Friday, November 6, 2009

Oracle Identity Manager 9.1.0 - Active Directory Integration and User Provisioning - PENDING

Oracle Identity Manager - Integration of Microsoft Active Directory


Oracle Identity Manager automates access rights management, security, and provisioning of IT resources. Oracle Identity Manager Connectors are used to integrate Oracle Identity Manager with third-party applications.

Integration of Active Directory consists of different modules. These are:

Reconciliation Module

Reconciliation involves duplicating in Oracle Identity Manager the creation of and modifications to user accounts on the target system. It is an automated process initiated by a scheduled task that you configure.

Based on the type of data reconciled from the target system, reconciliation can be divided into the following types:

Lookup Fields Reconciliation

To populate the Lookup.ADReconciliation.GroupLookup lookup definition, the following fields of AD Groups are reconciled:

• sAMAccountName
• objectGUID


Group Reconciliation

The reconciliation module extracts the following elements from the target system to construct AD Group reconciliation event records:

• sAMAccountName
• objectGUID
• Organization Name
• instanceType
• cn


User Reconciliation

The reconciliation module extracts the following elements from the target system to construct AD User reconciliation event records:

• sAMAccountName
• objectGUID
• name
• memberOf
• sn
• cn
• Initials
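
The two reconciliation types above (lookup fields and user reconciliation) both hinge on objectGUID, which AD stores as 16 raw bytes in a mixed-endian layout, so a naive hex dump yields a GUID that never matches what AD tools display. The Python below is an added example, not code from the original post or from Oracle's connector: it parses a constructed LDIF export of one group and one user, builds the group lookup (sAMAccountName to objectGUID) and the user reconciliation records with the seven attributes listed above. The sample entries, DNs and GUID values are constructed, and the function names are assumptions.

```python
import base64
import uuid

# Constructed sample LDIF export (not real directory data): one AD group and one
# AD user carrying the attributes the connector reconciles. objectGUID is a
# 16-byte binary attribute, so LDIF carries it in the "::" base64 form.
SAMPLE_LDIF = """\
dn: CN=OIM Admins,OU=Groups,DC=example,DC=com
objectClass: group
cn: OIM Admins
sAMAccountName: oimadmins
instanceType: 4
objectGUID:: EBESExQVFhcYGRobHB0eHw==

dn: CN=Jane Doe,OU=Users,DC=example,DC=com
objectClass: user
cn: Jane Doe
name: Jane Doe
sn: Doe
initials: Q
sAMAccountName: jdoe
memberOf: CN=OIM Admins,OU=Groups,DC=example,DC=com
objectGUID:: AQIDBAUGBwgJCgsMDQ4PEA==
"""


def parse_ldif(text):
    """Parse minimal LDIF into a list of entries.

    Each entry maps the lower-cased attribute name (LDAP names are
    case-insensitive) to a list of values; "attr:: value" is base64-decoded
    to bytes, "attr: value" is kept as text."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip())
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def guid_to_string(raw):
    """Render a binary objectGUID the way AD tools display it. The first three
    fields are stored little-endian, which uuid.UUID(bytes_le=...) handles."""
    return str(uuid.UUID(bytes_le=raw))


def first(entry, attr):
    values = entry.get(attr.lower())
    return values[0] if values else None


def build_group_lookup(entries):
    """Lookup fields reconciliation: sAMAccountName -> objectGUID per group."""
    return {
        first(e, "sAMAccountName"): guid_to_string(first(e, "objectGUID"))
        for e in entries
        if "group" in e.get("objectclass", [])
    }


def user_recon_records(entries):
    """User reconciliation: one event record per user entry, holding the
    seven attributes the connector extracts (memberOf is multi-valued)."""
    records = []
    for e in entries:
        if "user" not in e.get("objectclass", []):
            continue
        records.append({
            "sAMAccountName": first(e, "sAMAccountName"),
            "objectGUID": guid_to_string(first(e, "objectGUID")),
            "name": first(e, "name"),
            "memberOf": e.get("memberof", []),
            "sn": first(e, "sn"),
            "cn": first(e, "cn"),
            "Initials": first(e, "initials"),
        })
    return records


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    print(build_group_lookup(parsed))
    for record in user_recon_records(parsed):
        print(record)
```

Keying the lookup and the event records on objectGUID rather than on sAMAccountName is what keeps reconciliation stable across renames and moves in the directory; the byte-order handling in guid_to_string is the part that is easy to get wrong when the export comes from a tool other than the connector.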


Provisioning Module

Provisioning involves creating or modifying a user's access rights on the target system through Oracle Identity Manager. You use the Oracle Identity Manager Administrative and User Console to perform provisioning operations. For this target system, provisioning is divided into the following types:

Organization Provisioning

The following fields are provisioned:

• USN Create
• USN Change
• objectGUID
• Organization Name

The Organization Name is the value of the Name field in the Create Organization form of the Oracle Identity Manager Administrative and User Console.

Group Provisioning

The following fields are provisioned:

• Group Name
• Organization Name
• objectGUID
• Group Type
• Group Display Name

User Provisioning

The following fields are provisioned:

• User ID
• Password
• objectGUID
• Organization Name
• First Name
• Last Name
• Middle Name
• User Must Change Password at Next Logon
• Password Never Expires
• Account Expiration Date
• Full Name
• Group Name

The following table lists the functions that are available with this connector:

Multilanguage Support

The connector supports the following languages:

Chinese Simplified
Chinese Traditional
English
French
German
Italian
Japanese
Korean
Portuguese (Brazilian)
Spanish

Files and Directories

Functionality of the Files Associated with AD Integration and User Provisioning

lib/xliActiveDirectory.jar: This JAR file contains the class files required for provisioning.
lib/xliADRecon.jar: This JAR file contains the class files required for reconciliation.
Files in the resources directory: Each resource bundle is a file containing localized versions of the text strings that are displayed on the user interface of Oracle Identity Manager. These text strings include GUI element labels and messages displayed on the Administrative and User Console.
scripts/install.bat: This batch file is used to add a certificate to the keystore if Oracle Identity Manager is installed on a Microsoft Windows operating system.
scripts/install.sh: This file is used to add a certificate to the keystore if Oracle Identity Manager is installed on a UNIX-based system.
test/config/config.properties: This file is used to set input test data for the connector test suite.
test/lib/xliADTest.jar: This JAR file contains the class files required for the connector test suite.
test/scripts/runADTest.bat: This file is used to run a test using the connector test suite.
xml/xliADResourceObject.xml: This XML file contains definitions for the connector components related to reconciliation and provisioning.

These components include:

All resource objects for reconciliation and provisioning
IT resource types
Custom process forms
Process tasks and adapters (along with their mappings)
Login resource objects
Provisioning process
Pre-populate rules

xml/xliADXLResourceObject.xml: This XML file contains the configuration for the objects, such as Xellerate User and Xellerate Organization, which are specific to trusted sources. You must import this file only if you plan to use the connector in trusted source reconciliation mode.

Configuring the Target System

Ensuring That the Parent Organization Exists in Microsoft Active Directory

You must ensure that the parent organization exists in the target server installation. The parent organization is specified as the value of the Root Context parameter in the IT resource definition.

Enabling or Disabling Password Policies on Microsoft Active Directory

On Microsoft Active Directory, the "Passwords must meet complexity requirements" policy setting is used to enable or disable password policies. You can choose whether or not you want to use SSL to secure communication between Oracle Identity Manager and Microsoft Active Directory.

If you do not configure SSL and try to provision a Microsoft Active Directory user through Oracle Identity Manager, then the user's password cannot be updated by using Oracle Identity Manager. Therefore, if the communication is not secured by SSL, then you must disable any existing password policies in Microsoft Active Directory. This is achieved by disabling the "Passwords must meet complexity requirements" policy setting.

If you configure SSL and you want to enforce both the default Microsoft Windows password policy and a custom password policy, then you must enable the "Passwords must meet complexity requirements" policy setting.
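The two failure modes described above (a password set attempted over plain LDAP, and a password that does not satisfy the complexity policy) are both cheap to catch before the provisioning request leaves Oracle Identity Manager. The Python below is an added example, not code from the original post or from Oracle's connector: it mirrors the "Passwords must meet complexity requirements" rule as Microsoft documents it (minimum six characters, no account name or name fragment of three or more characters, at least three character categories), shows the quoted UTF-16LE encoding AD requires for the unicodePwd attribute, and refuses to proceed without an SSL-protected connection. The function names, the "ldaps" flag and the sample account values are assumptions.

```python
import re
import string

# The Windows complexity rule as Microsoft documents it; name checks are
# case-insensitive and the full name is split on these delimiters.
MIN_LENGTH = 6
REQUIRED_CATEGORIES = 3
NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]+")


def _categories(password):
    """Count how many documented character categories the password covers."""
    checks = (
        any(c.isupper() for c in password),                       # A-Z
        any(c.islower() for c in password),                       # a-z
        any(c in string.digits for c in password),                # 0-9
        any(not c.isalnum() for c in password),                   # special characters
        any(c.isalpha() and not c.isupper() and not c.islower()   # alphabetic, no case
            for c in password),
    )
    return sum(checks)


def _name_tokens(display_name):
    """Full-name parts to screen against; parts shorter than three
    characters are ignored, as in the Windows rule."""
    return [t for t in NAME_DELIMITERS.split(display_name or "") if len(t) >= 3]


def meets_ad_complexity(password, sam_account_name="", display_name=""):
    """Return (ok, reason) for the complexity policy."""
    if len(password) < MIN_LENGTH:
        return False, "shorter than %d characters" % MIN_LENGTH
    lowered = password.lower()
    if sam_account_name and sam_account_name.lower() in lowered:
        return False, "contains the account name"
    for token in _name_tokens(display_name):
        if token.lower() in lowered:
            return False, "contains part of the full name (%s)" % token
    if _categories(password) < REQUIRED_CATEGORIES:
        return False, "fewer than %d character categories" % REQUIRED_CATEGORIES
    return True, "ok"


def encode_unicode_pwd(password):
    """AD's unicodePwd value: the password wrapped in double quotes, as UTF-16LE."""
    return ('"%s"' % password).encode("utf-16-le")


def provisioning_password_check(password, sam_account_name, display_name, ldaps):
    """Pre-flight for a provisioning request: AD accepts unicodePwd only over
    an SSL-protected connection, and rejects values that fail the policy."""
    if not ldaps:
        return False, "password set requires SSL; the target will reject it over plain LDAP"
    return meets_ad_complexity(password, sam_account_name, display_name)


if __name__ == "__main__":
    # Constructed sample account values, not real users.
    for candidate in ("Tr0ub4dor&3", "JaneDoe2024!", "password"):
        print(candidate, provisioning_password_check(candidate, "jdoe", "Jane Doe", ldaps=True))
    print(encode_unicode_pwd("abc"))
```

Running the pre-flight inside the provisioning flow turns a silent failure at the target into a clear rejection reason on the OIM side; when the policy is deliberately disabled because SSL is not configured, only the transport check in provisioning_password_check is still meaningful.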

To enable or disable the "Passwords must meet complexity requirements" policy setting:

1. On the Microsoft Windows computer hosting the Active Directory domain controller on which you are installing the password synchronization module, start the Domain Security Policy application.

To do this, on the Microsoft Windows computer, click the Start menu, Programs, Administrative Tools, and Domain Security Policy.

2. If you are using Microsoft Active Directory 2003, then directly proceed to the next step.

If you are using Microsoft Active Directory 2000, then select Windows Settings on the left pane of the Domain Security Policy application window and then proceed to the next step.

3. Select Security Settings, expand Account Policies, and then click Password Policy.

4. Double-click Passwords must meet complexity requirements.

5. In the Password Must Meet Complexity Requirements Properties dialog box, select Define this policy setting and then select:

◦ Enabled, if you want to enable password policies

◦ Disabled, if you do not want to enable password policies

6. Click OK.

Copying the Connector Files and External Code Files

Copy each file or directory to the indicated location on the Oracle Identity Manager server:

lib/xliActiveDirectory.jar -> OIM_home/xellerate/JavaTasks
lib/xliADRecon.jar -> OIM_home/xellerate/ScheduleTask
Files in the resources directory -> OIM_home/xellerate/connectorResources
Files in the scripts directory -> OIM_home/xellerate/scripts

After you copy the install.bat (or install.sh) file, use a text editor to open the file and specify the actual location of the JDK directory in the file.

Directories and files in the test directory -> OIM_home/xellerate/test
Files in the xml directory -> OIM_home/xellerate/XLIntegrations/ActiveDirectory/xml
ldapbp.jar -> OIM_home/xellerate/ThirdParty

Installing Oracle Access Manager On Oracle Enterprise Linux

Installing OAM on Oracle Enterprise Linux 4