3 Configuring the Microsoft Active Directory User Management Connector

While creating an application, you must configure connection-related parameters that the connector uses to connect Oracle Identity Governance with your target system and perform connector operations. In addition, you can view and edit attribute mappings between the process form fields in Oracle Identity Governance and target system columns, predefined correlation rules, situations and responses, and reconciliation jobs.

3.1 Basic Configuration Parameters

These are the connection-related parameters that Oracle Identity Governance requires to connect to Microsoft Active Directory or Microsoft AD LDS. These parameters are common for both target applications and authoritative applications.

Table 3-1 Parameters in the Basic Configuration Section for the Microsoft Active Directory User Management Connector

Parameter Mandatory? Description

Connector Server Name

Yes

If you are using this connector with a .NET Connector Server, then enter the name of Connector Server IT resource.

Default value: Active Directory Connector Server

Domain Name

Yes

Enter the domain name for the Microsoft Active Directory domain controller in which you are creating an application by using the connector.

Sample value: example.com

Note: This is a mandatory parameter if you are using Microsoft Active Directory as the target system.

Admin User Name

Yes

Enter the user name of account that you create by performing the procedure described in Creating a Target System User Account for Connector Operations.

Enter the value for this parameter in the following format:

DOMAIN_NAME\USER_NAME

Sample value: mydomain\admin

Note: If you are using AD LDS as the target system and this machine belongs to a workgroup, then enter a value for this parameter.

Enter a value for this parameter in the following format:

USER_NAME

Sample value: admin

Admin Password

Yes

Enter the password of the user account that you create by performing the procedure described in Creating a Target System User Account for Connector Operations.

Container

Yes

Enter the fully qualified domain name of the user container into or from which users must be provisioned or reconciled into Oracle Identity Governance, respectively.

Sample value: DC=example,DC=com

LDAP Host Name

Yes

Enter the host name, IP address, or domain name of the Microsoft Windows computer (target system host computer) on which Microsoft Active Directory is installed.

Note: If you do not specify a value for this parameter and the Backup Host Names parameter (discussed later in this table), then a serverless bind is used. The connector leverages ADSI for determining the domain controller in the domain and then creates the directory entry. Therefore, all interactions with the target system are not specific to a domain controller.

To determine the host name, on the computer hosting the target system, right-click My Computer and select Properties. On the Computer Name tab of the System Properties dialog box, the host name is specified as the value of the Full computer name field.

Sample values:

w2khost

172.20.55.120

example.com

Domain Controller

No

Enter the name of the domain controller from which user accounts must be reconciled.

Note: The value specified in this parameter is used if the value of the Search Child Domains parameter of Advanced Settings is set to no. If you specify no value for the Domain Controller parameter and the value of the Search Child Domains parameter is set to no, then the connector automatically finds a domain controller for the target system and reconciles users from it.

Sample value: mynewdc

Port

No

Enter the number of the port at which Microsoft AD LDS is listening.

Sample value: 50001

Note: Do not enter a value for this parameter if you are using Microsoft Active Directory as the target system.

UseSSL

No

Enter yes if the target system has been configured for SSL. This enables secure communication between the Connector Server and target system. Otherwise, enter no.

Default value: no

Note:
  • For resetting user password during provisioning operations, the communication with the target system must be secure. The default communication between the .NET Connector Server and Microsoft Active Directory is secure. Therefore, even if you set the value of this parameter to no, it is possible to reset user passwords during provisioning operations because the default communication is secure. For more information about configuring SSL, see Configuring SSL for Microsoft Active Directory and Microsoft AD LDS .

  • The default communication between the .NET Connector Server and Microsoft AD LDS is not secure. Therefore, for enabling password reset provisioning operations, you must set the value of this parameter to yes to secure communication with Microsoft AD LDS. For more information about configuring SSL, see Configuring SSL Between Connector Server and Microsoft AD LDS .

Backup Host Names

No

Enter the host name of the backup domain controller to which Oracle Identity Governance must switch to if the primary domain controller becomes unavailable.

Sample value: mydc1;mydc2;mydc3

Note: Multiple backup domain controllers must be separated by semicolon (;).

Is ADLDS?

No

Enter yes to specify that the target system is Microsoft AD LDS.

Enter no to specify that the target system is Microsoft Active Directory.

Default value: no

Global Catalog Server

No

Enter the host on which the global catalog server is located.

Note: The value specified in this parameter is used if you set the value of the Search Child Domains parameter to yes. If no value is specified for the Global Catalog Server parameter and the Search Child Domains parameter is set to yes, then the connector automatically finds a global catalog server for the target system, and then reconciles user accounts from the domain controller on which the global catalog server is running.

It is strongly recommended to provide a value for this parameter if you have set the value of the Search Child Domains parameter to yes.

Sample value: myglobalcatalogdc

3.2 Advanced Settings Parameters

These are the configuration-related entries that the connector uses during reconciliation and provisioning operations. These parameters are common for both target applications and authoritative applications.

