Tivoli Identity Manager Version 5 Active Directory Adapter User's Guide SC23-6176-00
Note: Before using this information and the product it supports, read the information in Appendix F, Notices, on page 57.

This edition applies to version 5 of this adapter and to all subsequent releases and modifications until otherwise indicated in new editions.

Copyright International Business Machines Corporation 2007. All rights reserved. US Government Users Restricted Rights: Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Preface

About this book

This user's guide provides information that you need to manage user accounts on the Active Directory using the IBM Tivoli Identity Manager. This book describes user account management tasks, such as reconciliation, add, modify, suspend, restore, delete, and password change.

Intended audience for this book

This book is intended for the Active Directory administrators responsible for managing user accounts on the Active Directory server. Readers are expected to understand the account management tasks in Tivoli Identity Manager. Readers must also be familiar with the routine security administration tasks and operating system concepts.

Publications and related information

This section lists publications in the Active Directory Adapter library and related documents. The section also describes how to access Tivoli publications online and how to order Tivoli publications.

Read the descriptions of the Tivoli Identity Manager library. To determine which additional publications you might find helpful, read the Prerequisite product publications on page v and the Related publications on page vi. After you determine the publications you need, refer to the instructions in Accessing publications online on page vii.

Tivoli Identity Manager library

The publications in the technical documentation library for your product are organized into the following categories:
- Release information
- Online user assistance
- Server installation and configuration
- Problem determination
- Technical supplements
- Adapter documentation

Release information:
- Release Notes: Provides software and hardware requirements for the product, additional fix pack, and other support information.
- Read This First card: Lists the publications for the product.

Online user assistance: Provides online help topics and an information center for administrative tasks.

Server installation and configuration: Provides installation and configuration information for the product server.

Problem determination: Provides problem determination, logging, and message information for the product.

Technical supplements: The following technical supplements are provided by developers or by other groups who are interested in this product:
- Performance and tuning information: Provides information needed to tune your production environment, available on the Web at: http://publib.boulder.ibm.com/tividd/td/tdprodlist.html Click the I character in the A-Z product list to locate Tivoli Identity Manager products. Click the link for your product, and then browse the information center for the Technical Supplements section.
- Redbooks and white papers are available on the Web at: http://www.ibm.com/software/sysmgmt/products/support/IBMTivoliIdentityManager.html Navigate to the Self Help section, in the Learn category, and click the Redbooks link.
- Technotes are available on the Web at: http://www.redbooks.ibm.com/redbooks.nsf/tips/
- Field guides are available on the Web at: http://www.ibm.com/software/sysmgmt/products/support/field_guides.html
- For an extended list of other Tivoli Identity Manager resources, search the following IBM developerWorks Web address: http://www.ibm.com/developerworks/

Adapter documentation: The technical documentation library also includes a set of platform-specific documents for the adapter components of the product. Adapter information is available on the Web at: http://publib.boulder.ibm.com/tividd/td/tdprodlist.html Click the I character in the A-Z product list to locate IBM Tivoli Identity Manager products. Click the link for your product, and then browse the information center for the adapter information that you want.

Skills and training: The following additional skills and technical training information were available at the time that this manual was published:
- Virtual Skills Center for Tivoli Software on the Web at: http://www.cgselearning.com/tivoliskills/
- Tivoli Education Software Training Roadmaps on the Web at: http://www.ibm.com/software/tivoli/education/eduroad_prod.html
- Tivoli Technical Exchange on the Web at: http://www.ibm.com/software/sysmgmt/products/support/supp_tech_exch.html

Prerequisite product publications

To use the information in this book effectively, you must have knowledge of the products that are prerequisites for your product. Publications are available from the following locations:

Active Directory
- Microsoft Windows 2000 Server running Active Directory: http://www.microsoft.com/windows2000/en/server/help/
- Microsoft Windows 2003 Server running Active Directory: http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/default.asp
- Microsoft Windows XP Server running Active Directory: http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prcf_omn_gjj.asp

Operating systems
- z/OS: http://www-1.ibm.com/servers/eserver/zseries/zos/
- IBM AIX: http://publib16.boulder.ibm.com/pseries/ja_jp/infocenter/base/index.htm
- Solaris Operating Environment: http://docs.sun.com/app/docs/prod/solaris
- Red Hat Linux: http://www.redhat.com/docs/
- Microsoft Windows Server 2003: http://www.microsoft.com/windowsserver2003/proddoc/default.mspx

