| Oracle® Identity Manager Connector Guide for Oracle Internet Directory Release 9.0.4 Part Number E10436-08 |
|
|
View PDF |
| Oracle® Identity Manager Connector Guide for Oracle Internet Directory Release 9.0.4 Part Number E10436-08 |
|
|
View PDF |
This chapter provides an overview of the updates made to the software and documentation for the Oracle Internet Directory connector in release 9.0.4.7.
See Also:
The earlier release of this guide for information about updates that were new for that releaseThe updates discussed in this chapter are divided into the following categories:
This section describes updates made to the connector software.
Documentation-Specific Updates
This section describes major changes made to this guide. These changes are not related to software updates.
The following sections discuss software updates:
The following is a software update in release 9.0.4.1:
The xliOID.jar file has been split into two files, OIDProv.jar and OIDRecon.jar. Corresponding changes have been made in the following sections:
The following are resolved issues in release 9.0.4.1_6673431:
| Bug Number | Issue | Resolution |
|---|---|---|
| 6673431 | Delete reconciliation was run after trusted source reconciliation. This sequence resulted in deletion of some OIM Users who were not actually deleted on the target system. | This issue has been resolved. During a trusted source reconciliation run, the API that implements Delete reconciliation is called before reconciliation of existing target system records. |
The following are resolved issues in release 9.0.4.2:
| Bug Number | Issue | Resolution |
|---|---|---|
| 7003824 | If you added an object class and its attributes, then subsequent Create User provisioning operations failed. An error message similar to the following one was displayed as the outcome of the provisioning operations:
|
This issue has been resolved. You can now add an object class and then perform Create User provisioning operations. See "Adding New Object Classes for Provisioning and Reconciliation" for more information.
Note: A trusted source reconciliation run fails if it involves user-defined fields (UDFs). This issue is tracked through Bug 7047363. |
The following is a software update in release 9.0.4.3:
From Oracle Identity Manager release 9.1.0 onward, the Administrative and User Console provides the Connector Installer feature. This feature can be used to automate the connector installation procedure.
See "Installing the Connector on Oracle Identity Manager Release 9.1.0 or Later" for details.
The following are resolved issues in release 9.0.4.4:
| Bug Number | Issue | Resolution |
|---|---|---|
| 7257647 | The connector did not support batched or paged reconciliation. There were performance issues related to this limitation. | The connector now supports paged reconciliation. You can implement this feature if the target system is Oracle Internet Directory 10.1.4.0.1 or later. See "Paged Reconciliation" for more information. |
| 7306055 | There was scope for improvement in the performance of the following provisioning operations:
|
The performance of provisioning operations that involve group or role membership changes has been enhanced. |
The following are resolved issues in release 9.0.4.5:
| Bug Number | Issue | Resolution |
|---|---|---|
| 7564492, 6334595, 6317860 | Incremental reconciliation was not supported.
If you deleted one user from one organization on the target system and then performed trusted source delete reconciliation, then all users were deleted from all organizations in Oracle Identity Manager. During reconciliation, user data was fetched from the target system, regardless of whether or not it had been modified. |
Incremental reconciliation is now supported. |
| 6312504 | IT resource parameters for the names of the lookup definitions for reconciliation and provisioning were set to NULL when you restarted Oracle Identity Manager. | The names of the lookup definitions are set as the default values of the IT resource parameters. These parameters are not set to NULL when you restart Oracle Identity Manager. |
| 6168631 | In earlier releases, you had to use the orcladmin account on the target system for reconciliation and provisioning operations. | This issue has been resolved. You can now create a user on the target system, assign the minimum required permissions to the user, and then use it for connector operations. |
| 6312344 | The default value of the Organization DN field on the Administrative and User Console was cn=user. | The Organization DN field has been changed to a lookup field, and the default value has been removed. You can now select a value in this lookup field. |
| 6804852 | The Manager ID field was not available for reconciliation and provisioning. | The Manager ID field has been added to the list of fields that are available for reconciliation and provisioning. |
| 7233799 | At the end of a successful provisioning operation, the "Mapping Not Found" message was recorded in the log file. This message has now been removed. | This issue has been resolved. The "Mapping Not Found" message is no longer recorded in the log file at the end of a successful provisioning operation.