Table 3-2 Advanced Setting Parameters for Oracle Database

Parameter Mandatory? Description

Object Class

No

This parameter holds the name of the object class to which the connector assigns newly created users on the target system.

If you create a custom object class, then enter the name of that object class. For example, InetOrgPerson.

Default value: User

Lockout Threshold

No

Enter the number of unsuccessful login attempts after which a user's account must be locked.

Note: This entry is applicable only for the Microsoft AD LDS target system.

Default value: 5

Always Use Object GUID?

No

This parameter specifies whether the connector must use the GUID of an object for searching records during reconciliation.

Default value: yes

Note: Do not change the value of this entry.

Native Guid Convention

No

This parameter specifies whether GUID is stored in its native format. This entry is used by the connector internally.

Default value: true

Note: Do not change the value of this entry.

Page Size

No

Enter the page size of the records fetched by the connector in each call to the target system during a reconciliation run. Paging splits the entire result set of a query into smaller subsets called, appropriately enough, pages.

In general, it is recommended to set this value to the maximum page size for simple searches. By setting the page size to the maximum value, you can minimize the network roundtrips necessary to retrieve each page, which tends to be a more expensive operation for simple searches.

While it is possible to specify a PageSize greater than the MaxPageSize of the target system, the Active Directory server will ignore it and use the MaxPageSize instead. No exception will be generated in this case.

In some cases, you might need to specify a smaller page size to avoid timeouts or overtaxing the server. Some queries are especially expensive, so limiting the number of results in a single page can help avoid this.

Default value: 1000

Search Child Domains

No

This parameter determines the search scope of users, groups, or organizational units within the domain name specified as the value of the DomainName attribute.

Enter no if you want the connector to search for users, groups, or organizational units only from the specified domain. The domain name is specified as the value of the DomainName attribute. Note that the connector fetches records from the domain controller that is specified as the value of the Domain Controller parameter of Basic Configuration.

Enter yes if you want the connector to search for users, groups, or organizational units from the specified domain and its child domains. In this case, the global catalog server is used for fetching records. Note that you specify the global catalog server as the value of the Global Catalog Server parameter of Basic Configuration.

Default value: no

Connector Name

Yes

This parameter holds the name of the connector class.

Value: Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector

Bundle Name

Yes

This parameter holds the name of the connector bundle package.

Value: ActiveDirectory.Connector

Bundle Version

Yes

This parameter hods the version of the connector bundle class.

Value: 12.3.0.0

Recon Date Format

No

This parameter holds the format in which the last reconciliation run timing must be displayed.

Default value: yyyyMMddHHmmss.0Z

Maintain Hierarchy?

No

Enter yes to specify that you want to maintain in Oracle Identity Governance the same organization hierarchy that is maintained on the target system. Otherwise, enter no.

Default value: no

Use Delete Tree For Accounts

No

This parameter specifies whether the associated leaf nodes of an __ACCOUNT__ object to be deleted are to be removed along with the object. If the value of this entry is not set to true and the __ACCOUNT__ object to be deleted has leaf nodes, then the operation fails and an error message is displayed.

If the value of this entry is set to false, then the __ACCOUNT__ objects are removed from the child list of its parent only. Otherwise, regardless of the object class, the whole tree is removed recursively.

Default value: false

Create Home Directory

No

This parameter holds the information whether a home directory must be created.

Enter yes if you want the connector to create a home directory for user accounts. Otherwise, enter no.

Default value: yes

Pool Max Idle

No

Maximum number of idle objects in a pool.

Default value: 10

Pool Max Size

No

Maximum number of connections that the pool can create.

Default value: 10

Pool Max Wait

No

Maximum time, in milliseconds, the pool must wait for a free object to make itself available to be consumed for an operation.

Default value: 150000

Pool Min Evict Idle Time

No

Minimum time, in milliseconds, the connector must wait before evicting an idle object.

Default value: 120000

Pool Min Idle

No

Minimum number of idle objects in a pool.

Default value: 1

3.3 Attribute Mappings

The attribute mappings on the Schema page vary depending on whether you are creating a target application or an authoritative application.

3.3.1 Attribute Mappings for a Target Application

The Schema page for a target application displays the default schema (provided by the connector) that maps Oracle Identity Governance attributes to target system attributes. The connector uses these mappings during reconciliation and provisioning operations.

AD User Account Attributes

Table 3-3 lists the user-specific attribute mappings between the process form fields in Oracle Identity Governance and AD target system attributes. The table also lists whether a specific attribute is used during provisioning or reconciliation and whether it is a matching key field for fetching records during reconciliation.

If required, you can edit the default attribute mappings by adding new attributes or deleting existing attributes as described in Creating a Target Application of Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

Note:

If you are using AD LDS as the target system, then you must perform the following on the default attribute mappings list of the Schema page:

  • Delete the rows containing the following Display Name attributes:

    • Redirection Mail Id

    • Terminal Allow Login

    • Terminal Home Directory

    • Terminal Profile Path

  • Update the “User Id” Display Name row with the following values:

    • In the Target Attribute column, replace sAMAccountName with __UPN_WO_DOMAIN__.

