Manager are the same.
All request datasets must be imported into the metadata store (MDS), which can be done by using the Oracle Identity Manager MDS Import utility.
To import a request dataset definition into MDS:
The request datasets (predefined or generated) can also be imported by using the Deployment Manager (DM). The predefined request datasets are stored in the xml directory on the installation media.
To import a request dataset definition by using the Deployment Manager:
To enable the Auto Save Form feature:
Run the PurgeCache utility to clear content belonging to the Metadata category from the server cache. See Clearing Content Related to Connector Resource Bundles from the Server Cache for instructions.
The procedure to configure request-based provisioning ends with this step.
Perform the procedure described in this section if you intend to provision organizations to a root DN.
Before you provision organizations to a root DN, you must add the DN to the Lookup.ActiveDirectory.OrganizationalUnits lookup definition as follows:
In Microsoft Active Directory, the "Passwords must meet complexity requirements" policy setting is used to enable or disable password policies.
The procedure that you must perform depends on whether or not you want to achieve either or both of the following objectives:
Enable password policies
Configure SSL between Oracle Identity Manager and the target system
Note:
The procedure to configure SSL is discussed later in this guide.
If you configure SSL and you want to enable both the default Microsoft Windows password policy and a custom password policy, then you must enable the "Passwords must meet complexity requirements" policy setting.
See the Microsoft documentation for detailed instructions to enable or disable the "Passwords must meet complexity requirements" policy setting.
Note:
If you install Microsoft ADAM in a domain controller then it acquires all the policies of Microsoft Active Directory installed in the same domain controller. If you install Microsoft ADAM in a workgroup, then the local system policies are applied.
This section discusses the following topics to configure SSL communication between Oracle Identity Manager and the target system:
Note:
In this section, Microsoft ADAM and Microsoft AD LDS have both been referred to as Microsoft AD LDS. Therefore, if you are using Microsoft Windows Server 2003 as the target system, then you must consider the term Microsoft AD LDS as Microsoft ADAM while performing the instructions described in this section. Wherever needed, instructions specific to both Microsoft ADAM and Microsoft AD LDS have been called out separately.
If you are using Microsoft AD LDS, then you must configure SSL for all connector operations to work as expected.
For detailed instructions of the procedures, see the Microsoft documentation.
Public key certificates are used for determining the identity and authenticity of clients in software security systems. Certificate Services create and manage public key certificates. This ensures that organizations have a reliable and secure way to create, manage, and distribute these certificates.
Note:
Before you begin installing Active Directory Certificate Services (AD CS), you must ensure that Internet Information Services (IIS) is installed on the computer hosting the target system.
For detailed steps to install Certificate Services on the corresponding Windows Server, refer to the Microsoft documentation.
If you are installing Certificate Services on Windows Server 2003, ensure that Active Directory or ADAM is installed on the host computer.
If you are installing Certificate Services on Windows Server 2008, ensure that you add the following features by using the Server Manager console on the computer that is running the Connector Server:
Remote Server Administration Tools
Role Administration Tools
Active Directory Certificate Services Tools
AD DS and AD LDS Tools
You can configure SSL between Connector Server and Microsoft Active Directory by ensuring that the computer hosting Microsoft Active Directory has LDAP enabled over SSL (LDAPS).
Note:
To configure SSL, the computer hosting the target system and the computer on which the Connector Server is running must be in the same domain.
To enable LDAPS, request a new certificate using the Automatic Certificate Request Setup Wizard.
To configure SSL between Connector Server and Microsoft AD LDS, ensure that ADAM is SSL-enabled.
Note:
This procedure can be performed either on the computer on which the Connector Server is running or on the computer hosting the target system.
Before you begin generating the certificate, you must ensure that Internet Information Services (IIS) is installed on the target system host computer.
In the Microsoft Active Directory Certificate Services window, issue the certificate that you requested earlier, when Microsoft AD LDS was deployed within the connector domain.
In the Microsoft Management Console, add the certificate to the personal store of the Microsoft AD LDS service.
Administrators
Everyone
NETWORK SERVICE
The user name of the account used to install Microsoft ADAM
SYSTEM
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys
Assign the same groups and users to the certificate.
Restart the Microsoft AD LDS instance for the changes to take effect.
Test the certificate from the AD LDS Tools Command Prompt window. If SSL is successfully configured, then status messages about the connection are displayed on the LDAPS window.
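A command-line version of the LDAPS test, for either Microsoft Active Directory or Microsoft AD LDS, is given below as an added example; it is not part of the Oracle documentation or of the connector. It assumes the target host name (use the FQDN that appears in the certificate) and the SSL port are passed as parameters (636 is the default LDAPS port for Active Directory; an AD LDS instance listens on the SSL port chosen when the instance was created), and that it is run on the Connector Server host so that the certificate trust it observes is the trust the .NET Connector Server will rely on. The parameter names are assumptions of this example.

```powershell
<#
  Added example, not part of the Oracle connector documentation.
  Checks that LDAP over SSL is usable on a target system: first a plain TLS
  handshake to see which certificate the server presents and whether this
  machine trusts it, then an anonymous LDAPS bind and a RootDSE read.
  Assumptions (mine): the -Server and -Port parameters; run on the Connector
  Server host so the trust store consulted is the one the connector uses.
#>
param(
    [Parameter(Mandatory = $true)][string]$Server,
    [int]$Port = 636   # default LDAPS port for AD; AD LDS uses its instance's SSL port
)

Add-Type -AssemblyName System.DirectoryServices.Protocols

# Step 1: TLS handshake only. AuthenticateAsClient validates the chain against
# the machine trust store and checks that the certificate matches $Server; it
# throws System.Security.Authentication.AuthenticationException on failure,
# which is the same condition that makes the connector's SSL bind fail.
$tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    $ssl.AuthenticateAsClient($Server)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    Write-Host "TLS handshake succeeded ($($ssl.SslProtocol))"
    Write-Host "  Subject    : $($cert.Subject)"
    Write-Host "  Issuer     : $($cert.Issuer)"
    Write-Host "  Expires    : $($cert.NotAfter)"
    Write-Host "  Thumbprint : $($cert.Thumbprint)"
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "Certificate expires within 30 days; renew it before connector operations start failing."
    }
    $ssl.Dispose()
} finally {
    $tcp.Close()
}

# Step 2: LDAP bind over SSL and a base-scope search of RootDSE. Anonymous
# RootDSE reads are normally permitted, so this proves the LDAPS listener
# speaks LDAP without needing the connector's service account.
$identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
$conn.SessionOptions.ProtocolVersion = 3
$conn.SessionOptions.SecureSocketLayer = $true
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous
$conn.Bind()

$request = New-Object System.DirectoryServices.Protocols.SearchRequest
$request.DistinguishedName = ''                 # empty DN with base scope = RootDSE
$request.Filter = '(objectClass=*)'
$request.Scope = [System.DirectoryServices.Protocols.SearchScope]::Base
[void]$request.Attributes.Add('supportedLDAPVersion')

$response = $conn.SendRequest($request)
$versions = $response.Entries[0].Attributes['supportedLDAPVersion'].GetValues([string]) -join ','
Write-Host "LDAPS bind succeeded; supportedLDAPVersion = $versions"
$conn.Dispose()
```

If step 1 throws, the certificate chain or host name is the problem and the connector will fail in the same way; fix the trust (the issuing CA must be trusted on the Connector Server host) or the certificate's subject name before going further. If step 1 succeeds and step 2 fails, the listener accepts TLS but the LDAP service behind it is not answering on that port, which for AD LDS usually means the instance was not restarted after the certificate was added.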
The following sections provide information about configuring SSL between Oracle Identity manager and Connector Server:
Note:
Perform this procedure on the computer hosting the connector server.
To export the certificate that was requested and issued, open the Certificate Export Wizard from the Microsoft Management Console. Be sure to export the certificate in the Base-64 encoded X.509 (.CER) file format.
Note:
Perform this procedure on the computer hosting the connector server.
Connector Server 12c (12.2.1.3.0) can be used with older versions of connectors.
See Configuring the .NET Connector Server in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager for detailed instructions to configure the Connector Server for SSL.
If you have already deployed an earlier release of this connector, then upgrade the connector to the current release.
The following sections discuss the procedure to upgrade the connector:
Note:
Upgrade of the connector from release 9.1.x to 11.1.1.x is supported.
Before you perform the upgrade procedure, it is strongly recommended that you create a backup of the Oracle Identity Manager database. Refer to the database documentation for information about creating a backup.
As a best practice, first perform the upgrade procedure in a test environment.
You must perform the following preupgrade steps to prepare your environment for upgrading the connector:
Perform a reconciliation run to fetch all latest updates to Oracle Identity Manager.
Perform the preupgrade procedure documented in Managing Connector Lifecycle of Administering Oracle Identity Manager.
On the target system, obtain the maximum value of the uSNChanged attribute as follows:
If you are using the connector across multiple domains, then on the domain controller on which the Global Catalog Server is running, navigate to RootDSE, and then look for the RootDSE properties.
If you are using the connector in a single domain, then on the domain controller used for reconciliation, navigate to RootDSE, and then look for the RootDSE properties.
In the RootDSE properties dialog box, search for the highestCommittedUSN attribute, and note down its value. The use of this value is described later in this chapter. Figure 2-3 shows the RootDSE properties dialog box in which the highestCommittedUSN attribute is displayed.
Define the source connector (an earlier release of the connector that must be upgraded) in Oracle Identity Manager. You define the source connector to update the Deployment Manager XML file with all customization changes made to the connector. See Managing Connector Lifecycle of Administering Oracle Identity Manager for more information.
Depending on the environment in which you are upgrading the connector, perform one of the following steps:
Development Environment
Perform the upgrade procedure by using the wizard mode.
Staging or Production Environment
Perform the upgrade procedure by using the silent mode. In the silent mode, use the silent.xml file that is exported from the development environment.
See Managing Connector Lifecycle of Administering Oracle Identity Manager for detailed information about the wizard and silent modes.
Postupgrade steps involve uploading new connector jars, configuring the upgraded IT resource of the source connector, deploying the Connector Server, and configuring the latest token value of the scheduled job.
The following sections describe the procedures that you must perform after the upgrade operation:
Postupgrade steps involve performing the following procedure to conclude the upgrade operation:
Perform the postupgrade procedure documented in Managing Connector Lifecycle of Oracle Fusion Middleware Administering Oracle Identity Manager.
If you are using Oracle Identity Manager release 11.1.2.x or later, then all changes made to the Form Designer of the Design Console must be done in a new UI form as follows:
Log in to Oracle Identity System Administration.
Create and activate a sandbox. See Creating and Activating a Sandbox for more information.
Create a new UI form to view the upgraded fields. See Creating a New UI Form for more information about creating a UI form.
Associate the newly created UI form with the application instance of your target system. To do so, open the existing application instance for your resource, from the Form field, select the form (created in Step 2.c), and then save the application instance.
Publish the sandbox. See Publishing a Sandbox for more information.
If you are using Oracle Identity Manager release 11.1.2.x or later and you are upgrading from release 11.1.1.5.0 to 11.1.1.6.0, then perform the following procedure to remove the auxiliary class child form (from the AD User form) that is retained after upgrade:
Create a new version of the upgraded AD User form.
Delete the UD_ADUSRCLS child form, and make the version active.
Run the FVC utility using this newly created form. See Step 4 for detailed information on running FVC utility.
Run the Form Version Control (FVC) utility to manage user data changes on a form after an upgrade operation. To do so:
In a text editor, open the fvc.properties file located in the OIM_DC_HOME directory and include the following entries:
ResourceObject;AD User
FormName;UD_ADUSER
FromVersion;SPECIFY_THE_VERSION_OF_THE_FORM_USED_BY_USER_ACCOUNTS_CREATED_BY_USING_THE_SOURCE_CONNECTOR
ToVersion;SPECIFY_THE_VERSION_OF_FORM_THAT_IS_IN_THE_ACTIVE_STATUS_AFTER_THE_UPGRADE
ParentParent;UD_ADUSER_AD;UD_ADUSER_SERVER
Note:
To determine values for the FromVersion and ToVersion attributes, see Determining Values For the FromVersion and ToVersion Attributes.
To verify whether you are specifying the correct process form associated with the resource object, perform the procedure described in Verifying If the Correct Process Form is Associated With the Resource Object.
Run the FVC utility. This utility is copied into the following directory when you install the design console:
For Microsoft Windows:
OIM_DC_HOME/fvcutil.bat
For UNIX:
OIM_DC_HOME/fvcutil.sh
When you run this utility, you are prompted to enter the login credentials of the Oracle Identity Manager administrator, and the logger level and log file location.
See Also:
Using the Form Version Control Utility of Oracle Fusion Middleware Administering Oracle Identity Manager for detailed information about the FVC utility
To manage AD Group form changes after an upgrade operation, run the FVC utility by performing the instructions in step 4.a and 4.b with the following difference:
While performing Step 4.a, replace the entry added in Step 4.a with the following:
ResourceObject;AD Group
FormName;UD_ADGRP
FromVersion;SPECIFY_THE_VERSION_OF_THE_FORM_USED_BY_USER_ACCOUNTS_CREATED_BY_USING_THE_SOURCE_CONNECTOR
ToVersion;SPECIFY_THE_VERSION_OF_FORM_THAT_IS_IN_THE_ACTIVE_STATUS_AFTER_THE_UPGRADE
ParentParent;UD_ADGRP_ADSERVER;UD_ADGRP_SERVER
To manage AD Organization Unit form changes after an upgrade operation, run the FVC utility by performing the instructions in step 4.a and 4.b with the following difference:
While performing Step 4.a, replace the entry added in Step 4.a with the following:
ResourceObject;AD Organizational Unit
FormName;UD_OU
FromVersion;SPECIFY_THE_VERSION_OF_THE_FORM_USED_BY_USER_ACCOUNTS_CREATED_BY_USING_THE_SOURCE_CONNECTOR
ToVersion;SPECIFY_THE_VERSION_OF_FORM_THAT_IS_IN_THE_ACTIVE_STATUS_AFTER_THE_UPGRADE
ParentParent;UD_OU_AD;UD_OU_SERVER
If you are upgrading the connector from release 11.1.1.5.0 to 11.1.1.6.0, then run the PostUpgradeScript.sql script as follows:
Note:
Skip this step if you are upgrading the connector directly from release 9.1.x to 11.1.1.6.0.
If you first performed an upgrade from release 9.1.x to 11.1.1.5.0, and then are upgrading from release 11.1.1.5.0 to 11.1.1.6.0, then in the PostUpgradeScript.sql file, replace "ADOU" with "OU", and then run the script.
Connect to the Oracle Identity Manager database by using the OIM User credentials.
Run the PostUpgradeScript.sql located in the ConnectorDefaultDir/AD_PACKAGE/upgrade directory.
Deploy the Connector Server.
Re-configure the IT resource of the source connector (an earlier release of the connector that must be upgraded).
Configure the latest token value of the scheduled job as follows:
The following scheduled jobs contain the Latest Token attribute:
Active Directory User Target Recon
Active Directory User Trusted Recon
Active Directory Group Recon
Active Directory Organization Recon
After upgrading the connector, you can perform either full reconciliation or incremental reconciliation. To perform incremental reconciliation, specify the value of the highestCommittedUSN attribute (noted in Preupgrade Steps) as the value of the Latest Token attribute. This ensures that records created or modified since the last reconciliation run (the one that you performed in Preupgrade Steps) are fetched into Oracle Identity Manager. From the next reconciliation run onward, the reconciliation engine automatically enters a value for the Latest Token attribute.
See Full Reconciliation and Incremental Reconciliation for more information about performing full or incremental reconciliation.
Configure the sync token value of the scheduled job as follows:
The following scheduled jobs contain the Sync Token attribute:
Active Directory User Target Delete Recon
Active Directory User Trusted Delete Recon
Active Directory Group Delete Recon
After upgrading the connector, you can perform either full delete reconciliation or incremental delete reconciliation. To perform full delete reconciliation, you must not specify any value for the Sync Token attribute of the scheduled job. To perform incremental delete reconciliation, you must specify the value of the Sync Token attribute in the following format:
<String>0|{uSNChanged}|{True/False}|{DOMAIN_CONTROLLER}</String>
In this format, replace:
{uSNChanged} with the value of the highestCommittedUSN attribute noted in Preupgrade Steps.
{True/False} with one of the following values:
True if the Global Catalog Server is used during delete reconciliation runs
False if the Global Catalog Server is not used during delete reconciliation runs
{DOMAIN_CONTROLLER} with the name of the domain controller on which you located RootDSE while performing the procedure described in Preupgrade Steps.
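The highestCommittedUSN value noted in Preupgrade Steps, and the Latest Token and Sync Token values built from it, can be gathered with a script instead of the RootDSE properties dialog box. The following is an added example, not part of the Oracle documentation or of the connector: it reads highestCommittedUSN from the RootDSE of the domain controller you name (the Global Catalog server for a multi-domain deployment, otherwise the domain controller used for reconciliation) and prints the Latest Token and Sync Token values in the formats given above. The -DomainController and -UseGlobalCatalog parameter names are assumptions of this example.

```powershell
<#
  Added example, not part of the Oracle connector documentation.
  Reads highestCommittedUSN from RootDSE of the chosen domain controller and
  prints the Latest Token / Sync Token values to enter in the scheduled jobs.
  Assumptions (mine): the parameter names; run on a domain-joined host as an
  account that can read RootDSE (anonymous RootDSE reads are normally allowed).
#>
param(
    # Global Catalog server for multi-domain use, otherwise the DC used for reconciliation.
    [Parameter(Mandatory = $true)][string]$DomainController,
    # Set when the Global Catalog Server is used during delete reconciliation runs.
    [switch]$UseGlobalCatalog
)

# Bind to RootDSE of the named DC; the current user's credentials are used.
$rootDse = [ADSI]"LDAP://$DomainController/RootDSE"
$raw = $rootDse.Properties['highestCommittedUSN'].Value
if (-not $raw) {
    throw "RootDSE on $DomainController did not return highestCommittedUSN"
}
# USNs are local to each domain controller, so the value is only meaningful
# together with the DC it came from; keep reconciling against the same DC.
[int64]$usn = $raw
if ($usn -le 0) {
    throw "Unexpected highestCommittedUSN value '$raw' from $DomainController"
}

# Latest Token for the non-delete reconciliation jobs: the bare USN.
$latestToken = "$usn"

# Sync Token for the delete reconciliation jobs, in the documented format:
#   <String>0|{uSNChanged}|{True/False}|{DOMAIN_CONTROLLER}</String>
$gcFlag = if ($UseGlobalCatalog) { 'True' } else { 'False' }
$syncToken = "<String>0|$usn|$gcFlag|$DomainController</String>"

[pscustomobject]@{
    DomainController    = $DomainController
    HighestCommittedUSN = $usn
    LatestToken         = $latestToken
    SyncToken           = $syncToken
    RetrievedAt         = (Get-Date).ToString('u')
}
```

Run it immediately after the final preupgrade reconciliation run and keep its output with the upgrade records: the RetrievedAt timestamp and the DC name document which changes the first post-upgrade incremental run will pick up. Leaving Sync Token empty, as the text above states, makes the delete jobs perform a full delete reconciliation instead.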
To determine values for the FromVersion and ToVersion attributes:
initial version.
This is the value of the ToVersion attribute.
In the fvc.properties file, you might want to specify the process form name too. To verify whether you are specifying the correct process form associated with the resource object:
You can clone the Microsoft Active Directory User Management connector by setting new names for some of the objects that comprise the connector.
The outcome of the process is a new connector XML file. Most of the connector objects, such as Resource Object, Process Definition, Process Form, IT Resource Type Definition, IT Resource Instances, Lookup Definitions, Adapters, Reconciliation Rules and so on in the new connector XML file have new names.
See Also:
Managing Connector Lifecycle of Administering Oracle Identity Manager for detailed information about cloning connectors and the steps mentioned in this section
After a copy of the connector is created by setting new names for connector objects, some objects might contain the details of the old connector objects. Therefore, you must modify the following Oracle Identity Manager objects to replace the base connector artifacts or attribute references with the corresponding cloned artifacts or attributes:
IT Resource
The cloned connector has its own set of IT resources. You must configure both the cloned IT resources, Active Directory and Connector Server, and provide the reference of the cloned Connector Server IT Resource in the cloned Active Directory IT resource. Ensure you use the configuration lookup definition of the cloned connector.
Scheduled Task
The values of the Resource Object Name and IT Resource scheduled task attributes in the cloned connector still refer to the base connector. Replace these values with the corresponding cloned connector artifacts.
Lookup Definition
Verify the lookup entries in all lookup definitions to ensure that there are no references to old process forms. If there are any, then change them to the corresponding new form.
For example, after cloning, the Lookup.ActiveDirectory.UM.ProvAttrMap lookup definition contains a reference to a child table such as UD_ADUSRC~Group Name[LOOKUP]. You must change this to include the new value, for example, UD_ADUSRC2~Group Name[LOOKUP].
Process Tasks
After cloning, you notice that all event handlers attached to the process tasks are the cloned ones. Therefore, no changes are required for process tasks in parent forms. This is because the adapter mappings for all process tasks related to parent forms are updated with cloned artifacts.
However, the mapping of the childTableName adapter variable must be updated for all process tasks that are associated with the cloned AD IDC Child Table Update adapter. The following predefined process tasks are associated with the AD IDC Child Table Update adapter:
Group membership delete
Group membership Insert
Group membership update
Object classes delete
Object classes Insert
Object classes update
Localization Properties
You must update the resource bundle of a user locale with new names of the process form attributes for proper translations after cloning the connector. You can modify the properties file of your locale in the resources directory of the connector bundle.
For example, the process form attributes are referenced in the Japanese properties file, ActiveDirectoryIdC_ja.properties, as global.udf.UD_ADUSER_FULLNAME.
During cloning, if you change the process form name from UD_ADUSER to UD_ADUSER1, then you must update the process form attributes to global.udf.UD_ADUSER1_FULLNAME.