The following are some of the entries in the AttrName.Prov.Map.OID lookup definition. You must ensure that these entries are not changed. ldapUserID: cn ldapFirstName: givenName ldapLastName: sn ldapPassword: userPassword |
| 6987536 | The Start Date and End Date fields of the target system were not used by the connector. | This issue has been resolved. The Start Date and End Date fields have been added for reconciliation and provisioning operations. |
| 7022721 | The process form had two fields for two object classes. This imposed a limitation on the number of objectclasses to which a user could be assigned during a Create User provisioning operation. | This issue has been resolved. The Objectclassess field replaces the two fields on the process form. You can enter a list of objectclasses in this field during a provisioning operation. Use the vertical bar (|) as the delimiter character in the list of objectclasses. |
| 7047363 | You could not add to the default attribute mappings for reconciliation. | This issue has been resolved. You can now use the AttrName.Recon.Map.OID lookup definition to add attributes for reconciliation. See "Adding the Object Class and its Attributes to the Lookup Definition for Reconciliation" in the connector guide for more information. |
| 6490731 | The length of the Password field was 14 bytes. | The length of the Password field has been increased to 30 bytes. |
| 7434067 | A reconciliation error was encountered if you applied a custom reconciliation query that filtered user records by both role assignment and group membership. For example, application of the following reconciliation query would result in an error:
role=role1&group=group1 |
This issue has been resolved. Any combination of the following attributes can be used in the query:
Limitation: The custom reconciliation query must not include field values that contain any of the following characters:
In addition, the field values must not contain the word "group" or "role." The following are examples of query conditions that are invalid: givenname="mary&brown" This value is invalid because it contains the ampersand (&). givenname="johngroup" This value is invalid because it contains the word group. |
| 7360833 | The name of the IT resource type for all LDAP-based connectors was LDAP Server. | This issue has been resolved. The IT resource type for the Oracle Internet Directory connector has been renamed to "OID IT Resource." |
| 7308328 | A space after a comma in the DN value would cause a reconciliation error. | This issue has been resolved. DN values that have a space after the comma are now correctly reconciled.
You implement this solution by copying the JAR files as part of the deployment procedure. |
| 7218933 | The "INSUFFICIENT_INFORMATION_PROVIDED" message was displayed if any process form field was left empty during a provisioning operation. The field itself was not pointed out by the message. | This issue has been resolved. The name of the field in which a value has not been provided is included in the message displayed on the console. |
| 7120339 | The INSUFFICIENT_INFORMATION_PROVIDED error message was not mapped in the resource bundle. | This issue has been resolved. The error message is now mapped in the resource bundle. |
| 7165810 | When you changed the name of an organizational unit through a provisioning operation, the existing OU was deleted and then re-created with the new name that you specified. | This issue has been resolved. The name of the OU is actually changed when you perform the Change OU Name provisioning operation. The OU is not deleted and re-created with the new name.
You implement this solution by copying the JAR files as part of the deployment procedure. |
| 6275476 | On the target system, DNs of groups are not case-sensitive. In Oracle Identity Manager, group DNs are case-sensitive. This caused problems during reconciliation of group membership details. |
|
| 7423099 | Special characters were not supported in the First Name and Last Name fields on the process form. | This issue has been resolved. See "Provisioning Module" in the connector guide for information about the special characters that are supported in process form fields.
You implement this solution by copying the JAR files as part of the deployment procedure. |
| 6489877 | The connector supported neither Mode 1 nor Mode 2 secure connections to Oracle Internet Directory. | The connector supports Mode 1 secure connections to Oracle Internet Directory.
See "Configuring SSL" in the connector guide for detailed information. |
| 7564599 | During a Create Group provisioning operation, it was mandatory to specify a parent OU for the group. | This issue has been resolved. If a parent OU is not specified, then the group is created under the DN context. |
| 7601582 | The User Deletion Successful message was displayed when the Delete User provisioning operation was performed on a user who had already been deleted on the target system. | The message has been corrected. |
| 7301659 | The orclguid field of the target system stores identifier for each LDAP entry in Oracle Internet Directory. The connector did not fetch and store the orclguid of target system users. | This issue has been resolved. The connector now retrieves and stores the orclguid field of target system users. |
The following are the software updates in release 9.0.4.6:
From this release onward, the connector supports the reconciliation and provisioning of multivalued attributes. See "Adding New Multivalued Attributes for Target Resource Reconciliation" for the procedure to add new multivalued attributes for reconciliation and provisioning.
From this release onward, the connector adds support for Oracle Internet Directory 11gR1 as the target system.
This target system is mentioned in the "Verifying Deployment Requirements" section of the connector guide.
The following are software updates in release 9.0.4.7:
From this release onward, the connector performs reconciliation and provisioning operations based on the orclGUID field. The orclGUID field is a unique, read-only field that is created after a Create User provisioning operation.
