9 Frequently Asked Questions

Find answers to frequently asked questions related to the functionality of the Microsoft Active Directory User Management connector.

  1. What is the recommended system configuration for the computer installing and running the Connector Server?

    The computer on which you want to install and run the Connector Server must meet the following requirements:

    • Intel Pentium Dual Core 2 GHz with 8 GB RAM.

    • Microsoft Windows Server 2008 (32-bit or 64-bit), or Microsoft Windows Server 2012, 2016, or 2019 (64-bit).

  2. Where should I install the Connector Server for the Active Directory User Management connector?

    Install the Connector Server on a computer that belongs to the target system domain.

  3. If the target system contains more than one domain, then should the Connector Server be installed on each domain?

    In a parent-child domain environment, a single Connector Server installed on a computer in the parent domain is sufficient. Likewise, in a forest with disconnected domains, a single Connector Server serves all the domains.

  4. Can Active Directory User Management connector release 9.1.x coexist with Active Directory User Management connector release 12.2.x?

    Yes. Two versions of the same connector can coexist. To do so, clone the Active Directory User Management 12.2.x connector XML and use it to install the connector under a new name.

  5. How to establish a connection between Active Directory User Management connector release 12.2.1.3.0 and an AD LDS instance?

    The following is the procedure to establish a connection between Active Directory User Management connector release 12.2.1.3.0 and an AD LDS instance:

    1. Set the value of the Is ADLDS? parameter of the Basic Configuration section to yes.

    2. Specify a value for the Port parameter of the Basic Configuration section.

    3. In the Lookup.ActiveDirectory.GM.Configuration lookup definition, search for and replace the Lookup.ActiveDirectory.GM.ProvAttrMap and Lookup.ActiveDirectory.GM.ReconAttrMap decode values with Lookup.ActiveDirectoryLDS.GM.ProvAttrMap and Lookup.ActiveDirectoryLDS.GM.ReconAttrMap, respectively.

  6. What are the steps to ensure that the service account credentials are valid?

    To ensure that the service account credentials are valid, first test the connection to the target system with those credentials by using an LDAP browser. After the connection is tested, provide the same details in the Basic Configuration section. While providing values for parameters in the Basic Configuration section, ensure that you use the following format to specify a value for the Admin User Name parameter (see also question 19):

    DOMAIN_NAME\USER_NAME

  7. Can the Active Directory User Management connector be used to move a user from one OU to another?

    Yes. You can use the Active Directory User Management connector to move a user from one OU to another if both OUs are in the same forest. In other words, you can use the connector to move a user to an OU only if that OU is present in the organization lookup, which is populated by organization lookup field synchronization.

  8. If I customize the connector, should I modify the values in the Target Attribute column (for example, OIM Employee Type, OIM User Type, __UID__, and __PARENTCN__) of the Schema page for an Authoritative application?

    No. The Target Attribute column on the Schema page for an Authoritative application lists the attributes of the target system. Some of the target system attributes, such as OIM Employee Type, Manager Id, __UID__, __PARENTCN__, __ENABLE__, and OIM User Type, are handled specially. Therefore, do not modify the Target Attribute column values. The following is a description of some of the attributes in the Target Attribute column:

    • OIM Employee Type: The value of this attribute is the same as the value of the OIM Employee Type attribute of the Active Directory User Trusted Recon scheduled job.

    • OIM User Type: The value of this attribute is the same as the value of the OIM User Type attribute of the Active Directory User Trusted Recon scheduled job.

    • Manager Id: Oracle Identity Governance handles the Manager Id attribute differently. It is not the same as the manager attribute on the target system. The Manager Id attribute contains the sAMAccountName of the user's manager and not the manager DN.

    • __UID__: This attribute holds the unique identifier that ICF uses for the user on the target system.

    • __PARENTCN__: This attribute retrieves the container of the user. This attribute is used if you want to maintain in Oracle Identity Governance the same organization hierarchy that is maintained on the target system.

    • __ENABLE__: This attribute specifies whether the user in the target system is enabled.

  9. Why can't I see the log files for connector operations on the computer hosting Oracle Identity Governance?

    The Active Directory User Management connector uses the built-in logging mechanism of the .NET framework. Therefore, all connector logs are generated on the computer hosting the Connector Server. See Enabling Logging for Microsoft Active Directory User Management Connector for more information.

  10. All connector operations are performed by using the ICFINTG layer. What is the logger name used for enabling logging for ICFINTG?

    The logger name used for enabling logging for ICFINTG is ORACLE.IAM.CONNECTORS.ICFCOMMON. Note that the logger name is case sensitive.

  11. I performed trusted source and target resource reconciliation runs by specifying a value for the Filter attribute of the scheduled job. The logs of the Connector Server display information that the connector is returning the objects. However, I neither see any user records reconciled into Oracle Identity Governance nor any logs on Oracle Identity Governance. What is wrong here?

    When you perform a reconciliation run by specifying a value for the Filter attribute (in other words, when you perform limited reconciliation), the connector converts the filter syntax to the LDAP filter syntax, and then searches for records that match the filter criteria. Note that the search at this point is a case-insensitive search.

    The connector returns the records retrieved by the search to ICF. Before passing on these records to the reconciliation engine in Oracle Identity Governance, ICF applies the same filter criteria on the records returned by the connector. However, at this point, ICF performs a case-sensitive search. Therefore, it is possible that records are dropped by ICF and are never returned to the reconciliation engine.

    The following example explains this use case:

    Suppose there exist records on the target with last names (sn) "Doe" and "Doel". During reconciliation, if you specify startsWith('sn','do') as the value of the Filter attribute, then the connector searches for and returns to ICF all records whose last name starts with "do" (in this example, the records with last names Doe and Doel). Before passing on the records returned by the connector to the reconciliation engine in Oracle Identity Governance, ICF applies the same filter to them. However, because ICF performs a case-sensitive comparison, it drops both records and no reconciliation event is generated. To avoid this, specify the filter value with exactly the case stored on the target system (in this example, startsWith('sn','Do')).
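
    The following is an added example, not part of the connector or its documentation, that replays the two filter stages on a constructed set of records in PowerShell. Stage one stands in for the LDAP search the connector runs (case-insensitive, like the -like operator); stage two stands in for the filter ICF re-applies before handing records to the reconciliation engine (case-sensitive, like -clike). The sample records and the function name are assumptions.

```powershell
# Added example, not part of the connector: replay the two filter stages of limited
# reconciliation on constructed records. Stage 1 stands in for the LDAP search the
# connector runs (case-insensitive); stage 2 for the filter ICF re-applies before
# passing records to the reconciliation engine (case-sensitive).
function Test-LimitedReconFilter {
    param(
        # The value you would put in startsWith('sn','<Prefix>') as the job's Filter attribute.
        [Parameter(Mandatory)][string]$Prefix,
        # Constructed sample records (assumption); pass Get-ADUser output to test a real domain.
        [object[]]$Records = @(
            [pscustomobject]@{ sAMAccountName = 'jdoe';   sn = 'Doe'   },
            [pscustomobject]@{ sAMAccountName = 'adoel';  sn = 'Doel'  },
            [pscustomobject]@{ sAMAccountName = 'bsmith'; sn = 'Smith' }
        )
    )
    # Escape wildcard characters in the prefix so only a leading-substring match is tested.
    $pattern = [System.Management.Automation.WildcardPattern]::Escape($Prefix) + '*'

    # Stage 1: the connector translates startsWith('sn','x') to the LDAP filter (sn=x*).
    # Active Directory compares sn case-insensitively; PowerShell's -like does the same.
    $fromConnector = @($Records | Where-Object { $_.sn -like $pattern })

    # Stage 2: ICF applies the same filter again, but case-sensitively (-clike).
    $toReconEngine = @($fromConnector | Where-Object { $_.sn -clike $pattern })

    $dropped = @($fromConnector | Where-Object { $toReconEngine -notcontains $_ })

    [pscustomobject]@{
        Filter              = "startsWith('sn','$Prefix')"
        LdapFilter          = "(sn=$Prefix*)"
        ReturnedByConnector = $fromConnector.sAMAccountName
        PassedToReconEngine = $toReconEngine.sAMAccountName
        DroppedByIcf        = $dropped.sAMAccountName
    }
}

# Lower-case prefix against mixed-case data: stage 1 returns records, stage 2 drops them all.
Test-LimitedReconFilter -Prefix 'do'
# Prefix written with the case stored on the target: the same records reach the recon engine.
Test-LimitedReconFilter -Prefix 'Do'
```

    Running it with -Prefix 'do' lists jdoe and adoel under ReturnedByConnector and nothing under PassedToReconEngine, which is the situation described above; with -Prefix 'Do' both records pass. To try it against a real domain, pass the output of Get-ADUser -Filter * -Properties sn as -Records.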

  12. Is Remote Manager required for provisioning and reconciling Terminal Service attributes by using this release of the Active Directory User Management Connector?

    No. Starting with release 11.1.1.x of this connector, you must deploy the .NET Connector Server on a computer in the Active Directory domain. It is not mandatory to deploy the Connector Server on the domain controller or on the computer hosting the target system. Apart from this, there are no prerequisites for provisioning and reconciling Terminal Services attributes. In other words, you do not need Remote Manager or another Connector Server on the domain controller. Provisioning and reconciliation of Terminal Services attributes is the same as provisioning or reconciling any other attribute.

  13. Is SSL mandatory for setting passwords for users in the target system? Can I set password for a user if I set the value of the UseSSL parameter of the Basic Configuration section to no?

    SSL is not mandatory for setting user passwords. You can set password for a user even if you set the value of the UseSSL basic configuration parameter to no.

    If you set the value of the UseSSL parameter to yes, then the channel between the Connector Server and target system is encrypted. In addition, secure communication is set up by using certificates.

    If you set the value of the UseSSL parameter to no, then the channel between the Connector Server and target system is encrypted by using the ADSI "Secure" mode for communication.

    For performing a password reset provisioning operation, the communication channel must be encrypted. If you are using Microsoft AD as the target system, then as discussed in the preceding paragraphs, the channel between the Connector Server and target system is encrypted. Therefore, you can perform password reset provisioning operations without configuring SSL.

    If you are using Microsoft AD LDS as the target system, then the default communication channel between the Connector Server and target system is not "secure". Therefore, it is mandatory to configure SSL between the Connector Server and Microsoft AD LDS for the password reset functionality to work as expected.

  14. Can the Active Directory User Management connector version 12.2.1.3.0 manage Windows local accounts?

    No.

  15. Where can I find the latest version of the Active Directory User Management Connector guide?

    You can find the latest version of the Active Directory User Management Connector guide and all other ICF connector guides at the following location:

    https://docs.oracle.com/middleware/oig-connectors-12213/docs.htm

  16. After extracting the contents of the connector bundle into the CONNECTOR_SERVER_HOME directory, I observed some DLLs. Does it matter whether the computer hosting the Connector Server is 32-bit or 64-bit?

    No. You can use the same DLLs on both 32-bit and 64-bit computers.

  17. I want to add users to and remove them from a certain Active Directory group on provisioning and de-provisioning events, but I do not want to assign any permissions for modifying the user objects. Can I install this connector and use only its user-to-group membership management, with permission limited to changing the member attribute of group objects? What are the minimum permissions required for this connector?

    Managing only user-group membership is possible. In the Basic Configuration section, provide the credentials of a user who has been delegated control (by using the Delegation of Control Wizard in the target system) for the following tasks:

    • Read all user information

    • Create, delete and manage groups

    • Modify the membership of a group

    With these credentials, you can perform reconciliation, lookup and manage groups, but not create or update user attributes.
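
    The following is an added example, not part of the connector or of Oracle's documentation: the command-line equivalent of the three Delegation of Control Wizard tasks listed above, narrowed so the account can only read users and change group membership, followed by a check that reads the resulting ACEs back. The account name and OU distinguished names are assumptions; run it as a domain administrator on a domain-joined host.

```powershell
# Added example, not the connector's own procedure: delegate only what a group-membership-only
# service account needs (dsacls), then list what the account was actually granted.
# Account and OU names are assumptions; replace them with your own.
param(
    [string]$ServiceAccount = 'EXAMPLE\svc-oig-groups',   # Admin User Name, DOMAIN_NAME\USER_NAME form
    [string]$UsersOu        = 'OU=Users,DC=example,DC=com',
    [string]$GroupsOu       = 'OU=Groups,DC=example,DC=com'
)

# "Read all user information": generic read (GR), inherited only by user objects below the OU.
dsacls $UsersOu  /I:S /G "${ServiceAccount}:GR;;user"

# "Create, delete and manage groups": create-child/delete-child (CCDC) of class group under the OU.
# The wizard task also grants full control on group objects; this grants create/delete only.
dsacls $GroupsOu /I:T /G "${ServiceAccount}:CCDC;group"

# "Modify the membership of a group": write property (WP) on the member attribute of group objects.
dsacls $GroupsOu /I:S /G "${ServiceAccount}:WP;member;group"

# Check: list every ACE that names the account on both OUs. Nothing should grant it write
# access to user objects, so the connector can reconcile, look up and manage groups but cannot
# create or update user attributes, as described above.
foreach ($ou in @($UsersOu, $GroupsOu)) {
    "==== $ou ===="
    dsacls $ou | Select-String -SimpleMatch $ServiceAccount -Context 0, 1
}
```

    The three dsacls grants map one-to-one onto the wizard tasks in the list above; the only deliberate difference is that "manage groups" is reduced to create/delete plus write on member, so the account holds no generic write right on either object class.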

  18. Can the Active Directory User Management connector manage a forest containing a single parent domain with many child domains using only a single AOB application?

    Yes, it is possible with a single application instance by performing the following steps:

    • Set the value of the Search Child Domains parameter in the Advanced Settings section to Yes. See the "Search Child Domains" row in Advanced Settings Parameters for more information.

    • As the value of the Admin User Name parameter of the Basic Configuration section, specify the user name of an account that has the Account Operators role in all of these child domains.

  19. Should the Admin User Name parameter of the Basic Configuration section contain the distinguished name of the user?

    No. You must use only the following format to specify a value for this parameter:

    DOMAIN_NAME\USER_NAME

    See Basic Configuration Parameters for more information about the Admin User Name parameter of Basic Configuration.

  20. Any user deleted on the target system is stored in the Deleted Objects container. Can I expect the same behavior if I use the Active Directory User Management connector?

    Yes.

  21. Can a single Connector Server be used to deploy the Active Directory User Management connector bundle and Exchange connector bundle?

    Yes. A single Connector Server can host both the Active Directory User Management and Exchange connector bundles. While deploying the Exchange connector, ensure that you do not replace the existing ActiveDirectory.Connector.dll file on the Connector Server if a patch was applied to the Active Directory User Management connector.

  22. What happens when the computer (specified as the value of the LDAP Host Name basic configuration parameter) becomes unavailable during automatic provisioning? How to configure the connector to be compatible with high availability (HA) target system environments?

    When the computer (specified as the value of the LDAP Host Name parameter of the Basic Configuration section) becomes unavailable, the connector performs in one of the following manners:

    • If a value has been specified for the Backup Host Names parameter of the Basic Configuration section, then the connector tries to connect to any of the backup domain controllers mentioned in the Backup Host Names parameter. You can configure the connector to be compatible with HA target systems environments by specifying a value for the Backup Host Names parameter.

    • If no value has been specified for the LDAP Host Name and Backup Host Names parameters, then the connector connects to any of the domain controllers available in the same domain. This is called serverless bind.

  23. What happens when the Connector Server specified in the Basic Configuration section becomes unavailable?

    If the Connector Server is not configured for HA and it becomes unavailable, then the "connection refused" error is encountered.

    To configure the Connector Server for HA, see the "Configuring Connector Load Balancer" section in the Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance.

  24. Will there be an issue if I specify a value for the Port parameter of the Basic Configuration section while using Microsoft Active Directory as a target system?

    No. This is because the connector first checks for the value of the Is ADLDS? parameter. If the value of the Is ADLDS? parameter is yes, then the connector uses the value of the Port parameter. However, Oracle recommends not to specify a value for Port parameter if you are using Microsoft Active Directory as the target system.

  25. Can I perform user provisioning operations without configuring SSL between Oracle Identity Governance and Microsoft Active Directory? In addition, is the presence of the SSL certificate of Microsoft Active Directory required in both Oracle Identity Governance and the connector to perform all provisioning operations including password changes?

    If you are using Microsoft Active Directory as the target system, then SSL is not mandatory. The Active Directory User Management connector uses ADSI secure mode for all provisioning operations, including password change provisioning operations. Therefore, password change provisioning operations can be handled without configuring SSL between Oracle Identity Governance and Microsoft Active Directory. However, if you are using AD LDS as the target system, then SSL is mandatory to perform password change provisioning operations.

  26. Will changes in AD groups for a user be reconciled during incremental reconciliation?

    Yes. The Active Directory Group Membership Recon scheduled job reconciles group membership changes during incremental reconciliation.

  27. Explain the appropriate use of the Domain Controller and Global Catalog Server parameters of the Basic Configuration section.

    The Domain Controller and Global Catalog Server parameters of the Basic Configuration section are used only during reconciliation. If the connector must perform reconciliation against a domain controller, then the Domain Controller parameter is used.

    If the connector must perform reconciliation against the global catalog server, then the Global Catalog Server parameter is used. The following are the steps to be performed for using these parameters:

    1. Set the value of the Search Child Domains parameter of the Advanced Settings section to yes.

    2. Enter the global catalog server host name as the value of the Global Catalog Server parameter of the Basic Configuration section.

    See Enabling Reconciliation and Provisioning Operations Across Multiple Domains for more information.

  28. What are the minimum permissions to be assigned to a user to fetch deleted user records from the target system?

    By default, a service account with the Account Operators role does not have permission to read information from the Deleted Objects container. See Assigning Permissions to Perform Delete User Reconciliation Runs for more information.
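
    The following is an added example, not Oracle's documented procedure: it grants the service account read access to the Deleted Objects container and then verifies, as that account rather than as the administrator, that tombstoned users are visible. The account name is an assumption; run it on a domain-joined host that has the ActiveDirectory module, as a domain administrator.

```powershell
# Added example, not from Oracle's procedure: give the service account read access to the
# Deleted Objects container and confirm, as that account, that tombstoned users are visible.
# The account name is an assumption; replace it with your own.
param(
    [string]$ServiceAccount = 'EXAMPLE\svc-oig'   # the Admin User Name account
)
Import-Module ActiveDirectory
$deletedObjects = "CN=Deleted Objects,$((Get-ADDomain).DistinguishedName)"

# Only SYSTEM owns this container by default, so take ownership before the ACL can be edited.
dsacls $deletedObjects /takeownership

# LC (list contents) + RP (read property) is all that enumerating tombstones needs.
dsacls $deletedObjects /G "${ServiceAccount}:LCRP"

# Verify as the service account, not as the administrator who just granted the right:
# deleted users must come back with their last known parent container.
$cred = Get-Credential -UserName $ServiceAccount -Message 'Service account password'
Get-ADObject -Filter 'isDeleted -eq $true -and objectClass -eq "user"' `
    -IncludeDeletedObjects -Credential $cred -Properties lastKnownParent, whenChanged |
    Select-Object Name, lastKnownParent, whenChanged
```

    If the final query returns nothing while deleted users exist, the grant did not take effect and the delete reconciliation run will likewise see no records.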

  29. Where do I find the log files for connector installation?

    The connector installation log, together with the Oracle Identity Governance server log and diagnostic log, is in the following location:

    DOMAIN_HOME/servers/oim_server1/logs

  30. How to create users in a specific OU in the target system?

    You can create users in a specific OU in the target system, during provisioning, by selecting a value from the Organization Name lookup field on the AD User Form page.

  31. When a group or an OU is created in the target system, will their parent organization be displayed in Oracle Identity Governance?

    When a group or an OU is created in the target system, its parent organization is not displayed in Oracle Identity Governance. Parent organizations must be reconciled separately. However, the organization hierarchy will not be maintained. Parent organizations can be reconciled by running the Active Directory Organization Recon scheduled job.

  32. Will a new group or OU be created in Oracle Identity Governance if I rename a group or an OU in the target system?

    Yes.

  33. What certificate must be exported while configuring SSL between Oracle Identity Governance and the Connector Server?

    While configuring SSL between Oracle Identity Governance and the Connector Server, export the SSL certificate (.cer file) from the computer hosting the Connector Server and add it to a new certificate store on the same computer. Note that the new certificate store must contain only one certificate. After configuring the details of the new certificate store in the ConnectorServer.exe.Config file, copy the exported certificate to the machine on which Oracle Identity Governance is running and add it to the Oracle Identity Governance JDK keystore and the Oracle WebLogic keystore. See Configuring SSL for Microsoft Active Directory and Microsoft AD LDS for more information.
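
    The following is an added example, not part of Oracle's procedure: a check, run on the Connector Server host, that the dedicated store holds exactly one certificate with a private key, followed by the export of the public certificate for the Oracle Identity Governance side. The store name (the default the Connector Server configuration uses, to my knowledge) and the output path are assumptions.

```powershell
# Added example, not part of Oracle's procedure: confirm the Connector Server's dedicated
# certificate store holds exactly one usable certificate, then export it for the OIG host.
# Store name and output path are assumptions; adjust them to your environment.
param(
    [string]$StoreName = 'ConnectorServerSSLCertificate',
    [string]$CerPath   = "$env:TEMP\connectorserver.cer"
)

$certs = @(Get-ChildItem "Cert:\LocalMachine\$StoreName" -ErrorAction SilentlyContinue)
if ($certs.Count -ne 1) {
    throw "Store '$StoreName' must contain exactly one certificate; found $($certs.Count)."
}
$cert = $certs[0]

# The Connector Server terminates SSL with this certificate, so the private key must be present.
if (-not $cert.HasPrivateKey) {
    throw "The certificate in '$StoreName' has no private key; the Connector Server cannot use it for SSL."
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "The certificate in '$StoreName' expired on $($cert.NotAfter)."
}
"Subject: $($cert.Subject)  Thumbprint: $($cert.Thumbprint)  Expires: $($cert.NotAfter)"

# Export the public certificate only (DER-encoded .cer); the private key stays on this host.
Export-Certificate -Cert $cert -FilePath $CerPath -Type CERT | Out-Null
"Exported $CerPath; copy it to the OIG host and import it into the JDK and WebLogic trust stores."
```

    On the Oracle Identity Governance host the exported file is then imported with keytool, for example keytool -importcert -alias connectorserver -file connectorserver.cer -keystore JDK_HOME/jre/lib/security/cacerts (the alias and keystore path are assumptions; repeat the import for the WebLogic trust keystore your domain uses).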

  34. Is it correct that all traffic from Oracle Identity Governance to the target system passes through the Connector Server and there is no need to open firewall ports for direct access anymore?

    Yes, this is correct.

  35. What protocol is used for communication between Oracle Identity Governance and the target system?

    TCP is used for communication between Oracle Identity Governance and the target system.

  36. Connector Architecture states the default communication between the .NET Connector Server and target system is "secure." How is this achieved?

    This connector uses the ADSI API that provides an option for specifying the type of authentication to use. See the following Microsoft Developer Network page for more information:

    http://msdn.microsoft.com/en-us/library/system.directoryservices.directoryentry.authenticationtype%28v=vs.90%29.aspx

    If you set the value of the UseSSL parameter of the Basic Configuration section to no, then the connector uses secure authentication (the Secure value of the AuthenticationTypes enumeration), as discussed in the following page:

    http://msdn.microsoft.com/en-us/library/system.directoryservices.authenticationtypes%28v=vs.90%29.aspx
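
    The following is an added example, not the connector's own code, that serves questions 6, 13, 22 and 36 together: it binds to the target through the same ADSI DirectoryEntry class and AuthenticationTypes flags the connector relies on, so you can validate the service account (in DOMAIN_NAME\USER_NAME form) and see the difference between UseSSL set to no (the Secure flag) and yes (Secure plus SecureSocketsLayer) before entering the values in Basic Configuration. Leaving the host empty performs a serverless bind and reports which domain controller answered. The function name, host names, port and account are assumptions.

```powershell
# Added example, not the connector's own code: bind to the target the way the connector does,
# to validate the service account before entering it in Basic Configuration.
# Host names, port and account in the usage lines are assumptions; replace them with your own.
function Test-ServiceAccountBind {
    param(
        # DOMAIN_NAME\USER_NAME, exactly as for the Admin User Name parameter.
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][securestring]$Password,
        # LDAP Host Name. Leave empty for a serverless bind (ADSI picks a domain controller).
        [string]$HostName = '',
        # Port parameter: 0 = protocol default (389, or 636 with SSL); set it for AD LDS instances.
        [int]$Port = 0,
        # UseSSL parameter.
        [switch]$UseSSL
    )
    if ($UserName -notmatch '^[^\\@/]+\\[^\\@/]+$') {
        throw "Use DOMAIN_NAME\USER_NAME for the account, not a distinguished name or UPN: '$UserName'"
    }

    # UseSSL=no: the ADSI 'Secure' flag (SSPI authentication: Kerberos, falling back to NTLM).
    $auth = [System.DirectoryServices.AuthenticationTypes]::Secure
    # UseSSL=yes: additionally wrap the LDAP session in SSL (certificate-based channel security).
    if ($UseSSL) { $auth = $auth -bor [System.DirectoryServices.AuthenticationTypes]::SecureSocketsLayer }

    $server = $HostName
    if ($server -and $Port -gt 0) { $server = "${HostName}:$Port" }
    # Binding to RootDSE needs no base DN and works for both AD and AD LDS.
    $path = if ($server) { "LDAP://$server/RootDSE" } else { 'LDAP://RootDSE' }

    $plain = (New-Object System.Net.NetworkCredential('', $Password)).Password
    $entry = New-Object System.DirectoryServices.DirectoryEntry($path, $UserName, $plain, $auth)
    try {
        $null = $entry.NativeObject   # forces the bind; throws on bad credentials or unreachable host
        [pscustomobject]@{
            Path           = $path
            Authentication = $auth
            Bound          = $true
            ServerUsed     = [string]$entry.Properties['dnsHostName'].Value   # which server answered
            Error          = $null
        }
    } catch {
        [pscustomobject]@{ Path = $path; Authentication = $auth; Bound = $false; ServerUsed = $null; Error = $_.Exception.Message }
    } finally {
        $entry.Dispose()
    }
}

$pw = Read-Host -AsSecureString -Prompt 'Password for EXAMPLE\svc-oig'
# Microsoft AD, UseSSL=no: the default 'Secure' channel, which the page states is enough for password resets.
Test-ServiceAccountBind -UserName 'EXAMPLE\svc-oig' -Password $pw -HostName 'dc01.example.com'
# Serverless bind (no LDAP Host Name or Backup Host Names): ServerUsed shows which DC was chosen.
Test-ServiceAccountBind -UserName 'EXAMPLE\svc-oig' -Password $pw
# AD LDS (Is ADLDS?=yes with a Port value): SSL is mandatory for password resets to work.
Test-ServiceAccountBind -UserName 'EXAMPLE\svc-oig' -Password $pw -HostName 'adlds01.example.com' -Port 50636 -UseSSL
```

    A Bound value of false with an error mentioning the logon failure points at the credentials or the account format; an error about the server being unavailable points at the LDAP Host Name, Port or, for the SSL case, the certificate presented on port 636, which is exactly the split the LDAP browser test in question 6 is meant to expose.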