    • Deselect the Provision Field checkbox.

    • Select the Recon Field checkbox.

Table 3-3 Default Attribute Mappings for an AD User Account

Display Name Target Attribute Data Type Mandatory Provisioning Property? Provision Field? Recon Field? Key Field? Case Insensitive?

User Id

sAMAccountName

String

No

Yes

Yes

No

Not applicable

User Principal Name

userPrincipalName

String

No

Yes

Yes

No

Not applicable

First Name

givenName

String

No

Yes

Yes

No

Not applicable

Middle Name

middleName

String

No

Yes

Yes

No

Not applicable

Last Name

sn

String

No

Yes

Yes

No

Not applicable

Full Name

displayName

String

No

Yes

Yes

No

Not applicable

Password Never Expires

PasswordNeverExpires

Boolean

No

Yes

Yes

No

Not applicable

User Must Change Password At Next Logon

__PASSWORD_EXPIRED__

Boolean

No

Yes

Yes

No

Not applicable

Account is Locked out

__LOCK_OUT__

Boolean

No

Yes

Yes

No

Not applicable

Telephone Number

telephoneNumber

String

No

Yes

Yes

No

Not applicable

Account Expiration Date

__PASSWORD_EXPIRATION_DATE__

Date

No

Yes

Yes

No

Not applicable

E Mail

mail

String

No

Yes

Yes

No

Not applicable

Post Office Box

postOfficeBox

String

No

Yes

Yes

No

Not applicable

City

l

String

No

Yes

Yes

No

Not applicable

State

st

String

No

Yes

Yes

No

Not applicable

Zip

postalCode

String

No

Yes

Yes

No

Not applicable

Home Phone

homePhone

String

No

Yes

Yes

No

Not applicable

Mobile

mobile

String

No

Yes

Yes

No

Not applicable

Pager

pager

String

No

Yes

Yes

No

Not applicable

Fax

facsimileTelephoneNumber

String

No

Yes

Yes

No

Not applicable

Title

title

String

No

Yes

Yes

No

Not applicable

Department

department

String

No

Yes

Yes

No

Not applicable

Company

company

String

No

Yes

Yes

No

Not applicable

Manager Name

manager

String

No

Yes

Yes

No

Not applicable

Office

physicalDeliveryOfficeName

String

No

Yes

Yes

No

Not applicable

Country

c

String

No

Yes

Yes

No

Not applicable

Street

streetAddress

String

No

Yes

Yes

No

Not applicable

Terminal Home Directory

TerminalServicesHomeDirectory

String

No

Yes

Yes

No

Not applicable

Terminal Allow Login

AllowLogon

Boolean

No

Yes

Yes

No

Not applicable

Terminal Profile Path

TerminalServicesProfilePath

String

No

Yes

Yes

No

Not applicable

Status

__ENABLE__

String

No

No

Yes

No

Not applicable

AD Server

Long

Yes

No

Yes

Yes

No

Unique Id

__UID__

String

No

No

Yes

Yes

No

Common Name

cn

String

Yes

No

Yes

No

Not applicable

Organization Name

ad_container

String

Yes

No

Yes

No

Not applicable

Password

__PASSWORD__

String

No

Yes

No

No

Not applicable

Password Not Required

PasswordNotRequired

Boolean

No

Yes

No

No

Not applicable

Homedirectory

homeDirectory

String

No

Yes

No

No

Not applicable

Redirection Mail Id

__MAILREDIRECTION__

String

No

Yes

No

No

Not applicable

User Full DN

__NAME__

String

No

Yes

No

No

Not applicable

Figure 3-1 shows the default User account attribute mappings for an AD Target application.

Figure 3-1 Default Attribute Mappings for an AD User Account

Description of Figure 3-1 follows
Description of "Figure 3-1 Default Attribute Mappings for an AD User Account"

Group Entitlement Attributes

Table 3-4 lists the groups-specific attribute mappings between the process form fields in Oracle Identity Governance and target system attributes. The table lists whether a given attribute is mandatory during provisioning. It also lists whether a given attribute is used during reconciliation and whether it is a matching key field for fetching records during reconciliation.

If required, you can edit the default attribute mappings by adding new attributes or deleting existing attributes as described in Creating a Target Application of Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

Table 3-4 Default Attribute Mappings for a Group Entitlement

Display Name Target Attribute Data Type Mandatory Provisioning Property? Recon Field? Key Field? Case Insensitive?

Group Name

__GROUPS__

String

No

Yes

Yes

No

Figure 3-2 shows the default Group entitlement mapping.

Figure 3-2 Default Attribute Mappings for a Group Entitlement

Description of Figure 3-2 follows
Description of "Figure 3-2 Default Attribute Mappings for a Group Entitlement"

3.3.2 Attribute Mappings for an Authoritative Application

The Schema page for an authoritative application displays the default schema (provided by the connector) that maps Oracle Identity Governance attributes to target system attributes. The connector uses these mappings during reconciliation operations.

