Release Notes

IBM® Tivoli® Identity Manager

Active Directory 64-Bit (WinAD64) Adapter

Version 5.1.30

First Edition (February 19, 2015)

This edition applies to version 5.1 of Tivoli Identity Manager and to all subsequent releases and modifications until otherwise indicated in new editions.

Copyright International Business Machines Corporation 2003, 2016, 2017. All rights reserved.
US Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Contents

Preface
Adapter Features and Purpose
Service Groups Management
Contents of this Release
Adapter Version
New Features
Closed Issues
Known Issues
Installation and Configuration Notes
Corrections to Installation Guide
Configuration Notes
Exchange 2007 and Exchange 2003 in Co-Existence Mode
Running in Federal Information Processing Standards (FIPS) compliance mode
Directory NTFS and Share Access
Expiration Date
Password Properties
Setting Language Preference for Accounts
Log Message: Error More Data
Use new Win2003 ADSI API for managing WTS attributes
Support for LastLogonTimeStamp Attribute
Upgrading from TIM v4.6
Solving Replication Delay while Adding Mailbox on Exchange 2007
New Features in 5.1.3 Release
Enable/Disable "UseThreadPooling"
Updating the Windows Active Directory Adapter
MR110509300 - MR0908095421 - AD agent Exchange server 2010 support
Mail-Enable AD Groups
MR0210102732 - OCS support for AD adapter
MR0302105547 - Use erADLastLogonTimeStamp for AD dormant account report
MR0226101912 - WinAD: Need a way to configure the length of the wait period for the retries of Win AD 64-bit Adapter for reconciliation
Setting Proxy Address
User Exchange attributes, erADESMTPEmail and erADEX400Email
IZ72897 - PROBLEM TRYING TO SET AN ADDITIONAL E-MAILTYPE MRS
MR031010518 - WinAD: Need Disable Mailbox support for Exchange 2007
Known configuration issue with Exchange 2010: "No provisioning provider installed"
Adapter Version 5.1.6 Features
MR0204103013 - AD adapter support for DNWithBinary
Adapter Version 5.1.7 Features
Behavior of 'mail' attribute
MR090210587 - Support for Exchange Unified Messaging management on Active Directory accounts with ITIM Windows Active Directory adapter
MR081710242 - Optionally requires a MailBoxStore and use Exchange 2010 Default feature if Store is not present
Adapter Version 5.1.16 Features
Added support for Lync 2010/2013
Additions to the User Guide
Extended Attributes
MR0721117156 - WinAD/WinAD64 adapter: Allow support for Octet String data type in extended attributes
MR0204103013 - AD adapter support for DNWithBinary
MR090210587 - Support for Exchange Unified Messaging management
Corrections to the User Guide
Chapter 4. Group management tasks -> Defining groups on Active Directory -> Specifying support data attributes on the group form -> Member Of attribute -> Table 10. Group membership details
Chapter 3. Active Directory Adapter user account management tasks -> Modifying user accounts -> Clearing the mail status of a user account
Chapter 3. Active Directory Adapter user account management tasks -> Suspending user accounts
Chapter 3. Active Directory Adapter user account management tasks -> Deleting user accounts
Chapter 3. Active Directory Adapter user account management tasks -> Adding user accounts -> Enabling a user account for mail
Section "Specifying controls for a user account" of the User Guide
Chapter 6 - Configuring the adapter for IBM Security Identity Manager
Table 20. Attributes, descriptions, and corresponding data types
Customizing or Extending Adapter Features
Getting Started
Support for Customized Adapters
Troubleshooting
Log Output From Exchange and Lync powershell calls
Exchange connection issues
Supported Configurations
Installation Platform
Notices
Trademarks

Preface

Welcome to the IBM Tivoli Identity Manager Active Directory 64-bit (WinAD64) Adapter.

These Release Notes contain information for the following products that was not available when the IBM Tivoli Identity Manager manuals were printed:

Adapter Features and Purpose

The Active Directory Adapter is designed to create and manage accounts on Microsoft Active Directory, Exchange and Lync servers. The adapter runs in "agentless" mode and communicates using the Microsoft ADSI API and Remote PowerShell with the systems being managed.

IBM recommends the installation of this adapter in "agentless" mode on a 64-bit OS and computer in the domain being managed. Installation on a Domain Controller is not recommended. A single copy of the adapter can handle multiple Identity Manager Services. The deployment configuration is based, in part, on the topology of your network domain, but the primary factor is the planned structure of your Identity Manager Provisioning Policies and Approval Workflow process. Please refer to the Identity Manager Information Center for a discussion of these topics.

The Identity Manager adapters are powerful tools that require Administrator Level authority. Adapters operate much like a human system administrator, creating accounts, permissions and home directories. Operations requested from the Identity Manager server will fail if the adapter is not given sufficient authority to perform the requested task. IBM recommends that this adapter run with administrative (root) permissions.

Service Groups Management

The ability to manage service groups is a new feature introduced in TIM 5.1. By service groups, TIM is referring to any logical entity that can group accounts together on the managed resource.

Managing service groups implies the following:

- Create service groups on the managed resource.
- Modify attributes of a service group.
- Delete a service group.

Note that service group name change is not supported in the TIM 5.1 release.

The Windows Active Directory x64 adapter supports service groups management.

Contents of this Release

Adapter Version

Component            Version
-------------------  ------------------------------------------------------------------------
Release Date         2017 March 06 17.44.11
Adapter Version      5.1.30
Component Versions   Adapter Build 5.1.30
                     Profile 5.1.30
                     ADK 6.0.1029 x64
Documentation        Active Directory Adapter with 64-bit Support Installation and Configuration Guide (SC23-9620-00)
                     Active Directory Adapter with 64-bit Support User Guide (SC23-9621-00)
                     Password Synchronization for Active Directory Plug-in Installation and Configuration Guide (SC23-9622-00)

New Features

Enhancement # (FITS)   Description

Items included in current release (5.1.30)

internal - This release includes ADK 6.0.1029, which updates OpenSSL to 1.0.2f to address a vulnerability that allowed excessive CPU utilization.

Items included in 5.1.28 release

42641 - Adapter support for Exchange 2016 and Lync 2015.

42071 - Second and following Mailbox Move Requests fail on Exchange 2013.

43225 - Reduce IO in WinAD Adapter for password change.

Items included in 5.1.25 release

30303 - ISIM AD adapter unable to set Mailbox Retention policy check.

internal - Now using ADK 6.0.1027, which provides an option for disabling SSLv3. There is also support for setting the list of ciphers used.

internal - The Domain Admin and Domain Password fields have been removed from the service form in the profile. They can still be used, but the preferred method is to set the logon account on the adapter Windows service.

Items included in 5.1.24 release

The Password Synchronization plug-in is now released as a separate package. It is no longer bundled with the AD Adapter.

Includes updated ADK 6.0.1020, which includes an update to prevent password values from being written to the log on password change failures.

Items included in 5.1.23 release

Includes updated ADK 6.0.1019, which includes version 1.0.1h-fips of OpenSSL.

Items included in 5.1.22 release

Added support to allow specifying a list of preferred Exchange and Lync servers. The adapter will attempt to connect to one of the preferred servers first before searching AD for all servers. An additional attribute is also provided to force the adapter to use only the preferred servers.

Items included in 5.1.21 release

This release requires an updated C++ runtime. You MUST do a FULL install for this release. An update install does not install the C++ runtime.

Includes updated ADK 5.28, which includes an update to version 1.0.1e-fips of OpenSSL. This OpenSSL was built with the OPENSSL_NO_HEARTBEATS option and does not contain the Heartbleed vulnerability.

Items included in 5.1.18 release

Added support for disabling slow Lync attributes on recon using the registry value "LyncDisableSearch".

Items included in 5.1.17 release

Added support for Lync 2013. See "Added support for Lync 2010/2013".

Items included in 5.1.16 release

17036, 17099, 25906, 27911, 31577 - Added support for Lync 2010. See the Lync Server Configuration notes under "Added support for Lync 2010/2013".

Items included in 5.1.15 release

30820, 27083, 33740 - Added support for Windows Server 2012.

34372 - Added support for Exchange 2013.

Items included in 5.1.12 release

27906 - Added support for MAPIBlockOutlookRpcHttp.

15453 - Added support for msExchOWAPolicy.

29346, 28979, 26825, 22462 - Added support for deleting account objects that have child nodes in AD.

30515 - Added support for the managedBy attribute for managed group objects.

19447 - Added support for POP3 and IMAP4 protocol settings.

NA - Exchange interface updated to use a remote PowerShell session with the Exchange 2010 server. No longer requires local installation of the Exchange 2010 Management tools.

Items included in 5.1.11 release

None

Items included in 5.1.10 release

NA - Enhancements to adapter-based event notification. New registry setting "MarkLogOnly" allows the adapter to mark the highest security log entry the first time a new domain controller is scanned. By default the adapter reads the entire log, which can take unreasonably long if there is a large number of domain controllers.

Items included in 5.1.9 release

NA - Enhancements to adapter-based event notification. The adapter now searches the global catalog for domain controllers when scanning event logs for group membership changes. The actual group membership change event is sent instead of returning the full list of groups for the user account. All configured EN contexts are supported with one pass of event log scanning per cycle instead of scanning the event logs for each EN context.

MR0721117156 - Allow support for Octet String data type in extended attributes. The adapter now supports Octet String as an extended attribute type. It is assumed to be passed as a string value.

MR0629114418 - Unable to provision WinAD extended attributes without MS Exchange Management Tools installed locally. The adapter now treats the extended Exchange attributes as account attributes, since they are set via LDAP calls anyway and do not require an Exchange client.

Items included in 5.1.8 release

None

Items included in 5.1.7 release

MR090210587 - Support for Exchange Unified Messaging management on Active Directory accounts with ITIM Windows Active Directory Adapter. See additional information in the "Configuration Notes" section.

MR081710242 - Optionally require a MailBoxStore and use the Exchange 2010 default feature if the Store is not present. See additional information in the "Configuration Notes" section.

Items included in 5.1.6 release

MR0204103013 - AD adapter extended schema support for data type DNWithBinary. See additional information in the "Configuration Notes" section.

Items included in 5.1.5 release

MR0302105547 - Use erADLastLogonTimeStamp for AD dormant account report.

MR0210102732 - OCS support for AD adapter.

MR0205101253 - Windows 2008 R2 Core support for AD password sync plug-in and Adapter.

MR110509300 - AD agent Exchange server 2010 support.

MR0908095421 - AD agent Exchange server 2010 support.

MR031010518 - WinAD: Need Disable Mailbox support for Exchange 2007.

MR0226101912 - WinAD: Need a way to configure the length of the wait period for the retries of Win AD 64-bit Adapter for reconciliation.

N/A - Mail-Enable AD Groups.

Items included in 5.1.4 release

N/A - Added support for Windows 2008 R2.

Items included in 5.1.3 release

MR0501091927 - Adapter error message changed for clarity (incorrect error message during an AD account modification).

MR0218091930 - Enhance the adapter to unlock a WinAD account without a password reset (password change).

MR1010083842 - Enhancement to support Managed Folder Mailbox Policy in WinAD 64-bit Adapter.

MR0421092235 - WinAD: Client needs support for msExchMailboxTemplateLink MS Exchange attribute.

MR052609514 - Customer wants to use the extended attribute with the name transformed on the ITIM side, using the AD 5.0.5 adapter on an ITIM 4.6 server.

MR0928094723 - Delay in Exchange cmdlets for mailbox permission.

Items included in 5.1.2 release

None

Items included in 5.1.1 release

Initial release for TIM v5.1.

Closed Issues

INTERNAL#   APAR#   PMR# / Description

Items closed in 5.1.30 version

IV85621 - WINAD ADAPTER: PASS PREFERRED LYNC SERVERS TO LYNC MODULE

Items closed in 5.1.29 version

IV84875 (reopened) - ISIM AD ADAPTER CANNOT MANAGE LYNC ATTRIBUTES

Items closed in 5.1.28 version

IV84875 - ISIM AD ADAPTER CANNOT MANAGE LYNC ATTRIBUTES

PMR 75802,227,000 - Issue with erADGrpWriteMembers attribute value on reconcile returning both true and false.

PMR 04723,001,862 - WinAD Adapter Release Notes Wrong+Missing Information

Items closed in 5.1.27 version

IV82951 - SETTING NTFS HOME DIRECTORY PERMISSIONS FAILS AFTER UPGRADE TO WINAD64 6.0.18

Items closed in 5.1.26 version

Internal - Updated profile to include new attributes returned on recon that caused the recon to fail.

Items closed in 5.1.25 version

IV73908 - Event Notification no longer working if USN-Changed attribute exceeds 7 digits

Items closed in 5.1.24 version

PMR 13541,035,724 - WTS ATTRIBUTES AND RECON ERROR 1317.

IV65653 - WINAD ADAPTER REPORTS SUCCESS IN CASE OF AD GROUP INTERFACE PROBLEMS DURING RECONCILIATION.

IV67715 - ERADLYNCTELEPHONY AND ERADLYNCLINEURI FAIL ON MODIFY TO LYNC

Items closed in 5.1.23 version

IV61397 - THREAD LOGGING OPTION NOT SHOWING IN AD ADAPTER AGENTCFG PROGRAM

IV62916 - AD ADAPTER RECON FAILS WHEN AD CANNOT PROVIDE INFORMATION ABOUT AN ATTRIBUTE'S SCHEMA CHARACTERISTICS

IV63714 - WINAD ADAPTER CRASH IF ERADLYNCTELEPHONY IS NULL

Items closed in 5.1.22 version

IV61264 - ADD REQUESTS FAIL TO CREATE MAILBOXES ON EXCHANGE 2013 WHEN EXCHANGE 2010 IS PRESENT

IV54076 - ADAPTER 6.0.7 EVENT NOTIFICATION DOESN'T SEND UPDATES ON DELETE

PMR 44201,124,672 - Lync updates fail to set attributes, but adapter returns "success".

PMR 40800,124,672 - Disable the AD account, and is it expected to see the Exchange 2010 account suspended as well?

Items closed in 5.1.21 version

IV55003 - Only first value of extended multi-valued attribute provisioned.

IV54742 - Failure when removing value from erAdAllowedaddresslist attribute.

IV53979 - Win AD adapter log rotation is not working properly.

IV53709 - Account modify problem with the execution policy machine policy set to remote signed.

IV53423 - Windows Active Directory adapter can crash during test connection.

IV45107 - AD recon fails with large photo attribute.

IV55742 - ReconDiscconectedMailbox setting breaking reconcile.

IV54738 - THE FUNCTIONALITY OF THE FORCE PASSWORD CHANGE ATTRIBUTE IS DOCUMENTED INCORRECTLY

Items closed in 5.1.18 version

IV53185, IV52869, IV52916 - Unable to set extended string attribute.

IV53212 - .V2 profile folder not deleted on deprovision.

IV53225 - AD add with Lync account fails with user not found.

Items closed in 5.1.17 version

IV49178 - Unable to update Accept Mail From attribute.

PMR 42506,227,000 - Random failure with eradnochangepassword attribute during add/create account request.

Items closed in 5.1.16 version

IV46279, IV45884 - User delete request reporting error "Unable to parse user DN" even though delete was successful.

IV43794 - On AD adapter Add operation secondary SMTP is ignored.

IV44614 - WinAD adapter has missing RPS documentation.

Items closed in 5.1.14 version

IV43500 - Proxy address handling updated to correctly support replacing the primary SMTP address.

IV39511 - Restructured code to reorder DACLs when updating the security descriptor to set erADNoChangePwd.

IV36704 - erADEActiveSyncEnabled value was not correct when returned during recon. It is now correctly set.

IV31681 - Additional enhancements to the handling of proxy addresses to properly handle setting primary SMTP addresses.

Items closed in 5.1.13 version

IV31681 - Restructured handling of proxy addresses so the processing order is fixed: delete, add, replace. The exception is that a new primary SMTP address must be added if the existing one is being deleted in the delete request.

Items closed in 5.1.12 version

IV31747 - Fixed error handling when the Exchange interface is not present while managing Exchange attributes. Previously, success was returned when the interface was not present.

IV30400 - ADK 5.27 includes an update to OpenSSL 0.9.8x, which supports additional algorithms.

IV25655 - Fixed bug in lookup callback that returned success when binding to AD fails.

Items closed in 5.1.11 version

IV12041 - Added support to use the credentials specified in event notification contexts to connect to remote domain controllers when scanning for group membership changes. If opening the remote event log fails, the adapter now tries the credentials from each of the event notification contexts until it opens successfully.

IV22091 - Disconnected mailboxes are now included in the supporting data recon.

IV23574 - The implementation of the get mail status function in the Exch2k7.dll module was updated to allow specifying the target domain controller.

Items closed in 5.1.10 version

IV21522 - New registry setting to control the server name used for Exchange operations. Setting "UserLocalDCForExchange" to TRUE causes the adapter to look up the name of the local domain controller and use that for Exchange operations. If the value is FALSE or not present, the adapter uses the server name passed with the basepoint if present, or null, which lets Exchange decide which DC to use.

IV19838 - Fixed problem with buffer overflow when supplying a fully qualified domain name in the erADBasepoint. The buffers to store the RAS and WTS server names were declared expecting the short name (MAX_COMPUTERNAME_LENGTH). The buffers have been made larger to accommodate a fully qualified domain name.

IV14399 - Fixed problem with the adapter upgrade tool.

Items closed in 5.1.9 version

IV11173 - False warnings generated during adagent home directory processing. The adapter was marking attributes as failed when unable to access the home directory share even though they were not included in the request, resulting in a warning. The error is now only set if the attribute existed in the request.

IV13282 - Unable to provision account when country code is Serbia. The country code list was updated to the most recently published list. The account form and customlabels files in the profile were also updated to add the new countries to the list.

Items closed in 5.1.8 version

IZ98592 (PMR 10738,999,616) - Multiple values returned for erADEAllowPermTo1Level during recon.
FIX: The adapter now returns only the first Access Control Entry (ACE) for "SELF". If multiple ACEs exist for SELF, erADEAllowPermTo1Level is only returned for the first ACE.

IZ94371 (PMR 77770,550,000) - If the erPassword attribute value cannot be set, it is displayed in clear text in the adapter log file.
FIX: The adapter has been modified so that any attribute whose name contains "pwd" or "pass" now shows only "*****" as the value in the unmodified attributes list.

IZ89492 (PMR 85059,999,724) - ADK adapter message "starting new SSL connection thread".
FIX: The text "SSL" has been removed from this message. The IO library clearly logs the SSL handshake before this message is logged; it is not necessary to state whether the connection is SSL or not.

IZ95555 (PMR 66097,7TD,000) - The erAdGroupDescription attribute length needs to be increased in the AD profile schema.
FIX: The length of this attribute is now specified as 1024. If data that uses erADGroupDescription already exists in the LDAP directory, the field size is not updated when the profile is imported into Identity Manager.

Items closed in 5.1.7 version

IZ89623 (PMR 11899,922,848) - CO attribute does not get the correct value of the country name.

IZ91338 (PMR 14724,344,000) - Windows AD Adapter crashes when searching for duplicate UPNs.

Items closed in 5.1.6 version

None

Items closed in 5.1.5 version

IZ72897 - PROBLEM TRYING TO SET AN ADDITIONAL E-MAILTYPE MRS.

IZ73004 - INAD ADAPTER IS NOT SETTING FAILURE FOR RAS RELATED ATTRIBUTE.

IZ75218 - ADAGENT CRASHES.

Items closed in 5.1.4 version

IZ65637 (PMR 39372,180,000) - Custom "UTC Coded Time" attribute value not correctly returned from AD adapter during recon.

IZ67106 (PMR 79658,442,000) - Intermittent 0x80004002 error when attempting to manage/provision mailboxes.

IZ66086 (PMR 07172,035,724) - Reconciliation error with WinAD 64-bit adapter 5.0.8.

IZ70467 (PMR 24803,422,000) - AD agent crashes when modify request includes changing erADIsAccountLocked to a space.

N/A (PMR 81172,379,000) - RUS and EAG errors during WinAD Adapter Add request. The following changes were made to adapter logging:
- The adapter logs the "Domain Flat Name" in the adapter log file.
- Adapter log messages are enhanced to provide more error information, with the error code, when searching for the RAS Server Name.

IZ58983 (PMR 94774,227,000) - CERTTOOL.EXE UNABLE TO LIST CERTIFICATE VERISIGN CLASS 3 SECURE SERVER CA - G2.

Internal 36607 - ADK incorrect return status for multivalued attribute with special characters.

N/A - Suppress the user interface shown during installation of run-time files from Microsoft for silent installation.

Internal 36818 - WinAD 5.1 doesn't return group container objects in recon.

Internal 36620 - 5.0 WinAD - Problem with WTS boolean attributes during recon.

Items closed in 5.1.3 version

IZ52909 (PMR 39888,227,000) - Performing filtered recon with TIM v4.6 server returns container objects, causing a recon error in the TIM log.

IZ54007 (PMR 06743,6X1,760) - Adapter fails to add Group when the name contains special characters like ")".

IZ52976 (PMR 06524,6X1,760) - WinAD Group Membership modification fails if group contains a "#" and adapter is set to use CN for group membership link.

IZ51132 (PMR 19725,379,000) - Group name containing a forward slash character cannot be properly parsed.

IZ45782 (PMR 92561,077,724) - Check boxes in the form for Exchange cause errors in agent log.

N/A (PMR 29147,227,000) - AD Adapter crash on disabled user moving to different OU.

IZ47221 (PMR 83137,379,000) - WinAD 64-bit adapter not handling multi-line attribute values.

N/A (PMR 33834,999,760) - WinADAdapter failed to load exschema.txt at system bootup.

IZ60509 (PMR 36047,660,706) - CHANGES TO WTS HOME DIR AND DRIVE LETTER NOT COMMITTED TO AD

IZ61122 (PMR 24146,660,706) - PATH TO EXCHANGE TOOLS IN AD ADAPTER SHOULD BE CONFIGURABLE

IZ43288 (PMR 66187,379,000) - WinAD 64-bit adapter with Alert processing is not compatible with the CN attribute.

N/A (PMR 34450,057,649) - Active Directory ADSI search calls hang.

IZ47418 (PMR 10132,922,848) - WinAD Adapter crashes randomly.

IZ49418 (PMR 83618,550,000) - 32-bit AD event notification unexpected results in "run event notification new".

N/A - WinAD internal defects repaired:
CMVC #36317 - WinAD Adapter fails to find group when name contains ( ) * \
CMVC #36208 - WinAD returns incorrect container when CN contains '='
CMVC #36159 - WinAD: delete user request must fail if base point bind fails
CMVC #36240 - WinAD terminates when an error occurs in reconciliation
CMVC #36212 - WinAD Adapter fails to find user when eruid contains ( or )
CMVC #36238 - WinAD Adapter returns incorrect error for duplicate UPN

Items closed in 5.1.2 version

N/A / N/A - Corrections to the release notes.

Items closed in 5.1.1 version

None


Known Issues

INTERNAL#   APAR#   PMR# / Description

N/A / N/A - Support for Exchange and Lync is provided using remote PowerShell connections to the Exchange or Lync server. There is a fixed limit of 5 concurrent connections to a remote PowerShell. Setting the thread count higher than the default of 3 could result in some Exchange or Lync attributes failing to be set under heavy load.

N/A / N/A - Support for erADEAllowedAddressList and erADERstrctAdrsLs is no longer available for Exchange 2007.

N/A / N/A - Service form fields:
- Administration User Account
- Administration User Password
See item 9, "Chapter 4. Adapter installation", under "Corrections to Installation Guide".

Cross domain management

When you have the adapter installed on one of the workstations in Domain A to manage Active Directory in Domain B, the adapter service must run under an administrator account of Domain B.

The adapter uses APIs that run with the permissions of the account under which the adapter service is running. When that account does not have the required permissions on the managed domain, the API will not obtain the permissions it needs to perform the operation.

When the user account used to run the adapter does not have the required permissions, the following attributes will fail.

Home Directory related attributes
- Home Directory
- Home Directory Drive
- Home Directory NTFS Access
- Home Directory Share
- Home Directory Share Access
- WTS Home Directory
- WTS Home Directory Drive
- WTS Home Directory NTFS Access
- WTS Home Directory Share
- WTS Home Directory Share Access

RAS attributes
- Dial-in
- Callback Settings
- Callback Number

WTS related attributes
- Inherit Initial Program
- WTS Callback Settings
- WTS Callback Number
- WTS Remote Home Directory

RAS attributes when Active Directory is in mixed-mode domain functional level

1) When Active Directory is in mixed-mode domain functional level, the third dial-in option "Control access through Remote Access Policy" is not available on Active Directory. When Active Directory is configured for mixed mode, the Active Directory Adapter will fail the request from IBM Tivoli Identity Manager to set the dial-in option to "Control access through Remote Access Policy". However, on Active Directory the dial-in option will be set to "Deny Access" (default).

Workaround: No workaround available.

2) Reconciliation of a user account on a mixed-mode domain functional level shows the incorrect value "Control access through Remote Access Policy" for the Dial-in attribute when the account is created directly on Active Directory with the default value for dial-in ("Deny Access") and the default value for callback settings ("No Callback").

There are two cases in which Active Directory does not create the msNPAllowDialin attribute, as shown in the table below.

Domain Functional Level   Attribute Value on Active Directory
-----------------------   ---------------------------------------------------
Windows 2000 Native       Dial in: Control access through Remote Access Policy
                          Callback options: No Callback (default)
Windows 2000 Mixed        Dial in: Deny Access (default)
                          Callback options: No Callback (default)

During search, Active Directory does not return the msNPAllowDialin attribute. The Active Directory Adapter cannot find the functional level of the domain without connecting to RootDSE, and connecting to RootDSE does not work if you have installed the adapter in a domain other than the one being managed. As a result, the adapter sets the erADExDialin attribute to the value "NONE", which maps to "Control access through Remote Access Policy" on the account form.

Workaround:

To retrieve the correct value for the dial-in attribute, set the following dial-in and callback options when you create a user account directly on Active Directory.

Attribute           Value
----------------    -------------
Dialin              Deny Access
Callback Options    Set by caller

INTERNAL#

APAR#

PMR# / Description

 

N/A

 

N/A

 

Using the Upgrade Option

Active Directory Adapter installer does not support update adapter option. The installer displays the update option when the setup is executed, but does not behaves as update rather it is as good as a fresh installation. Using update option will reinstall the adapter and overwrite the adapter configuration. It is recommended to check the adapter configuration after executing the setup in order to upgrade to newer version.

 

N/A

N/A

PMR 83403,057,649 - AD Agent hangs on second error

 

Work around implemented for Microsoft issue (KB article 293278).

 

For user and group management requests, the agent binds to the basepoint/default domain. Each operation is run in a separate thread which first initializes COM using CoInitialize and upon operation completion calls CoUninitialize to uninitialize COM. However for second request, the connection is reused and agent quickly establishes connection with AD. MS KB article 293278 (http://support.microsoft.com/default.aspx?scid=kb;en-us;293278) states that 'PRB: Problems When You Call CoInitialize and CoUninitialize Repeatedly in Multithreaded Apartment' -

 

To avoid the issue, a small delay (1.5 sec) has been inserted before COM is uninitialized at the end of an operation.

 

INTERNAL#: N/A    APAR#: N/A

The following table lists the IBM Tivoli Identity Manager Active Directory adapter attributes and the corresponding attributes in Active Directory:

Attribute name on IBM Tivoli Identity Manager    Attribute name on Active Directory
erADLastFailedLogin                              badPasswordTime
erADBadLoginCount                                badPwdCount
erADLastLogoff                                   lastLogoff
erADLastLogon                                    lastLogon

The attributes listed above are not replicated in Active Directory: each domain controller holds its own copy of these attributes, likely with different values.

The Windows Active Directory Adapter therefore may not show the actual value for these attributes.

 

 

 

Leaving a space in the base point will cause problems

The BasePoint (on the service form) and the Event Notification Context (in agentCfg) must be in proper DN format and must not contain any space between the dc and ou/dc components.

For example:

If your base point value is <DC Name>/ou=TestOrg01,dc=TestLab, dc=com   (here there is a space between "dc=TestLab," and "dc=com")

then you must specify the correct base point value on the service form as follows:

            <DC Name>/ou=TestOrg01,dc=TestLab,dc=com

 

 


 


 

 

Special characters in the BasePoint attribute.

The BasePoint specified on the service form and for the Event Notification Context (in agentCfg) must be in proper DN format. The special characters # + = \ ; " , < > in the base point value must be escaped with the escape character \.

For example:

Example 1

If the base point to be specified is

ADServer1/ou=#test<org>=01/END,dc=MyDomain,dc=com

the characters # < > = must be escaped using the \ character as

ADServer1/ou=\#test\<org\>\=01/END,dc=MyDomain,dc=com

Example 2

If the base point to be specified is

ou=Inner;most,ORG",ou=Outer+\ORG,dc=MyDomain,dc=com

the characters ; , " + and \ must be escaped using the \ character as

ou=Inner\;most\,ORG\",ou=Outer\+\\ORG,dc=MyDomain,dc=com

NOTE: Escaping of the / character is handled internally by the adapter; do not escape it explicitly on the service form.

Avoid special characters in the base point where possible: they reduce the performance of various operations performed by the adapter.

 

 

 

 

Issue with adapter based filtering.

Avoid using the cn attribute of the common schema in a filter whose object class value is erADContainer. The filter is perfectly valid for Active Directory, and IBM Tivoli Identity Manager gives no error while evaluating the filter and submitting it to the adapter. However, after the adapter processes the filter and returns the matching entries, IBM Tivoli Identity Manager fails while processing the returned entries, because the cn attribute does not belong to the erADContainer class in the IBM Tivoli Identity Manager schema for the Active Directory profile.

For example, the following filter results in a FAILED reconciliation request on IBM Tivoli Identity Manager:

(&(objectclass=erADContainer)(cn=MyContainer))

 

 

 

 

Known issue with Group Email attribute

Setting the erADGroupDlEmail attribute of the erADGroup class is not supported, but the attribute is reconciled.

 


 


 

 

Known issue with IBM Tivoli Identity Manager when the User ID (ERUID) attribute contains characters like '(' and ')'

This known issue applies to IBM Tivoli Identity Manager (ITIM) v5.1. When a user account's samAccountName attribute on Active Directory contains the characters '(' and/or ')' and a Full Reconciliation is performed, the Full Reconciliation completes with a warning. Note that the samAccountName attribute of a user account on Active Directory maps to the eruid attribute on ITIM.

For example, if you have user accounts on Active Directory with the following samAccountName values

TestUser(_01

TestUser)_02

( TestUser _04(

the Full Reconciliation results in a warning with the following error message:

CTGIMD014I 3 reconciliation entries were not processed for the following entries: eruid=TestUser(_01; eruid=TestUser)_02; eruid=( TestUser _04(.

Workaround: Avoid using the special characters '(' or ')' in the samAccountName attribute of user accounts on Active Directory.

 

INTERNAL#: N/A    APAR#: N/A

PMR 07331,035,724 - ITIM WinAD64 adapter - prob with WTS attrib

When a RECON operation is performed, the WinAD adapter returns the error 0x8000500d (ADS_PROPERTY_NOT_FOUND) for all WTS attributes. The error is returned for users that were created directly on Active Directory. It occurs when you try to access attributes that are not located in the so-called property cache; it can also be an operational attribute that is not automatically built in the cache.

The Windows Active Directory adapter log displays the following error message for all WTS attributes:

       Error Message: "Failed with Error: 0x8000500d - (null)"

Microsoft has confirmed that this is a known issue on Windows Server 2008 and Windows Server 2008 R2 machines.

For more information on this issue, see the following Microsoft web site:

http://support.microsoft.com/kb/947729

Workaround:

Set any WTS attribute on the Windows Server 2008 domain controller for the users that produce the above error message.

To set WTS attributes, follow these steps:

1.      Open Active Directory Users and Computers.

2.      Find the user in the Users folder or in the Organizational Unit where the user is located.

3.      Right-click the user account, and then click Properties.

4.      The Environment tab and the Terminal Services Profile tab hold the settings for the WTS attribute values.

5.      A single modification to any one of these WTS attributes resolves the issue.

OR

You can also follow the steps provided on the Microsoft web site above as a workaround.

OR

Running a modify request with WTS attributes from the ITIM WinAD service also resolves the issue.

 

INTERNAL#: N/A    APAR#: N/A

Issue with WTS attributes during reconciliation operation

The Windows AD adapter gives the following errors when managing WTS attributes with the adapter registry key "WtsDisableSearch" set to FALSE. The errors occur when a reconciliation is performed.

Could not reconcile WTS attribute erADWTSCallbckNumber. Failed with error 1317: The specified user does not exist.

Could not reconcile WTS attribute erADWTSInheritInitialProg. Failed with error 1317: The specified user does not exist.

Could not reconcile WTS attribute erADWTSRemoteHomeDir. Failed with error 1317: The specified user does not exist.

Could not reconcile WTS attribute erADWTSCallbckSettings. Failed with error 1317: The specified user does not exist.

Workaround: no workaround.

 

 

 

Known Issues for Adapter based Event Notification

 

Issue:

When you modify the 'User logon name (pre-Windows 2000)' of a user account on Active Directory, adapter based event notification results in the creation of two accounts on IBM Tivoli Identity Manager: one account with the old name and another with the modified name (an orphan account).

Workaround: As far as possible, avoid renaming user accounts directly on Active Directory; perform user modifications only through Tivoli Identity Manager. If you do rename a user account on Active Directory, perform a full reconciliation to avoid the creation of duplicate user accounts on Tivoli Identity Manager.

 

 

Issue:

When Active Directory is configured not to cache deleted objects in the Deleted Objects container, the adapter cannot track the deletion of an object (user, group, or organizational unit) on Active Directory. As a result, IBM Tivoli Identity Manager is not updated for the deleted objects.

Workaround: no workaround.

 

 

Issue:

When you remove an organizational unit (container) on Active Directory that contains user accounts, all the user accounts in the organizational unit are removed from Active Directory. User accounts removed as a result of the deletion of the organizational unit are not traced by adapter based event notification, so their information is not updated on IBM Tivoli Identity Manager.

Workaround: Before you remove a container on Active Directory, remove all the user accounts from the container and from its sub-containers. That way adapter based event notification is able to trace the user account deletions.

 

 

Issue:

An event notification context tracks each object (user, group, container, and mailstore) by generating a key in a local database. The maximum key length of the database is characters. When containers, groups, or mailstores in Active Directory have names longer than 64 characters, adapter based event notification may function incorrectly: it might add duplicate entries to the database or read an incorrect entry from it, which can result in incorrect updates to objects in IBM Tivoli Identity Manager.

Workaround: When you create a container, group, or mailstore on Active Directory, select a name whose first 50 characters do not match the first 50 characters of the name of any other object.

 

 

Issue:

Before removing a group from Active Directory, remove all the members from the group. When you do so, all the member objects are updated properly on IBM Tivoli Identity Manager.

Workaround: Before deleting a group on the resource, empty its 'Members', i.e. remove the objects that are members of the group. This ensures that the dependent accounts are updated properly on the IBM Tivoli Identity Manager (ITIM) server.

 

 

Issue:

When the log information in the event viewer log file is cleared, the next event notification operation may produce the following error in the adapter log file:

'Unable to read the last highest record from the log. Error code: 0x00000057 - The parameter is incorrect'.

Workaround: No action is required. The next adapter based event notification reads the event log properly.

 

 

Issue:

When a user account is moved from a container that is either the base point or a sub-container of the base point to a container that is not under the base point, the user account is not updated on IBM Tivoli Identity Manager after event notification runs. Ideally this user no longer belongs to the corresponding service on IBM Tivoli Identity Manager, as it has been moved to a container that is outside the base point of that service.

Workaround: When you move a user account on Active Directory to a container that is not under the base point, perform a full reconciliation to update the user accounts on IBM Tivoli Identity Manager.

 

 

 

Class 3 Certificate Installation

Class 3 certificates (class 3 secure server CA-G2) are not written properly to the "DamlCACerts.pem" file by the CertTool.exe utility: the certificate data is written twice between BEGIN CERTIFICATE and END CERTIFICATE.

Workaround: To correct this issue, follow the steps below to edit the "DamlCACerts.pem" file in the "<Adapter installation path>\data" folder.

Step 1. Start the CertTool utility.

Step 2. Import the class 3 CA certificate by using the "F" option from the main menu of the CertTool utility.

Step 3. Once the class 3 CA certificate is successfully installed, open the "DamlCACerts.pem" file stored in the "<Adapter installed path>\data" folder in a text editor.

Step 4. Delete the class 3 CA certificate data (the content between BEGIN CERTIFICATE and END CERTIFICATE) from "DamlCACerts.pem".

Step 5. Open the class 3 CA certificate file in a text editor and copy the certificate data (between BEGIN CERTIFICATE and END CERTIFICATE).

Step 6. Paste the certificate data into "DamlCACerts.pem" between the BEGIN CERTIFICATE and END CERTIFICATE lines of the same class 3 CA certificate. If more than one class 3 certificate is installed, identify the certificate by its issuer and subject data.

Step 7. Save the "DamlCACerts.pem" file.

Step 8. To verify that the "DamlCACerts.pem" file was edited properly, display the certificate information by using option "E" from the main menu of the CertTool utility.

Note: This issue is seen after installing a class 3 CA certificate. If you correct DamlCACerts.pem and then install another class 3 CA certificate, the newly installed certificate shows the same issue. The issue is also seen when you delete any certificate using option "G" from the main menu of the CertTool utility: the delete option affects all remaining class 3 CA certificates, and you must follow steps 1 to 8 again to correct the DamlCACerts.pem file.

 

 

 

NetBIOS name must not be greater than 15 characters:

A NetBIOS name is 16 ASCII characters; however, Microsoft limits the NetBIOS name to 15 characters and reserves the 16th character as a NetBIOS suffix. The Windows Active Directory adapter uses a NetBIOS based lookup to find the RAS server and the WTS server, so it is bound by the Windows restriction of a 15 character maximum for a NetBIOS computer name or NetBIOS domain name. If the NetBIOS domain name or NetBIOS computer name is longer than 15 characters, the Windows Active Directory adapter displays the following error message for the RAS server lookup:

  ERROR_INVALID_DOMAINNAME         1212  "The format of the specified domain name is invalid."

See the Microsoft article on naming conventions, which specifies a maximum name length of 15 characters:

      http://support.microsoft.com/kb/909264

Workaround:

Set the adapter registry keys "ForceTerminalServerLookup" and "ForceRASServerLookup" to FALSE using the agentCfg utility provided with the adapter.

Specify one or more target servers for the base point on the Active Directory Adapter service form on the IBM Tivoli Identity Manager server. Specify the target servers that are configured as the RAS server or WTS server. This resolves the RAS and WTS server lookup issue for error code 1212.

Separate target servers with the '|' (pipe) character.

For example:

Base Point DN on the service form with only one target server:

       DC01/OU=engineering,DC=irvine,DC=IBM,DC=com

Base Point DN on the service form with more than one target server:

        DC01|DC02|DC03/OU=engineering,DC=irvine,DC=IBM,DC=com

For more detail on configuring the user base point, see the section "Configuring the Users Base Point for the adapter" in the Active Directory Adapter Installation and Configuration Guide.
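The base point rules given in these notes (no whitespace after the RDN separators, escaping of the listed special characters, the '|'-separated target-server prefix, and the 15 character NetBIOS limit) can be checked before a value is typed into the service form. The following Python script is an added example written for these notes, not code from the adapter or from IBM: the function names and the sample values are assumptions, and splitting on the first '/' relies on the statement above that the adapter handles '/' inside the DN itself.

```python
"""Sanity checks for a WinAD adapter base point value.

Added example, not part of the adapter or of IBM's documentation. It applies
the rules stated in the release notes: target servers precede the first '/'
and are separated by '|'; a NetBIOS name is at most 15 characters; the DN
must carry no whitespace around its ','-separated RDNs; and the characters
# + = \ ; " , < > inside an RDN value must be escaped with '\'. The '/'
character is deliberately left alone because the adapter escapes it itself.
"""

# Characters the release notes require to be escaped inside an RDN value.
SPECIAL = set('#+=\\;",<>')
NETBIOS_MAX = 15          # Windows limit for a NetBIOS computer/domain name


def escape_rdn_value(value):
    """Escape each special character of a raw RDN value with a backslash."""
    return ''.join('\\' + ch if ch in SPECIAL else ch for ch in value)


def split_unescaped(text, sep):
    """Split text on sep, treating a backslash-escaped sep as data."""
    parts, current, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == '\\' and i + 1 < len(text):
            current.append(text[i:i + 2])     # keep the escape pair intact
            i += 2
            continue
        if ch == sep:
            parts.append(''.join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append(''.join(current))
    return parts


def parse_basepoint(basepoint):
    """Return (servers, dn); servers is empty when no '<server>/' prefix is given."""
    if '/' in basepoint:
        prefix, dn = basepoint.split('/', 1)
        return prefix.split('|'), dn
    return [], basepoint


def validate_basepoint(basepoint):
    """Return a list of problems found; an empty list means the value passes."""
    problems = []
    servers, dn = parse_basepoint(basepoint)
    for server in servers:
        if len(server) > NETBIOS_MAX:
            problems.append("target server '%s' is longer than %d characters"
                            % (server, NETBIOS_MAX))
    for rdn in split_unescaped(dn, ','):
        if rdn != rdn.strip():
            problems.append("whitespace around RDN '%s'" % rdn)
        if '=' not in rdn:
            problems.append("RDN '%s' is not in attribute=value form" % rdn)
            continue
        attr, value = rdn.split('=', 1)
        i = 0
        while i < len(value):
            if value[i] == '\\':              # escaped pair: skip both characters
                i += 2
                continue
            if value[i] in SPECIAL:
                problems.append("unescaped '%s' in value of '%s'"
                                % (value[i], attr.strip()))
            i += 1
    return problems


if __name__ == '__main__':
    # Constructed sample values modelled on the examples in these notes.
    for sample in ('DC01/ou=TestOrg01,dc=TestLab, dc=com',
                   'ADServer1/ou=#test<org>=01/END,dc=MyDomain,dc=com',
                   'ADServer1/ou=' + escape_rdn_value('#test<org>=01/END')
                   + ',dc=MyDomain,dc=com',
                   'DC01|DC02|DC03/OU=engineering,DC=irvine,DC=IBM,DC=com'):
        print(sample, '->', validate_basepoint(sample) or 'OK')
```

The check is deliberately stricter than LDAP itself: it flags an unescaped '+' or '#' anywhere in a value because that is what these notes require for the adapter, even though RFC 4514 would accept some of those positions.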

 

 

 

 

 

 

Issue with Special Characters during Recon Operation:

Reconciliation fails on IBM Tivoli Identity Manager if an attribute value in a recon entry contains one or more of the special characters listed in the table below that have not been transformed to their equivalent XML format.

When the ADK reads an attribute value, it searches the value string for each of the XML transformed values listed in the table below. If it finds any one of them, it considers the entire string already transformed and performs no transformation on it; in this case the ADK does not check whether the string still contains untransformed special characters, so any such characters are left untransformed. When IBM Tivoli Identity Manager processes such recon entries, they fail.

 

 

Special Character                    Equivalent XML transformation
&    (ampersand)                     &amp;
'    (apostrophe or single quote)    &apos;
"    (double-quote)                  &quot;
<    (less-than)                     &lt;
>    (greater-than)                  &gt;

 

 

For example:

Example 01:

If the value of the Description attribute of a user account on Active Directory is "My String &amp; < &gt; END", the ITIM server fails the request after reconciliation with the following error.

CTGIMD106E An error occurred while processing the request.

Error: The content of elements must consist of well-formed character data or markup.

Here the character < (less than) is not transformed by the ADK, because the ADK found the substring &amp; in the string and considered the string already transformed.

Example 02:

If the value of the Description attribute of a user account on Active Directory is "My String & &amp; &gt; END", the ITIM server fails the request after reconciliation with the following error.

CTGIMD106E An error occurred while processing the request.

Error: The entity name must immediately follow the '&' in the entity reference.

This is an "unknown entity" error, because the "&" is assumed to begin an entity reference. The character & (ampersand) is not transformed by the ADK, because the ADK found the substring &amp; in the string and considered the string already transformed.

Example 03:

If the value of the Description attribute of a user account on Active Directory is "My String &amp &amp; &lt; END", the ITIM server fails the request after reconciliation with the following error.

CTGIMD106E An error occurred while processing the request.

Error: The reference to entity "lt" must end with the ';' delimiter.

The first &amp does not end with a semicolon ';' and is left as is, because the ADK found the substring &amp; in the string and considered the string already transformed.

Workaround:

Modify the attribute value so that either all the special characters in the value are replaced by their corresponding XML transformation or none are.

Example 04:

If the value of the Description attribute of a user account on Active Directory is "My String  &amp; END", the value displayed on the ITIM account form after reconciliation is "My String & END".

This causes no error or failure in the recon, but the value displayed on the IBM Tivoli Identity Manager account form is not the same as the value on Active Directory, because IBM Tivoli Identity Manager performs a reverse transformation to recover the original character; in this case &amp; is replaced with & on IBM Tivoli Identity Manager.

Avoid the use of the above special characters in attribute values.
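The failure mode described in this section can be reproduced offline. The following Python script is an added example, not ADK or adapter code: it models the rule described above (leave the whole value alone when any entity is already present, otherwise transform every special character) and then parses the result as XML element content, which is where the CTGIMD106E errors originate. The function names and sample values are assumptions, and Python's standard-library XML parser stands in for the one ITIM uses.

```python
"""Model of the ADK special-character rule and of what ITIM makes of the result.

Added example, not ADK or adapter code. It follows the behaviour the release
notes describe: if any of the five XML entities already occurs in the value,
the ADK leaves the whole string untouched; otherwise it transforms every
special character. The ITIM side is modelled as an XML parser reading the
value as element content.
"""
import xml.etree.ElementTree as ET

# Special characters and their XML transformations, as listed in the table above.
ENTITIES = {'&': '&amp;', "'": '&apos;', '"': '&quot;', '<': '&lt;', '>': '&gt;'}


def adk_transform(value):
    """Transform special characters unless an entity is already present."""
    if any(entity in value for entity in ENTITIES.values()):
        return value                      # treated as already transformed
    out = value.replace('&', '&amp;')     # ampersand first, so later entities stay intact
    for ch, entity in ENTITIES.items():
        if ch != '&':
            out = out.replace(ch, entity)
    return out


def itim_parse(transformed):
    """Parse the transformed value as XML element content.

    Returns (True, decoded_value) on success, or (False, parser_error) when
    ITIM would reject the recon entry.
    """
    try:
        element = ET.fromstring('<value>' + transformed + '</value>')
        return True, element.text or ''
    except ET.ParseError as err:
        return False, str(err)


def recon_outcome(ad_value):
    """Follow an Active Directory attribute value through ADK and ITIM."""
    return itim_parse(adk_transform(ad_value))


def find_unsafe(values):
    """Return the values from an iterable that would fail reconciliation."""
    return [v for v in values if not recon_outcome(v)[0]]


if __name__ == '__main__':
    # Constructed Description values, taken from the examples in this section.
    samples = ['My String &amp; < &gt; END',      # Example 01: raw '<' survives
               'My String & &amp; &gt; END',      # Example 02: raw '&' survives
               'My String &amp &amp; &lt; END',   # Example 03: '&amp' without ';'
               'My String &amp; END',             # Example 04: accepted, shown as '&'
               'Plain & <value>']                 # no entity present: fully transformed
    for sample in samples:
        print(repr(sample), '->', recon_outcome(sample))
```

Running find_unsafe over an export of Description values from the directory gives the list of accounts that will turn up in a failed recon, which is cheaper than discovering them one CTGIMD106E at a time.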

 

 

 

 

Adapter based event notification is not able to notify IBM Tivoli Identity Manager of updates to an attribute of type DNWithBinary.

Suppose you have extended the adapter to manage an attribute of type DNWithBinary, and USER1 has an attribute of type DNWithBinary, for example otherWellknownObjects, that contains the DN of USER2. If you move or rename USER2, thereby changing its DN, the change is reflected in the otherWellknownObjects attribute of USER1: the "object DN" part of the value that refers to USER2 is updated with the new DN.

Adapter based event notification is not able to identify this change to USER1.

Example:

Consider two users, USER1 and USER2.

USER1's otherWellknownObjects attribute contains

B:32:df447b5eaa5b11d28d5300c04f79ab81: CN=USER2,ou=myou,dc=mydomain,dc=com

If you move USER2 to a different container, say myou2, the DN of USER2 changes to

CN=USER2,ou=myou2,dc=mydomain,dc=com

Active Directory updates USER1's otherWellknownObjects with the new DN of USER2 as

B:32:df447b5eaa5b11d28d5300c04f79ab81: CN=USER2,ou=myou2,dc=mydomain,dc=com

Even though USER1 is modified in this scenario, the modification is not notified by adapter based event notification. The value of the extended attribute is not changed on IBM Tivoli Identity Manager; it still shows the old value, i.e. B:32:df447b5eaa5b11d28d5300c04f79ab81: CN=USER2,ou=myou,dc=mydomain,dc=com

Workaround:

To update the modified user (USER1) on IBM Tivoli Identity Manager in this scenario, perform a lookup for USER1 or a full recon.
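As an added example (not adapter code), the following Python script parses DNWithBinary values of the form shown above and compares the old and new USER1 values, showing that only the DN part changes while the binary part stays the same. The B:<count>:<hex>:<DN> layout is the standard Active Directory DN-With-Binary syntax; the function names and the sample values are assumptions.

```python
"""Parse and compare DNWithBinary values such as the otherWellknownObjects
entries shown above.

Added example, not adapter code. A DNWithBinary value has the form
B:<hex-char-count>:<hex bytes>:<object DN>; the parser splits it into its
parts so that the binary part and the DN part can be compared separately.
"""
import re

# B:<count>:<hex>:<DN>; the count is the number of hexadecimal characters.
DN_WITH_BINARY = re.compile(r'^B:(\d+):([0-9A-Fa-f]*):\s*(.*)$')


def parse_dn_with_binary(value):
    """Return (binary_hex, dn) for a DNWithBinary string, or raise ValueError."""
    match = DN_WITH_BINARY.match(value.strip())
    if not match:
        raise ValueError('not a DNWithBinary value: %r' % value)
    count, hex_part, dn = match.groups()
    if int(count) != len(hex_part):
        raise ValueError('character count %s does not match %d hex digits'
                         % (count, len(hex_part)))
    return hex_part.lower(), dn.strip()


def dn_part_changed(old_value, new_value):
    """True when the binary part is unchanged but the object DN part differs.

    DNs are compared case-insensitively, as Active Directory treats them.
    """
    old_bin, old_dn = parse_dn_with_binary(old_value)
    new_bin, new_dn = parse_dn_with_binary(new_value)
    return old_bin == new_bin and old_dn.lower() != new_dn.lower()


if __name__ == '__main__':
    # Constructed values matching the USER1 example in this section.
    before = 'B:32:df447b5eaa5b11d28d5300c04f79ab81: CN=USER2,ou=myou,dc=mydomain,dc=com'
    after = 'B:32:df447b5eaa5b11d28d5300c04f79ab81: CN=USER2,ou=myou2,dc=mydomain,dc=com'
    print(parse_dn_with_binary(before))
    print('DN part changed:', dn_part_changed(before, after))
```

A comparison like this, run against the value ITIM holds and the value read back from Active Directory, is a cheap way to find the USER1-style objects that need a lookup or a full recon.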

 

 

 

 

 

Adapter based event notification is not able to notify IBM Tivoli Identity Manager of updates when all values of an attribute are deleted directly on Active Directory.

Active Directory treats some attributes differently, for example mail, info, otherWellknownObjects, msRTCSIP-UserPolicy, etc. For such attributes, when all the values of the attribute are deleted from Active Directory, the attribute itself is also removed from the user object.

Because the attribute is removed from Active Directory, adapter based event notification does not identify the deleted attribute, and so IBM Tivoli Identity Manager is not updated.

Workaround:

To clear all values on IBM Tivoli Identity Manager, perform a full recon or a lookup operation.

 

 

 

 

Windows Active Directory Adapter does not support the Replace operation format for the ProxyAddress and UM Addresses (Extensions) attributes when using the unified messaging feature for a mailbox.

The Proxy Address and UM Addresses (Extensions) attributes are treated differently on ITIM, even though both are stored on Windows Active Directory under the same attribute, Proxy Address.

On ITIM, UM Addresses (Extensions) are added in an editable text list. They are stored on Active Directory in the user object under the Proxy Address attribute; on ITIM, however, all extension values are displayed under the UM Addresses (Extensions) attribute.

When the REPLACE operation type is used for Proxy Address, ITIM sends all the newly added values and also the old values that were set for Proxy Address on ITIM with operation type replace (consider the case where the Proxy Address attribute contains no UM Addresses (EUM) on the ITIM account form). In this case, because of an API limitation, the Active Directory Adapter clears all the proxy address values, which in turn also clears the UM Addresses (Extensions) values on Active Directory.

When the ADD/DELETE operation type is used for Proxy Addresses or UM Addresses (Extensions), ITIM sends the values with operation type ADD/DELETE, and the Active Directory adapter adds or deletes the values in the Proxy Address attribute on Active Directory accordingly.

Workaround:

Use the ADD/DELETE operation format for the Proxy Address and UM Addresses (Extensions) attributes when using the unified messaging feature for a mailbox.

 

 

 

 

 

 

Issue with IBM Tivoli Identity Manager while performing Reconciliation/Filtering operation.

IBM Tivoli Identity Manager returns an error during reconciliation/filtering operations for Unified Messaging Mailbox Policies that contain the special characters below.

Special Character      Equivalent XML transformation
< (less-than)          &lt;
> (greater-than)       &gt;

IBM Tivoli Identity Manager returns an error while opening a user's account for modification if the value of the user's Unified Messaging Mailbox Policy attribute (which is presented as a drop-down box) contains the special characters below.

Special Character      Equivalent XML transformation
< (less-than)          &lt;
> (greater-than)       &gt;
" (double-quote)       &quot;
& (ampersand)          &amp;

Example:

If a user's Unified Messaging Mailbox Policy attribute has the value "CN=TestPolicy<1,CN=UM Mailbox Policies,CN=Exchange First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=orion,DC=com", the following error appears on the ITIM form while opening the account for modification.

   CTGIMU552E Error Occurred while communicating with server

   CTGIMU576E An error occurred while trying to retrieve custom form

Workaround:

Avoid the use of the above special characters in Unified Messaging Mailbox Policy names.

 

 

 


Installation and Configuration Notes

See the "IBM Tivoli Identity Manager Adapter Installation Guide" for detailed instructions.

 

Corrections to Installation Guide

The following corrections to the Installation Guide apply to this release:

 

 

1.      Chapter 6. Configuring the adapter for IBM Tivoli Identity Manager -> Configuring event notification -> Modifying an event notification context -> Adding search attributes for event notification

 

One more attribute, erADGroupBasePoint, needs to be added to the list of Reconciliation Attributes Passed to Agent for an event notification context.

 

The valid attributes for the Active Directory Adapter are:

·        erADBasePoint

·        erADGroupBasePoint

·        erADDomainUser

·        erADDomainPassword

 

If you modify these attributes, the new value must be the same as what is entered on the adapter service form. If the field is blank on the service form, you do not have to specify an attribute value.

 

2.      PMR 33834,999,760 - WinADAdapter failed to load exschema.txt at system bootup
Chapter 9. Troubleshooting -> Warnings and error messages -> Table 17

Correction to the Recommended Action for the error message "Error binding to schema container error code. Loading of extended schema attribute attribute name failed."

Error message: Error binding to schema container error code. Loading of extended schema attribute attribute name failed.

Recommended action (existing recommendations are also valid):

When the adapter service is started, the adapter reads exschema.txt and binds to the default domain, i.e. the domain in which the adapter is running, to check the syntax of the specified attributes.

Because checking the syntax of an extended attribute is a one-time process, it is done at startup.

If the adapter fails to bind to the default domain, it will not manage any of the extended attributes.

Ensure that:

  1. At least one domain controller is accessible before starting the Active Directory adapter service.
  2. The user account under which the adapter service is running has permission to read the Active Directory schema.

 

 

3.      Chapter 8. Customizing the Active Directory adapter -> Configuring the CN attribute

When compliance alerts are enabled on IBM Tivoli Identity Manager, the alerts keep firing for the 'cn' attribute of the user account class. This is because the 'cn' attribute in the IBM Tivoli Identity Manager schema is multi-valued, whereas the corresponding 'cn' attribute on Active Directory is single-valued.

A new attribute is added to the schema under the erADAccount class with the following details.

Attribute Name: erADFullName

OID: 1.3.6.1.4.1.6054.3.125.2.159

Description: Custom Common Name attribute

Data type: String

Custom Label: Full name

When compliance alerts on Tivoli Identity Manager are enabled, avoid using the cn attribute on the account form. The issue may occur when non-compliance policy enforcement is set to automatic; there is no issue when compliance alerts on Tivoli Identity Manager are set to manual.

A new registry key, "UseITIMCNAttribute", is introduced to the set of adapter registry keys. Its default value is TRUE. The adapter uses "UseITIMCNAttribute" to decide whether to use the cn or the erADFullName attribute.

When UseITIMCNAttribute = TRUE

-        The adapter processes the IBM Tivoli Identity Manager common schema attribute 'cn' for add, modify, and reconciliation operations.

-        If the attribute 'erADFullName' is found in a request, the adapter fails that attribute without considering its value.

When UseITIMCNAttribute = FALSE

-        The adapter processes the erADFullName attribute for add, modify, and reconciliation operations.

-        If the attribute 'cn' is found in a request, the adapter fails that attribute without considering its value.

 

To use the erADFullName attribute on the account form, modify the profile using one of the following procedures.

                           I.     Modify the erADAccount.xml file in ADprofile.jar and import the new profile on Tivoli Identity Manager

1.      Copy the ADprofile.jar file to a temporary directory, for example C:\Temp.

2.      Extract the contents of the ADprofile.jar file into the temporary directory by running the following commands:

cd C:\Temp

jar -xvf ADprofile.jar

The jar command creates the C:\Temp\ADprofile directory, which holds all the profile files.

3.      From the extracted ADprofile directory, open the erADAccount.xml file in a text editor, make the following modifications, and save the file:

a.      Replace the 'cn' attribute on the account form with the erADFullName attribute.

b.      Change the attribute used for display on the account form to erADFullName for the following attributes:

erADManager

erADEForwardTo

erADEAllowedAddressList

erADERstrctAdrsLs

erADEDelegates

The table below lists the required modifications to the erADAccount.xml file. In each pair, the first line is the element to locate and the second is its replacement: for the cn element the label and name change to eradfullname, and for the other elements the <attribute> value changes from cn to erADFullName.


 

Locate the following line(s) in erADAccount.xml file / Modification required to use erADFullName

Locate:
<formElement direction="inherit" label="$cn" name="data.cn"> <input type="text" size="50" name="data.cn"/>
Replace with:
<formElement direction="inherit" label="$eradfullname" name="data.eradfullname"> <input type="text" size="50" name="data.eradfullname"/>

Locate:
<formElement direction="inherit" label="$eradmanager" name="data.eradmanager"> <searchFilter type="input"> <filter>(&amp;(objectclass&#61;erADAccount)(eraddistinguishedname&#61;*)(!(erisdeleted&#61;Y)))</filter> <base>global</base> <attribute>cn</attribute> <sourceAttribute>erADDistinguishedName</sourceAttribute> <delimiter></delimiter> <size></size> <width>300</width> <objectClass>erADAccount</objectClass> <showQueryUI>false</showQueryUI> <paginateResults>false</paginateResults> </searchFilter> </formElement>
Replace with:
<formElement direction="inherit" label="$eradmanager" name="data.eradmanager"> <searchFilter type="input"> <filter>(&amp;(objectclass&#61;erADAccount)(eraddistinguishedname&#61;*)(!(erisdeleted&#61;Y)))</filter> <base>global</base> <attribute>erADFullName</attribute> <sourceAttribute>erADDistinguishedName</sourceAttribute> <delimiter></delimiter> <size></size> <width>300</width> <objectClass>erADAccount</objectClass> <showQueryUI>false</showQueryUI> <paginateResults>false</paginateResults> </searchFilter> </formElement>

Locate:
<formElement direction="inherit" label="$eradeforwardto" name="data.eradeforwardto"> <searchFilter type="input"> <filter>(&amp;(objectclass&#61;erADAccount)(erADEAlias&#61;*)(erADDistinguishedName&#61;*)(!(erisdeleted&#61;Y)))</filter> <base>global</base> <attribute>cn</attribute> <sourceAttribute>erADDistinguishedName</sourceAttribute> <delimiter></delimiter> <size></size> <width>300</width> <objectClass>erADAccount</objectClass> <showQueryUI>false</showQueryUI> <paginateResults>false</paginateResults> </searchFilter> </formElement>
Replace with:
<formElement direction="inherit" label="$eradeforwardto" name="data.eradeforwardto"> <searchFilter type="input"> <filter>(&amp;(objectclass&#61;erADAccount)(erADEAlias&#61;*)(erADDistinguishedName&#61;*)(!(erisdeleted&#61;Y)))</filter> <base>global</base> <attribute>erADFullName</attribute> <sourceAttribute>erADDistinguishedName</sourceAttribute> <delimiter></delimiter> <size></size> <width>300</width> <objectClass>erADAccount</objectClass> <showQueryUI>false</showQueryUI> <paginateResults>false</paginateResults> </searchFilter> </formElement>

Locate:
<formElement direction="inherit" label="$eradeallowedaddresslist" name="data.eradeallowedaddresslist"> <searchFilter multiple="true" type="select"> <filter>(&amp;(objectclass&#61;erADAccount)(erADEalias&#61;*)(erADDistinguishedName&#61;*)(!(erisdeleted&#61;Y)))</filter> <base>global</base> <attribute>cn</attribute> <sourceAttribute>erADDistinguishedName</sourceAttribute> <delimiter></delimiter> <size></size> <width>300</width> <objectClass>erADAccount</objectClass> <showQueryUI>false</showQueryUI> <paginateResults>false</paginateResults> </searchFilter> </formElement>
Replace with:
<formElement direction="inherit" label="$eradeallowedaddresslist" name="data.eradeallowedaddresslist"> <searchFilter multiple="true" type="select"> <filter>(&amp;(objectclass&#61;erADAccount)(erADEalias&#61;*)(erADDistinguishedName&#61;*)(!(erisdeleted&#61;Y)))</filter> <base>global</base> <attribute>erADFullName</attribute> <sourceAttribute>erADDistinguishedName</sourceAttribute> <delimiter></delimiter> <size></size> <width>300</width> <objectClass>erADAccount</objectClass> <showQueryUI>false</showQueryUI> <paginateResults>false</paginateResults> </searchFilter> </formElement>

Locate:
<formElement direction="inherit" label="$eraderstrctadrsls" name="data.eraderstrctadrsls"> <searchFilter multiple="true" type="select"> <filter>(&amp;(objectclass&#61;erADAccount)(erADEalias&#61;*)(erADDistinguishedName&#61;*)(!(erisdeleted&#61;Y)))</filter> <base>global</base> <attribute>cn</attribute> <sourceAttribute>erADDistinguishedName</sourceAttribute> <delimiter></delimiter> <size></size> <width>300</width> <objectClass>erADAccount</objectClass> <showQueryUI>false</showQueryUI> <paginateResults>false</paginateResults> </searchFilter> </formElement>
Replace with:
<formElement direction="inherit" label="$eraderstrctadrsls" name="data.eraderstrctadrsls"> <searchFilter multiple="true" type="select"> <filter>(&amp;(objectclass&#61;erADAccount)(erADEalias&#61;*)(erADDistinguishedName&#61;*)(!(erisdeleted&#61;Y)))</filter> <base>global</base> <attribute>erADFullName</attribute> <sourceAttribute>erADDistinguishedName</sourceAttribute> <delimiter></delimiter> <size></size> <width>300</width> <objectClass>erADAccount</objectClass> <showQueryUI>false</showQueryUI> <paginateResults>false</paginateResults> </searchFilter> </formElement>

Locate:
<formElement direction="inherit" label="$eradedelegates" name="data.eradedelegates"> <searchFilter multiple="true" type="select"> <filter>(&amp;(objectclass&#61;erADAccount)(erADEalias&#61;*)(erADDistinguishedName&#61;*)(!(erisdeleted&#61;Y)))</filter> <base>global</base> <attribute>cn</attribute> <sourceAttribute>erADDistinguishedName</sourceAttribute> <delimiter></delimiter> <size></size> <width>300</width> <objectClass>erADAccount</objectClass> <showQueryUI>false</showQueryUI> <paginateResults>false</paginateResults> </searchFilter> </formElement>
Replace with:
<formElement direction="inherit" label="$eradedelegates" name="data.eradedelegates"> <searchFilter multiple="true" type="select"> <filter>(&amp;(objectclass&#61;erADAccount)(erADEalias&#61;*)(erADDistinguishedName&#61;*)(!(erisdeleted&#61;Y)))</filter> <base>global</base> <attribute>erADFullName</attribute> <sourceAttribute>erADDistinguishedName</sourceAttribute> <delimiter></delimiter> <size></size> <width>300</width> <objectClass>erADAccount</objectClass> <showQueryUI>false</showQueryUI> <paginateResults>false</paginateResults> </searchFilter> </formElement>

 

 

4.      Run the following commands to create the new jar file:

cd C:\Temp

jar -cvf ADprofile.jar ADprofile

Note: The directory name and profile name are case sensitive; use the same case as shown above.

5.      Import the new ADprofile.jar file on Tivoli Identity Manager.

 

               II.     Use "Form Customization" on Tivoli Identity Manager

 

1.      Modify the account form of Windows Active Directory profile using Form Customization:

2.      Remove the ‘cn’ attribute from the “User” tab

3.      Add the ‘erADFullName’ attribute to the “User” tab

4.      Change the attribute used for display on the account form to erADFullName for the following attributes:

erADManager

erADEForwardTo

erADEAllowedAddressList

erADERstrctAdrsLs

erADEDelegates

 

Refer to the information center or the online help for information about using Form Customization.

 

 

  1. Chapter 5. Installing and uninstalling the Active Directory Adapter with 64-bit Support by using the silent mode.

 

The following note is no longer applicable. Changes have been made to the Windows Active Directory Adapter to suppress the user interface shown during installation of the Microsoft run-time files, so that a silent installation is possible.

 

Note: The adapter installs run time files from Microsoft. The installers for these run times show some user interfaces and you cannot suppress these user interfaces.

 

 

  1. Chapter 4. Troubleshooting the Active Directory Adapter errors -> Active Directory Adapter errors

 

(For IZ67106 - INTERMITTENT 0X80004002 ERRORS WHEN ATTEMPTING TO MANAGE/PROVISION MAILBOXES)

Error message

errorMessage="Unable to contact Exchange services.  ADSI Result code: 0x80004002"

 

Recommended action:

The Exchange provider uses Collaboration Data Objects for Exchange Management (CDOEXM) for a user object. CDOEXM makes use of several static variables whose lifetime lasts until the process ends. These static variables were being reallocated every time CDOEXM was loaded.

Since all CDOEXM work was done within the lifetime of a worker thread, CDOEXM was being loaded and unloaded repeatedly. Under certain conditions, CDOEXM is incorrectly marked as initialized even though it is not fully initialized, so later attempts to use CDOEXM do not succeed.

To avoid this, use the “Thread Pooling” feature of the Windows Active Directory Adapter.

 

Additional information can be found in the section “Configuration Notes -> Enable/Disable UseThreadPooling”.

 

  1. Changing protocol configuration settings -> Table 5. Options for the DAML protocol menu -> Option 'k'

 

Modify Property 'READ_TIMEOUT':

 

Type the timeout value, in seconds, for the connection between IBM Tivoli Identity Manager and the adapter.

 

This applies to setups that have a firewall between IBM Tivoli Identity Manager and the adapter, where the firewall's timeout value is less than the maximum connection age DAML property on IBM Tivoli Identity Manager. When your transactions run longer than the firewall timeout, the firewall terminates the connection. The sudden termination of connections might leave the adapter with incorrect connection threads, causing the adapter to crash.

 

When the adapter crashes randomly because of such a setup, change the value of READ_TIMEOUT. The value must be in seconds and less than the firewall’s timeout value.

 

 

  1. Table 12. Registry key descriptions

 

The registry key “LyncDisableSearch” has been added to allow disabling of the Lync attributes that can significantly affect performance during a search request. Setting this value to “TRUE” causes the Lync attributes that are not stored as LDAP values, and must be retrieved with a PowerShell call, to be excluded from the search results.


  1. Chapter 4. Adapter installation

 

Section "Adapter user account creation"

 

The following paragraph is incorrect:

The account information must be supplied on the Active Directory Adapter service form. See “Creating an adapter service” on page 14 for information about creating a service.

 

Furthermore, you must not supply the account information on the service form. The following two fields on the adapter service form are not used and must be blank:

Administration User Account

Administration User Password

 

-> The adapter user account, used by the adapter to manage AD/Exchange/Lync, must be supplied on the Logon tab of the Windows Adapter Service.

 

  1. Exchange Mailbox Security

 

The Exchange Mailbox security settings for Read and Full access previously used different values, in an attempt to have the default values on the form match those of Exchange. This was confusing and caused issues when the default settings on the Exchange server differed from what the adapter expected. The adapter now uses the same values for all Exchange security settings: 1=Allow, 2=Deny, and 0 or no value=None.

 

 

 

Configuration Notes

 

The following configuration notes apply to this release:

 

NOTE: the “supported configurations” diagrams have been moved into the Installation Guide.

 

NOTE: While processing a user add request, if the ADSI IADsUser::SetPassword call fails to set the password, the adapter deletes the newly created user from Active Directory and fails the user add request. This prevents a user account from being left in Active Directory without a password.

The following corrections to the Installation Guide apply to this release:

 

Prerequisites

 

The Lync interface uses a remote PowerShell session with the Lync 2013 server to manage Lync attributes. This means that it is not necessary to install the Lync management tools on the machine that is running the adapter. However, it does require that the machine running the adapter has PowerShell 2.0 and that the Execution Policy allows local scripts to be run (RemoteSigned or Unrestricted).

 

The Exchange interface now uses a remote PowerShell session with the Exchange 2010 or 2013 server to manage Exchange attributes. This means that it is no longer necessary to install the Exchange management tools on the machine that is running the adapter when managing Exchange 2010 or 2013. However, it does require that the machine running the adapter has PowerShell 2.0 and that the Execution Policy allows local scripts to be run (RemoteSigned or Unrestricted).

 

Exchange 2007 and Exchange 2003 in Co-Existence Mode

The WinAD64 adapter supports Exchange 2007/2003 co-existence mode but Microsoft lists several important limitations. The adapter enforces these same limitations (see Microsoft link below). 

 

-         Exchange 2007 mailboxes must be managed with Exchange 2007 management console or shell.

-         Exchange 2007 mailboxes MUST NOT be managed with Exchange 2003 tools. Note that this is not blocked, but mailboxes managed from Exchange 2003 ADUC will not be fully functional.

-         Exchange 2003 mailboxes can be edited or removed with Exchange 2007 tools, but cannot be created by Exchange 2007 tools.

-         Both Exchange 2003 and Exchange 2007 mailboxes can be moved (in either direction) with the Exchange 2007 tools. The Exchange 2003 Move Mailbox function cannot be used to move mailboxes to or from an Exchange 2007 mailbox server.

 

Based on the above restrictions, the WinAD64 adapter has the following capabilities:

 

-        Exchange 2007 mailboxes can be fully managed

-        Exchange 2003 mailboxes can only be modified. Attempts to create a mailbox on Exchange 2003 will fail.

 

WARNING:  The WinAD64 adapter is not designed to convert mailboxes to 2007 format.

While it is possible for the WinAD64 adapter to move a mailbox from a 2003 mailbox store to a 2007 mailbox store, doing so causes a conversion of the mailbox. The conversion may cause the TIM transaction to time out. Converting mailboxes is not a supported function of the WinAD64 adapter; use the Exchange 2007 tools to convert mailboxes.

 

For additional Exchange information, please refer to Microsoft web-based resources:

http://msexchangeteam.com/archive/2006/10/09/429135.aspx

 

 

Running in Federal Information Processing Standards (FIPS) compliance mode

This release does not support running the adapter in Federal Information Processing Standards (FIPS) mode.

 

Directory NTFS and Share Access

The Agent returns the actual, effective permissions granted to a user and not the specific access assigned to the user account. For example, if the directory grants FULL permission to the Everyone group but only CHANGE permission to the user's account, a reconciliation request will return the account access permission as FULL. Therefore, it is necessary to properly define the policies local to the managed resource prior to using Tivoli Identity Manager to prevent these types of conflicts.

 

Expiration Date

Per Microsoft's documentation, the Active Directory Users and Computers MMC snap-in displays the account expiration date as one day earlier than the date contained in the accountExpires attribute. The Tivoli Identity Manager Server displays the value contained in the accountExpires attribute.

 

Password Properties

The password properties are specific to the account. However, these properties can be overridden by the security policies of the managed resource (Domain Controller Security Policies, Domain Security Policies, and Local Security Policies).

 

Setting Language Preference for Accounts

The Languages attribute (eradelanguages) is an Exchange attribute. If using a configuration without Exchange, setting this attribute will return a warning.  Do not confuse this attribute with (eradlanguages) which is an account attribute and is not included on the default account form.

 

Log Message: Error More Data

NOTE: If a reconciliation is run while the Active Directory server is under load, a message saying “Error_More_Data” may appear in the WinAD Adapter log. The adapter is designed to retry the query three times before terminating the reconciliation. See the Microsoft Knowledge Base article below for more information.

 

When the IDirectorySearch::GetNextRow function returns S_ADS_NOMORE_ROWS, it may not have retrieved all the data from the server. In some cases, S_ADS_NOMORE_ROWS is returned by GetNextRow function when the server was unable to find an entry that matched the search criteria within a predefined two-minute time limit. This two-minute time limit is defined by means of an LDAP policy.

 

If the server exceeds the two-minute time limit, it returns an LDAP cookie in the response so that you can restart the search where it left off. Inefficient searches and heavily loaded systems can cause the server to exceed the time limit. When the server cannot find an efficient index to search, the server may have to apply the filter to every object in the directory, in which case it can run through many entries and not find a match within the two-minute time limit.

 

Therefore, when returning S_ADS_NOMORE_ROWS, ADSI also sets an extended error code, which can be queried using the ADsGetLastError function. If ADsGetLastError returns ERROR_MORE_DATA, the server has not completed the query and the caller must call GetNextRow again.

 

The AD Agent code is structured according to the logic above, as Microsoft has advised: it attempts to get data from the paged result in a maximum of three attempts. If the AD Agent is running on the AD server itself, moving the AD Agent to a different machine would take some load off the AD server.

 

In addition, Microsoft has provided an article on how to configure the LDAP policy to customize Active Directory searches: http://support.microsoft.com/kb/315071/EN-US/.
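The GetNextRow/ADsGetLastError contract described above, and the adapter's three-retry limit, as an added simulation (this is illustrative code, not the adapter's own; the search handle is a stand-in for IDirectorySearch, the sentinel values do not reproduce the real ADSI codes, and the sample DNs are constructed). It shows why an early S_ADS_NOMORE_ROWS must not be taken as the end of the result set until the extended error has been checked:

```python
# Added example (not the adapter's own code): a simulation of the
# IDirectorySearch::GetNextRow / ADsGetLastError contract described above,
# with the adapter's documented limit of three retries on ERROR_MORE_DATA.
from typing import List, Tuple

# Unique sentinels standing in for the ADSI return/extended-error codes; the
# real numeric values are deliberately not reproduced here.
S_ADS_NOMORE_ROWS = object()
ERROR_MORE_DATA = "ERROR_MORE_DATA"
ERROR_SUCCESS = "ERROR_SUCCESS"
MAX_RETRIES = 3  # the adapter retries the query three times before terminating

# Constructed sample result set: ten account DNs.
SAMPLE_ROWS = [f"CN=user{i},OU=Test,DC=example,DC=com" for i in range(1, 11)]


class SimulatedDirectorySearch:
    """Stand-in for an ADSI search handle against a loaded domain controller.

    Every `rows_per_timeout` rows the simulated server hits its two-minute
    LDAP time limit: GetNextRow returns S_ADS_NOMORE_ROWS early and the
    extended error is ERROR_MORE_DATA, meaning the result set is incomplete.
    rows_per_timeout=0 models an unloaded server that never times out.
    """

    def __init__(self, rows: List[str], rows_per_timeout: int = 0):
        self._rows = rows
        self._pos = 0
        self._per_timeout = rows_per_timeout
        self._since_timeout = 0
        self._last_error = ERROR_SUCCESS

    def get_next_row(self):
        more_pending = self._pos < len(self._rows)
        if self._per_timeout and self._since_timeout == self._per_timeout and more_pending:
            # Time limit reached with rows still unread: early NOMORE_ROWS.
            self._since_timeout = 0
            self._last_error = ERROR_MORE_DATA
            return S_ADS_NOMORE_ROWS
        if not more_pending:
            # Genuine end of the result set: no extended error.
            self._last_error = ERROR_SUCCESS
            return S_ADS_NOMORE_ROWS
        row = self._rows[self._pos]
        self._pos += 1
        self._since_timeout += 1
        self._last_error = ERROR_SUCCESS
        return row

    def ads_get_last_error(self) -> str:
        return self._last_error


class ReconciliationAborted(Exception):
    """Raised when the server is still busy after MAX_RETRIES retries."""


def fetch_all_rows(search: SimulatedDirectorySearch,
                   max_retries: int = MAX_RETRIES) -> Tuple[List[str], List[str]]:
    """Drain a search the way the release notes describe.

    On S_ADS_NOMORE_ROWS the extended error decides: ERROR_MORE_DATA means
    call GetNextRow again (counted as a retry, logged as "Error_More_Data");
    anything else means the result set is complete.  Returns (rows, log).
    """
    rows: List[str] = []
    log: List[str] = []
    retries = 0
    while True:
        result = search.get_next_row()
        if result is not S_ADS_NOMORE_ROWS:
            rows.append(result)
            continue
        if search.ads_get_last_error() != ERROR_MORE_DATA:
            return rows, log
        retries += 1
        log.append("Error_More_Data")
        if retries > max_retries:
            raise ReconciliationAborted(
                f"server still busy after {max_retries} retries; "
                f"{len(rows)} rows were read")


def reconciliation_succeeds(search: SimulatedDirectorySearch) -> bool:
    """True if the search drains completely, False if it is terminated."""
    try:
        fetch_all_rows(search)
        return True
    except ReconciliationAborted:
        return False


if __name__ == "__main__":
    got, messages = fetch_all_rows(SimulatedDirectorySearch(SAMPLE_ROWS, rows_per_timeout=4))
    print(f"{len(got)} rows read after {len(messages)} Error_More_Data retries")
```

With a timeout every four rows the ten-row search needs two retries and completes; with a timeout every two rows it needs four, exceeding the limit, so the reconciliation is terminated with the rows read so far discarded.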

 

Use new Win2003 ADSI API for managing WTS attributes

The agent uses either the WTS ADSI APIs or the old-style WTS APIs to set or retrieve WTS attributes. The agent first tries the WTS ADSI APIs; if it fails to obtain the interface or the attribute is not supported, it falls back to the old-style WTS APIs.

If the agent is running on Windows 2003, it uses the WTS ADSI APIs. On Windows 2000 it uses the old-style WTS APIs.

 

The log shows which WTS APIs the agent is using. The following attributes are not supported by the WTS ADSI APIs; they are set using the old-style WTS APIs on both Windows 2000 and Windows 2003:

-        Inherit Initial Program

-        WTS Callback Settings

-        WTS Callback Number

-      WTS Remote Home Directory

 

If debug logging is enabled, the agent log shows lines like:

 

-        Start using extended interface for WTS Attributes for getting WTS attribute.

-        Start using extended interface for WTS Attributes for setting WTS attribute.

-        End using extended interface for WTS Attributes for setting WTS attribute.

-        End using extended interface for WTS Attributes for getting WTS attribute.

 

This means the agent is using the WTS ADSI APIs.

 

If the log shows lines like:

 

-        Using old style API for WTS Attributes for getting WTS attribute

-        Using old style API for WTS Attributes for setting WTS attribute

 

This means the agent is using the old-style WTS APIs.

 

Support for LastLogonTimeStamp Attribute

The lastLogonTimeStamp attribute is available on Windows 2003 domain functional level and is replicated. The default replication interval is 14 days. You can configure the replication policy on Active Directory to increase the default replication interval for this attribute so that this attribute can be used as a basis for Dormant Account reporting.

 

Note: The attribute erADLastLogonTimeStamp is not visible on the account form by default. To display it on the account form, form customization is required.

 

Upgrading from TIM v4.6

(Applicable only for setups using Windows Active Directory Profile shipped with Adapter-WinAD-4.6.22)

 

If you are upgrading from IBM Tivoli Identity Manager v4.6 and have the Windows Active Directory profile shipped with Adapter-WinAD-4.6.22 (build 4.6.1024) imported, you must change the OID of the erADExDialin attribute before upgrading to v5.1. The profile shipped with Adapter-WinAD-4.6.22 defines the erADExDialin attribute using OID “1.3.6.1.4.1.6054.3.125.2.138”. The OID of this attribute was later changed to “1.3.6.1.4.1.6054.3.125.2.145” to be compatible with the Windows Active Directory x64 Adapter.

 

Perform the following steps before upgrading to v5.1:

1. Stop the IBM Tivoli Identity Manager Server.

2. Stop the IBM Tivoli Directory Server Instance (LDAP service).

3. Locate the V3.modifiedschema file under the IBM Tivoli Identity Manager LDAP instance home directory.

4. Create a backup of the V3.modifiedschema file, for example V3.modifiedschema.backup.

5. With a text editor, open the V3.modifiedschema file and locate the "1.3.6.1.4.1.6054.3.125.2.138" string.

6. Replace "1.3.6.1.4.1.6054.3.125.2.138" with "1.3.6.1.4.1.6054.3.125.2.145"

7. Save the file V3.modifiedschema and exit the editor.

8. Start the IBM Tivoli Directory Server Instance (LDAP service).

9. Start the IBM Tivoli Identity Manager Server.

 

 

Solving Replication Delay while Adding Mailbox on Exchange 2007

When you request a user account on Active Directory with mail status on Exchange 2007, the create-mailbox or mail-enable operation on the newly created user account might fail with the error message "User does not exist". This is due to replication delay: Exchange 2007 may not find the user account when the Domain Controller it queries is not the one on which the account was created.

 

The solution here is to target both the following operations to the same Domain Controller:

-        Create User account operation.

-        Exchange 2007 operation, to either mailbox enable or mail-enable the user account.

 

To specify a target server, use the 'Users Base Point DN' on IBM Tivoli Identity Manager’s Active Directory profile service form. The Base Point must contain the name of the Domain Controller.

 

Example

Users Base Point DN: DC01/ou=Test,dc=MyDomain,dc=com.

 

For more information on how to specify Users Base Point DN please refer to Configuring the Users Base Point for the adapter in Active Directory Adapter with 64–bit Support User Guide.

 

New Features in 5.1.3 Release

  1. MR1010083842 - Enhancement to support Managed Folder Mailbox Policy in WinAD 64bit Adapter. MR0421092235 - WinAD: Client needs support for msExchMailboxTemplateLink MS Exchange attribute.

The adapter is enhanced to support msExchMailboxTemplateLink Exchange attribute. The adapter will now, along with user, group, container, and mailbox store entries, also reconcile Folder Mailbox Policies created on Exchange 2007 Servers.

A new support data object class erADMBFldPolicy is added to Windows Active Directory profile schema. The erADAccount class now has a new attribute erADEMailboxFolderPolicy, on the ‘Mail Settings’ tab of account form with label “Managed Folder Mailbox Policy” and a search widget. This attribute maps to msExchMailboxTemplateLink attribute on Active Directory. The erADEMailboxFolderPolicy attribute holds the DN of the Folder Mailbox Policy assigned to the mailbox. When an account is viewed on account form, the name of the Folder Mailbox Policy set for the mailbox is displayed. For an ADD/MODIFY user request, the DN of the selected Folder Mailbox Policy is provided to the adapter.

 

To reconcile Folder Mailbox Policies the adapter binds to the RootDSE of the domain in which it is installed. The object class erADMBFldPolicy is supported for Adapter Based Filtering but not for Adapter Based Event Notification.

A Full Reconciliation or Support Data Reconciliation must be performed to get the Folder Mailbox Policies from Active Directory.

 

  1. MR052609514 - customer wants to use the extend attribute transformed the name on itim side using the AD 5.0.5 adapter on ITIM 4.6 Server.

The adapter now supports mapping of attribute names for extended attributes. With this enhancement a different attribute name can be used on IBM Tivoli Identity Manager than the attribute name on Active Directory.

As before, the exschema.txt file is used to specify the extended attributes. To use a different attribute name on IBM Tivoli Identity Manager than on Active Directory, specify the attribute in the exschema.txt file in the following format:

Attribute name on IBM Tivoli Identity Manager followed by a pipe ‘|’ and then followed by the attribute name on Active Directory.

For example,

erADUserInfo|info

 

As before there should be only one attribute on each line.

If you wish to use the same attribute name on IBM Tivoli Identity Manager as on Active Directory, use the existing format, that is, just give the Active Directory attribute name.

For example,

Info

Or

Info|Info

 

Both the above forms are valid, use either one.

 

Note:

-        When you use a different attribute name for IBM Tivoli Identity Manager ensure that the attribute name rules, as defined by the Directory Server used, are followed.

-        The attribute name must not have a ‘|’ in the attribute name.
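A parser for the exschema.txt format described above, as an added example (this is not the adapter's own code). The two documented rules are enforced: one attribute per line, and no '|' inside an attribute name. The attribute-name pattern is an assumption standing in for "the attribute name rules of the Directory Server used", and the sample file content is constructed (only erADUserInfo|info comes from the notes):

```python
# Added example (not the adapter's own code): a parser for the exschema.txt
# mapping format described above, with the documented rules enforced.
import re
from typing import Dict

# Assumed attribute-name rule: an LDAP descriptor per RFC 4512 (a letter
# followed by letters, digits or hyphens).  Your directory server's actual
# naming rules take precedence; adjust the pattern accordingly.
ATTRIBUTE_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


class ExschemaError(ValueError):
    """A line of exschema.txt violates the documented format."""


def parse_exschema(text: str) -> Dict[str, str]:
    """Return a mapping {ITIM attribute name: Active Directory attribute name}.

    Accepted line forms (one attribute per line):
        info                 -> same name on both sides
        erADUserInfo|info    -> ITIM name, a pipe, then the AD name
    Blank lines are skipped (an assumption; the notes do not mention them).
    """
    mapping: Dict[str, str] = {}
    seen_lower = set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split("|")
        if len(parts) == 1:
            itim_name = ad_name = parts[0]
        elif len(parts) == 2:
            itim_name, ad_name = parts
        else:
            # Rule from the notes: the attribute name must not contain '|'.
            raise ExschemaError(f"line {lineno}: attribute names must not contain '|'")
        for name in (itim_name, ad_name):
            if not ATTRIBUTE_NAME.match(name):
                raise ExschemaError(f"line {lineno}: {name!r} is not a valid attribute name")
        # Added sanity check (not stated in the notes): LDAP attribute names are
        # case-insensitive, so two lines defining the same ITIM name would clash.
        if itim_name.lower() in seen_lower:
            raise ExschemaError(f"line {lineno}: duplicate ITIM attribute {itim_name!r}")
        seen_lower.add(itim_name.lower())
        mapping[itim_name] = ad_name
    return mapping


def is_valid_exschema(text: str) -> bool:
    """True if the whole file parses, False if any line is rejected."""
    try:
        parse_exschema(text)
        return True
    except ExschemaError:
        return False


# Constructed sample file content; 'erADUserInfo|info' is the notes' own
# example, the other attribute names are made up for illustration.
SAMPLE_EXSCHEMA = """\
erADUserInfo|info
departmentNumber
erADCarLicense|carLicense
"""

if __name__ == "__main__":
    for itim, ad in parse_exschema(SAMPLE_EXSCHEMA).items():
        print(f"{itim:20} -> {ad}")
```

Validating the file before the adapter reads it catches a stray second pipe or an invalid name at configuration time rather than as a failed reconciliation.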

 

  1. MR0928094723 - Delay in Exchange cmdlets for mailbox permission

The adapter is enhanced to allow a configurable delay between setting successive Exchange 2007 Mailbox Permission attributes. In some Exchange 2007 setups the adapter might not set the mailbox permission attributes properly: if four of the mailbox permission attributes are modified, the request completes with SUCCESS but only the last permission attribute in the request takes effect. The adapter also logs any failure message returned from the Exchange setup.

A new registry key “SetMailboxPermissionDelay” is introduced to the set of adapter registry keys.

The default value of this key is 0 (zero) seconds. With the default value, no delay is introduced when setting mailbox permission attributes.

 

If you experience a similar issue, where only the last of the modified mailbox permission attributes is set although the request completes with SUCCESS, make use of the registry key SetMailboxPermissionDelay. Set this registry key to a non-zero integer value using the agentCfg utility. The adapter waits for the number of seconds specified by the key. A value of 20 seconds for SetMailboxPermissionDelay typically resolves the issue.

 

The adapter works as follows when it comes to setting mailbox permission attributes:

1.      Check if the Permission attribute requested is already set (say as Allow or Deny)

a.      If yes, remove the permission set using Remove-MailboxPermission cmdlet.

b.      Wait for the number of seconds specified for SetMailboxPermissionDelay.

2.      Add the permission, if required, using Add-MailboxPermission.

3.      Wait for the number of seconds specified for SetMailboxPermissionDelay before going to next permission attribute in the request.

 

Please see the following cases for more detail:

Assuming that the registry key SetMailboxPermissionDelay is set to 20 seconds.

 

CASE 1:

Assume all the Exchange mailbox permission attributes are set to “NONE” for a mailbox. You wish to modify all the permission attributes to “Allow” or “Deny”. As per the procedure described above, the total delay incurred by the adapter can be calculated as:

 

Total delay = (Value of registry key SetMailboxPermissionDelay) * (Total number of permission attributes in the request) * (Number of cmdlets executed by the adapter for a permission attribute)

 

In this case, since there is no permission set previously so only Add-MailboxPermission will be executed for each permission attribute in the request.

That is,

Total delay = 20 * 6 * 1 = 120 seconds.

 

The above is also applicable when a new mailbox is created with all the permission attributes set to “ALLOW” or “DENY”. 

 

CASE 2 (worst case):

Assume all the exchange mailbox permission attributes are set to “ALLOW” for a mailbox. You wish to modify all the permission attributes to “DENY”.  As per the procedure described above, the total delay incurred by the adapter can be calculated as:

 

Total delay = (Value of registry key SetMailboxPermissionDelay) * (Total number of permission attributes in the request) * (Number of cmdlets executed by the adapter for a permission attribute)

 

In this case, the permissions are set previously so both Remove-MailboxPermission and Add-MailboxPermission will be executed for each permission attribute in the request.

That is,

Total delay = 20 * 6 * 2 = 240 seconds.

 

The above also applies when all the Exchange mailbox permission attributes are set to both “ALLOW” and “DENY” and you want to set them all to “NONE”. Here the adapter executes two Remove-MailboxPermission PowerShell cmdlets per attribute, removing “DENY” first and then “ALLOW”. So for each attribute two PowerShell cmdlets are executed.
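The three-step procedure and the delay formula above, as an added model (illustrative code, not the adapter's own). It replays the Remove-/Add-MailboxPermission sequence for a request and totals the waits, reproducing CASE 1, CASE 2 and the ALLOW+DENY to NONE variant; the six attribute names are constructed placeholders, since the notes give their count but not their names:

```python
# Added example (not the adapter's own code): a model of the
# Remove-/Add-MailboxPermission sequence described above that totals the wait
# a given SetMailboxPermissionDelay value produces for a request.
from typing import Dict, List, Set, Tuple

ALLOW, DENY, NONE = "Allow", "Deny", "None"

# Constructed placeholder names: the release notes say there are six mailbox
# permission attributes but do not list them here.
PERMISSION_ATTRIBUTES = [f"permissionAttribute{i}" for i in range(1, 7)]


def plan_permission_changes(current: Dict[str, Set[str]],
                            requested: Dict[str, str],
                            delay_seconds: int) -> Tuple[List[str], int]:
    """Return (cmdlets the adapter would run, in order; total wait in seconds).

    current:   attribute -> rights already set on the mailbox, e.g. set(),
               {'Allow'}, {'Deny'} or {'Allow', 'Deny'}.
    requested: attribute -> 'Allow', 'Deny' or 'None'.
    Every cmdlet is followed by one wait of delay_seconds, so the total is
    delay * (number of cmdlets), which is the formula given in the notes.
    """
    cmdlets: List[str] = []
    total = 0
    for attribute, wanted in requested.items():
        if wanted not in (ALLOW, DENY, NONE):
            raise ValueError(f"{attribute}: unknown value {wanted!r}")
        # Step 1a/1b: anything already set is removed first, one
        # Remove-MailboxPermission per existing right, each followed by a wait.
        # When both rights are present the notes say DENY is removed before ALLOW.
        for existing in sorted(current.get(attribute, set()), reverse=True):
            cmdlets.append(f"Remove-MailboxPermission ({attribute}: {existing})")
            total += delay_seconds
        # Step 2/3: add the requested right, if any, then wait before moving
        # on to the next permission attribute in the request.
        if wanted != NONE:
            cmdlets.append(f"Add-MailboxPermission ({attribute}: {wanted})")
            total += delay_seconds
    return cmdlets, total


def total_delay_all_attributes(current_rights: Set[str], requested: str,
                               delay_seconds: int = 20) -> int:
    """Total wait when every one of the six attributes starts with
    `current_rights` and is changed to `requested`."""
    current = {a: set(current_rights) for a in PERMISSION_ATTRIBUTES}
    wanted = {a: requested for a in PERMISSION_ATTRIBUTES}
    return plan_permission_changes(current, wanted, delay_seconds)[1]


if __name__ == "__main__":
    print("CASE 1 (NONE -> ALLOW):      ", total_delay_all_attributes(set(), ALLOW), "s")
    print("CASE 2 (ALLOW -> DENY):      ", total_delay_all_attributes({ALLOW}, DENY), "s")
    print("ALLOW+DENY -> NONE:          ", total_delay_all_attributes({ALLOW, DENY}, NONE), "s")
```

Running it gives 120 seconds for CASE 1, 240 for CASE 2 and 240 for clearing attributes that carry both rights, which is useful when sizing the transaction timeout on the Identity Manager side before raising SetMailboxPermissionDelay.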

  1. IZ61122- PATH TO EXCHANGE TOOLS IN AD ADAPTER SHOULD BE CONFIGURABLE

The adapter setup includes a C# COM library, Exchg2k7.dll, to perform Exchange 2007 specific operations. The library Exchg2k7.dll depends on a few Microsoft Exchange 2007 libraries. To locate these dependent libraries it used a default hard-coded path:

“C:\Program Files\Microsoft\Exchange Server\bin\”

When the Exchange server/tools are not installed at this default path, some of the Exchange 2007 features provided by the adapter fail.

To overcome this, the adapter is modified to find the Exchange server/tools installation path from the Windows registry value “\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Exchange\v8.0\Setup\MsiInstallPath”.

The path given by this registry value is now used to locate the dependent Microsoft Exchange 2007 libraries. If the adapter fails to find the registry value, it uses the default installation path “%ProgramFiles%\Microsoft\Exchange Server\bin\”.

Here "ProgramFiles" is the folder path to the Windows Program Files directory.

 

  1. MR0218091930 - unlock WinAD account without password reset.

 

The adapter functionality is enhanced to check the user account’s lock status on Active Directory and accordingly succeed or fail an account lock or unlock request. This makes it possible to determine the account’s status without a reconciliation or event notification.

The adapter behaves as follows:

1.      When a user lock request is submitted from IBM Tivoli Identity Manager and if the account is already locked on Active Directory, then the adapter will succeed the account lock request.

2.      When a user lock request is submitted from IBM Tivoli Identity Manager and if the account is un-locked on Active Directory, then the adapter will fail the account lock request.

3.      When a user unlock request is submitted from IBM Tivoli Identity Manager, then the adapter will succeed the account unlock request. This holds true regardless of whether the account is locked or unlocked on Active Directory.

Note: You cannot lock an account on Active Directory externally. Active Directory locks an account after a set number of failed logon attempts.

 

  1. IZ52976 - WINAD GROUP MEMBERSHIP MODIFICATION FAILS IF GROUP CONTAINS # AND ADAPTER IS SET TO USE CN FOR GROUP

 

The adapter’s reconciliation and event notification functionality is modified to return the un-escaped value for the erGroup attribute when the registry key UseGroup is set to CN.

 

 

Enable/Disable “UseThreadPooling”

 

IZ67106 - INTERMITTENT 0X80004002 ERRORS WHEN ATTEMPTING TO MANAGE/PROVISION MAILBOXES

 

There is an issue in the Microsoft CDOEXM library used by the Windows Active Directory Adapter to perform Exchange tasks. A ticket was also opened with Microsoft for it, Case ID "SRZ080104000181".

The agent is redesigned as described in the Microsoft case: the adapter now implements a thread pool. A predefined number of threads (12) is created when the adapter starts and used to perform all operations. These threads are destroyed only when the adapter itself is stopped.

A new registry key "UseThreadPooling" is introduced. By default this key is set to "FALSE" so that existing customers are not affected.

When UseThreadPooling is set to TRUE, Thread Pooling is enabled: all threads are initialized at the start of the Agent service and uninitialized when the Agent service stops.

When UseThreadPooling is set to FALSE, Thread Pooling is disabled. In this case threads are created and destroyed per request.

 

Thread Pooling can be used in the following scenarios:

1.     If you are experiencing high memory usage then set this key to "TRUE".

2.     If you are experiencing the following error message during Exchange-related operations:

errorMessage="Unable to contact Exchange services.  ADSI Result code: 0x80004002"

 

Updating the Windows Active Directory Adapter

 

a)     Updating Windows Active Directory Adapter in GUI mode

 

Use the adapter update option:

·        If you want to keep the adapter configuration (registry keys and certificates) unchanged.

 

If update installation option is selected, the installer detects the path of the existing installed adapter. If no prior installation of the adapter is found on the system, the installer will display an error message. The installer replaces the binaries and the DLLs of the adapter and the ADK. The installer does not prompt for any configuration information during an update installation.

 

Note: Adapter related registry keys are not modified. The update installation does not create a new service for the adapter.

 

During an update, in order to maintain all of your current configuration settings, as well as the certificate and private key, do not uninstall the old version of the adapter before installing the new version. For more information on how to install the adapter, see "Installing the adapter" in the Installation Guide.

 

In order to update an existing adapter, complete the following steps:

1.      If you downloaded the installation software from Passport Advantage, perform the following steps:

a.      Create a temporary directory on the computer on which you want to install the software.

b.      Extract the contents of the compressed file into the temporary directory.

2.      Start the installation program with the SetupAD64.exe file in the temporary directory.

3.      Select the language and click OK to display the Introduction window.

4.      On the Introduction window, click Next to view the Software License Agreement.

5.      Do the following at the Software License Agreement window:
- Review the license agreement and select Accept.
- Click Next.

6.      Select the Update installation option and click Next.

Note: The adapter must already exist if you want to perform an update installation. If it does not exist, the software generates the following message:

Update not supported when the adapter is not previously installed.

Cannot perform Update Installation. IBM Tivoli Windows Active Directory Adapter (64 Bit) is not installed on this machine. Please select Full Installation.

7.      The installer displays the path of the adapter installation that will be updated. Click OK to view the Pre-Installation Summary.

8.      Review the installation settings on the Pre-Installation Summary window and click Install.

9.      Click Done on the Install Complete window.

 

 

b)     Updating Windows Active Directory Adapter by using silent mode

 

You can use the -i silent option to update the adapter in silent mode.

 

Note:

- If you install the adapter in silent mode, the uninstaller runs in silent mode regardless of whether you use the -i silent option.

 

Installing the adapter with command line parameters

 

You can use any of the following commands to perform update installation of the adapter in silent mode.

                                   

1.      SetupAD64.exe -i silent -DLICENSE_ACCEPTED=TRUE -DUSER_INPUT_INSTALL_TYPE_1= -DUSER_INPUT_INSTALL_TYPE_2=\"Update Installation\" -DUSER_INPUT_INSTALL_TYPE_BOOLEAN_1=0 -DUSER_INPUT_INSTALL_TYPE_BOOLEAN_2=1

                         

2.      SetupAD64.exe -i silent -DLICENSE_ACCEPTED=TRUE -DUSER_INPUT_INSTALL_TYPE_BOOLEAN_1=0 -DUSER_INPUT_INSTALL_TYPE_BOOLEAN_2=1

                         

Note:

1.      The installer detects whether the adapter is already installed on the system on which the command is run by checking the adapter registry keys. The installer proceeds with updating the adapter only if it detects a prior installation. If no prior installation is found, the installation is aborted and a log file named

IBM_Tivoli_Windows_Active_Directory_Adapter_(64_Bit)_InstallLog

containing this information is generated on the Desktop.

2.      When performing an Update Installation, the -DUSER_INSTALL_DIR parameter must never be used.

                                   

Updating the adapter in silent mode by using the response file

                                   

Generating the response file

You can use a response file to provide inputs during silent installation. The response file can be generated by running the following command:

SetupAD64.exe -r "Full path of response file"

For example:

SetupAD64.exe -r "C:\Temp\WinAD64AdapterResponse.txt"

This runs the installer in interactive mode and installs the adapter. After the installation completes, the file specified as "Full path of response file" is created and contains the required parameters.

                                                                                               

Note:

If you are running this command to only generate the response file, you must uninstall the adapter by using the uninstaller.

                                   

Creating the response file manually

You can also manually create the response file and add the required parameters to the file.

                                               

Create a text file, for example WinAD64InstallParameters.txt, with the following content:

 

#Has the license been accepted
#-----------------------------
LICENSE_ACCEPTED=TRUE

#Select Install Type
#-------------------
USER_INPUT_INSTALL_TYPE=\"\",\"Update Installation\"
USER_INPUT_INSTALL_TYPE_1=
USER_INPUT_INSTALL_TYPE_2=Update Installation
USER_INPUT_INSTALL_TYPE_BOOLEAN_1=0
USER_INPUT_INSTALL_TYPE_BOOLEAN_2=1

                                   

After you create the response file, you can use it to provide parameters to the installer for updating the adapter in silent mode:

SetupAD64.exe -i silent -f "Full path of response file"

For example:

SetupAD64.exe -i silent -f "C:\WinAD64InstallParameters.txt"

                       

 

Note: Restart the workstation after you install or uninstall the adapter.

 

MR110509300 - MR0908095421 - AD agent Exchange server 2010 support

 

With this release the adapter supports provisioning of mailbox-enabled and mail-enabled users on Exchange Server 2010.

The procedure to mailbox-enable or mail-enable a user account using IBM Tivoli Identity Manager remains the same as with Exchange Server 2007.

-        To mailbox-enable a user account, an Exchange 2010 mailbox store must be selected for the Mailbox Store attribute on the account form. Optionally you can also specify a value for the Alias attribute to use as the preferred alias.

-        To mail-enable a user account, specify a value for the Target Address attribute on the account form. Optionally you can also specify a value for the Alias attribute to use as the preferred alias.

 

Note: The adapter uses the value of the User Principal Name (UPN) attribute as the Identity parameter for all cmdlets used to provision user accounts.

 

The alias attribute value can contain:

·        Characters from A to Z (lowercase and uppercase)

·        Digits from 0 to 9

·        Special characters like ` ~ ! # $ % ^ & * - _ = + { } | ' , / ?

·        One or more periods may be embedded in an alias, but each of them must be preceded and followed by at least one of the other characters.

 

The alias attribute value cannot contain:

·        Special characters like @ ( ) [ ] \ ; : " < >

·        Space

 

When no alias value is specified while mailbox-enabling or mail-enabling a user account, the Exchange server uses the value of the Common Name (cn) attribute as the alias. The cn attribute can contain all special characters, some of which are not allowed in the alias; in this case each character that is not allowed is replaced with a question mark (?) in the alias value.

Proxy addresses are generated based on the alias value.

 

Mixed setups where Exchange Server 2007 SP2 and Exchange Server 2010 exist in the same organization:

-        Using Exchange Server 2010, new mailboxes cannot be created on an Exchange 2007 mailbox store.

-        Mailboxes which are created on Exchange 2007 mailbox stores can be managed using Exchange Server 2010.

-        A mailbox which is created on an Exchange 2007 mailbox store can be moved to Exchange 2010 mailbox store and vice versa.

 

Understanding Move Requests

 

The adapter supports only local mailbox moves, that is, moves within the same forest. Cross-forest mailbox moves (remote moves) are not supported. Because a mailbox move is asynchronous in Exchange 2010, the adapter only submits a local move request using the New-MoveRequest cmdlet and does not wait for the move to complete. The status of submitting the move request is returned for the Mailbox Store attribute.

Exchange Server 2010 retains the mailbox move requests, even when the move job is completed. When a move request already exists for a mailbox, you cannot move the mailbox again until the move request is removed.

 

For more detail on the mailbox move requests, please follow the Microsoft link:

http://technet.microsoft.com/en-us/library/dd298174.aspx

 

 

Currently the adapter does not support any new Exchange Server 2010 feature, except for submitting a move request to move a mailbox while the end user is still accessing it.

The following features are not supported by the adapter:

·        Archive Mailbox

·        Management of the following Mailbox settings

- Federated Sharing

- Archive Quota

- Mailbox Calendar Settings

·        Getting the status of mailbox move requests.

·        Removing move requests.

·        Ability to appoint a moderator to regulate the flow of messages sent to a distribution group.

·        Ability to manage folder-level permissions for all folders within a user's mailbox.

 

Mail-Enable AD Groups

 

The adapter is enhanced to mail-enable Active Directory groups (also known as distribution groups).

A mail-enabled group (distribution-group) represents a collection of recipient objects. Its purpose is to speed up the distribution of messages to multiple e-mail addresses.

 

With this enhancement the adapter supports the following new group management features:

·        Mail-enable a Universal group

·        Mail-disable already mail-enabled group.

 

Note: Using Exchange 2007 or Exchange 2010, only the following group types can be mail-enabled:

- Security Group - Universal

- Distribution Group – Universal

 

Profile Changes:

The erADGroup object class is extended to include new optional attributes to hold values for group exchange attributes. Following are the new attributes and their corresponding object IDs and group form labels:

 

Attribute Name                   OID                             Label
erADEGroupAlias                  1.3.6.1.4.1.6054.3.125.2.169    Alias
erADEGroupAutoGenEmailAddrs      1.3.6.1.4.1.6054.3.125.2.170    Auto Generate Email Address
erADEGroupHideFromAddrsBk        1.3.6.1.4.1.6054.3.125.2.171    Hide From Address Book
erADEGroupProxyAddresses         1.3.6.1.4.1.6054.3.125.2.172    Proxy Addresses
erADEGroupShowInAddrBook         1.3.6.1.4.1.6054.3.125.2.173    Member of Address Book

 

The group form is modified to include the following tabs:

·        Group General

·        Group Mail

 

All the existing group attributes are moved to Group General Tab. Group Mail tab holds the above listed new attributes.

 

To Mail-Enable Groups:

To mail-enable a Universal group, specify a value for the Alias attribute on the Group Mail tab of the group form. When a group is mail-enabled, Exchange attributes are added to the group object in Active Directory.

 

The alias attribute value can contain:

·        Characters from A to Z (lowercase and uppercase)

·        Digits from 0 to 9

·        Special characters like ` ~ ! # $ % ^ & * - _ = + { } | ' , / ?

·        One or more periods may be embedded in an alias, but each of them must be preceded and followed by at least one of the other characters.

 

The alias attribute value cannot contain:

·        Special characters like @ ( ) [ ] \ ; : " < >

·        Space
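The alias rules above (listed first for user accounts in the Exchange Server 2010 section and repeated here for groups) and the cn fallback described there, as an added Python example; this is not adapter code. It assumes that every character outside the allowed set, not only those the notes list explicitly, is replaced with '?' when the cn is used as the alias.

```python
# Added example (not adapter code): validates an Exchange alias against the
# character rules listed in these release notes, and predicts the alias that
# results when no Alias value is given and the cn is used instead.

# Special characters the notes list as allowed, besides letters and digits.
ALLOWED_SPECIALS = set("`~!#$%^&*-_=+{}|',/?")


def _is_allowed_char(ch: str) -> bool:
    """Letters A-Z (either case), digits 0-9 and the allowed specials.
    Non-ASCII letters are outside 'A to Z' and therefore not allowed."""
    if ch.isascii() and (ch.isalpha() or ch.isdigit()):
        return True
    return ch in ALLOWED_SPECIALS


def alias_problems(alias: str) -> list:
    """Return the reasons an alias would be rejected; an empty list means it is acceptable."""
    if not alias:
        return ["alias is empty"]
    problems = []
    for ch in alias:
        if ch == "." or _is_allowed_char(ch):
            continue
        # Covers the listed characters @ ( ) [ ] \ ; : " < > and the space.
        problems.append("character %r is not allowed" % ch)
    # Every period must be preceded and followed by another character, so a
    # leading, trailing or doubled period is rejected.
    if alias.startswith(".") or alias.endswith(".") or ".." in alias:
        problems.append("a period must be embedded between other characters")
    return problems


def is_valid_alias(alias: str) -> bool:
    return not alias_problems(alias)


def alias_from_cn(cn: str) -> str:
    """Predict the alias Exchange derives from the cn when Alias is left empty:
    each character that is not allowed in an alias is replaced with '?'.
    Assumption: any character outside the allowed set is treated as not
    allowed; period placement is not adjusted."""
    return "".join(ch if ch == "." or _is_allowed_char(ch) else "?" for ch in cn)


if __name__ == "__main__":
    # Constructed sample values.
    for candidate in ("john.smith", "john..smith", "John Smith", "j_smith-2"):
        print(candidate, "->", alias_problems(candidate) or "ok")
    print("Smith, John (Sales)", "->", alias_from_cn("Smith, John (Sales)"))
```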

 

To Mail-Disable Groups:

To mail-disable an already mail-enabled group, clear the value of the Alias attribute on the Group Mail tab of the group form. This removes all Exchange attributes from the group object in Active Directory.

Additionally, using a provisioning policy, all the group Exchange attributes listed above can be added to the group mail-disable request with no value. Because this is a group mail-disable request, the adapter ignores these attributes; including them clears the attributes from the group entry in IBM Tivoli Identity Manager's LDAP.

 

The adapter does not manage erADEGroupShowInAddrBook attribute, the corresponding Active Directory side attribute (showInAddressBook) is set by Exchange Server. The adapter will reconcile value(s) of this attribute.

 

 

MR0210102732 - OCS support for AD adapter.

 

OCS support for users that are neither mail-enabled nor have Exchange mailboxes.

     

For OCS support, the erADEProxyAddresses attribute (the Identity Manager attribute that maps to proxyAddresses on Active Directory) needs to be updated. When the user account neither has a mailbox nor is mail-enabled, the adapter fails a modification of the erADEProxyAddresses attribute.

To update the proxyAddresses attribute on Active Directory in that case, use an extended attribute defined in the exschema.txt file. When setting extended attributes, the adapter does not check the mail status of the user account.

For example, add the following to exschema.txt file

 

erADExtendedProxyAddresses|proxyAddresses

 

This instructs the adapter to manage the Active Directory attribute "proxyAddresses" and to use "erADExtendedProxyAddresses" as the corresponding attribute on IBM Tivoli Identity Manager. Refer to the section "MR052609514 - customer wants to use the extend attribute transformed the name on itim side using the AD 5.0.5 adapter on ITIM 4.6 Server." under "Configuration Notes" in the Release Notes for how to specify an extended attribute using the exschema.txt file.

 

Modify the Active Directory adapter profile, ADprofile.jar, to define a new attribute (erADExtendedProxyAddresses) and add it to erADAccount class in schema.dsml file. Please refer to “Chapter 7. Customizing the Active Directory adapter” in Configuration Notes for details on how to modify ADprofile.jar.

 

When a full reconciliation or user lookup is performed, the values set for the erADExtendedProxyAddresses attribute are also returned for the erADEProxyAddresses attribute. This is because both erADExtendedProxyAddresses and erADEProxyAddresses correspond to the same attribute, proxyAddresses, on Active Directory.

 

Note:

·        The adapter does not check the validity or format of Proxy Address values specified through the extended attribute.

 

 

MR0302105547 - Use erADLastLogonTimeStamp for AD dormant account report

 

In previous versions, the Active Directory profile used the attribute erADLastLogon for erLastAccessDate. The attribute erADLastLogon corresponds to lastLogon on Active Directory. The lastLogon attribute of a user account is updated only when the user logs in, and only on the DC that performed the authentication; it is not replicated among the DCs in the domain. As a result, Tivoli Identity Manager's dormant account report for Active Directory user accounts may not be accurate, because the adapter reads user accounts from a particular DC (the one specified as target server on the service form, or the nearest one returned by the DNS server), which can be different from the DC on which the user's authentication happened.

 

With this version, the Active Directory profile uses the attribute erADLastLogonTimeStamp for erLastAccessDate. The corresponding attribute on Active Directory, lastLogonTimestamp, is replicated across DCs. Using erADLastLogonTimeStamp for erLastAccessDate results in accurate dormant account reports. Note that Active Directory updates lastLogonTimestamp only when the stored value is older than a configurable interval (14 days by default), so the reported last access date is accurate to that granularity.

 

To use erADLastLogon for erLastAccessDate, you must now change the resource.def file in ADProfile.jar.

Replace the following lines of the resource.def file

<AttributeMap>
      <Attribute Name="erLastAccessDate" Value="erADLastLogonTimeStamp" Profile="account"/>
</AttributeMap>

with

<AttributeMap>
       <Attribute Name="erLastAccessDate" Value="erADLastLogon" Profile="account"/>
</AttributeMap>

 

 

MR0226101912 - WinAD: Need a way to configure the length of the wait period for the retries of Win AD 64-bit Adapter for reconciliation.

 

A new registry key, ReconRetryWaitPeriod, is introduced to the set of adapter registry settings to support this enhancement. The default value for ReconRetryWaitPeriod is 300 (seconds).

 

In an organization, Active Directory runs in cycles of low and heavy load depending on the number of authentication, replication, account management, and other Active Directory management requests. When Active Directory is under heavy load and a reconciliation is performed, the adapter gets a special error message from Active Directory (Error_More_Data) indicating that it has not finished reading all the user accounts and is currently under load. The adapter records this event in the log as "GetNextRow failed. Calling GetNextRow can potentially return more results. Provider: LDAP Provider". The adapter then waits for the interval specified by the ReconRetryWaitPeriod registry key (in seconds) and retries.

 

The adapter is designed to retry the query three times before terminating the reconciliation. The wait between retry attempts is calculated as

<RETRY_ATTEMPT_NUMBER> * <VALUE_OF_ ReconRetryWaitPeriod >

For example, when ReconRetryWaitPeriod is set to 40 seconds and the adapter receives Error_More_Data message from Active Directory. The wait period between each retry attempt is calculated as:

1 * 40 = 40 seconds – Before the first retry attempt;

2 * 40 = 80 seconds – Before the second retry attempt

3 * 40 = 120 seconds – Before the third (last) retry attempt.

 

Use agentCfg to set "ReconRetryWaitPeriod" to a value other than the default 300 seconds.

 

Note:

·        The value for this registry key must be numeric and in units of seconds.

·        When SearchTimeout is also enabled, the value of ReconRetryWaitPeriod should be less than the value of SearchTimeout.

·        The acceptable value for this key is from 0 to 214783647 seconds.
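The retry schedule and the constraints in the note above, as an added Python example that is not adapter code. The fetch function, the MoreDataError exception and the injected sleep and log callables are assumptions used to simulate the Error_More_Data condition offline; the upper bound for the key is taken as printed in these notes.

```python
# Added example (not adapter code): models the reconciliation retry behaviour
# described in these notes. The wait before retry n is n * ReconRetryWaitPeriod
# seconds, three retries are made, and the settings rules are checked before use.
import time
from typing import Callable, List

ERROR_MORE_DATA = ("GetNextRow failed. Calling GetNextRow can potentially "
                   "return more results. Provider: LDAP Provider")
MAX_RETRIES = 3
DEFAULT_RECON_RETRY_WAIT_PERIOD = 300
# Upper bound for ReconRetryWaitPeriod as printed in these notes.
RECON_RETRY_WAIT_PERIOD_MAX = 214783647


class MoreDataError(Exception):
    """Assumed exception: the directory read returned Error_More_Data under load."""


def check_retry_settings(wait_period, search_timeout=None) -> List[str]:
    """Return the problems with a proposed ReconRetryWaitPeriod (empty list means acceptable)."""
    problems = []
    if isinstance(wait_period, bool) or not isinstance(wait_period, int):
        problems.append("ReconRetryWaitPeriod must be a whole number of seconds")
        return problems
    if not 0 <= wait_period <= RECON_RETRY_WAIT_PERIOD_MAX:
        problems.append("ReconRetryWaitPeriod must be between 0 and %d"
                        % RECON_RETRY_WAIT_PERIOD_MAX)
    # When SearchTimeout is enabled, the wait period must be shorter than it.
    if search_timeout is not None and wait_period >= search_timeout:
        problems.append("ReconRetryWaitPeriod must be less than SearchTimeout")
    return problems


def retry_wait_schedule(wait_period: int) -> List[int]:
    """Seconds waited before retry 1, 2 and 3: attempt number * ReconRetryWaitPeriod."""
    return [attempt * wait_period for attempt in range(1, MAX_RETRIES + 1)]


def read_with_retries(fetch: Callable[[], list], wait_period: int,
                      sleep: Callable[[float], None] = time.sleep,
                      log: Callable[[str], None] = print) -> list:
    """Call fetch(); on MoreDataError log the message, wait, and retry up to
    MAX_RETRIES times, then give up (the adapter terminates the reconciliation)."""
    for attempt in range(MAX_RETRIES + 1):
        try:
            return fetch()
        except MoreDataError:
            log(ERROR_MORE_DATA)
            if attempt == MAX_RETRIES:
                raise RuntimeError("reconciliation terminated after %d retries"
                                   % MAX_RETRIES)
            sleep((attempt + 1) * wait_period)


if __name__ == "__main__":
    # Constructed simulation: the directory reports Error_More_Data twice, then succeeds.
    outcomes = [MoreDataError(), MoreDataError(), ["user1", "user2"]]

    def fake_fetch():
        result = outcomes.pop(0)
        if isinstance(result, Exception):
            raise result
        return result

    waits = []
    rows = read_with_retries(fake_fetch, 40, sleep=waits.append, log=lambda m: None)
    print(rows, waits)  # ['user1', 'user2'] [40, 80]
    print(check_retry_settings(DEFAULT_RECON_RETRY_WAIT_PERIOD, search_timeout=200))
```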

 

Setting Proxy Address:

 

The following table provides a few scenarios for setting proxy addresses. Note that not all scenarios are covered in this table.

 

NOTE:  If the request contains a Proxy Address value which is already present or generated on Active Directory then adapter will ignore this and will return success for that proxy address value.

 

Sr. No. 1 - Scenario: Set a primary proxy address different from the Target Address for a Mail-enabled account.

   i.  Settings:
       - Auto Generate Email Address is True.
       - Operation Type is ADD-DELETE.
       - Add the Target Address as a secondary proxy address by prefixing it with smtp.
       - Add the new proxy address to be set as primary with the prefix SMTP.
       Result:
       - On Exchange 2010 the new proxy address is set as the primary proxy address and the Target Address is set as a secondary proxy address.
       - On Exchange 2007 the requested primary SMTP address is not added as the primary SMTP proxy address. The request will fail.
       Comment:
       - When Auto Generate Email Address is True, setting a primary proxy address different from the Target Address is possible only on Exchange 2010.
       - A new primary proxy address cannot be set with the REPLACE operation type.

   ii. Settings:
       - Auto Generate Email Address is False.
       - Operation Type can be ADD-DELETE or REPLACE.
       - Specify the new proxy address to be set as primary with the prefix SMTP.
       - There is no need to set the Target Address as a secondary proxy address.
       Result:
       - The new proxy address is set as the primary proxy address.
       Comment:
       - When Auto Generate Email Address is False, a new primary proxy address can be set using an ADD operation type, but any later modification of this value can be done only with a REPLACE operation type.

Sr. No. 2 - Scenario: Modify the primary proxy address for a Mailbox-enabled account.

   i.  Settings:
       - Auto Generate Email Address is True.
       - Operation Type is ADD-DELETE or REPLACE.
       - Modify the primary proxy address to the new proxy address with the prefix SMTP.
       Result:
       - On Exchange 2007 the requested primary SMTP address is not added by Exchange Server, so the adapter fails the request.
       - On Exchange 2010 the requested primary SMTP address is added as a secondary proxy address.
       Comment:
       - When Auto Generate Email Address is True, the adapter does not update the primary SMTP address. If the request contains a primary SMTP address that is the same as the one generated on Active Directory, the adapter ignores it and returns success.
       - For a Mailbox-enabled account, Exchange generates the primary proxy address from the Alias value.

   ii. Settings:
       - Auto Generate Email Address is False.
       - Operation Type is ADD-DELETE.
       - Add a new proxy address with the prefix SMTP.
       Result:
       - When Auto Generate Email Address is False, the adapter sets the primary SMTP proxy address to the one specified in the request.
       Comment:
       - Exchange Server turns the previous primary SMTP proxy address into a secondary proxy address.

   iii. Settings:
       - Auto Generate Email Address is False.
       - Operation Type is REPLACE.
       - Add a new proxy address with the prefix SMTP. You can also specify other proxy address values.
       Result:
       - When Auto Generate Email Address is False, the adapter sets the primary SMTP proxy address to the one specified in the request, along with the other values.
       Comment:
       - The adapter clears the old values before setting the new values.

Sr. No. 3 - Scenario: Set a secondary SMTP proxy address.

   i.  Settings:
       - Auto Generate Email Address is True or False.
       - Account type is Mailbox-enabled or Mail-enabled.
       - Operation Type is ADD-DELETE.
       - Specify the Proxy Address value with the prefix "smtp:". Example: smtp:Thomas2@ibm.com
       Result:
       - The adapter adds the requested proxy address as secondary.
       Comment:
       - If the requested value is already present on Active Directory, the adapter ignores the value and returns success.

   ii. Settings:
       - Auto Generate Email Address is True.
       - Account type is Mailbox-enabled.
       - Operation Type is REPLACE.
       - Specify the Proxy Address value with the prefix "smtp:". Example: smtp:Thomas2@ibm.com
       - NOTE: You must specify the primary SMTP address with this request.
       Result:
       - The adapter first sets the primary SMTP address specified in the request and then adds the requested proxy address as secondary.
       - If no primary SMTP address is specified, the adapter fails the whole operation and does not update any value.
       - (This is applicable only for Exchange 2010.)
       Comment:
       - The adapter clears the old values before setting the new values.
       - On Exchange 2007 the primary SMTP address specified in the request is not added by Exchange Server, so the adapter fails the request.
       - Note: For a Mailbox-enabled account on Exchange 2010 the requested primary SMTP address is added as a secondary proxy address.

   iii. Settings:
       - Auto Generate Email Address is True.
       - Account type is Mail-enabled.
       - Operation Type is REPLACE.
       - Specify the Proxy Address value with the prefix "smtp:". Example: smtp:Thomas2@ibm.com
       - NOTE: You must specify the primary SMTP address with this request.
       Result:
       - The adapter first sets the primary SMTP address specified in the request and then adds the requested proxy address as secondary.
       - If no primary SMTP address is specified, the adapter fails the whole operation and does not update any value.
       - (This is applicable only for Exchange 2010.)
       Comment:
       - The adapter clears the old values before setting the new values.
       - On Exchange 2007 the primary SMTP address specified in the request is not added by Exchange Server, so the adapter fails the request.
       - Note: For a Mail-enabled account on Exchange 2010 the requested primary SMTP address is added as the primary SMTP proxy address.

   iv. Settings:
       - Auto Generate Email Address is False.
       - Account type is Mailbox-enabled or Mail-enabled.
       - Operation Type is REPLACE.
       - Specify the Proxy Address value with the prefix "smtp:". Example: smtp:Thomas2@ibm.com
       - NOTE: You must specify the primary SMTP address with this request.
       Result:
       - The adapter first sets the primary SMTP address specified in the request and then adds the requested proxy address as secondary.
       - If no primary SMTP address is specified, the adapter fails the whole operation and does not update any value.
       Comment:
       - The adapter clears the old values before setting the new values.

 

 

 

 

User Exchange attributes, erADESMTPEmail and erADEX400Email.


erADESMTPEmail

The erADESMTPEmail attribute holds the primary SMTP proxy address set for a user account. When the value of this attribute is modified, the new value is used as the primary SMTP address.

erADEX400Email

This attribute is not managed by the adapter. If it exists in a request, it is ignored. The adapter reconciles the value(s) of this attribute.

 

 

IZ72897- PROBLEM TRYING TO SET AN ADDITIONAL E-MAILTYPE MRS

 

The adapter now checks the proxy addresses set on the mailbox of a user account when it receives an add or modify request containing the erADEProxyAddresses attribute for that account. The adapter ignores proxy address values in the request that already exist on Active Directory for that user account. Ignoring means that the adapter does not attempt to add the value to the existing set of proxy addresses on Active Directory; if it did, the PowerShell cmdlet would fail that value. The check therefore avoids failures for proxy address values that already exist on Active Directory, and lets the user account's erADEProxyAddresses attribute in IBM Tivoli Identity Manager's LDAP be updated without running a reconciliation or user lookup.

 

Note:

The adapter does a case sensitive comparison on the type of the email address (SMTP:, smtp:, X400, etc.) and case insensitive comparison on the actual email address value.

 

For example,

SMTP:User01@ibm.com and SMTP:User01@ibm.com or SMTP:USER01@IBM.COM are considered to be same by the adapter and will be ignored.

SMTP:User01@ibm.com and smtp:User01@ibm.com will not be considered to be same.
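The comparison rule just described, as an added Python example (not adapter code): the address type prefix is compared case-sensitively, the address itself case-insensitively, and request values already present on the account are dropped before anything would be sent to the cmdlet. The sample values are constructed; the uppercase SMTP prefix marks the primary address as the proxy address table above describes.

```python
# Added example (not adapter code): reproduces the comparison rule these notes
# describe for erADEProxyAddresses and uses it to drop request values that
# already exist on the account.
from typing import List, Tuple


def parse_proxy_address(value: str) -> Tuple[str, str]:
    """Split 'SMTP:user@example.com' into ('SMTP', 'user@example.com')."""
    kind, sep, address = value.partition(":")
    if not sep or not kind:
        raise ValueError("proxy address has no type prefix: %r" % value)
    return kind, address


def same_proxy_address(a: str, b: str) -> bool:
    """Type prefix compared case-sensitively, address compared case-insensitively."""
    kind_a, addr_a = parse_proxy_address(a)
    kind_b, addr_b = parse_proxy_address(b)
    return kind_a == kind_b and addr_a.casefold() == addr_b.casefold()


def plan_proxy_update(requested: List[str],
                      existing: List[str]) -> Tuple[List[str], List[str]]:
    """Return (values_to_add, values_ignored). Ignored values already exist on
    the account and are reported as success without being sent to the cmdlet."""
    to_add, ignored = [], []
    for value in requested:
        if any(same_proxy_address(value, present) for present in existing):
            ignored.append(value)
        else:
            to_add.append(value)
    return to_add, ignored


def primary_smtp_addresses(values: List[str]) -> List[str]:
    """Addresses with the upper-case 'SMTP' prefix are primary; 'smtp' marks secondary.
    More than one entry here means the request is inconsistent."""
    return [v for v in values if parse_proxy_address(v)[0] == "SMTP"]


if __name__ == "__main__":
    # Constructed sample data: the values already on the account, and a request.
    existing = ["SMTP:User01@ibm.com", "smtp:u01@ibm.com"]
    request = ["SMTP:USER01@IBM.COM", "smtp:User01@ibm.com", "smtp:Thomas2@ibm.com"]
    to_add, ignored = plan_proxy_update(request, existing)
    print("add:", to_add)        # ['smtp:User01@ibm.com', 'smtp:Thomas2@ibm.com']
    print("ignored:", ignored)   # ['SMTP:USER01@IBM.COM']
    print("primary:", primary_smtp_addresses(existing))  # ['SMTP:User01@ibm.com']
```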

 

 

MR031010518 - WinAD: Need Disable Mailbox support for Exchange 2007

 

Disable Mailbox Support for Exchange Server 2007 and Later

 

The adapter is enhanced to support disconnecting (disabling) mailboxes when user accounts are suspended and connecting a user account to a disconnected (disabled) mailbox. This feature is supported for Exchange Server 2007 and 2010.

 

The following new registry keys are introduced to the set of adapter registry keys:

Registry Key Name              Default value
DisableMailboxOnSuspend        FALSE
ReconDisconnectedMailbox       FALSE

 

 

Disable/Disconnect User Mailbox:

Disabling a mailbox means disconnecting a mailbox enabled user account in Active Directory from its mailbox. When the mailbox is disabled, all the user account’s exchange attributes are removed from Active Directory. The user account associated with the mailbox will remain in Active Directory but will no longer be associated with a mailbox.

 

The adapter uses the registry key "DisableMailboxOnSuspend" to decide whether the mailbox is disabled during a suspend operation. When "DisableMailboxOnSuspend" is FALSE, the adapter does not disable the user's mailbox while suspending the user account on Active Directory. When "DisableMailboxOnSuspend" is TRUE, the adapter disables the user's mailbox while suspending the user account on Active Directory.

 

A user’s mailbox can also be disabled\disconnected by clearing the value of Mailbox Store attribute on account form. This is already supported by the adapter and does not depend on the value of registry key “DisableMailboxOnSuspend".

 

 

Reconnect/Connect User account to a Disabled Mailbox:

A disconnected mailbox is a mailbox object in the Microsoft Exchange store that is not associated with an Active Directory user account.

 

To connect a user account to a disabled mailbox, the adapter needs information about the disabled mailbox and about the user account to connect. There can be any number of disabled mailboxes on an Exchange store to which a user account can be connected. The user account to which a disabled user mailbox is connected must be logon-enabled.

 

The adapter uses the registry key "ReconDisconnectedMailbox" during the reconciliation operation. When "ReconDisconnectedMailbox" is TRUE, the adapter returns information about all disconnected (disabled) mailboxes from the configured Exchange servers to IBM Tivoli Identity Manager during reconciliation. Enabling this feature makes reconciliation slower. If this key is set to FALSE, the adapter does not reconcile disconnected (disabled) mailboxes to IBM Tivoli Identity Manager.

 

A new support data object class, erADDisabledMB, is added to the Windows Active Directory profile schema. The erADAccount class now has a new attribute, erADEConnectToMailbox. To connect a user account to a disabled mailbox, use this attribute to select one of the disabled mailboxes from the list returned by the adapter in a reconciliation operation. This attribute is used only to provide the information the adapter needs to connect the user account to the disabled mailbox; after the connection is made, the value of this attribute is cleared from the account form the next time a reconciliation or user lookup is performed.

 

The object class erADDisabledMB is supported for Adapter Based Filtering but not for Adapter Based Event Notification.

 

A Full Reconciliation or Support Data Reconciliation must be performed to get information about all the disabled (disconnected) mailboxes from each Exchange Server in the organization.

 

This feature is not supported for Exchange 2003 Servers. You cannot manage disabled mailboxes on Exchange Server 2007 using Exchange Server 2010 and vice versa.

 

When a user mailbox is disabled all its Exchange properties are removed from the user account on Active Directory and the mailbox is marked in the database for removal. When a mailbox enabled user account is removed (deleted) from Active Directory, the mailbox will be marked in exchange database for removal.

 

A deleted or disabled (disconnected) mailbox remains in the Exchange database for a configured number of days (the default is 30 days). This setting can be changed through the Exchange Admin Console. When you create a mailbox for a new or existing user, the Exchange attributes required for a mailbox are added to the user object in Active Directory. When you connect a disabled mailbox to an existing Active Directory user account, that user account becomes the owner of the mailbox and has full access to all content within the mailbox.

 

Note:

·        The adapter does not have a feature to delete a mailbox. When an account is deleted, its mailbox is not deleted but is flagged as disconnected by Exchange Server. When a mailbox-enabled user account is suspended, the adapter disables the user's mailbox; the mailbox is not permanently deleted from the Exchange server but is flagged as disconnected. By default, the Exchange server preserves the disabled mailbox for a specific duration, which an administrator can configure.

·        By default all the deleted/disabled mailboxes stay in the mailbox store for 30 (thirty) days. This value can be set at mailbox store level.

Following are the steps to modify this value directly on Exchange Server:

1. Open Exchange Management Console

2. Expand Server Configuration

3. Click on Mailbox

4. Select your server in the Mailbox Pane

5. Select the <Mailbox> you want to configure and click on the Properties of selected Mailbox Database.

6. Set value Under Mailbox Database Properties->Limits->Keep deleted mailboxes for (days)->30

 

Note that a mailbox containing no mail is not moved to the disconnected mailboxes; it is deleted from the database completely when disconnected.

 

·        A disabled mailbox on the Exchange server can be of type user mailbox or resource mailbox. To differentiate a disabled user mailbox from a disabled resource mailbox, a new attribute "erADEMailboxType" is added to the object class "erADDisabledMB". You must customize the filter value used by the erADEConnectToMailbox attribute to display only disabled user mailboxes on the account form. If you connect a user account to a disabled resource mailbox, the adapter connects that mailbox and converts it to a user mailbox.

·        The associated mailbox object in the Exchange mailbox database is not created until the mailbox either receives a message or the user logs on to it. If you create a new mailbox and then remove or disable it before the mailbox object in the Exchange mailbox database is created, it will not be available as a disconnected mailbox.

·        Reapply the mailbox folder policy and other mailbox-related attributes after connecting a mailbox, because these Exchange attributes are reset when the mailbox is re-attached. When a mailbox is disconnected, its mailbox policy and other Exchange attributes are removed from Active Directory (excluding mailbox permissions).

 

Under normal circumstances all deleted or disabled mailboxes are listed in the Disconnected Mailbox panel. When a mailbox is disabled by means other than the Disable-Mailbox or Remove-Mailbox cmdlet, or when it was disabled by the Windows AD adapter while the Exchange Information Store service was stopped, these mailboxes may not appear in the Disconnected Mailbox panel. In this scenario, run the "Clean-MailboxDatabase" cmdlet from the Exchange Management Shell to scan for these disconnected mailboxes.

 

For more detail on Clean-MailboxDatabase, please follow the Microsoft link:

http://technet.microsoft.com/en-us/library/bb124076.aspx

 

The following table lists the various combinations for modifying the mail status of a user account. For more information about changing the status of a user account, see "Modifying the mail status of a user account" in the Active Directory Adapter User Guide.

 

Current Status of User Account: Mailbox-enabled
What to Perform: Modify the mail status of the user account from Mailbox-enabled to Mail-enabled.
How to Perform: To modify a Mailbox-enabled user account to a Mail-enabled user account, clear the value of the Mailbox Store attribute on the Active Directory account form and specify a value for the Target Address attribute on the Active Directory account form.

Current Status of User Account: Mailbox-enabled
What to Perform: Disable the existing user mailbox and connect to a disconnected mailbox.
How to Perform: To modify a Mailbox-enabled user account to connect to a disconnected mailbox, clear the value of the Mailbox Store attribute on the Active Directory account form and specify a value for the Connect To Mailbox attribute on the Active Directory account form. This operation disables the existing mailbox and connects the user to the disconnected mailbox specified in the operation.
NOTE: When you clear the Mailbox Store attribute, the user mailbox is not deleted; it is disabled and flagged as a disconnected mailbox.

Current Status of User Account: Mailbox-enabled
What to Perform: Move the existing user mailbox to a new Mailbox Store.
How to Perform: For a Mailbox-enabled user account, if you specify a new value for the Mailbox Store attribute, the user mailbox is moved to the new mailbox store specified in the operation.

Current Status of User Account: Mailbox-enabled
What to Perform: Disable the existing user mailbox and create a new mailbox for the same user.
How to Perform: You cannot perform this operation in a single request. To achieve it, follow these steps:
1.      Perform a modify operation and clear the value of the Mailbox Store attribute on the Active Directory account form.
2.      After you have successfully cleared the Mailbox Store attribute, perform a second modify operation and specify a value for the Mailbox Store attribute on the Active Directory account form for the same user. You can also specify the value of the Alias attribute together with other Exchange attributes.
NOTE: When you clear the Mailbox Store attribute, the user mailbox is not deleted; it is disabled and flagged as a disconnected mailbox.

Current Status of User Account: Mailbox-enabled
What to Perform: Disconnect (disable) the user mailbox.
How to Perform: Perform a modify operation and clear the value of the Mailbox Store attribute on the Active Directory account form.
NOTE: When you clear the Mailbox Store attribute, the user mailbox is not deleted; it is disabled and flagged as a disconnected mailbox.

Current Status of User Account: Mail-enabled
What to Perform: Modify the mail status of the user account from Mail-enabled to Mailbox-enabled.
How to Perform: To modify a Mail-enabled user account to a Mailbox-enabled user account, clear the value of the Target Address attribute on the Active Directory account form and specify a value for the Mailbox Store attribute on the Active Directory account form.

When a user account is Mail-enabled

Disable the existing Mail-enabled user and connect to disconnected mailbox

To modify a Mail-enabled user account to connect to a disconnected mailbox, you must clear the value for the Target Address attribute on the Active Directory account form and specify a value for the Connect To Mailbox attribute on the Active Directory account form.

This operation will disable the mail-enabled user account and will connect the user to disconnected mailbox specified in the operation.

 

 

To configure this feature, modify the profile using one of the following procedures:

 

Procedure 01:

1)     Set the adapter registry key “ReconDisconnectedMailbox” to TRUE using the agentCfg utility.

2)     Modify the erADAccount.xml file of ADprofile.jar and import the new profile on IBM Tivoli Identity Manager.

a)     Copy the ADprofile.jar file to a temporary directory, example C:\Temp.

b)     Extract the contents of ADprofile.jar file into the temporary directory by running the following command:

cd C:\Temp

jar -xvf ADprofile.jar

The jar command creates the C:\Temp\ADprofile directory, which has all the profile files.

c)     From the extracted ADprofile directory, open the erADAccount.xml file in a text editor, make the following modifications, and save the file:

Add the following new account form element to the erADAccount.xml file:

<formElement direction="inherit" label="$eradeconnecttomailbox" name="data.eradeconnecttomailbox">

<searchFilter type="input">

<filter>(objectclass&#61;eraddisabledmb)</filter>

<base>contextual</base>

<attribute>erademailboxname</attribute>

<sourceAttribute>eradembconnectinfo</sourceAttribute>

<delimiter />

<size />

<width>300</width>

<objectClass>eraddisabledmb</objectClass>

<showQueryUI>false</showQueryUI>

<paginateResults>false</paginateResults>

</searchFilter>

</formElement>

     

Note: The search filter (objectclass&#61;eraddisabledmb) above lists all disabled mailboxes available as support data, including disabled resource mailboxes. To list only disabled user mailboxes, use the following element instead:

 

<formElement direction="inherit" label="$eradeconnecttomailbox" name="data.eradeconnecttomailbox">

<searchFilter type="input">

<filter>(&amp;(objectclass&#61;erADDisabledMB)(erADEMailboxType&#61;User))</filter>

<base>contextual</base>

<attribute>erademailboxname</attribute>

<sourceAttribute>eradembconnectinfo</sourceAttribute>

<delimiter />

<size />

<width>300</width>

<objectClass>eraddisabledmb</objectClass>

<showQueryUI>false</showQueryUI>

<paginateResults>false</paginateResults>

</searchFilter>

</formElement>

 

d)     Run the following command to create new jar file:

cd C:\Temp

jar -cvf ADprofile.jar ADprofile

Note: The directory name and profile name are case sensitive.

e)     Import the new ADprofile.jar file on IBM Tivoli Identity Manager.

f)       Perform a Full Reconciliation or Support Data Reconciliation.

 

Procedure 02:

The ADprofile configuration changes above can also be made through the IBM Tivoli Identity Manager Server (ITIM 5.x) Design Form (for ITIM 4.6 use “Form Customization”). To use the Design Form, perform the following steps:

 

a)     Set the adapter registry key “ReconDisconnectedMailbox” to TRUE using agentCfg.

b)     Import the ADprofile provided with this version.

c)     For IBM Tivoli Identity Manager 5.x, Go to Configure System Select “Design Form”

(For IBM Tivoli Identity Manager 4.6, Go to Configuration->Form Customization)

d)     Under Account section Select “Windows AD Account” option for IBM Tivoli Identity Manager 5.x.

      (For IBM Tivoli Identity Manager 4.6 Select “ADAccount”)

e)     From the attribute list panel (top right), select the attribute “erADEConnectToMailbox” and add it under the Mailbox tab (or another tab) as a DropDownBox with the SearchFilter option.

f)       Provide the following values for DropDownbox List:

Search Base:  Contextual

Object Class: erADDisabledMB    

Attribute:   erADEMailboxName

Source Attribute:   erADEMBConnectInfo

Filter: (&(objectclass=erADDisabledMB)(erADEMailboxType=User))

 

NOTE: The above filter shows only disconnected user mailboxes.

 

OR

Search Base:  Contextual

Object Class: erADDisabledMB    

Attribute:   erADEMailboxName

Source Attribute:   erADEMBConnectInfo

Filter: (objectclass=erADDisabledMB)

 

NOTE: The above filter shows all disconnected mailboxes, including resource mailboxes.

 

g)     Save the form customization.

h)     Perform a Full Reconciliation or Support Data Reconciliation.

 

Refer to the information center or the online help for information about using Form Customization.

           

The filter value can be further customized to selectively list disabled mailboxes by mailbox type (resource or user) and by Exchange server. The attribute “erADEMBConnectInfo” of object class erADDisabledMB contains the MailboxGuid together with the mailbox database (and its Exchange server) of a disconnected mailbox. For an Exchange server named “ExchangeServer01”, the filter can be customized as in the following examples.

 

Example 01:

To display all disconnected user mailboxes from Exchange server “ExchangeServer01”:

(&(&(objectclass=erADDisabledMB)(erADEMailboxType=User))(erADEMBConnectInfo=* ExchangeServer01*))

 

Example 02:

To display all disconnected mailboxes, including resource mailboxes, from Exchange server “ExchangeServer01”:

(&(objectclass=erADDisabledMB)(erADEMBConnectInfo=* ExchangeServer01*))

 

 

Example 03:

To display all disconnected mailboxes, including resource mailboxes, from all configured Exchange servers except “ExchangeServer01”:

(&(objectclass=erADDisabledMB)(!(erADEMBConnectInfo=* ExchangeServer01*)))

 

Known configuration issue with Exchange 2010:  "No provisioning provider installed"

 

This error is misleading: it is normally caused by insufficient permissions for the adapter logon account, not by a missing “provisioning provider”. To provision mailboxes on Exchange 2010, the logon account must be a member of the appropriate security groups. Because every Active Directory installation is different (single domain, multiple domains, sub-domains, and so on) and groups can be customized (nested in other groups), it is not possible to provide a definitive list of the group memberships required by the adapter logon account. Our experience has shown that membership in the following Exchange groups is sufficient to allow the adapter to provision mailboxes:

Recipient Management

Organization Management

Exchange Windows Permissions

In addition, membership in the Domain Admins group is required to provision accounts.

 

If the adapter logon account is a member of these groups and you still get this error, adding membership to Enterprise Admins can determine if the problem is due to permissions.  If this resolves the issue, refer to Microsoft documentation or trial and error to determine which group memberships are needed.
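The following PowerShell script is an added example, not part of the adapter. It checks whether the adapter logon account holds the group memberships listed above, directly or through nested groups (the nesting the paragraph says makes a definitive list impossible). It requires the ActiveDirectory RSAT module and assumes a single domain; the account name 'svc-itim-ad' is a placeholder.

```powershell
# Added example (not the adapter's code). Requires the ActiveDirectory RSAT module.
# Single-domain assumption: group DNs are resolved against the default domain.
Import-Module ActiveDirectory -ErrorAction SilentlyContinue

# Groups the release notes describe as sufficient for Exchange 2010 provisioning.
$RequiredGroups = @(
    'Recipient Management',
    'Organization Management',
    'Exchange Windows Permissions',
    'Domain Admins'
)

function Get-NestedGroupNames {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)
    # Walk memberOf transitively so that membership obtained through a custom
    # group that is itself nested in an Exchange role group is counted.
    # (The primary group, normally Domain Users, is not in memberOf.)
    $seen  = @{}
    $queue = New-Object System.Collections.Queue
    $user  = Get-ADUser -Identity $SamAccountName -Properties memberOf
    foreach ($dn in $user.memberOf) { $queue.Enqueue($dn) }
    while ($queue.Count -gt 0) {
        $dn = $queue.Dequeue()
        if ($seen.ContainsKey($dn)) { continue }
        $g = Get-ADGroup -Identity $dn -Properties memberOf
        $seen[$dn] = $g.Name
        foreach ($parent in $g.memberOf) { $queue.Enqueue($parent) }
    }
    return @($seen.Values)
}

function Test-AdapterAccountGroups {
    param(
        [Parameter(Mandatory = $true)][string]$SamAccountName,
        [string[]]$Required = $RequiredGroups
    )
    # Returns a hashtable: group name -> $true if the account is a (nested) member.
    $have   = Get-NestedGroupNames -SamAccountName $SamAccountName
    $result = @{}
    foreach ($r in $Required) { $result[$r] = ($have -contains $r) }
    return $result
}

# Usage ('svc-itim-ad' is a placeholder for the adapter logon account):
$report = Test-AdapterAccountGroups -SamAccountName 'svc-itim-ad'
$report.GetEnumerator() | Sort-Object Name | ForEach-Object {
    "{0,-30} {1}" -f $_.Name, $(if ($_.Value) { 'OK' } else { 'MISSING' })
}
```

Treat the Enterprise Admins step above as a diagnostic only: if adding that membership makes the error disappear, remove it again once the specific missing group has been identified, so that the adapter service account does not keep forest-wide administrative rights it does not need.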

 

Adapter Version 5.1.6 Features

MR0204103013 - AD adapter support for DNWithBinary.   

The adapter is enhanced to support the DNWithBinary syntax for extended attributes.

With this enhancement the adapter can perform add, delete, modify, and reconciliation operations on extended attributes of type DNWithBinary.

Note:

1)    Adapter-based filtering is not supported for extended attributes of syntax DNWithBinary.

2)    Adapter-based event notification has some limitations for syntax DNWithBinary. Refer to the Known Issues section.

 

 

A DNWithBinary attribute stores values in Active Directory in the following format:

B:<char count>:<binary value>:<object DN>

Here <char count> is the number of hexadecimal digits in <binary value>, <binary value> is the hexadecimal representation of the binary value, and <object DN> is the distinguished name of an existing directory object (a user or a policy object in the examples below).

To set an extended attribute of type DNWithBinary on Active Directory, you must specify the attribute value in exactly this format.

 

Example:

 

§  To set the attribute msRTCSIP-UserPolicy, the value could be:

B:8:01000000:CN={FCE1E52A-59D1-4FBB-9CB5-2679247F7943},CN=Policies,CN=RTC Service,CN=Services,CN=Configuration,DC=evaluation,DC=test

§  To set the attribute otherWellKnownObjects, the value could be:

B:32:df447b5eaa5b11d28d5300c04f79ab81:CN=User01,OU=Testorg,DC=pwdtest,DC=COM

The adapter validates the format of values specified for extended attributes of type DNWithBinary.

 

Adapter Version 5.1.7 Features

 

Behavior of 'mail' attribute

 

In Active Directory each user or group object has a 'mail' attribute that stores a single e-mail address.

With Exchange 2003/2007/2010 this attribute holds the primary SMTP address of the object. When the object is first mail- or mailbox-enabled, the mail attribute is set to the primary SMTP proxy address. The primary SMTP address itself is stored in the proxyAddresses attribute as part of the e-mail address list (the entry with the upper-case SMTP: prefix). If the primary SMTP proxy address is modified, the mail attribute (E-mail address) is replaced with the new primary SMTP proxy address.

On Exchange 2003, if the mail attribute (E-mail address) is modified, the primary SMTP proxy address is replaced with the new value of the mail attribute. On Exchange 2007 or 2010, changing the mail attribute has no effect on the primary SMTP proxy address.

On Exchange 2003, proxy addresses are generated by the Recipient Update Service; on Exchange 2007 and 2010 they are stamped by e-mail address policies. The value of the mail attribute corresponds to the primary SMTP proxy address. When an account is mail- or mailbox-enabled, the old value of the mail attribute is cleared and set to the new primary SMTP address.

On Exchange 2003, if a mail- or mailbox-enabled account is mail-disabled, the mail attribute is cleared. On Exchange 2007 or 2010 the value is not cleared when the mail or mailbox account is disabled.

NOTE: It is recommended to keep the primary SMTP proxy address and the mail attribute in Active Directory identical to avoid unexpected behavior.

For the section describing the 'mail' attribute, see the following Microsoft article:

http://support.microsoft.com/kb/275636
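Because the mail attribute and the primary SMTP proxy address can drift apart on Exchange 2007/2010 (editing mail does not update proxyAddresses), the recommendation above is worth checking. The following PowerShell script is an added example, not part of the adapter or the Microsoft article: it compares mail with the upper-case SMTP: entry in proxyAddresses for every recipient under a search base. It requires the ActiveDirectory RSAT module; the OU and the two sample users at the bottom are constructed for offline testing.

```powershell
# Added example (not the adapter's code). Requires the ActiveDirectory RSAT module
# for the live query; the offline sample at the bottom runs without it.
Import-Module ActiveDirectory -ErrorAction SilentlyContinue

function Get-PrimarySmtpAddress {
    param([string[]]$ProxyAddresses)
    # The primary SMTP address is the single entry with an upper-case "SMTP:"
    # prefix; lower-case "smtp:" entries are secondary addresses.
    foreach ($p in $ProxyAddresses) {
        if ($p -clike 'SMTP:*') { return $p.Substring(5) }
    }
    return $null
}

function Test-MailMatchesPrimarySmtp {
    param([string]$Mail, [string[]]$ProxyAddresses)
    $primary = Get-PrimarySmtpAddress -ProxyAddresses $ProxyAddresses
    if ($primary -eq $null) { return $true }   # not mail-enabled: nothing to compare
    return ([string]$Mail).Equals($primary, [System.StringComparison]::OrdinalIgnoreCase)
}

function Find-MailMismatches {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    # Only recipients that carry proxy addresses are of interest.
    Get-ADUser -Filter 'proxyAddresses -like "*"' -SearchBase $SearchBase -Properties mail, proxyAddresses |
        Where-Object { -not (Test-MailMatchesPrimarySmtp -Mail $_.mail -ProxyAddresses $_.proxyAddresses) } |
        Select-Object SamAccountName, mail,
            @{ Name = 'PrimarySmtp'; Expression = { Get-PrimarySmtpAddress -ProxyAddresses $_.proxyAddresses } }
}

# Constructed sample data: one consistent user and one whose mail attribute
# was edited after the mailbox was created.
$samples = @(
    @{ Name = 'jdoe';   mail = 'jane.doe@contoso.com'; proxy = @('SMTP:jane.doe@contoso.com', 'smtp:jdoe@contoso.com') },
    @{ Name = 'bsmith'; mail = 'bob@contoso.com';      proxy = @('SMTP:bob.smith@contoso.com', 'X400:c=US;a= ;p=Contoso;o=Exchange;s=Smith;g=Bob;') }
)
foreach ($s in $samples) {
    $ok = Test-MailMatchesPrimarySmtp -Mail $s.mail -ProxyAddresses $s.proxy
    "{0,-8} {1}" -f $s.Name, $(if ($ok) { 'consistent' } else { 'MISMATCH' })
}

# Live run against the directory ('OU=Users,DC=contoso,DC=com' is a placeholder):
# Find-MailMismatches -SearchBase 'OU=Users,DC=contoso,DC=com'
```

The comparison is case-insensitive because SMTP addresses are treated as such by Exchange; the SMTP: prefix match, however, is deliberately case-sensitive, since only the upper-case form marks the primary address.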

 

MR090210587 - Support for Exchange Unified Messaging management on Active Directory accounts with ITIM Windows Active Directory adapter.

     

With this release, the Windows Active Directory adapter can manage the Exchange Unified Messaging setup of Active Directory accounts in Exchange 2007/2010 environments.

Only a mailbox-enabled user can use Unified Messaging. When you enable a user for Unified Messaging (UM), a default set of UM properties is applied to the user, and the user can then use the Unified Messaging features.

 

The procedure to enable a user's mailbox for Unified Messaging using IBM Tivoli Identity Manager is as follows.

Prerequisites for enabling a user for Unified Messaging:

 

·        A UM dial plan has been created. To create dial plan please see the following link http://technet.microsoft.com/en-us/library/bb123819.aspx

 

·        A UM mailbox policy has been created. To create mailbox policy please see the following link http://technet.microsoft.com/en-us/library/bb123510.aspx

 

Note: Creating and modifying dial plans and UM mailbox policies is outside the scope of the Windows Active Directory Adapter.

To support Unified Messaging, two attributes are added on ITIM under the Mailbox tab:

·        UM Mailbox Policy, a dropdown search box (single-valued)

·        UM Addresses (Extensions), an editable text list (multi-valued)

 

 

Enable/Disable Unified Messaging:

 

To enable a mailbox-enabled user for Unified Messaging, specify values for both UM Mailbox Policy and UM Addresses (Extensions).

The UM Mailbox Policy value is selected from the dropdown search box (single-valued attribute).

UM Addresses (Extensions) are added to the editable text list (multi-valued attribute).

      

For example:

 

A UM Mailbox Policy value looks like: CN=TestPolicy,CN=UM Mailbox Policies,CN=Exchange First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=orion,DC=com

 

§  When enabling Unified Messaging, a UM Address (Extension) should be a plain value such as “12345” or “123we6”. Special characters are not allowed in UM Addresses (Extensions) when enabling a user for Unified Messaging.

        Note:

§  The given UM Addresses (Extensions) must contain the number of digits defined in the dial plan of the specified UM Mailbox Policy.

§  After enabling the user's mailbox for UM, perform a full reconciliation or reconcile that user so that the formatted values of UM Addresses (Extensions) are set on TIM.

 

To disable a user's mailbox for Unified Messaging, clear the value of UM Mailbox Policy on ITIM.

        Note:

        After disabling the user's mailbox for UM, perform a full reconciliation or reconcile that user to clear the values of UM Addresses (Extensions) on ITIM, or delete those values from ITIM with a delete operation.

 

 

 

 

Modifying Unified Messaging:

 

To modify UM Addresses (Extensions), provide the value in the following format, because the API accepts UM Addresses (Extensions) only in this form:

 

       Format– eum:<extension number>;phone-context:<Dial plan name for the given extension number>

 

       For example- eum:12345;phone-context:Mydialplan.newport.cm.ibm.com

                               EUM:67890;phone-context:Mydialplan.newport.cm.ibm.com

 

The lower-case prefix “eum” indicates a secondary UM Address (Extension); the upper-case prefix “EUM” indicates the primary UM Address (Extension).

 

Note:

 

·        Specify the extensions in the UM Addresses (Extensions) attribute on ITIM, not in the Proxy Address attribute.

·        After modifying the values of UM Addresses (Extensions), perform a full reconciliation or a lookup for that user to retrieve the UM Addresses (Extensions) values in Proxy Addresses on ITIM.

·        The Unified Messaging policy can be changed only if the newly selected policy belongs to the same dial plan.

 

Consider the following when modifying the Unified Messaging feature:

·        When enabling, disabling, or modifying Unified Messaging on Exchange 2007, the Windows Active Directory Adapter service must run under an administrator account.

·        Before modifying the Unified Messaging feature, ensure that the user's mailbox is enabled for Unified Messaging.

·        If a single request both disables the mailbox and modifies the Unified Messaging feature, the Windows Active Directory Adapter fails the Unified Messaging attributes with operation type ADD or MODIFY but returns success for the Unified Messaging attributes with operation type DELETE.
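The following Exchange Management Shell script is an added example, not part of the adapter: it applies the rules above outside ITIM, checking an extension against the dial plan behind a UM mailbox policy (no special characters, length equal to the dial plan's extension length), building the eum:/EUM: proxy-address string in the format described, and enabling or disabling UM for a mailbox. It targets Exchange 2007/2010; 'TestPolicy', 'jdoe', 'Mydialplan.contoso.com' and the extensions are placeholders.

```powershell
# Added example (not the adapter's code). Run in the Exchange Management Shell
# (Exchange 2007/2010). Policy, dial plan, user and extensions are placeholders.

function Test-UmExtension {
    param([string]$Extension, [int]$RequiredDigits)
    # Release-notes rules: no special characters, and the length must match the
    # number of digits configured on the dial plan.
    if ($Extension -notmatch '^[A-Za-z0-9]+$') { return $false }
    return ($Extension.Length -eq $RequiredDigits)
}

function New-EumAddress {
    param([string]$Extension, [string]$DialPlanName, [switch]$Primary)
    # Format: eum:<extension>;phone-context:<dial plan name>
    # Upper-case EUM marks the primary extension, lower-case eum a secondary one.
    $prefix = if ($Primary) { 'EUM' } else { 'eum' }
    return ('{0}:{1};phone-context:{2}' -f $prefix, $Extension, $DialPlanName)
}

function Enable-UserForUm {
    param(
        [Parameter(Mandatory = $true)][string]$Identity,
        [Parameter(Mandatory = $true)][string]$PolicyName,
        [Parameter(Mandatory = $true)][string[]]$Extensions
    )
    # Resolve the dial plan through the policy so the digit count can be enforced
    # before Exchange is asked to do anything.
    $policy = Get-UMMailboxPolicy -Identity $PolicyName
    $plan   = Get-UMDialPlan -Identity $policy.UMDialPlan
    foreach ($ext in $Extensions) {
        if (-not (Test-UmExtension -Extension $ext -RequiredDigits $plan.NumberOfDigitsInExtension)) {
            throw ("Extension '{0}' does not fit dial plan '{1}' ({2} digits, no special characters)" -f `
                   $ext, $plan.Name, $plan.NumberOfDigitsInExtension)
        }
    }
    # Only a mailbox-enabled user can be UM-enabled; Enable-UMMailbox fails otherwise.
    Enable-UMMailbox -Identity $Identity -UMMailboxPolicy $PolicyName -Extensions $Extensions
}

# Offline checks of the validation and of the address format (constructed values):
Test-UmExtension -Extension '12345' -RequiredDigits 5     # accepted
Test-UmExtension -Extension '12-45' -RequiredDigits 5     # rejected: special character
Test-UmExtension -Extension '1234'  -RequiredDigits 5     # rejected: wrong length
New-EumAddress -Extension '12345' -DialPlanName 'Mydialplan.contoso.com' -Primary
New-EumAddress -Extension '67890' -DialPlanName 'Mydialplan.contoso.com'

# Live usage (requires Exchange UM to be configured):
# Enable-UserForUm -Identity 'jdoe' -PolicyName 'TestPolicy' -Extensions '12345'
# Disable-UMMailbox -Identity 'jdoe' -Confirm:$false
```

After either the enable or the disable step, reconcile the user in ITIM as the notes above require, so the formatted UM Addresses (Extensions) values on ITIM match what Exchange now holds.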

 

MR081710242 - Optionally requires a MailBoxStore and use Exchange 2010 Default feature if Store is not present.

     

With this release, the Windows Active Directory Adapter can create a default mailbox for a user on Exchange 2010, using the Exchange 2010 default mailbox database feature, when no Mailbox Store is specified.

On Exchange 2010, the adapter creates a default mailbox for the user if any Exchange attribute other than Target Address, Connect To Mailbox, and Mailbox Store is specified on ITIM. On Exchange 2007 it does not create a default mailbox; instead the adapter fails the other specified Exchange attributes with an error message.

Note: After the default mailbox is created, perform a full reconciliation or reconcile that user to see the default mailbox store in the Mailbox Store attribute on ITIM.

 

 

The Windows Active Directory Adapter creates a default mailbox on Exchange 2010 for a user in the following cases:

·        While creating a user:

If any Exchange attribute other than Target Address, Connect To Mailbox, and Mailbox Store is specified in the create request, the adapter creates a default mailbox for the user.

·        While modifying a user:

If the user does not have a mailbox and the modify request specifies any Exchange attribute other than Target Address, Connect To Mailbox, and Mailbox Store with ADD or MODIFY operations (with or without DELETE operations), the adapter creates a default mailbox for the user.

If the user does not have a mailbox and the modify request specifies such Exchange attributes with only DELETE operations, the adapter does not create a default mailbox for the user.

 

 

Adapter Version 5.1.16 Features

 

Added support for Lync 2010/2013

 

The Lync interface uses a remote PowerShell session with the Lync server to manage Lync attributes. This means that it is not necessary to install the Lync management tools on the machine that is running the adapter. However, the machine running the adapter must have PowerShell 2.0, and its execution policy must allow local scripts to run (RemoteSigned or Unrestricted).

Running under an account with sufficient authority, the adapter supports Lync 2010/2013.

 

Adapter configuration

On the computer where the adapter is running, you must install the CA certificate of the Lync server in the trust store of the adapter service account. To do this:

1.   Run mmc.exe.

2.   Add the certificate snap-in

3.   Select Service Account, click next

4.   Select Local computer, click next

5.   Select "Tivoli Active Directory Adapter", click next

6.   Right Click on Trusted Root Certification Authorities and select "All Tasks\Import..."

7.   Select the CA certificate file and import to the trust store.

8.   Restart the adapter service.
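The following PowerShell pre-flight script is an added example, not part of the adapter. It checks the prerequisites described above: PowerShell 2.0 or later, an execution policy of RemoteSigned or Unrestricted, a Lync server certificate that chains to a trusted CA, and a working remote session to the Lync PowerShell endpoint. Run it as the adapter service account (for example with runas), because the trust check uses that account's certificate store. The pool FQDN lyncpool.contoso.com is a placeholder, and the endpoint path /OcsPowershell is Lync's default remote PowerShell URL; if your deployment publishes it differently, adjust the URI.

```powershell
# Added example (not the adapter's code). Run as the adapter service account,
# e.g.: runas /user:CONTOSO\svc-itim-ad "powershell -File .\Test-LyncPrereqs.ps1"
# 'lyncpool.contoso.com' is a placeholder for the Lync pool/server FQDN.

function Test-PowerShellPrereqs {
    # PowerShell 2.0+ ($PSVersionTable does not exist on 1.0) and an execution
    # policy that lets local scripts run, as the release notes require.
    $versionOk = ($PSVersionTable -ne $null) -and ($PSVersionTable.PSVersion.Major -ge 2)
    $policy    = (Get-ExecutionPolicy).ToString()
    $policyOk  = @('RemoteSigned', 'Unrestricted') -contains $policy
    return @{ VersionOk = $versionOk; PolicyOk = $policyOk; Policy = $policy }
}

function Test-LyncServerTrust {
    param([Parameter(Mandatory = $true)][string]$ServerFqdn, [int]$Port = 443)
    # Open a TLS connection and let .NET validate the chain against the trusted
    # roots of the current (service) account. AuthenticateAsClient throws when
    # the CA is not trusted or the name does not match.
    $tcp = New-Object System.Net.Sockets.TcpClient($ServerFqdn, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($ServerFqdn)
        return $true
    } catch {
        Write-Warning ("TLS trust check failed for {0}: {1}" -f $ServerFqdn, $_.Exception.Message)
        return $false
    } finally {
        $tcp.Close()
    }
}

function Test-LyncRemoteSession {
    param(
        [Parameter(Mandatory = $true)][string]$ServerFqdn,
        [System.Management.Automation.PSCredential]$Credential
    )
    # Lync exposes remote PowerShell at https://<pool FQDN>/OcsPowershell.
    $uri = "https://{0}/OcsPowershell" -f $ServerFqdn
    try {
        $session = New-PSSession -ConnectionUri $uri -Credential $Credential -ErrorAction Stop
        Remove-PSSession $session
        return $true
    } catch {
        Write-Warning ("Remote session to {0} failed: {1}" -f $uri, $_.Exception.Message)
        return $false
    }
}

# Usage: collect all checks in one report.
$fqdn   = 'lyncpool.contoso.com'
$cred   = Get-Credential        # the adapter's Lync-capable account
$report = Test-PowerShellPrereqs
$report['CaTrusted']     = Test-LyncServerTrust -ServerFqdn $fqdn
$report['RemoteSession'] = Test-LyncRemoteSession -ServerFqdn $fqdn -Credential $cred
$report.GetEnumerator() | Sort-Object Name | ForEach-Object { "{0,-14} {1}" -f $_.Name, $_.Value }
```

If CaTrusted is False while the same check succeeds under your own account, the CA certificate was imported into the wrong store: repeat the mmc steps above choosing Service Account and the adapter service rather than the current user or the local computer.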

 

Note the following value formats when creating an account on Lync 2010/2013; the URI scheme prefix must be included:

SIP address, e.g. sip:abc@test.com

Line URI (telephone number), e.g. tel:+9122222

 

 

The following table lists the Lync account form attributes that the adapter uses, with their data types.

erADLyncSipAdr (String): Specifies the SIP address of the user.

erADLyncenable (Boolean): Specifies whether the Lync account is enabled for the user.

erADLyncRegpool (String): Specifies the registrar pool the user is assigned to.

erADLyncTelephony (Integer): Sets the telephony mode for the user:

1 PC to PC only

2 Audio/video disabled

3 Enterprise voice

4 Remote call control

5 Remote call control only

erADLyncLineUri (String): Specifies the telephone number (line URI) of the user.

erADLyncLineSerUri (String): Specifies the line server URI of the user.

erADLyncConfPolicy (String): Specifies the features and capabilities that can be used in a conference.

erADLyncCvPolicy (String): Specifies the client version policy, which controls which client versions can connect to the Lync Server and whether Lync clients are updated.

erADLyncPnPolicy (String): Specifies the PIN policy, which controls the PIN (Personal Identification Number) that can be used instead of user name and password when PIN authentication is enabled.

erADLyncExacPolicy (String): Specifies the external access policy, which controls whether the user can communicate with federated organizations and public IM providers, and can access the Lync infrastructure from outside the network without a VPN.

erADLyncArchpolicy (String): Specifies the archiving policy, which controls whether internal, external, or both kinds of communications are archived to a SQL database.

erADLyncLocPolicy (String): Specifies the location policy, which contains the settings that define how E9-1-1 is implemented.

erADLyncClntPolicy (String): Specifies client-related settings.

erADLyncDialpPolicy (String): Specifies the dial plan policy of the user.

erADLyncVoicePolicy (String): Specifies calling features that can be enabled or disabled and public switched telephone network (PSTN) usage records.

 

 

Additions to the User Guide

Extended Attributes

 

The adapter supports add, delete, and replace operations on multi-valued string extended attributes. The operation determines whether the values in the request are appended to, removed from, or replace the set of values of the corresponding Active Directory attribute.

See the section “MR052609514 - customer wants to use the extend attribute transformed the name on itim side using the AD 5.0.5 adapter on ITIM 4.6 Server.” under “Configuration Notes” in these Release Notes for how to specify extended attributes in the exschema.txt file.

An extended attribute may map to an Active Directory attribute that the adapter already manages. In that case, a full reconciliation or user lookup returns the values set through the extended attribute for the managed attribute as well, and vice versa, because both correspond to the same attribute in Active Directory.

See “Appendix B. Active Directory Adapter attributes” in the User Guide for the list of adapter attributes and the corresponding Active Directory attribute names that the adapter manages.

 

MR0721117156 - WinAD/WinAD64 adapter: Allow support for Octet String data type in extended attributes. 

 

The adapter now supports Octet String as an extended attribute type. The value is passed as a string and must have an even number of characters. There are no adapter-specific errors for these attributes, but Windows AD error codes may be returned.

 

 

MR0204103013 - AD adapter support for DNWithBinary.

 

Chapter 4. Troubleshooting the Active Directory Adapter errors -> Active Directory Adapter errors

1. Error message: “Value specified is not in the proper format”
Recommended action: Ensure that the value of the DNWithBinary extended attribute has the format B:<char count>:<binary value>:<object DN>.

2. Error message: "Value specified for the attribute does not start with character 'B'."
Recommended action: Ensure that the value specified for the DNWithBinary extended attribute starts with the character 'B'.

3. Error message: "Value given after 'B:' is not correct. Expected value is the total number of Hexadecimal Digit count."
Recommended action: Verify that the value given after B: (<char count>) is the total number of hexadecimal digits in <binary value>. It must not contain alphabetic or special characters.

4. Error message: "Hexadecimal value does not contain the number of characters specified in the character count."
Recommended action: Verify that the count in <char count> equals the number of hexadecimal characters in <binary value>.

5. Error message: "Wrong Digit in Hex String"
Recommended action: Verify that <binary value> contains only hexadecimal characters (0-9 and A-F).

6. Error message: "value is not set on resource due to invalid constraint"
Recommended action: This error occurs when the value violates a constraint associated with the attribute, for example:
1) <object DN> must be the distinguished name of an existing user object.
2) The hexadecimal value has a maximum or minimum number of bits.
Ensure that the specified value does not violate these constraints.

7. Error message: “Hexadecimal value should always contain even number of characters.”
Recommended action: Verify that <binary value> contains an even number of hexadecimal characters.
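The following PowerShell function is an added example, not the adapter's own code. It reproduces the format checks in the table above for the B:<char count>:<binary value>:<object DN> form described under Adapter Version 5.1.6 Features, returning the adapter's error text for the first check that fails, so a value can be validated before it is sent through ITIM. The optional -VerifyDn switch uses Get-ADObject from the ActiveDirectory RSAT module to confirm that the DN exists, which the adapter treats as a constraint (error 6) rather than a format check. The two valid sample values are the ones given in these release notes; the invalid ones are constructed.

```powershell
# Added example (not the adapter's code). -VerifyDn needs the ActiveDirectory
# RSAT module; everything else runs offline.

function Test-DnWithBinaryValue {
    param(
        [Parameter(Mandatory = $true)][string]$Value,
        [switch]$VerifyDn
    )
    # Returns $null when the value is valid, otherwise the adapter-style error text.
    if ($Value -notmatch '^B:([^:]*):([^:]*):(.+)$') {
        if (-not $Value.StartsWith('B')) {
            return "Value specified for the attribute does not start with character 'B'."
        }
        return 'Value specified is not in the proper format'
    }
    $count = $Matches[1]; $hex = $Matches[2]; $dn = $Matches[3]

    # <char count> must be a plain decimal number.
    if ($count -notmatch '^\d+$') {
        return "Value given after 'B:' is not correct. Expected value is the total number of Hexadecimal Digit count."
    }
    # <binary value> may contain only hex digits ...
    if ($hex -notmatch '^[0-9A-Fa-f]*$') {
        return 'Wrong Digit in Hex String'
    }
    # ... an even number of them (whole bytes) ...
    if (($hex.Length % 2) -ne 0) {
        return 'Hexadecimal value should always contain even number of characters.'
    }
    # ... and exactly as many as <char count> announces.
    if ([int]$count -ne $hex.Length) {
        return 'Hexadecimal value does not contain the number of characters specified in the character count.'
    }
    if ($VerifyDn) {
        # Constraint rather than format: the DN must point at an existing object.
        try { Get-ADObject -Identity $dn -ErrorAction Stop | Out-Null }
        catch { return 'value is not set on resource due to invalid constraint' }
    }
    return $null
}

# The two values from the release notes, followed by constructed invalid ones.
$samples = @(
    'B:8:01000000:CN={FCE1E52A-59D1-4FBB-9CB5-2679247F7943},CN=Policies,CN=RTC Service,CN=Services,CN=Configuration,DC=evaluation,DC=test',
    'B:32:df447b5eaa5b11d28d5300c04f79ab81:CN=User01,OU=Testorg,DC=pwdtest,DC=COM',
    'X:8:01000000:CN=User01,DC=pwdtest,DC=COM',   # does not start with B
    'B:8:0100000G:CN=User01,DC=pwdtest,DC=COM',   # non-hex digit
    'B:7:0100000:CN=User01,DC=pwdtest,DC=COM',    # odd number of hex characters
    'B:6:01000000:CN=User01,DC=pwdtest,DC=COM',   # count disagrees with hex length
    'B:x:01000000:CN=User01,DC=pwdtest,DC=COM'    # count is not a number
)
foreach ($v in $samples) {
    $err = Test-DnWithBinaryValue -Value $v
    "{0,-8} {1}" -f $(if ($err) { 'INVALID' } else { 'OK' }), $(if ($err) { $err } else { $v })
}
```

The checks are ordered so that a value fails for the most specific reason first; the adapter's own ordering may differ, so treat the returned message as a hint about which part of the value to fix rather than as the exact string the adapter would log.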

 

    

MR090210587 - Support for Exchange Unified Messaging management

 

 

Chapter 4. Troubleshooting the Active Directory Adapter errors -> Active Directory Adapter errors

1. Error message: “Attribute can be set only if Mailbox is enabled for Unified Messaging. To enable Unified Messaging both values UMMailbox Policy and UM Addresses(Extensions) are required”
Recommended action: Ensure that valid values for both UM Mailbox Policy and UM Addresses (Extensions) are specified in the request when enabling a user for Unified Messaging.

2. Error message: “Attribute Operation Type is not supported.”
Recommended action: Ensure that the value specified for UM Addresses (Extensions) does not use operation type MODIFY.

3. Error message: "Attribute cannot be set. Mailbox is Disabled for Unified Messaging."
Recommended action: Ensure that the request does not contain Unified Messaging attributes with operation type ADD or MODIFY while disabling the user's mailbox for Unified Messaging.

4. Error message: "Attribute cannot be set. Error occurred While trying to Disable MailBox for Unified Messaging."
Recommended action: This error occurs when disabling Unified Messaging fails and the request contains the UM Addresses (Extensions) attribute with operation type ADD or MODIFY.

5. Error message: "Attribute cannot be delete. Error occurred While trying to Disable MailBox for Unified Messaging."
Recommended action: This error occurs when disabling Unified Messaging fails and the request contains the UM Addresses (Extensions) attribute with operation type DELETE.

 


 

Corrections to the User Guide

 

Chapter 4. Group management tasks -> Defining groups on Active Directory -> Specifying support data attributes on the group form -> Member Of attribute -> Table 10. Group membership details

The following table lists, for each group type and scope, which groups can and cannot be members of that group.

Distribution group, Universal scope
Groups that can be members: Security Group - Universal; Security Group - Global; Distribution Group - Universal; Distribution Group - Global
Groups that cannot be members: Security Group - Domain Local; Distribution Group - Domain Local

Distribution group, Global scope
Groups that can be members: Security Group - Global; Distribution Group - Global
Groups that cannot be members: Security Group - Universal; Security Group - Domain Local; Distribution Group - Universal; Distribution Group - Domain Local

Distribution group, Domain Local scope
All group types and scopes can be members of this group.

Security group, Universal scope
Groups that can be members: Security Group - Universal; Security Group - Global; Distribution Group - Universal; Distribution Group - Global
Groups that cannot be members: Security Group - Domain Local; Distribution Group - Domain Local

Security group, Global scope
Groups that can be members: Security Group - Global; Distribution Group - Global
Groups that cannot be members: Security Group - Universal; Security Group - Domain Local; Distribution Group - Universal; Distribution Group - Domain Local

Security group, Domain Local scope
All group types and scopes can be members of this group.

The following table lists, for each group type and scope, the groups of which that group can and cannot be a member.

Distribution group, Universal scope
Can be a member of: Security Group - Domain Local; Security Group - Universal; Distribution Group - Domain Local; Distribution Group - Universal
Cannot be a member of: Security Group - Global; Distribution Group - Global

Distribution group, Global scope
Can be a member of all group types and scopes.

Distribution group, Domain Local scope
Can be a member of: Security Group - Domain Local; Distribution Group - Domain Local
Cannot be a member of: Security Group - Global; Security Group - Universal; Distribution Group - Global; Distribution Group - Universal

Security group, Universal scope
Can be a member of: Security Group - Domain Local; Security Group - Universal; Distribution Group - Domain Local; Distribution Group - Universal
Cannot be a member of: Security Group - Global; Distribution Group - Global

Security group, Global scope
Can be a member of all group types and scopes.

Security group, Domain Local scope
Can be a member of: Security Group - Domain Local; Distribution Group - Domain Local
Cannot be a member of: Security Group - Global; Security Group - Universal; Distribution Group - Global; Distribution Group - Universal

Chapter 3. Active Directory Adapter user account management tasks-> Modifying user accounts-> Clearing the mail status of a user account

 

Enabling a user account for mail sets the Exchange attributes in Active Directory. When you disable a user account for mail, Active Directory clears the Exchange attributes for that user account.

To disable a user account for mail, clear the value of the Mailbox Store attribute (for a Mailbox-enabled user account) or the Target Address attribute (for a Mail-enabled user account) on the account form.

To clear the Exchange attributes on IBM Tivoli Identity Manager, perform one of the following:

·        Perform a filter reconciliation.

·        Add all the Exchange attributes to the mail status clear request by using the adapter's provisioning policy. For example, to clear the Exchange attributes of a user account, set the value of the Exchange attributes to NULL in the adapter's provisioning policy.

When the mailbox for a user account is disabled, creating another mailbox for the same user account with the same alias creates a new mailbox. The adapter does not permanently delete the mailbox from the Exchange server; a deleted mailbox is flagged as disconnected by the Exchange server.

By default, the Exchange server preserves the deleted mailbox for a specific duration, which an administrator can configure.

You can connect the disconnected mailbox to a user account. The name of the mailbox is changed to match the user account name. For more information about connecting a disconnected mailbox to a user account, see the configuration notes for "Disable Mailbox Support for Exchange Server 2007 and Later" in these Release Notes.

 

Chapter 3. Active Directory Adapter user account management tasks-> Suspending user accounts

 

When you suspend a user account, the status of the user account on IBM Tivoli Identity Manager Server becomes inactive, and the user account becomes unavailable for use. Suspending a user account does not remove the user account from IBM Tivoli Identity Manager Server. For more information about suspending user accounts, see the IBM Tivoli Identity Manager Information Center.

 

When you suspend a user account from IBM Tivoli Identity Manager, the Active Directory Adapter sets the property flag ACCOUNTDISABLE of the userAccountControl attribute on the Active Directory. For more information about property flags of the userAccountControl attribute, see the Microsoft Windows

Server documentation.

 

When you suspend a user account from IBM Tivoli Identity Manager, the adapter also suspends the user’s mailbox (Disable\Disconnect User mailbox). The adapter suspends the user mailbox only if the user account is enabled for a mailbox and the adapter registry key “DisableMailboxOnSuspend” is set to TRUE. If “DisableMailboxOnSuspend” is set to FALSE, the adapter does not disable the user mailbox but only suspends the user account. The suspended (Disable\Disconnected) user mailbox can be reconnected through the IBM Tivoli Identity Manager Server account form. For more information about Disable mailbox, see the configuration notes for "Disable Mailbox Support for Exchange Server 2007 and Later" in Release Notes.
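
The suspend operation above comes down to one bit in userAccountControl. The following PowerShell is an added example, not adapter code: it decodes the well-known userAccountControl flag values, applies the ACCOUNTDISABLE bit the way the adapter does on suspend and clears it on restore, and audits a few constructed sample accounts (hypothetical names and values) for the suspended state. It runs offline; no directory is queried.

```powershell
# Added example (not adapter code): decode the userAccountControl bit mask the
# adapter manipulates when it suspends or restores an account, and audit a set
# of constructed sample accounts for the suspended (ACCOUNTDISABLE) state.

# Well-known userAccountControl flag values from the Microsoft documentation.
$UacFlags = [ordered]@{
    SCRIPT               = 0x0001
    ACCOUNTDISABLE       = 0x0002
    LOCKOUT              = 0x0010
    PASSWD_NOTREQD       = 0x0020
    PASSWD_CANT_CHANGE   = 0x0040
    NORMAL_ACCOUNT       = 0x0200
    DONT_EXPIRE_PASSWORD = 0x10000
    SMARTCARD_REQUIRED   = 0x40000
    PASSWORD_EXPIRED     = 0x800000
}

function ConvertFrom-UserAccountControl {
    param([Parameter(Mandatory)][int]$Value)
    # Return the names of every flag that is set in $Value.
    $UacFlags.Keys | Where-Object { ($Value -band $UacFlags[$_]) -ne 0 }
}

function Set-AccountSuspended {
    param([Parameter(Mandatory)][int]$Value, [switch]$Restore)
    # Suspend sets ACCOUNTDISABLE; restore clears it. All other bits are preserved.
    if ($Restore) { $Value -band (-bnot $UacFlags.ACCOUNTDISABLE) }
    else          { $Value -bor  $UacFlags.ACCOUNTDISABLE }
}

# Constructed sample accounts (hypothetical names and values, not real data).
$sampleAccounts = @(
    [pscustomobject]@{ SamAccountName = 'thomas1'; userAccountControl = 0x200   }   # normal, enabled
    [pscustomobject]@{ SamAccountName = 'nancy2';  userAccountControl = 0x202   }   # normal, suspended
    [pscustomobject]@{ SamAccountName = 'svc-app'; userAccountControl = 0x10200 }   # password never expires
)

# Audit: report which sample accounts carry the ACCOUNTDISABLE bit.
foreach ($acct in $sampleAccounts) {
    $flags = ConvertFrom-UserAccountControl -Value $acct.userAccountControl
    $state = if ($flags -contains 'ACCOUNTDISABLE') { 'SUSPENDED' } else { 'active' }
    '{0,-10} 0x{1:X6} {2,-10} {3}' -f $acct.SamAccountName, $acct.userAccountControl, $state, ($flags -join ',')
}

# Simulate the adapter's suspend followed by a restore on an enabled account.
$suspended = Set-AccountSuspended -Value 0x200
$restored  = Set-AccountSuspended -Value $suspended -Restore
'after suspend: 0x{0:X}  after restore: 0x{1:X}' -f $suspended, $restored
```

Because the adapter only touches the ACCOUNTDISABLE bit, a reconciliation that compares userAccountControl before and after a suspend should show a difference of exactly 0x2; any other bit changing points at something other than the adapter.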

 

 

Chapter 3. Active Directory Adapter user account management tasks-> Deleting user accounts

 

Use the deprovision feature of IBM Tivoli Identity Manager to delete user accounts. For more information about deleting user accounts, see the IBM Tivoli Identity Manager Information Center.

 

When you deprovision a user account from IBM Tivoli Identity Manager, the Active Directory Adapter:

·        Deletes the user account from the Active Directory.

·        Disables the mailbox of the user account on the Exchange server, if the user account is enabled for a mailbox.

·        Removes the membership of the user account from the groups that the user account is a member of.

·        Deletes the home directory of the user account, if the value of the delUNCHomeDirOnDeprovision registry is TRUE.

·        Deletes the profile of the user account, if the value of the delRoamingProfileOnDeprovision is TRUE.

·        Deletes the WTS home directory of the user account, if the values of the delUNCHomeDirOnDeprovision and the WtsEnabled registry keys are TRUE.

·        Deletes the WTS profile of the user account, if the values of the delRoamingProfileOnDeprovision and the WtsEnabled registry keys are TRUE.

 

Note: The Active Directory Adapter does not support the deletion of local home directories and user mailboxes.

 

Chapter 3. Active Directory Adapter user account management tasks-> Adding user accounts-> Enabling a user account for mail

 

There can be two types of Active Directory user accounts:

 

Mail-enabled

An account that has an e-mail address associated with it, but has no mailbox on the Exchange server.

 

A mail-enabled user can send and receive e-mail using another messaging system. If you send messages to a mail-enabled user account, then these messages pass through the Exchange server, and are forwarded to an external e-mail ID of that user account. For example, Thomas is an employee of company1, with a mailbox on the Exchange server of company1, and an e-mail ID thomas1@company1.com. Company2 takes over company1. The employees of company1 have mail-enabled user accounts in the domain of company2. The new e-mail ID of Thomas is thomas1@company2.com.

 

Therefore, Thomas can send and receive mail with the new e-mail ID, but the mailbox for Thomas is not on the Exchange server of company2. It is on the Exchange server of company1.

 

 Mailbox-enabled

An account that has a mailbox on the Exchange server. A mailbox-enabled user can send and receive messages, and store messages on the Exchange server mailboxes.

 

To create a mail-enabled user account, you must specify a value for the Target Address attribute on the Active Directory account form.

 

To create a mailbox-enabled user account on Exchange 2007, you must specify a value for the Mailbox Store attribute on the Active Directory account form.

 

To create a mailbox-enabled user account on Exchange 2010, specifying a value for the Mailbox Store attribute on the Active Directory account form is optional. If the value is not specified, the Windows Active Directory Adapter uses the Default Mailbox feature of Exchange 2010 and creates a default mailbox for that user. After the default mailbox is created, you must perform a user lookup to see the value of the default mailbox on ITIM under the Mailbox Store attribute.

 

You can also create a mailbox-enabled user account by connecting the disconnected mailbox to a user account. The name of the mailbox is changed according to the user account name. For more information about connecting a disconnected mailbox to a user account, see the configuration notes for "Disable Mailbox Support for Exchange Server 2007 and Later" in Release Notes.

 

Note: The 64-bit adapter cannot create mailboxes on Exchange 2003 servers. The adapter can move Exchange 2007 mailboxes to Exchange 2003 servers so that Exchange 2003 mailbox stores are available as supporting data when selecting a mailbox store on the Active Directory account form. However, you cannot use Exchange 2003 mailbox stores when creating a new mailbox.

 

The Exchange server uses the value of the Alias attribute to generate an e-mail ID for a user account. If you do not specify a value for the Alias attribute, the Exchange server uses the value of the User Principal Name attribute as the default alias. For example, for a user account thomas with the user principal name thomasd@ibm.com, the Exchange server uses the value thomasd as the alias. If the value of the Alias attribute of another user account matches an existing alias, then the Exchange server appends a number to the e-mail ID of the other user account. For example, a user account Thomas with alias thomas1 exists on the Active Directory. The e-mail ID of Thomas is thomas1@ibm.com. If you create another user account Nancy with alias thomas1, then the Exchange server generates the e-mail ID thomas12@ibm.com for Nancy.

 

Note: If you specify both the attributes, Mailbox Store and Target Address, then the Active Directory Adapter gives an error.
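
The two rules in this section (Mailbox Store and Target Address are mutually exclusive, and the alias defaults to the user-principal-name prefix with a number appended on collision) can be checked before a request reaches the adapter. The following PowerShell is an added example, not adapter code. The collision handling generalises the page's single thomas1 to thomas12 example by appending 2, 3, ... until the alias is unique; that sequence is an assumption, and the directory state and form inputs are constructed.

```powershell
# Added example (not adapter code): model the account-form rules for
# mail-enabling a user: Target Address and Mailbox Store are mutually
# exclusive, and the Exchange alias defaults to the UPN prefix with a
# numeric suffix when the alias is already taken.

function Get-MailEnableMode {
    param(
        [string]$TargetAddress,   # set for a mail-enabled account
        [string]$MailboxStore     # set for a mailbox-enabled account
    )
    $hasTarget = -not [string]::IsNullOrWhiteSpace($TargetAddress)
    $hasStore  = -not [string]::IsNullOrWhiteSpace($MailboxStore)
    if ($hasTarget -and $hasStore) {
        throw 'Mailbox Store and Target Address cannot both be set on the account form.'
    }
    if ($hasTarget) { return 'MailEnabled' }
    if ($hasStore)  { return 'MailboxEnabled' }
    return 'NotMailEnabled'
}

function Get-DefaultAlias {
    param(
        [string]$Alias,                                    # explicit Alias attribute, may be empty
        [Parameter(Mandatory)][string]$UserPrincipalName,  # e.g. thomasd@ibm.com
        [string[]]$ExistingAliases = @()                   # aliases already present in the directory
    )
    # The default alias is the UPN prefix when no alias is supplied.
    $candidate = if ([string]::IsNullOrWhiteSpace($Alias)) { ($UserPrincipalName -split '@')[0] } else { $Alias }
    # Assumption generalised from the page's thomas1 -> thomas12 example:
    # on collision append 2, then 3, ... until the alias is unique.
    $n = 2
    $unique = $candidate
    while ($ExistingAliases -contains $unique) {
        $unique = "$candidate$n"
        $n++
    }
    return $unique
}

# Constructed sample directory state (hypothetical aliases already in use).
$existing = @('thomas1', 'thomas12')

# Mail-enabled: only Target Address is set.
Get-MailEnableMode -TargetAddress 'SMTP:thomas1@company1.com'
# Mailbox-enabled: only Mailbox Store is set.
Get-MailEnableMode -MailboxStore 'MailboxDatabase01'
# Both set: rejected, as the adapter would reject it.
try   { Get-MailEnableMode -TargetAddress 'SMTP:x@y.com' -MailboxStore 'DB01' }
catch { "rejected: $($_.Exception.Message)" }

# No alias given: derived from the UPN prefix.
Get-DefaultAlias -UserPrincipalName 'thomasd@ibm.com' -ExistingAliases $existing
# Alias collides twice with existing entries: next free suffix is used.
Get-DefaultAlias -Alias 'thomas1' -UserPrincipalName 'nancy@ibm.com' -ExistingAliases $existing
```

Running the alias derivation against a reconciled list of existing aliases before provisioning lets an operator predict the e-mail ID a new account will receive, instead of discovering an unexpected suffix after the mailbox exists.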

Section "Specifying controls for a user account" of the User Guide.

The "Force Password Change" check box is documented incorrectly in section "Specifying controls for a user account" of the User Guide.

It should be as follows: "If you select the Force Password Change check box, then the adapter sets the value of the pwdLastSet attribute to 0. If you do not select the Force Password Change check box, then the adapter sets the value of the pwdLastSet attribute to -1".

 

 

Chapter 6 - Configuring the adapter for IBM Security Identity Manager

 

Under the section “Adding search attributes for event notification”, these attributes are now supported by the service interface:

 

erADPreferredExchangeServers

erADPreferredExchangeServersOnly

erADPreferredLyncServers

erADPreferredLyncServersOnly

 

Table 20. Attributes, descriptions, and corresponding data types

 

These items should be added to the table of attributes

 

Directory server attribute         Description                                          Data type

erADPreferredExchangeServers       Comma separated list of Exchange server host names   string

erADPreferredExchangeServersOnly   Flag to force using preferred servers only           string

erADPreferredLyncServers           Comma separated list of Lync server host names       string

erADPreferredLyncServersOnly       Flag to force using preferred servers only           string

 

Table 7. Options for the DAML protocol menu

A new option L should be included in the table of DAML protocol options.

 

Displays the following prompt:

 

Modify Property ‘DISABLE_SSLV3’:

 

SSLv3 is now considered an insecure protocol and is disabled by default.  To enable SSLv3, set this value to FALSE.  If this value does not exist or is anything other than FALSE, the SSLv3 protocol is disabled when SSL is used.

 

Chapter 7

 

The section “Modifying protocol configuration settings” should add this section for setting the SSL cipher list.

 

Setting the Cipher list

The DAML protocol now checks for an environment variable called "ISIM_ADAPTER_CIPHER_LIST".  This variable can contain a list of ciphers for the SSL protocol.  DAML uses the OpenSSL library to support SSL, and this cipher string is passed to OpenSSL during initialization.  The cipher names and the syntax can be found on the OpenSSL web site ( https://www.openssl.org/docs/apps/ciphers.html ).  When this string is used, initialization fails only if none of the ciphers can be loaded; it is considered successful if at least one of the ciphers is loaded.

 


 

Customizing or Extending Adapter Features

The Identity Manager adapters can be customized and/or extended. The type and method of this customization may vary from adapter to adapter.

 

Getting Started

Customizing and extending adapters requires a number of additional skills. The developer must be familiar with the following concepts and skills prior to beginning the modifications:

 

 

Note:  This adapter supports customization both through the use of pre-Exec and post-Exec scripting and schema extensions using the extshema.txt file.

 

 

Tivoli Identity Manager Resources:

Check the “Learn” section of the Tivoli Identity Manager Support web site for links to training, publications, and demos.

 

Support for Customized Adapters

The integration to the Identity Manager server – the adapter framework – is supported. However, IBM does not support the customizations, scripts, or other modifications. If you experience a problem with a customized adapter, IBM Support may require the problem to be demonstrated on the GA version of the adapter before a PMR is opened.

 

Troubleshooting

Log Output From Exchange and Lync powershell calls

The adapter uses a remote PowerShell session to communicate with Exchange and Lync servers.  This code runs as a pair of COM servers in the .NET environment, so it does not have access to the adapter logging functions.  However, there are messages that are output to the console.  To see these log messages, you must run the adapter in console mode by running the adapter directly from the command line and specifying -console as a command line option.  This causes all of the adapter logging, as well as any output from the Exchange and Lync modules, to be output to the console.  To capture the logging to a file, redirect the output of the adapter to a file.  For example:

 

>ADAgent.exe -console > adagent.log
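
A launcher that combines the two settings from the sections above, the ISIM_ADAPTER_CIPHER_LIST variable for the DAML protocol and console-mode logging, as an added example that is not part of the adapter. The install path and the cipher string are assumptions (a hypothetical location and an illustrative OpenSSL cipher list); substitute your own. One point the one-line redirect above does not cover: `>` captures standard output only, so the script redirects standard error as well.

```powershell
# Added example (not part of the adapter): start the adapter in console mode
# with a pinned SSL cipher list and capture everything it writes to log files.
# Assumptions: the adapter binary is ADAgent.exe in $AdapterDir (hypothetical
# path), and the cipher string is only an illustration of OpenSSL syntax.

param(
    [string]$AdapterDir = 'C:\Program Files\IBM\ISIM\Agents\ADAgent\bin',   # hypothetical install path
    [string]$CipherList = 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256'
)

# ISIM_ADAPTER_CIPHER_LIST is read by the DAML protocol at start-up. Setting it
# on the process environment applies only to this launch; to make it permanent
# for the adapter service use
# [Environment]::SetEnvironmentVariable('ISIM_ADAPTER_CIPHER_LIST', $CipherList, 'Machine')
$env:ISIM_ADAPTER_CIPHER_LIST = $CipherList

$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$outLog  = Join-Path $AdapterDir "adagent-$stamp.log"
$errLog  = Join-Path $AdapterDir "adagent-$stamp.err.log"

# The release notes redirect with '>' which captures standard output only.
# Start-Process with both redirects also captures anything the Exchange and
# Lync modules write to standard error. The two targets must be different files.
$proc = Start-Process -FilePath (Join-Path $AdapterDir 'ADAgent.exe') `
    -ArgumentList '-console' `
    -WorkingDirectory $AdapterDir `
    -RedirectStandardOutput $outLog `
    -RedirectStandardError  $errLog `
    -NoNewWindow -PassThru

"Adapter started (PID $($proc.Id)); console log: $outLog; errors: $errLog"
```

Run it from an elevated PowerShell prompt on the adapter host while the adapter service is stopped, so that only the console instance is listening on the DAML port.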

 

Exchange connection issues

The adapter uses remote PowerShell sessions to manage Exchange servers.  If the adapter has issues connecting to the servers, you can manually run the PowerShell cmdlets that the adapter uses to troubleshoot the connection errors.

 

Use this command to create a new session on the remote server.  Replace <hostAddr> with the actual hostname or IP of the Exchange server.

 

PS>$mySession = New-PSSession -configurationname Microsoft.Exchange -connectionuri http://<hostAddr>/Powershell -authentication Kerberos

 

Use this command to import the remote session into your local session.  If this is successful, you should be able to run any Exchange cmdlets as if you were on the Exchange server.

PS>import-pssession $mySession
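
The two commands above, wrapped in a script that runs them in order, stops at the first failing step and always removes the session afterwards, as an added example that is not adapter code. The hostname is a placeholder you supply on the command line; the read-only Get-Mailbox call at the end is an assumption chosen only to confirm that the imported cmdlets actually reach the server.

```powershell
# Added example (not adapter code): run the same connection steps the adapter
# uses, in order, and stop at the first one that fails so the failing layer
# (WinRM reachability, Kerberos session creation, or cmdlet import) is clear.
# Usage: .\Test-ExchangeRemoting.ps1 -HostAddr <hostAddr>

param([Parameter(Mandatory)][string]$HostAddr)   # Exchange server hostname or IP (placeholder)

$session = $null
try {
    # 1. Is WinRM listening and answering on the Exchange host?
    Test-WSMan -ComputerName $HostAddr -ErrorAction Stop | Out-Null
    "WinRM reachable on $HostAddr"

    # 2. Create the Exchange remoting session exactly as the adapter does.
    $session = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri "http://$HostAddr/PowerShell" `
        -Authentication Kerberos -ErrorAction Stop
    "Session created: $($session.Name) state=$($session.State)"

    # 3. Import the cmdlets and run a harmless read to confirm the proxy works.
    Import-PSSession $session -DisableNameChecking -ErrorAction Stop | Out-Null
    $mbx = Get-Mailbox -ResultSize 1 -ErrorAction Stop
    "Exchange cmdlets imported; sample mailbox alias: $($mbx.Alias)"
}
catch {
    # Which step failed tells you where to look:
    #   Test-WSMan            -> firewall, WinRM service, DNS
    #   New-PSSession         -> Kerberos (SPN, clock skew) or the PowerShell virtual directory
    #   Import / Get-Mailbox  -> Exchange RBAC rights of the account running the adapter
    "FAILED: $($_.Exception.Message)"
}
finally {
    # Always tear the session down; orphaned sessions count against the
    # per-user remoting limits on the Exchange server.
    if ($session) { Remove-PSSession $session }
}
```

Run it under the same Windows account that the adapter service uses; a session that works for an administrator but fails for the service account is a rights problem on the Exchange side, not a connectivity problem.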


 

Supported Configurations

Installation Platform

The IBM Tivoli Identity Manager Adapter is built and tested on the following product versions.

 

Adapter Installation Platform: 

Windows 2008              Standard Edition 64-bit

Windows 2008              Enterprise Edition 64-bit

 

Windows 2008 R2         Enterprise Edition 64-bit

Windows 2008 R2         Core Enterprise 64-bit

 

Windows Server 2012

Windows Server 2012 R2

 

 

Managed Resource:

Active Directory on Windows 2008 Standard or Enterprise Edition 64-bit OS

Active Directory on Windows 2008 R2 Core Enterprise Edition 64-bit OS

Active Directory on Windows 2008 R2 Enterprise Edition 64-bit OS

Active Directory on Windows Server 2012

Active Directory on Windows Server 2012 R2

 

With optional:

Exchange Server 2010

Exchange Server 2013

Exchange Server 2016

Lync server 2010

Lync server 2013

Skype For Business 2015

 

 

NOTE:  Support for Exchange and Lync is provided via .NET modules.  They require .NET 2.0 support to run, which .NET version 4.0 does not provide.  You need .NET 3.5 or earlier.

 

IBM Tivoli Identity Manager:

Identity Manager v5.1

 


Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing

IBM Corporation

North Castle Drive

Armonk, NY  10504-1785  U.S.A.

 

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

 

IBM World Trade Asia Corporation

Licensing

2-31 Roppongi 3-chome, Minato-ku

Tokyo 106-0032, Japan

 

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

 

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

 

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

 

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

 

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged should contact:

 

IBM Corporation

2ZA4/101

11400 Burnet Road

Austin, TX 78758  U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

 

The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.

 

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

 

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

Trademarks

The following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both:

IBM
IBM logo
Tivoli

Adobe, Acrobat, Portable Document Format (PDF), and PostScript are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.

 

Cell Broadband Engine and Cell/B.E. are trademarks of Sony Computer Entertainment, Inc., in the United States, other countries, or both and are used under license therefrom.

 

 

Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

 

 

Microsoft, Windows, Windows NT®, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

 

Intel®, Intel logo, Intel Inside®, Intel Inside logo, Intel Centrino™, Intel Centrino logo, Celeron®, Intel Xeon™, Intel SpeedStep®, Itanium®, and Pentium® are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

 

UNIX is a registered trademark of The Open Group in the United States and other countries.

 

Linux is a trademark of Linus Torvalds in the U.S., other countries, or both.

 

ITIL® is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.

 

IT Infrastructure Library® is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.

 

Other company, product, and service names may be trademarks or service marks of others.


 

End of Release Notes