From this release onward, the connector supports reconciliation of groups and roles. The OID Group Recon Task and OID Role Recon Task scheduled tasks are used to automate reconciliation of groups and roles, respectively.
See the following sections for more information:
In the earlier release, you used a:
Single scheduled task (OID Lookup Reconciliation Task) for reconciliation of lookup values for groups, roles, and organizations
Single scheduled task (OID User Recon) for running trusted source and target resource reconciliation
Single scheduled task (OID User Recon delete) for reconciliation of deleted users in trusted source and target resource modes
From this release onward, the connector has independent scheduled tasks created for all types of user, groups, roles, and lookup reconciliation.
See the following sections for more information:
The high-availability feature for IT Resource is now supported by the connector. This feature enables the connector to perform operations using the backup servers if the primary LDAP server fails or becomes unavailable.
See the "Configuring High Availability of the Target System" section for more information.
By default, the attributes listed in the "Group Provisioning" section are mapped for provisioning of groups between Oracle Identity Manager and the target system. Similarly, by default, the attributes listed in the "Role Provisioning" section are mapped for provisioning of roles between Oracle Identity Manager and the target system. From this release onward, you can map additional attributes for provisioning groups or roles.
See the "Adding New Attributes for Provisioning Groups or Roles" section for more information.
By default, no multivalued attributes are mapped for provisioning between Oracle Identity Manager and the target system for groups and roles. From this release onward, the connector enables you to add new multivalued attributes for reconciliation and provisioning of groups or roles.
See the "Adding New Multivalued Attributes for Provisioning" section for more information.
By default, the attributes listed in the "Group Reconciliation" and "Role Reconciliation" sections are mapped for group or role reconciliation between Oracle Identity Manager and the target system. From this release onward, you can add new attributes for group or role reconciliation.
See the "Adding New Attributes for Reconciliation of Groups or Roles" section for more information.
By default, no multivalued attributes are mapped for reconciliation between Oracle Identity Manager and the target system for groups and roles. If required, you can add new multivalued attributes for reconciliation of groups or roles.
See the "Adding New Multivalued Attributes for Target Resource Reconciliation" section for more information.
The Lookup.OID.Constants lookup definition stores constants defined in the Java classes that constitute the connector.
Caution:
You must not change any entry in the
Lookup.OID.Constants lookup definition. If you change any entry, then the connector will not function correctlyThis information has been mentioned in the "Setting Up Lookup Definitions in Oracle Identity Manager" section.
For every operation that is performed, the connector compares the user attributes in the target system with the corresponding attributes in Oracle Identity Manager. If the values of the user attributes in the target system do not match with the corresponding attributes in Oracle Identity Manager, then an event record is created. Otherwise, no event record is created.
From this release onwards, you can specify a subset of the records that must be reconciled from the target system. The SearchBase and SearchFilter attributes have been added to all scheduled tasks for reconciliation of users, groups, and roles.
See the following sections for more information:
The following table lists issues resolved in release 9.0.4.7:
| Bug Number | Issue | Resolution |
|---|---|---|
| 6694619 | The connector did not provide an option to update the Common Name and User ID process form fields. |
This issue has been resolved. In order to enable modifications to the Common Name and User ID process form fields, the Common Name Updated and User ID Updated operations have been added to the connector. |
| 7581912 | The Group Name Updated, Role Name, Updated, or Change OU Name provisioning operations were successful when performed for the first time. From the second time onward, these provisioning operations failed. | This issue has been resolved. You can successfully perform the Group Name Updated, Role Name, Updated, or Change OU Name provisioning operations any number of times. |
| 7605087 | During trusted source reconciliation, if there was a mismatch in the case (uppercase/lowercase) between a user's OU in Oracle Identity Manager and the user's OU on the target system, then the OU field was not populated. This was because the target system was case-sensitive and Oracle Identity Manager was not case-sensitive toward OU names. OU names were converted to lowercase when they were brought to Oracle Identity Manager through reconciliation.
As a workaround to this problem, it was recommended that you set lowercase names for OUs that you created. |
This issue has been resolved. The OU field is now being populated. |
| 7615302 | Provisioning and reconciliation of manager data for a user was not supported. | This issue has been resolved. You can now provision and reconcile manager data for a user. The Manager field has been added to the list of fields that are available for provisioning and reconciliation. |
| 8258219 | An error was encountered when you updated a process form field whose name contained the "Date" string.
For example, if the name of the process form field was |
This issue has been resolved. No error is encountered when you update a process form field whose name contained the "Date" string. |
| 8346748 | By default, during a Create User provisioning operation, the user ID that you specify was mapped to the cn field of target system.