Table 3-5 lists the user-specific attribute mappings between the reconciliation fields in Oracle Identity Governance and AD target system attributes. The table also lists the data type for a given attribute and specified whether it is a mandatory attribute for reconciliation.

If required, you can edit these attributes mappings by adding new attributes or deleting existing attributes on the Schema page as described in Creating an Authoritative Application in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

You may use the default schema that has been set for you or update and change it before continuing to the next step.

The Organization Name, Xellerate Type, and Role identity attributes are mandatory fields on the OIG User form that cannot be left blank during reconciliation. As there are no corresponding attributes in the target system for the Organization Name, Xellerate Type, and Role identity attributes, they have been mapped to attributes in Oracle identity Governance. In addition, the connector provides default values (as listed in the “Default Value for Identity Display Name” column of Table 3-5) that it can use during reconciliation. For example, the default target attribute value for the Organization Name attribute is Xellerate Users. This implies that the connector reconciles all target system user accounts into the Xellerate Users organization in Oracle Identity Governance. Similarly, the default attribute value for Xellerate Type attribute is End-User, which implies that all reconciled user records are marked as end users.

Note:

If you are using AD LDS as the target system, then you must perform the following on the default attribute mappings list of the Schema page:

  • Delete the row containing the Manager Login Display Name attribute.

  • In the “User Login” Display Name row, update the Target Attribute mapping by replacing sAMAccountName with __UPN_WO_DOMAIN__.

Table 3-5 AD User Account Schema Attributes for an Authoritative Application

Identity Display Name Target Attribute Data Type Mandatory Reconciliation Property? Recon Field? Default Value for Identity Display Name

Manager Login

Manager Id

String

No

Yes

NA

Status

__ENABLE__

String

No

Yes

NA

ObjectGUID

__UID__

String

No

Yes

NA

User Login

sAMAccountName

String

No

Yes

NA

First Name

givenName

String

No

Yes

NA

Last Name

sn

String

No

Yes

NA

Middle Name

middleName

String

No

Yes

NA

Xellerate Type

OIM User Type

String

No

Yes

End-User

Role

OIM Employee Type

String

No

Yes

Full-Time

Organization Name

__PARENTCN__

String

No

Yes

Xellerate Users

Email

mail

String

No

Yes

NA

Figure 3-3 shows the default AD User account attribute mappings for an AD authoritative application.

Figure 3-3 Default Attribute Mappings for an AD User Account in an Authoritative Application

Description of Figure 3-3 follows
Description of "Figure 3-3 Default Attribute Mappings for an AD User Account in an Authoritative Application"

3.4 Correlation Rules for the Connector

Learn about the predefined rules, responses and situations for Target and Authoritative applications. The connector use these rules and responses for performing reconciliation.

3.4.1 Correlation Rules for a Target Application

When you create a Target application, the connector uses correlation rules to determine the identity to which Oracle Identity Governance must assign a resource.

Predefined Identity Correlation Rules

By default, the Active Directory User Management connector provides a simple correlation rule when you create a Target application. The connector uses this correlation rule to compare the entries in Oracle Identity Governance repository and the target system repository, determine the difference between the two repositories, and apply the latest changes to Oracle Identity Governance.

Table 3-6 lists the default simple correlation rule for an AD target system. If required, you can edit the default correlation rule or add new rules. You can create complex correlation rules also. For more information about adding or editing simple or complex correlation rules, see Updating Identity Correlation Rule in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

Table 3-6 Predefined Identity Correlation Rule for an AD Target Application

Target Attribute Element Operator Identity Attribute Case Sensitive?

__UID__

Equals

ObjectGUID

No

sAMAccountName

Equals

User Login

No

Note:

If you are using Microsoft AD LDS as the target system, then you must update the identity reconciliation rule by replacing sAMAccountName in the Target Attribute column with userPrincipalName.

The identity correlation rule for an AD target application is as follows:

(__UID__ Equals ObjectGUID) OR (sAMAccountName Equals User Login)

The identity correlation rule for an AD LDS target application is as follows:

(__UID__ Equals ObjectGUID) OR (userPrincipalName Equals User Login)

In the first identity rule component:
  • __UID__ is an attribute on the target system that uniquely identifies the user account.

  • ObjectGUID is the unique identifier of the resource assigned to the OIG User.

In the second identity rule component:
  • For an AD target application, sAMAccountName is a field on Microsoft Active Directory that represents the login name of the user account.

  • For an AD LDS target application, For an AD LDS target application, userPrincipalName is a field on AD LDS that represents the domain-specific name of the user.

  • User Login is the field on the OIM User form.

Both the rule components are joined using the OR logical operator.

Figure 3-4 shows the simple correlation rule for this connector that is applicable to both AD and AD LDS target systems.

