10 Frequently Asked Questions
Use these Frequently Asked Questions (FAQs) as guidelines and to troubleshoot connector issues.
-
Where should I install the connector server for the Exchange connector?
Answer: Install the connector server on a computer that belongs to the same domain as that of the target Exchange server.
-
Can the 11.x Exchange connector co-exist with the 12c Exchange connector?
Answer: No. A connector once managed through CI-based installation, cannot be managed through AOB.
-
Is it mandatory to install the Active Directory connector 12c before installing Exchange connector 12c?
Answer: Yes.
-
If I use Oracle Internet Directory (OID) 11.x connector to manage Active Directory, can I use 11.x Exchange connector to manage mailboxes?
Answer: No, this is not supported.
-
Why cannot I see the log files corresponding to the connector operations in the computer hosting Oracle Identity Manager?
Answer: The Exchange connector uses the built-in logging mechanism of the .NET framework. Therefore, all connector logs are generated on the computer hosting the connector server. See Enabling Logging for more information.
-
All connector operations are performed by using the ICFINTG layer. What is the logger name used for enabling logging for ICFINTG?
Answer: The logger name used to enable logging for ICFINTG is ORACLE.IAM.CONNECTORS.ICFCOMMON. Note that the logger name is case-sensitive.
-
I performed target resource reconciliation using filters in the reconciliation job. Connector Server logs confirm that the connector was able to get the mailbox based on search criteria. However, reconciliation events are not getting generated. There is no error in the Connector Server logs and in the OIG server logs. What is wrong here?
Answer: When you perform filter-based search, the connector internally converts them to Exchange PowerShell cmdlets. The Exchange server returns data. Note that this search is not case-sensitive.The connector returns the same data to Oracle Identity Governance via ICF INTG. Even before data reaches ICF INTG, ICF (framework) applies a case-sensitive search against the result sent by the connector. It is possible that this user record might be dropped.
For example, suppose that in the scheduled task, there is a filter such as
equalTo('DisplayName','JOHN')and on the target Exchange server, there is a mailbox whose display name is John. The connector runs PowerShell cmdlet,Get-Mailbox -Filter {DisplayName -eq 'JOHN'},and gets the result. However, ICF applies a case-sensitive search for which the condition fails and reconciliation events are created. -
After extracting the contents of the connector bundle into the CONNECTOR_SERVER_HOME directory, I observed some DLLs. Does it matter whether the computer hosting the connector server is 32-bit or 64-bit?
Answer: No, you can use the same DLLs on both 32-bit and 64-bit computers.
-
Can a single connector server be used to deploy the Active Directory User Management connector bundle and the Exchange connector bundle?
Answer: Yes, a single connector server can host both the Active Directory User Management and the Exchange connector bundles.
While deploying the Exchange connector, ensure not to replace the existing ActiveDirectory.Connector.dll file on the connector server.
-
I see that the values for the Container, Directory AdminName, Directory Admin Password, and Domain Name parameters in the Advanced Settings section set to
UseDefault. What is the significance of these parameters and can I provide any value to it?Answer: These properties are internally used by the connector. Do not modify or remove them from this Advanced Settings section.
-
Explain what cmdlets the connector runs during create, update, delete, disable and enable operations in Oracle Identity Governance (OIG).
Answer:
-
During a create operation, the connector enables a mailbox for an already existing AD user. It first runs Enable-Mailbox/Enable-MailUser cmdlet with required attributes and then runs the Set-Mailbox/Set-MailUser cmdlet to update rest of the attributes.
-
During an update operation, it updates the Mailbox/MailUser attribute using the Set-Mailbox cmdlet.
-
During a delete operation, connector just removes the mailbox and does NOT delete the AD user. It runs the Disable-Mailbox/Disable-MailUser cmdlet.
-
During a disable operation, connector just sets MaxReceiveSize and MaxSendSize to 0 KB.
-
During an enable operation, connector gets the correct value of MaxReceiveSize and MaxSendSize on process form and then sets them in the target system.
-
-
The Distribution Group Lookup Reconciliation and Target Resource User Reconciliation jobs obtain distribution groups of type MailUniversalDistributionGroup. Our target system has security groups that are mail-enabled. Why are they not reconciled by the Exchange connector? We would like to manage them as well.
Answer: The Exchange connector manages distribution groups that can only be used with e-mail applications (such as Exchange) to send e-mails to collections of users. To manage security groups (mail-enabled or otherwise), use the Active Directory connector.
-
I have configured my action script to run after the Create, Update, and Delete operations as per steps mentioned in Configuring Action Scripts. However, the script does not run. I want to debug and check what is happening. Where do I add my debug statements?
Answer: The sample script in the above section has the following line:
#Just to check if proper command is created, dump it to a file. $Command >> "c:\command.txt"
This line shows how to dump the command being created to a temporary file. You can use this file to add all your debug statements. You can echo all the things you need to this file.
If the commands that were dumped to this file were correct and yet, you are not getting the desired result when running the script from Oracle Identity Governance, then open a PowerShell window and run the same commands manually to verify if there is any issue.
Note that Oracle Identity Governance does not return any exceptions or runtime errors that occur when the script is running.