Database servers
- IBM DB2 Universal Database
  - Support: http://www.ibm.com/software/data/db2/udb/support.html
  - Information center: http://publib.boulder.ibm.com/infocenter/db2help/index.jsp
  - Documentation: http://www.ibm.com/cgi-bin/db2www/data/db2/udb/winos2unix/support/v8pubs.d2w/en_main
  - DB2 product family: http://www.ibm.com/software/data/db2
  - Fix packs: http://www.ibm.com/software/data/db2/udb/support/downloadv8.html
  - System requirements: http://www.ibm.com/software/data/db2/udb/sysreqs.html
- Oracle: http://www.oracle.com/technology/documentation/index.html, http://otn.oracle.com/tech/index.html, http://otn.oracle.com/tech/linux/index.html
- Microsoft SQL Server: http://www.msdn.com/library/, http://www.microsoft.com/sql/

Directory server applications
- IBM Directory Server: http://publib.boulder.ibm.com/tividd/td/ibmds/idsapinst52/en_us/html/ldapinst.htm, http://www.ibm.com/software/network/directory
- Sun ONE Directory Server: http://docs.sun.com/app/docs/coll/s1_directoryserver_52

WebSphere: Additional information is available in the product directory or Web sites: http://publib.boulder.ibm.com/infocenter/ws51help/index.jsp, http://www.redbooks.ibm.com/

WebLogic Server: http://e-docs.bea.com/

WebSphere embedded messaging: http://www.ibm.com/software/integration/wmq/

IBM HTTP Server: http://www.ibm.com/software/webservers/httpservers/library.html

Web Proxy Server
- IBM HTTP Server: http://www.ibm.com/software/webservers/httpservers/library.html
- Microsoft IIS HTTP Server: http://www.microsoft.com/technet/prodtechnol/iis/default.asp
- Apache HTTP Server: http://httpd.apache.org/docs-project/

Related publications

Information that is related to your product is available in the following publications:
- The Tivoli Software Library provides a variety of Tivoli publications such as white papers, datasheets, demonstrations, redbooks, and announcement letters. The Tivoli Software Library is available on the Web at: http://www.ibm.com/software/tivoli/literature/
- The Tivoli Software Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Software Glossary is available from the Glossary link of the Tivoli Software Library Web page at: http://publib.boulder.ibm.com/tividd/glossary/tivoliglossarymst.htm

Accessing terminology online

The Tivoli Software Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Software Glossary is available at the following Tivoli software library Web site: http://publib.boulder.ibm.com/tividd/glossary/tivoliglossarymst.htm

The IBM Terminology Web site consolidates the terminology from IBM product libraries in one convenient location. You can access the Terminology Web site at the following Web address: http://www.ibm.com/software/globalization/terminology

Accessing publications online

IBM posts publications for this and all other Tivoli products, as they become available and whenever they are updated, to the Tivoli software information center Web site. Access the Tivoli software information center at the following Web address: http://publib.boulder.ibm.com/tividd/td/tdprodlist.html Click the I character in the A-Z list, and then click the link for your product to access the product library.

Note: If you print PDF documents on other than letter-sized paper, set the option in the File Print window that allows Adobe Reader to print letter-sized pages on your paper.

Ordering publications

You can order many Tivoli publications online at http://www.elink.ibmlink.ibm.com/public/applications/publications/cgibin/pbi.cgi. You can also order by telephone by calling one of these numbers:
- In the United States: 800-879-2755
- In Canada: 800-426-4968

In other countries, contact your software account representative to order Tivoli publications. To locate the telephone number of your local representative, perform the following steps:
1. Go to http://www.elink.ibmlink.ibm.com/public/applications/publications/cgibin/pbi.cgi.
2. Select your country from the list and click Go.
3. Click About this site in the main panel to see an information page that includes the telephone number of your local representative.

Accessibility

Accessibility features help users with a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You can also use the keyboard instead of the mouse to operate all features of the graphical user interface. For additional information, see Appendix D, Accessibility features for the Active Directory Adapter, on page 51.

Tivoli technical training

For Tivoli technical training information, refer to the following IBM Tivoli Education Web site at http://www.ibm.com/software/tivoli/education.