Figure 3-4 Simple Correlation Rule for a Target Application

Description of Figure 3-4 follows
Description of "Figure 3-4 Simple Correlation Rule for a Target Application"

Predefined Situations and Responses

The Active Directory User Management connector provides a default set of situations and responses when you create a Target application. These situations and responses specify the action that Oracle Identity Governance must take based on the result of a reconciliation event.

Table 3-7 lists the default situations and responses for this connector that is applicable to both AD and AD LDS target systems. If required, you can edit these default situations and responses or add new ones. For more information about adding or editing situations and responses, see Updating Situations and Responses in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

Table 3-7 Predefined Situations and Responses for a Target Application

Situation Response

No Matches Found

Assign to Administrator With Least Load

One Entity Match Found

Establish Link

One Process Match Found

Establish Link

Figure 3-5 shows the situations and responses that the connector provides by default for both AD and AD LDS target applications.

Figure 3-5 Predefined Situations and Responses for a Target Application

Description of Figure 3-5 follows
Description of "Figure 3-5 Predefined Situations and Responses for a Target Application"

3.4.2 Correlation Rules for an Authoritative Application

When you create an Authoritative application, the connector uses correlation rules to determine the identity that must be reconciled into Oracle Identity Governance.

Predefined Identity Correlation Rules

By default, the Active Directory User Management connector provides a simple correlation rule when you create an Authoritative application. The connector uses this correlation rule to compare the entries in Oracle Identity Governance repository and the target system repository, determine the difference between the two repositories, and apply the latest changes to Oracle Identity Governance.

Table 3-8 lists the default simple correlation rule for an AD authoritative application. If required, you can edit the default correlation rule or add new rules. You can create complex correlation rules also. For more information about adding or editing simple or complex correlation rules, see Updating Identity Correlation Rule in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

Table 3-8 Predefined Identity Correlation Rule for an AD Authoritative Application

Target Attribute Element Operator Identity Attribute Case Sensitive?

__UID__

Equals

ObjectGUID

No

sAMAccountName

Equals

User Login

No

Note:

If you are using Microsoft AD LDS as the target system, then you must update the identity reconciliation rule by replacing sAMAccountName in the Target Attribute column with userPrincipalName.

The identity correlation rule for an AD target application is as follows:

(__UID__ Equals ObjectGUID) OR (sAMAccountName Equals User Login)

The identity correlation rule for an AD LDS target application is as follows:

(__UID__ Equals ObjectGUID) OR (userPrincipalName Equals User Login)

In the first identity rule component:
  • __UID__ is an attribute on the target system that uniquely identifies the user account.

  • ObjectGUID is the unique identifier of the resource assigned to the OIG User.

In the second identity rule component:
  • For an AD target application, sAMAccountName is a field on Microsoft Active Directory that represents the login name of the user account.

  • For an AD LDS target application, userPrincipalName is a field on AD LDS that represents the domain-specific name of the user.

  • User Login is the field on the OIG User form.

Both the rule components are joined using the OR logical operator.

Figure 3-6 shows the simple correlation rule for an AD authoritative application.

Figure 3-6 Simple Correlation Rule for an Authoritative Application

Description of Figure 3-6 follows
Description of "Figure 3-6 Simple Correlation Rule for an Authoritative Application"

Predefined Situations and Responses

The Active Directory User Management connector provides a default set of situations and responses when you create an Authoritative application. These situations and responses specify the action that Oracle Identity Governance must take based on the result of a reconciliation event.

Table 3-9 lists the default situations and responses for both AD and AD LDS authoritative application. If required, you can edit these default situations and responses or add new ones. For more information about adding or editing situations and responses, see Updating Situations and Responses in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

Table 3-9 Predefined Situations and Responses for an Authoritative Application

Situation Response

No Matches Found

Create User

One Entity Match Found

Establish Link

One Process Match Found

Establish Link

Figure 3-7 shows the situations and responses for an authoritative application that the connector provides by default for both AD and AD LDS target systems.

Figure 3-7 Predefined Situations and Responses for an Authoritative Application

Description of Figure 3-7 follows
Description of "Figure 3-7 Predefined Situations and Responses for an Authoritative Application"

3.5 Reconciliation Jobs for the Connector

These are the reconciliation jobs that the connector creates after you create a target or an authoritative application

3.5.1 Reconciliation Jobs for a Target Application

These are the reconciliation jobs that are automatically created in Oracle Identity Governance after you create a target application.

User Reconciliation Job

Use the Active Directory User Target Reconciliation job to reconcile user data from a target application.

Note:

In release 12.2.1.3.0 of the connector, a new job named Active Directory User Target Concurrent Recon has been introduced, which is similar to the Active Directory User Target Reconciliation job. The Active Directory User Target Concurrent Recon job is recommended for performing bulk reconciliation, reconciles user data from a target application in the multithreaded mode. You can search for and run this scheduled job from Oracle Identity System Administration. The parameters of this job is the same as that of the Active Directory User Target Reconciliation job.