If you had customized the mapping so that the user ID (that you specify in Oracle Identity Manager) was assigned to the |
This issue has been resolved. When you create a user account on the target system through Oracle Identity Manager, the value of the uid field of the target system is the user ID that you specify in Oracle Identity Manager. |
| 8597107 | The Organization DN field on the process form was neither mapped to the Organization Unit attribute, nor Organization attribute of the target system. |
This issue has been resolved. The Organization DN field on the process form has been renamed to Container DN. The Container DN field holds the value of the container in which the user exists. The Container DN value is a part of the DN value.
For example, if the DN value of a target system user is |
| 8620552 | Target system user fields were not updated when they were updated along with the Organization Name field. | This issue has been resolved. All fields that are updated along with the Organization Name field are now being updated successfully. |
| 8810993 | A user reconciliation run failed if the lookup definition contained the same decode value for different code key values. | This issue has been resolved. You can now successfully run user reconciliation if the look up definition contained the same decode value for different code key values. |
The following sections discuss documentation-specific updates:
The following documentation-specific update has been made in releases 9.0.4.1 through 9.0.4.5:
New points have been added in the "Known Issues" chapter.
The following documentation-specific updates have been made in release 9.0.4.6:
In the "Configuring the Connector" chapter:
The "Configuring the Connector for Multiple Installations of the Target System" section has been removed. This feature is not supported by default.
The following sections have been added:
In the "Lookup Fields Reconciliation Scheduled Tasks" section:
The name of the reconciliation scheduled task has been changed from OID Group Lookup Reconciliation Task to OID Lookup Reconciliation Task.
The AttrType attribute has been added to the list of OID Lookup Reconciliation Task reconciliation scheduled task attributes.
The LookupCodeName attribute values for groups, roles, and organization and organization unit have been changed.
The "Customizing the xlconfig.xml File" section has been moved from the "Configuring the Oracle Identity Manager Server" section to a new location. The instructions described in the "Customizing the xlconfig.xml File" section are now performed before installing the connector.
In the "Setting Up Lookup Definitions in Oracle Identity Manager" section:
The name of the lookup definition has been changed from global.AttrName.Prov.Map.OID.Preferred-Language to Lookup.OID.PrefLang.
The global.AttrName.Prov.Map.OID.Location and global.AttrName.Prov.Map.OID.Time-Zone definitions have been removed as they have been converted into text fields.
In the "Deploying the Connector" chapter, the procedure to add custom object classes and custom attributes on the target system has been removed.
In the "Verifying Deployment Requirements" section, changes have been made in the "Target systems" row.
The following documentation-specific update has been made in release 9.0.4.7:
In the "User Reconciliation" and "Provisioning Module" section, new fields have been added to list of fields that are reconciled and provisioned.
In the "Supported Functionality" section, the names of some of the functions have been modified. In addition, new functions have been added.
In the "Verifying Deployment Requirements" section, changes have been made in the "Oracle Identity Manager" row.
In the "Configuring the IT Resource" section, new IT resource parameters have been added.
The content in the "Setting Up Lookup Definitions in Oracle Identity Manager" section has been modified.
The "Stopping Reconciliation" section has been added, which contains information about stopping a scheduled task has been added.
In the "Configuring Trusted Source Reconciliation" section, the names of the scheduled tasks used for trusted source reconciliation and trusted delete user reconciliation have been modified.
The name of a lookup definition in the "Adding the Object Class and its Attributes to the Lookup Definition for Provisioning" section has been changed.
From the "Configuring the Connector" chapter, the "Adding the Object Class and its Attributes to the Lookup Definition for Reconciliation" section has been removed.
The content in the "Configuring the Mapping of the User ID Field" section has been modified.
From the "Testing and Troubleshooting" chapter, the "Testing Partial Reconciliation" section has been removed.
In the "Known Issues" chapter:
The following issue has been removed:
Bug 7605087
During trusted source reconciliation, if there is a mismatch in the case (uppercase/lowercase) between a user's OU in Oracle Identity Manager and the user's OU on the target system, then the OU field is not populated. This is because the target system is case-sensitive and Oracle Identity Manager is not case-sensitive toward OU names. OU names are converted to lowercase when they are brought to Oracle Identity Manager through reconciliation.
As a workaround to this problem, it is recommended that you set lowercase names for OUs that you create.
Issues tracked by bug numbers 8283518, 8294433, 8874848, and 8880450 have been added.
|
 Copyright © 2009, Oracle and/or its affiliates. All rights reserved. Legal Notices |
|