Support information

If you have a problem with your IBM software, you want to resolve it quickly. IBM provides the following ways for you to obtain the support you need:
- Searching knowledge bases: You can search across a large collection of known problems and workarounds, Technotes, and other information.
- Contacting IBM Software Support: If you still cannot solve your problem, and you need to work with someone from IBM, you can use a variety of ways to contact IBM Software Support.

For more information about these ways to resolve problems, see Appendix E, Support information, on page 53.

Conventions used in this book

This reference uses several conventions for special terms and actions and for operating system-dependent commands and paths.

Typeface conventions

This guide uses the following typeface conventions:

Bold
- Lowercase commands and mixed case commands that are otherwise difficult to distinguish from surrounding text
- Interface controls (check boxes, push buttons, radio buttons, spin buttons, fields, folders, icons, list boxes, items inside list boxes, multicolumn lists, containers, menu choices, menu names, attribute names, tabs, property sheets), labels (such as Tip:, and Operating system considerations:)
- Keywords and parameters in text

Italic
- Command names
- Words defined in text
- Emphasis of words (words as words)
- New terms in text (except in a definition list)
- Variables and values you must provide

Monospace
- Examples and code examples
- File names, programming keywords, and other elements that are difficult to distinguish from surrounding text
- Message text and prompts addressed to the user
- Text that the user must type
- Values for arguments or command options
- Names of object classes

Operating system-dependent variables and paths

This guide uses the Windows convention for specifying environment variables and for directory notation. When using the UNIX command line, replace %variable% with $variable for environment variables and replace each backslash (\) with a forward slash (/) in directory paths. The names of environment variables are not always the same in Windows and UNIX. For example, %TEMP% in the Windows operating system is equivalent to $tmp in a UNIX operating system.

Note: If you are using the bash shell on a Windows system, you can use the UNIX conventions.
Contents

Preface  iii
  About this book  iii
  Intended audience for this book  iii
  Publications and related information  iii
    Tivoli Identity Manager library  iii
    Prerequisite product publications  v
    Related publications  vi
  Accessing terminology online  vi
  Accessing publications online  vii
  Ordering publications  vii
  Accessibility  vii
  Tivoli technical training  vii
  Support information  viii
  Conventions used in this book  viii
    Typeface conventions  viii
    Operating system-dependent variables and paths  viii
List of tables  xiii
Chapter 1. Introduction to the Active Directory Adapter  1
  Features of the Active Directory Adapter  1
Chapter 2. Checklist for configuring Tivoli Identity Manager to run the adapter  3
Chapter 3. Active Directory Adapter user account management tasks  5
  Reconciling user accounts  5
    Attributes reconciled  6
    Attributes not reconciled  7
    Reconciling support data  7
    Reconciling the useraccountcontrol attribute  7
    Filter reconciliation  7
  Adding user accounts  12
    Attributes for adding user account  12
    Creating a distinguished name for a user account  13
    User principal name of a user account  14
    Specifying controls for a user account  15
    Creating a home directory for a user account  16
    Enabling a user account for mail  17
    Creating a proxy address for a user account  17
  Modifying user accounts  18
    Modifying the container attribute  18
    Modifying the Home Directory attribute  19
    Modifying user password  22
    Modifying the Mailbox Store attribute  22
  Suspending user accounts  23
  Restoring user accounts  24
  Deleting user accounts  24
    Deleting a mailbox  24
Chapter 4. Troubleshooting the Active Directory Adapter errors  25
Appendix A. Country and region codes  33
Appendix B. Active Directory Adapter attributes  41
Appendix C. APIs used by the Active Directory Adapter  47
  ADSI interfaces and the corresponding APIs used by the Active Directory Adapter  47
  WIN32 APIs used by the Active Directory Adapter  50
Appendix D. Accessibility features for the Active Directory Adapter  51
  Accessibility features  51
  Keyboard navigation  51
  Related accessibility information  51
  IBM and accessibility  51
Appendix E. Support information  53
  Searching knowledge bases  53
    Search the information center on your local system or network  53
    Search the Internet  53
  Contacting IBM Software Support  53
    Determine the business impact of your problem  54
    Describe your problem and gather background information  55
    Submit your problem to IBM Software Support  55
Appendix F. Notices  57
  Trademarks  58
Index  61
List of tables