Table 3-10 Parameters of the Active Directory User Target Reconciliation and Active Directory User Target Concurrent Recon Jobs

Parameter Description

Application Name

Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application.

Do not modify this value.

Number of Batches

Enter the number of batches in which the connector must reconcile user records.

Default value: All

Search Scope

Enter subtree if you want the scope of the search for records to be reconciled to include the container specified by the Search Base parameter and all of its child containers. For example, if the search base is set to OU=abc,DC=corp,DC=com, then the search would cover the abc OU and all of its child OUs.

Enter onelevel if you want the scope of the search for records to be restricted to only the container specified by the Search Base parameter. The connector does not include the child containers of the specified container in the search. For example if the search base is set to OU=abc,DC=corp,DC=com, then the search would cover only the abc OU.

Note: If you want to enter onelevel, then ensure that you do not include a space between the words "one" and "level."

Default value: subtree

Scheduled Task Name

This parameter holds the name of the scheduled job.

Note: For the scheduled job included with this connector, you must not change the value of this parameter. However, if you create a new job or create a copy of the job, then enter the unique name for that scheduled job as the value of this parameter.

Default value: Active Directory User Target Recon

Sort Direction

Use this parameter to specify whether the connector must sort the records that it fetches in ascending or descending order. The value of this attribute can be either asc or desc.

Default value: asc

Incremental Recon Attribute

Enter the name of the target system attribute that holds last update-related number, non-decreasing value. For example, numeric or strings.

The value in this attribute is used during incremental reconciliation to determine the newest or most youngest record reconciled from the target system.

Default value: uSNChanged

Note: Do not change the value of this attribute.

Sort By

Enter the name of the target system field by which the connector must sort records in a batch.

Default value: sAMAccountName

Note: If you are using AD LDS as the target system, then change the default value of this parameter to some other attribute (for example, cn) because the sAMAccountName attribute does not exist on the AD LDS target system.

Latest Token

This parameter holds the value of the uSNChanged attribute of a domain controller that the connector uses for reconciliation.

Note: The reconciliation engine automatically enters a value for this attribute. It is recommended that you do not change the value of this parameter. If you manually specify a value for this attribute, then the connector only user accounts whose uSNChanged value is greater than the Latest Token attribute value.

Filter

Enter the expression for filtering records that the scheduled job must reconcile.

Sample value: startsWith('userPrincipalName','John')

For information about the filters expressions that you can create and use, see ICF Filter Syntax in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance.

Batch Start

Enter the number of the target system record from which a batched reconciliation run must begin.

Default value: 1

This parameter is used in conjunction with the Batch Size, Number of Batches, Sort By, and Sort Direction parameters. All these parameters are discussed in Performing Batched Reconciliation.

Batch Size

Enter the number of records that the connector must include in each batch that it fetches from the target system.

Default value: 100

This attribute is used in conjunction with the Batch Start, Number of Batches, Sort By, and Sort Direction attributes. All these attributes are discussed in Performing Batched Reconciliation.

Object Type

This parameter holds the type of object you want to reconcile.

Default value: User

Note: If you configure the connector to provision users to a custom class (for example, InetOrgPerson) then enter the value of the object class here.

Search Base

Enter the container in which the connector must search for user records during reconciliation.

Sample Value: ou=org1,dc=corp,dc=com

Note: If you do not specify a value for this attribute, then the connector uses value specified as the value of the Container parameter of the Basic Configuration section as the value of this parameter.

Incremental Reconciliation Job

Use the Active Directory User Group Membership Recon job to reconcile user accounts with group changes. The first time you run this job, the connector fetches only the user account that was last updated in the target system and automatically populates the Sync Token parameter value with the latest timestamp. In the subsequent runs, the connector fetches only information about user accounts that have group changes.

Table 3-11 Parameters of the Active Directory User Group Membership Recon Job

Parameter Description

Application Name

Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application.

Do not modify this value.

Scheduled Task Name

This parameter holds the name of the scheduled job.

Note: For the scheduled job included with this connector, you must not change the value of this parameter. However, if you create a new job or create a copy of the job, then enter the unique name for that scheduled job as the value of this parameter.

Default value: Active Directory User Group Membership Recon

Object Type

This parameter holds the type of object you want to reconcile.

Default value: User

Note: If you configure the connector to provision users to a custom class (for example, InetOrgPerson) then enter the value of the object class here.

Users Page Size

Enter the number of records that the connector must fetch in each call to the target system during a reconciliation run.

Default value: 100

Timeout

Enter an integer value that specifies the number of seconds within which the connector must fetch the number of records specified in the Users Page Size parameter, failing which an exception is thrown.

Default value: 300

Sync Token

Ensure that this parameter is left blank when you run group membership reconciliation for the first time. The connector fetches only the last-updated user record from the target system and automatically enters a value for this attribute in an XML serialized format. From the next reconciliation run onward, only data about records that are updated since the last reconciliation run ended are fetched into Oracle Identity Manager.

