Oracle Identity Manager Microsoft Active Directory User Management Connector

The connector provides support for adding dynamic auxiliary object classes. In addition, you can add the attributes of these dynamic auxiliary object classes for reconciliation and provisioning. During group provisioning, by default, the value that you specify for the Group Name field on the OIM process form is entered as the value of both the Group Name and Group Name pre-Windows attributes of the target system.

If you want to specify different values for the Group Name and Group Name pre-Windows attributes in the target system, then you must create the Group Name pre-Windows field on the OIM process form. The connector provides support for provisioning groups of the type Security Group - Universal. If you are using AD LDS as the target system, then add custom object categories for provisioning and reconciliation.

The connector supports any scripting language that has a script executor in the ICF. Currently, there are two script executor implementations: a Windows shell script executor (for batch scripts) and a Boo script executor. Although Visual Basic scripts are not directly supported, a Visual Basic script can be called from a shell script.

See Action Scripts for more information. The connector can be configured for compatibility with high-availability target system environments. It can read information about backup target system hosts from the BDCHostNames parameter of the Active Directory IT resource and apply this information when it is unable to connect to the primary host. Lookup definitions used during reconciliation and provisioning are either preconfigured or can be synchronized with the target system.

During a provisioning operation, you use a lookup field on the process form to specify a single value from a set of values. For example, you use the Organizational Unit lookup field to select an organizational unit from the list of organizational units in the lookup field. When you deploy the connector, lookup definitions corresponding to the lookup fields on the target system are created in Oracle Identity Manager.

Lookup field synchronization involves copying additions or changes made to the target system lookup fields into the lookup definitions in Oracle Identity Manager. For example, values in the Lookup.Groups lookup definition are stored in the following format: During a provisioning operation, lookup fields are populated with values corresponding to the target system that you select for the operation.

The "Lookup Definition" column of Table lists the Oracle Identity Manager lookup definitions that correspond to target system lookup fields listed in the "Target System Field" column of the table. You use the Active Directory Organization Lookup Recon scheduled job to synchronize this lookup definition.

This section discusses the other lookup definitions that are created in Oracle Identity Manager when you deploy the connector. These lookup definitions are either prepopulated with values or values must be manually entered in them after the connector is deployed.

The other lookup definitions are as follows: Preconfigured Lookup Definitions for User Operations, and Preconfigured Lookup Definitions for Group Operations. The Lookup.ActiveDirectory lookup definition holds connector configuration entries that are used during target resource reconciliation and provisioning operations. Table lists the default entries in this lookup definition. If you want to use dynamic auxiliary object classes, then you must add a new entry to this lookup definition.

If you want to use user-defined object classes, then you must update this lookup definition. Table: Entries in the Lookup.ActiveDirectory Lookup Definition.

This entry holds the number of unsuccessful login attempts after which a user's account must be locked. This entry specifies whether the GUID of an object must be used for searching records during reconciliation.

Enter yes if you want the connector to create a home directory for user accounts. Otherwise, enter no. This entry holds the name of the lookup definition that contains group-specific configuration properties. Do not modify this entry. This entry specifies whether the GUID is stored in its native format. This entry is used by the connector internally. Note: Do not change the value of this entry. This entry holds the name of the object class to which newly created users on the target system are assigned.

If you create a custom object class, then specify the name of that object class. For example, InetOrgPerson. This entry holds the name of the lookup definition that contains organization-specific configuration properties. This lookup definition is used as the configuration lookup definition when you perform reconciliation of organizational units. This entry holds the page size of records fetched in each call to the target system during a reconciliation run.

Paging splits the entire result set of a query into smaller subsets called, appropriately enough, pages. In general, it is recommended to set this value to the maximum page size for simple searches. By setting the page size to the maximum value, you can minimize the network roundtrips necessary to retrieve each page, which tends to be the more expensive operation for simple searches.

No exception will be generated in this case. In some cases, you might need to specify a smaller page size to avoid timeouts or overtaxing the server.

Some queries are especially expensive, so limiting the number of results in a single page can help avoid this. This entry determines the search scope of users, groups, or organizational units within the domain name specified as the value of the DomainName attribute. Enter no if you want the connector to search for users, groups, or organizational units only from the specified domain.

The domain name is specified as the value of the DomainName parameter of the IT resource. Note that records are fetched from the domain controller specified as the value of the SyncDomainController parameter of the IT Resource. Enter yes if you want the connector to search for users, groups, or organizational units from the specified domain and its child domains. In this case, the global catalog server is used for fetching records. Note that you specify the global catalog server as the value of the SyncGlobalCatalogServer parameter of the IT resource.

The connector will automatically find the right domain controller to fetch complete user information after obtaining the distinguished name from the global catalog server. Otherwise, regardless of the object class, the whole tree is removed recursively.

This entry holds the name of the lookup definition that contains user-specific configuration properties. Do not modify this entry. The Trusted lookup definition holds connector configuration entries that are used during trusted source reconciliation.

Trusted Lookup Definition. Enter yes to specify that you want to maintain in Oracle Identity Manager the same organization hierarchy that is maintained on the target system. The domain name is specified as the value of the DomainName attribute. The Configuration lookup definition holds configuration entries that are specific to the user object type. This lookup definition is used during user management operations when your target system is configured as a target resource. Configuration Lookup Definition.

This entry holds the name of the lookup definition that maps process form fields to target system attributes. See Lookup.ProvAttrMap for more information about this lookup definition. This entry holds the name of the lookup definition that is used to configure validation of attribute values entered on the process form during provisioning operations.

See Configuring Validation of Data During Reconciliation and Provisioning for more information about adding entries in this lookup definition. This entry holds the name of the lookup definition that maps resource object fields to target system attributes.

See Lookup.ReconAttrMap for more information about this lookup definition. This entry holds the name of the lookup definition that is used to configure transformation of attribute values that are fetched from the target system during user reconciliation.

See Configuring Transformation of Data During Reconciliation for more information about adding entries in this lookup definition. This entry holds the name of the lookup definition that is used to configure validation of attribute values that are fetched from the target system during reconciliation. The Trusted lookup definition holds configuration entries that are specific to the user object type.

This lookup definition is used during trusted source user reconciliation runs. This entry holds the name of the lookup definition that maps reconciliation fields to their default values. See Defaults for more information. The Lookup.ProvAttrMap lookup definition holds mappings between process form fields and target system attributes. This lookup definition is preconfigured and is used during provisioning operations. You can add entries to this lookup definition if you want to map new target system attributes for provisioning.

Table: Default Entries in the Lookup.ProvAttrMap Lookup Definition. You must enter the manager name in DN format. During a provisioning operation, you must enter the full, absolute path of the home directory, as shown in the sample value. The profile can be roaming or mandatory. A roaming profile remains the same regardless of the computer from which the user logs in. The user can make changes to a roaming profile, but not to a mandatory profile. Any changes a user makes while logged in with a mandatory profile are retained only for that Terminal Services session.

The changes are lost when the user starts another Terminal Services session. During a provisioning operation, the Middle Name field on the process form is prepopulated with the value entered in the Middle Name field on the OIM User form. If the value is yes (the check box is selected), then the user must change the password at next logon. This field is on both the process form and the OIM User form. It is a mandatory field on the OIM User form. During a provisioning operation, the Last Name field on the process form is prepopulated with the value entered in the Last Name field on the OIM User form.

During a provisioning operation, the First Name field on the process form is prepopulated with the value entered in the First Name field on the OIM User form. During a provisioning operation, the Password field on the process form is prepopulated with the value entered in the Password field on the OIM User form. If SSL is configured between Oracle Identity Manager and the target system, then the Password field on the process form is a mandatory field.

This connector uses ADSI to set the password of the user. This API sets the user's unicodePwd attribute. See the following URL for more information: During a Create User provisioning operation, the cn and displayName fields are populated with a combination of the user's first name, middle initial, and last name entered on the OIM User form.

Specifies whether or not a password is required. If it is true, then there is no need to specify the password. If it is false, then a password is required. During a provisioning operation, the User ID field on the process form is prepopulated with the value entered in the User ID field on the OIM User form.

This is a mandatory field in Microsoft Active Directory. Note: The value for UserPrincipalName must be entered in the format shown in the following example: The user principal name is the domain-specific name of the user. This field is prepopulated on the Administrative and User Console. Note: When you update this field, you can change the User ID part, but you must not change the domain name. If you change the domain name, then the user will not be matched on the target system.

The Lookup.ReconAttrMap lookup definition holds mappings between resource object fields and target system attributes. This lookup definition is preconfigured and is used during target resource reconciliation. You can add entries to this lookup definition if you want to map new target system attributes for reconciliation. Lookup.ReconAttrMap Lookup Definition. Note: Reconciliation of values in this field is enabled by the Remote Manager.

Changes are lost when the user starts another Terminal Services session. Flag that indicates whether or not the user must change the password at next logon. The ProvValidation lookup definition is used to configure validation of attribute values entered on the process form during provisioning operations.

On the partitions and hierarchies page, select all namespaces with objects you plan to import and export. For each namespace, it is also possible to configure connectivity settings that would override the values specified on the Connectivity screen. If these values are left to their default blank value, the information from the Connectivity screen is used. It is also possible to select which containers and OUs the Connector should import from and export to.

When performing a search, this is done across all containers in the partition. Where there are large numbers of containers, this behavior leads to performance degradation.

Starting in the March update to the Generic LDAP connector, searches can be limited in scope to only the selected containers by selecting the 'Search only in selected containers' check box.

This page always has a preconfigured value and cannot be changed. If the server vendor has been identified, then the anchor might be populated with an immutable attribute, for example the GUID of an object.

If the vendor has not been detected, or is known not to have an immutable attribute, then the connector uses the dn (distinguished name) as the anchor.

This section provides information about aspects that are specific to this Connector or are for other reasons important to know. If not, some entries in the delta change log might be omitted.

For Novell eDirectory, the delta import does not detect any object deletes. For this reason, it is necessary to run a full import periodically to find all deleted objects. This process allows the sync engine to find any dissimilarities between the LDAP server and what is currently in the connector space. Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application.

Enter subtree if you want the scope of the search for records to be reconciled to include the container specified by the Search Base parameter and all of its child containers. Enter onelevel if you want the scope of the search for records to be restricted to only the container specified by the Search Base parameter.

The connector does not include the child containers of the specified container in the search. Note: If you want to enter onelevel, then ensure that you do not include a space between the words "one" and "level".

Note: For the scheduled job included with this connector, you must not change the value of this parameter. However, if you create a new job or create a copy of the job, then enter the unique name for that scheduled job as the value of this parameter. Use this parameter to specify whether the connector must sort the records that it fetches in ascending or descending order.

The value of this attribute can be either asc or desc. Enter the name of the target system attribute that holds a last-update-related, non-decreasing value (for example, a numeric or string value). The value in this attribute is used during incremental reconciliation to determine the newest record reconciled from the target system.

This parameter holds the value of the uSNChanged attribute of a domain controller that the connector uses for reconciliation. Note: The reconciliation engine automatically enters a value for this attribute. It is recommended that you do not change the value of this parameter. If you manually specify a value for this attribute, then the connector reconciles only user accounts whose uSNChanged value is greater than the Latest Token attribute value.
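The Latest Token rule described above, as an added illustration that is not Oracle's connector code: constructed sample records stand in for the domain controller, results are paged by a Page Size value, ordered asc or desc, and only records whose uSNChanged is greater than the stored token are reconciled, with the highest value seen becoming the next token. The record layout, page size and account names are assumptions.

```python
"""Incremental reconciliation driven by a uSNChanged watermark (added example)."""
from typing import Dict, Iterator, List, Optional, Tuple

Record = Dict[str, object]

# Constructed sample records, not real directory data. uSNChanged is the
# per-domain-controller update sequence number, so a token is only meaningful
# against the same domain controller it was read from.
DIRECTORY: List[Record] = [
    {"sAMAccountName": "jdoe",   "uSNChanged": 1001},
    {"sAMAccountName": "asmith", "uSNChanged": 1042},
    {"sAMAccountName": "bking",  "uSNChanged": 1042},
    {"sAMAccountName": "clee",   "uSNChanged": 1107},
    {"sAMAccountName": "dpatel", "uSNChanged": 1200},
]


def paged_search(records: List[Record], page_size: int) -> Iterator[List[Record]]:
    """Yield the result set in pages, the way a paged LDAP search returns it."""
    if page_size < 1:
        raise ValueError("page size must be at least 1")
    for start in range(0, len(records), page_size):
        yield records[start:start + page_size]


def incremental_recon(records: List[Record], latest_token: Optional[int],
                      page_size: int = 2, sort: str = "asc") -> Tuple[List[str], int]:
    """Return (account names reconciled in this run, new Latest Token).

    A blank token (None) is the first run: every record is reconciled.
    Afterwards only records with uSNChanged strictly greater than the token
    are reconciled; a record whose uSNChanged equals the token is skipped,
    because the run that produced that token already processed it.
    The token is advanced only after the whole run completes: advancing it
    page by page would lose changes if a later page failed.
    """
    if sort not in ("asc", "desc"):
        raise ValueError("sort must be 'asc' or 'desc'")
    token = latest_token if latest_token is not None else 0
    ordered = sorted(records, key=lambda r: int(r["uSNChanged"]),
                     reverse=(sort == "desc"))
    reconciled: List[str] = []
    high_water = token
    for page in paged_search(ordered, page_size):
        for rec in page:
            usn = int(rec["uSNChanged"])
            if usn > token:
                reconciled.append(str(rec["sAMAccountName"]))
                high_water = max(high_water, usn)
    return reconciled, high_water


if __name__ == "__main__":
    names, tok = incremental_recon(DIRECTORY, None)
    print("first run:", names, "-> token", tok)
    # Simulate one later change: jdoe is updated and receives a higher USN.
    changed = [dict(r) for r in DIRECTORY]
    changed[0]["uSNChanged"] = 1250
    names, tok = incremental_recon(changed, tok)
    print("second run:", names, "-> token", tok)
```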

All these parameters are discussed in Performing Batched Reconciliation. Enter the number of records that the connector must include in each batch that it fetches from the target system. All these attributes are discussed in Performing Batched Reconciliation. Note: If you configure the connector to provision users to a custom class (for example, InetOrgPerson), then enter the value of that object class here.

Note: If you do not specify a value for this attribute, then the connector uses the value specified for the Container parameter of the Basic Configuration section as the value of this parameter. Incremental Reconciliation Job.

The first time you run this job, the connector fetches only the user account that was last updated in the target system and automatically populates the Sync Token parameter value with the latest timestamp. In the subsequent runs, the connector fetches only information about user accounts that have group changes. Enter the number of records that the connector must fetch in each call to the target system during a reconciliation run.

Enter an integer value that specifies the number of seconds within which the connector must fetch the number of records specified in the Users Page Size parameter, failing which an exception is thrown.

Ensure that this parameter is left blank when you run group membership reconciliation for the first time. The connector fetches only the last-updated user record from the target system and automatically enters a value for this attribute in an XML serialized format.

From the next reconciliation run onward, only data about records that were updated since the last reconciliation run ended is fetched into Oracle Identity Manager. Otherwise, enter no, in which case the connector fetches only user data.

Delete User Reconciliation Job. The Active Directory User Target Delete Recon job is used to reconcile data about deleted users from a target application. During a reconciliation run, for each deleted user account on the target system, the Active Directory resource is revoked for the corresponding OIM User. This parameter must be left blank when you run delete reconciliation for the first time.

This ensures that data about all records that are deleted from the target system is fetched into Oracle Identity Governance. After the first delete reconciliation run, the connector automatically enters a value for this attribute in an XML serialized format. From the next reconciliation run onward, only data about records that were deleted since the last reconciliation run ended is fetched into Oracle Identity Governance.

A value of True in the preceding format specifies that the Global Catalog Server is used during delete reconciliation runs. A value of False specifies that the Global Catalog Server is not used during delete reconciliation runs. Note: Do not change the value of this attribute. Reconciliation Jobs for Entitlements. This reconciliation job is used to synchronize organization lookup fields in Oracle Identity Governance with organization-related data in the target system.

This reconciliation job is used to synchronize group lookup fields in Oracle Identity Governance with group-related data in the target system. Enter the name of the connector or target system attribute that is used to populate the Decode column of the lookup definition specified as the value of the Lookup Name attribute.

For more information about the Filter attribute, see Performing Limited Reconciliation. This parameter holds the name of the lookup definition that maps each lookup definition with the data source from which values must be fetched. Enter the name of the connector or target system attribute that is used to populate the Code Key column of the lookup definition specified as the value of the Lookup Name attribute. These are the reconciliation jobs that are automatically created in Oracle Identity Governance after you create an authoritative application.

The Active Directory User Trusted Recon job is used to reconcile user data from a target application. Enter the distinguished name of a user who is a manager. The connector fetches all user records that have their manager properties set to this distinguished name.

Note: If you set this parameter to yes, then you must schedule the job for organization reconciliation (Active Directory Organization Recon) to run before this scheduled job. During a reconciliation run, for each deleted target system user account, the corresponding OIM User is deleted. Note: For the scheduled job included with this connector, you must not change the value of this attribute. However, if you create a new job or create a copy of the job, then enter the unique name for that scheduled job as the value of this attribute.

Default value: Active Directory Connector Server

Domain Name (mandatory): Enter the domain name for the Microsoft Active Directory domain controller in which you are creating an application by using the connector. Sample value: example.

Container (mandatory): Enter the fully qualified domain name of the user container into or from which users must be provisioned or reconciled into Oracle Identity Governance, respectively. Sample values: w2khost

Note: Do not enter a value for this parameter if you are using Microsoft Active Directory as the target system.

Default value: no. Note: For resetting user passwords during provisioning operations, the communication with the target system must be secure.

Object Class (optional): This parameter holds the name of the object class to which the connector assigns newly created users on the target system. Default value: User

Lockout Threshold (optional): Enter the number of unsuccessful login attempts after which a user's account must be locked.

(optional) This parameter specifies whether the connector must use the GUID of an object for searching records during reconciliation. Default value: yes. Note: Do not change the value of this entry.

Default value: true. Note: Do not change the value of this entry.

Page Size (optional): Enter the page size of the records fetched by the connector in each call to the target system during a reconciliation run.

Search Child Domains (optional): This parameter determines the search scope of users, groups, or organizational units within the domain name specified as the value of the DomainName attribute. Default value: no

Connector Name (mandatory): This parameter holds the name of the connector class. Value: ActiveDirectory.

Connector Bundle Version (mandatory): This parameter holds the version of the connector bundle class.

Default value: yyyyMMddHHmmss.

(optional) Enter yes to specify that you want to maintain in Oracle Identity Governance the same organization hierarchy that is maintained on the target system. Default value: false

Create Home Directory (optional): This parameter holds the information whether a home directory must be created.

Default value: 10

Pool Max Wait (optional): Maximum time, in milliseconds, that the pool must wait for a free object to become available for an operation.

Pool Min Evict Idle Time (optional): Minimum time, in milliseconds, that the connector must wait before evicting an idle object. Default value: 1.

Deselect the Provision Field checkbox. Select the Recon Field checkbox.

Group Entitlement Attributes: Table lists the group-specific attribute mappings between the process form fields in Oracle Identity Governance and target system attributes.

Predefined Identity Correlation Rules By default, the Active Directory User Management connector provides a simple correlation rule when you create a Target application. Predefined Situations and Responses The Active Directory User Management connector provides a default set of situations and responses when you create a Target application. Predefined Identity Correlation Rules By default, the Active Directory User Management connector provides a simple correlation rule when you create an Authoritative application.

Predefined Situations and Responses The Active Directory User Management connector provides a default set of situations and responses when you create an Authoritative application. In Forefront Identity Manager, connectors were known as management agents. Many of the connectors, such as connectors to provision users into Active Directory, are delivered as part of the MIM Synchronization Service installation and the installation package of Azure AD Connect.

In addition, more connectors, such as those for third-party directory servers, are shipped as a separate download so that they can be updated more frequently to add support for connecting MIM to updated versions of third-party target systems.

This topic is primarily for MIM Connectors only. Unless explicitly called out below, these Connectors are not supported for install on Azure AD Connect. This topic lists all versions of the generic connectors package that have been released separately from MIM.

If you have been using guest invite in build 1. Compared to the previous connector release, it contains no improvements or updates for MIM customers.