1. Attributes supported by the adapter for filter reconciliation  8
2. Attributes not supported by the adapter for filter reconciliation  9
3. Objects and their corresponding object class  11
4. List of attributes and their default values on the Active Directory  12
5. The order of attributes on the Active Directory account form that the adapter checks to generate an RDN  13
6. Attributes on the Active Directory account form and their corresponding property flags  15
7. Home Directory NTFS Access attribute values and their corresponding permissions on the home directory  16
8. Troubleshooting the Active Directory Adapter errors  25
9. Countries and regions and their corresponding codes  33
10. Mapping of attributes on Tivoli Identity Manager to the attributes on the Active Directory  41
11. ADSI Interfaces and the corresponding APIs used by the Active Directory Adapter  47
12. WIN32 APIs used by the Active Directory Adapter  50
Chapter 1. Introduction to the Active Directory Adapter

The Active Directory Adapter is an application that provides connectivity between Tivoli Identity Manager and the network of systems running the Active Directory. The adapter runs as a service, independent of whether you are logged on to Tivoli Identity Manager.

You can automate the following user account management tasks using the Active Directory Adapter and Tivoli Identity Manager:
- Adding Active Directory user accounts
- Creating a home directory for a user account
- Modifying attributes of Active Directory user accounts
- Changing passwords of Active Directory user accounts
- Suspending, restoring, and deleting Active Directory user accounts
- Retrieving user accounts from the Active Directory
- Managing mailboxes on the Exchange server
- Moving a user in the Active Directory hierarchy

Features of the Active Directory Adapter

The Active Directory Adapter supports:
- Reconciliation of user accounts from the Active Directory to the directory server of Tivoli Identity Manager.
- User account management tasks, such as add, modify (including password change), suspend, restore, and delete to manage accounts on the Active Directory using Tivoli Identity Manager.
- Management of the Exchange 2000 and the Exchange 2003 mailboxes.
- Customization of the Active Directory account form.
- Password synchronization of different accounts of a domain user by providing registry access to the Password Synchronization plug-in.
Chapter 2. Checklist for configuring Tivoli Identity Manager to run the adapter

To configure the Tivoli Identity Manager to run the Active Directory Adapter, perform the following steps:
1. Install the Active Directory Adapter. For more information, see the Active Directory Adapter Installation and Configuration Guide and search for the section "Installing the adapter."
2. Import the Active Directory profile into the Tivoli Identity Manager. For more information, see the Active Directory Adapter Installation and Configuration Guide and search for the section "Importing the adapter profile into the Tivoli Identity Manager."
3. Create an Active Directory service. For more information, see the Active Directory Adapter Installation and Configuration Guide and search for the section "Creating an Active Directory service."
4. Create a provisioning policy for the Active Directory Adapter service. For more information about adding a provisioning policy, see the Tivoli Identity Manager information center.
5. Perform a reconciliation operation to retrieve user accounts from the Active Directory and store them in the Tivoli Directory Server. For more information about running a reconciliation operation, see the Tivoli Identity Manager information center.
6. Adopt orphan accounts on the Tivoli Identity Manager. For more information about adopting orphan accounts, see the Tivoli Identity Manager information center.
Chapter 3. Active Directory Adapter user account management tasks

Tivoli Identity Manager manages user accounts stored on the Active Directory using the Active Directory Adapter. You can perform various operations, such as reconciliation, add, modify (including password change), suspend, restore, and delete to manage your accounts. You can manage:
- Accounts for a specific person
- Accounts for a service instance
- Specific accounts using the search function of Tivoli Identity Manager

Before performing any operation using the adapter:
1. Ensure that you perform the steps given in Chapter 2, Checklist for configuring Tivoli Identity Manager to run the adapter, on page 3.
2. Start the Active Directory Adapter using one of the following methods:
   Windows services in service mode:
   a. In the Windows control panel, double-click Administrative Tools.
   b. Double-click Services.
   c. Right-click the Tivoli Active Directory Agent service, and click Start.
   Windows command prompt in console mode: Go to the adapter installation directory and run the following command: adagent -console
3. Verify that the Active Directory Adapter registry key settings are configured according to your requirements. To modify the values of the registry keys, use the Active Directory Adapter configuration tool, agentcfg. For more information, see the Active Directory Adapter Installation and Configuration Guide and search for "Registry key descriptions" and "Starting the adapter configuration tool."