User Group MemberShip Recon

Enter yes to specify that the connector must fetch details of a user’s group membership. Otherwise enter no, in which case the connector fetches only user data.

Default value: yes

Delete User Reconciliation Job

The Active Directory User Target Delete Recon job is used to reconcile data about deleted users from a target application. During a reconciliation run, for each deleted user account on the target system, the Active Directory resource is revoked for the corresponding OIM User.

Table 3-12 Parameters of the Active Directory User Target Delete Recon Job

Parameter Description

Application Name

Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application.

Do not modify this value.

Sync Token

This parameter must be left blank when you run delete reconciliation for the first time. This ensures that data about all records that are deleted from the target system are fetched into Oracle Identity Governance.

After the first delete reconciliation run, the connector automatically enters a value for this attribute in an XML serialized format. From the next reconciliation run onward, only data about records that are deleted since the last reconciliation run ended are fetched into Oracle Identity Governance.

This attribute stores values in the following format:

<String>0|{uSNChanged}|{True/False}|{DOMAIN_CONTROLLER}</String>

A value of True in the preceding format specifies that the Global Catalog Server is used during delete reconciliation runs. In addition, DOMAIN_CONTROLLER is replaced with the name of the domain controller on which the Global Catalog Server is running.

A value of False specifies that the Global Catalog Server is not used during delete reconciliation runs. In addition, DOMAIN_CONTROLLER will be replaced with the name of the domain controller from which data about deleted records is fetched.

Scheduled Task Name

This parameter holds the name of the scheduled job.

Note: For the scheduled job included with this connector, you must not change the value of this parameter. However, if you create a new job or create a copy of the job, then enter the unique name for that scheduled job as the value of this parameter.

Default value: Active Directory User Target Delete Recon

Object Type

This parameter holds the type of object you want to reconcile.

Default value: User

Note: If you configure the connector to provision users to a custom class (for example, InetOrgPerson) then enter the value of the object class here.

Delete Recon

This parameter specifies whether the connector must perform delete reconciliation.

Default value: yes

Note: Do not change the value of this attribute.

Reconciliation Jobs for Entitlements

The following jobs are available for reconciling entitlements:

  • Active Directory Organization Lookup Recon

    This reconciliation job is used to synchronize organization lookup fields in Oracle Identity Governance with organization-related data in the target system.

  • Active Directory Group Lookup Recon

    This reconciliation job is used to synchronize group lookup fields in Oracle Identity Governance with group-related data in the target system.

The parameters for both the reconciliation jobs are the same.

Table 3-13 Parameters of the Reconciliation Jobs for Entitlements

Parameter Description

Application Name

Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application.

Do not modify this value.

Decode Attribute

Enter the name of the connector or target system attribute that is used to populate the Decode column of the lookup definition (specified as the value of the Lookup Name attribute).

Default value: distinguishedName

Filter

Enter a filter to filter out records to be stored in the lookup definition.

For more information about the Filter attribute, see Performing Limited Reconciliation.

Lookup Name

This parameter holds the name of the lookup definition that maps each lookup definition with the data source from which values must be fetched.

Depending on the reconciliation job you are using, the default values are as follows:

  • For Active Directory Organization Lookup Recon - Lookup.ActiveDirectory.OrganizationalUnits

  • For Active Directory Group Lookup Recon - Lookup.ActiveDirectory.Groups

Object Type

Enter the type of object whose values must be synchronized.

Depending on the scheduled job you are using, the default values are as follows:

  • For Active Directory Organization Lookup Recon - OrganizationalUnit

  • For Active Directory Group Lookup Recon - Group

Note: Do not change the value of this attribute.

Code Key Attribute

Enter the name of the connector or target system attribute that is used to populate the Code Key column of the lookup definition (specified as the value of the Lookup Name attribute).

Default value: distinguishedName

Note: Do not change the value of this attribute.

3.5.2 Reconciliation Jobs for an Authoritative Application

These are the reconciliation jobs that are automatically created in Oracle Identity Governance after you create an authoritative application.

User Reconciliation Job

The Active Directory User Trusted Recon job is used to reconcile user data from a target application.

Table 3-14 Parameters of the Active Directory User Trusted Recon Job

Parameter Description

Application Name

Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application.

Do not modify this value.

Number of Batches

Enter the number of batches in which the connector must reconcile user records.

Default value: All

Search Scope

Enter subtree if you want the scope of the search for records to be reconciled to include the container specified by the Search Base parameter and all of its child containers. For example, if the search base is set to OU=abc,DC=corp,DC=com, then the search would cover the abc OU and all of its child OUs.

Enter onelevel if you want the scope of the search for records to be restricted to only the container specified by the Search Base parameter. The connector does not include the child containers of the specified container in the search. For example if the search base is set to OU=abc,DC=corp,DC=com, then the search would cover only the abc OU.

Note: If you want to enter onelevel, then ensure that you do not include a space between the words "one" and "level."

Default value: subtree

Manager Id

Enter the distinguished name of a user who is a manager. The connector fetches all user records that have their manager properties set to this distinguished name.