Reconciling user accounts

The reconciliation operation retrieves the user account information from the Active Directory and stores it in the directory server of Tivoli Identity Manager. Reconciliation first compares the user account information on the Active Directory with the existing user IDs on Tivoli Identity Manager and then searches for an existing owner within Tivoli Identity Manager. If a match exists between the user login ID and an account, Tivoli Identity Manager creates an owner relationship between the person and the account. If the user login ID does not match an account, Tivoli Identity Manager lists the unmatched account as an orphan account. Adopting an orphan account assigns ownership of the account to an existing person in Tivoli Identity Manager.

You can schedule reconciliation to run at specific times and to return specific parameters. Running a reconciliation before its scheduled time does not prevent the reconciliation from running at the scheduled time. For more information about scheduling reconciliation and running a scheduled reconciliation, see the Tivoli Identity Manager information center.
Attributes reconciled

During reconciliation, the value of the samaccountname attribute of the Active Directory is returned to Tivoli Identity Manager as the User Id attribute.

When you perform a reconciliation, the Active Directory Adapter returns all containers under the base point that is specified on the Active Directory Adapter service form. If you do not specify a base point when you create the Active Directory service, the adapter returns all containers in the Active Directory.

In a reconciliation operation, you can configure the adapter to return the Windows Terminal Services (WTS) attributes and the attributes that are related to the home directory security. To reconcile the WTS attributes, set the registry keys WtsDisableSearch to FALSE and WtsEnabled to TRUE. The Active Directory Adapter retrieves the following WTS attributes from the Active Directory:
- Allow Logon
- Initial Program
- Inherit Initial Program
- Profile Path
- Connect Client Drives
- Connect Client Printers
- Client Printer Is Default
- Working Directory
- WTS Home Directory
- WTS Home Directory Drive
- WTS Callback Settings
- WTS Callback Number
- Idle Timeout
- Connection Timeout
- Disconnection Timeout
- Broken Timeout Setting
- Reconnect Settings
- Shadow Settings

The default value of the registry key WtsDisableSearch is TRUE. If you retain the default value, the adapter does not return the WTS attributes to Tivoli Identity Manager and the reconciliation takes less time.

Use the registry key ReconHomeDirSecurity to retrieve the attributes that are related to the home directory security, such as NTFS security, share name, and share security, from the Active Directory. Attributes corresponding to the home directory security are:
- Home Directory NTFS Access
- Home Directory Share
- Home Directory Share Access
- WTS Home Directory NTFS Access
- WTS Home Directory Share
- WTS Home Directory Share Access

The default value of the registry key ReconHomeDirSecurity is FALSE. If you retain the default value, the adapter does not retrieve the attributes that are related to the home directory security and the reconciliation takes less time. To reconcile the attributes that are related to the home directory security, set the value of the registry key ReconHomeDirSecurity to TRUE.

Attributes not reconciled

The Active Directory Adapter does not return the following attributes to Tivoli Identity Manager after reconciliation:
- User password
- System Call (This attribute is not supported by the Active Directory Adapter.)
- WTS Server Name

Except for these attributes and the attributes that are retrieved depending on the values of the registry keys, all other attributes are always reconciled.

Reconciling support data

In addition to reconciling user accounts, the Active Directory Adapter also reconciles support data, such as groups, containers, and mailbox stores, to Tivoli Identity Manager. The support data is reconciled only when you perform a full reconciliation.

Reconciling the useraccountcontrol attribute

The user account status on Tivoli Identity Manager can be either active or inactive. During reconciliation, the Active Directory Adapter retrieves the status of a user account from the useraccountcontrol attribute on the Active Directory. The ACCOUNTDISABLE property flag value of the useraccountcontrol attribute determines the status of a user account. For more information about property flags of the useraccountcontrol attribute, see the Microsoft Windows Server documentation.

Filter reconciliation

Filter reconciliation enables the Active Directory Adapter to reconcile users, groups, containers, and mail stores from the Active Directory based on the filters specified for the reconciliation. To enable the Active Directory Adapter for filter reconciliation, set the value of the Pass search filter to agent registry key to TRUE.
To set the value of the Pass search filter to agent registry key, use the adapter configuration tool, agentcfg. For more information about using the agentcfg tool, see the Active Directory Adapter Installation and Configuration Guide and search for the section "Starting the adapter configuration tool."