If you are using Microsoft Active Directory as the target system, then the default value of this parameter is sAMAccountName.

If you are using Microsoft AD LDS as the target system, then set the value of this parameter to__UPN_WO_DOMAIN__.

Default value: sAMAccountName

Scheduled Task Name

This parameter holds the name of the scheduled job.

Note: For the scheduled job included with this connector, you must not change the value of this parameter. However, if you create a new job or create a copy of the job, then enter the unique name for that scheduled job as the value of this parameter.

Default value: Active Directory User Trusted Recon

Sort Direction

Use this parameter to specify whether the connector must sort the records that it fetches in ascending or descending order. The value of this attribute can be either asc or desc.

Default value: asc

Incremental Recon Attribute

Enter the name of the target system attribute that holds last update-related number, non-decreasing value. For example, numeric or strings.

The value in this attribute is used during incremental reconciliation to determine the newest or most youngest record reconciled from the target system.

Default value: uSNChanged

Maintain Hierarchy

Enter yes to specify that you want to maintain in Oracle Identity Governance the same organization hierarchy that is maintained on the target system. Otherwise, enter no.

Default value: no

Note: If you set this parameter to yes, then you must schedule the job for organization reconciliation (Active Directory Organization Recon) to run before this scheduled job.

Sort By

Enter the name of the target system field by which the connector must sort records in a batch.

Default value: samAccountName

Note: If you are using AD LDS as the target system, then change the default value of this parameter to some other attribute (for example, cn) because the sAMAccountName attribute does not exist on the AD LDS target system.

Latest Token

This parameter holds the value of the uSNChanged attribute of a domain controller that the connector uses for reconciliation.

Note: The reconciliation engine automatically enters a value for this attribute. It is recommended that you do not change the value of this parameter. If you manually specify a value for this attribute, then the connector only user accounts whose uSNChanged value is greater than the Latest Token attribute value.

Filter

Enter the expression for filtering records that the scheduled job must reconcile.

Sample value: startsWith('userPrincipalName','John')

For information about the filters expressions that you can create and use, see ICF Filter Syntax in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance.

Batch Start

Enter the number of the target system record from which a batched reconciliation run must begin.

Default value: 1

This parameter is used in conjunction with the Batch Size, Number of Batches, Sort By, and Sort Direction parameters. All these parameters are discussed in Performing Batched Reconciliation.

Batch Size

Enter the number of records that the connector must include in each batch that it fetches from the target system.

Default value: 100

This attribute is used in conjunction with the Batch Start, Number of Batches, Sort By, and Sort Direction attributes. All these attributes are discussed in Performing Batched Reconciliation.

Object Type

This parameter holds the type of object you want to reconcile.

Default value: User

Note: If you configure the connector to provision users to a custom class (for example, InetOrgPerson) then enter the value of the object class here.

Search Base

Enter the container in which the connector must search for user records during reconciliation.

Sample Value: ou=org1,dc=corp,dc=com

Note: If you do not specify a value for this attribute, then the connector uses value specified as the value of the Container parameter of the Basic Configuration section as the value of this parameter.

Delete User Reconciliation Job

The Active Directory User Trusted Delete Recon job is used to reconcile data about deleted users from an Authoritative application. During a reconciliation run, for each deleted target system user account, the corresponding OIM User is deleted.

Table 3-15 Parameters of the Active Directory User Trusted Delete Recon Job

Parameter Description

Application Name

Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application.

Do not modify this value.

Sync Token

This parameter must be left blank when you run delete reconciliation for the first time. This ensures that data about all records that are deleted from the target system are fetched into Oracle Identity Governance.

After the first delete reconciliation run, the connector automatically enters a value for this attribute in an XML serialized format. From the next reconciliation run onward, only data about records that are deleted since the last reconciliation run ended are fetched into Oracle Identity Governance.

This attribute stores values in the following format:

<String>0|{uSNChanged}|{True/False}|{DOMAIN_CONTROLLER}</String>

A value of True in the preceding format specifies that the Global Catalog Server is used during delete reconciliation runs. In addition, DOMAIN_CONTROLLER is replaced with the name of the domain controller on which the Global Catalog Server is running.

A value of False specifies that the Global Catalog Server is not used during delete reconciliation runs. In addition, DOMAIN_CONTROLLER will be replaced with the name of the domain controller from which data about deleted records is fetched.

Scheduled Task Name

This parameter holds the name of the scheduled job.

Note: For the scheduled job included with this connector, you must not change the value of this attribute. However, if you create a new job or create a copy of the job, then enter the unique name for that scheduled job as the value of this attribute.

Default value: Active Directory User Trusted Delete Recon

Object Type

This parameter holds the type of object you want to reconcile.

Default value: User

Note: If you configure the connector to provision users to a custom class (for example, InetOrgPerson) then enter the value of the object class here.

Delete Recon

This parameter specifies whether the connector must perform delete reconciliation.

Default value: yes

Note: Do not change the value of this attribute.