The search filter must be a Lightweight Directory Access Protocol (LDAP) version 2 filter. For information about specifying filters, see the Tivoli Identity Manager information center.

Supported attributes

Table 1 on page 8 lists the attributes on the Active Directory account form that the adapter supports for filter reconciliation.

Table 1. Attributes supported by the adapter for filter reconciliation

cn, description, eradallowdialin, eradbadlogincount, eradcallbacknumber, eradcountrycode,
eraddialincallback, eraddisplayname, eradealias, eradedaysbeforegarbage, eradeenablestoredeflts,
eradeextension1, eradeextension2, eradeextension3, eradeextension4, eradeextension5,
eradeextension6, eradeextension7, eradeextension8, eradeextension9, eradeextension10,
eradeextension11, eradeextension12, eradeextension13, eradeextension14, eradeextension15,
eradeforwardingstyle, eradeforwardto, eradehardlimit, eradehidefromaddrsbk, eradeincominglimit,
eradelanguages, erademployeeid, eradeoutgoinglimit, eradeoverquotalimit, eradeoverridegarbage,
eradeproxyaddresses, eraderecipientlimit, eradesmtpemail, eradestorequota, eradetargetaddress,
eradex400email, eradfax, eradhomedir, eradhomedirdrive, eradhomepage, eradinitial,
eradloginscript, eradloginworkstations, eradnameprefix, eradnamesuffix, eradofficelocations,
eradothername, eradpasswordforcechange, eradprimarygroup, eradupn, ercompany, erdepartment,
erdivision, ermaxstorage, erprofile, eruid, givenname, homephone, l, mail, mobile, pager,
postalcode, postofficebox, sn, st, street, telephonenumber, title

Note: The adapter supports extended attributes with the following syntax types: String, Integer, Boolean.

Examples of supported filters

This section gives examples of supported filters.
Example 1: To retriee user accounts that hae the alue of the employeeid attribute on the Actie Directory account form as 1, specify the filter as (erademployeeid=1). Example 2: To retriee user accounts that hae the alue of the cn attribute on the Actie Directory account form as thomas, specify the filter as (cn=thomas). Example 3: To retriee user accounts that hae the alue of the Department name attribute as ibm and the Country attribute as United States, specify the filter as (&(eraddepartment=ibm*)(eradcountrycode=840)). Non-supported attributes Table 2 lists the attributes on the Actie Directory account form that the adapter does not support for filter reconciliation. Table 2. Attributes not supported by the adapter for filter reconciliation All WTS attributes eraccountstatus eradallowencryptedpassword eradcannotbedelegated eradcontainer eraddistinguishedname eradeapplyontoallow eradeapplyontodeny eradeassociatedextacc eradeautogenemailaddrs eradechgpermissions eradedelegates eradedelmailboxstorage eradedenypermto1leel eradefullmailboxaccess eradegarbageafterbckp eradehomemdb erademailboxstore eradereadpermissions eraderstrctadrsfg eraderstrctadrsls Examples of non-supported filters eradeserername eradeshowinaddrbook eradetakeownership eradexpirationdate eradisaccountlocked eradlastfailedlogin eradlastlogoff eradlastlogon eradmanager eradnochangepassword eradpasswordlastchange eradpasswordminimumlength eradpasswordneerexpires eradpasswordrequired eradrequireuniquepassword eradsmartcardrequired eradtrustedfordelegation ergroup erlogontimes erpassword This section gies examples of non-supported filters. Example 1: Filter reconciliation of attributes not supported The adapter does not support filter reconciliation of attributes, such as manager, distinguishedname, and memberof, because the alues of these attributes are stored in the distinguished name (DN) format in the Actie Directory. Chapter 3. Actie Directory Adapter user account management tasks 9
A group, group1, exists inside the organization unit Test under the domain adlab. This domain lies inside the parent domain com that exists on the Actie Directory. The Group attribute on the Actie Directory account form is mapped to the memberof attribute of the Actie Directory. If you specify the alue of the Group attribute on the Actie Directory account form as group1, then the adapter sets the alue of the memberof attribute in the DN format as CN=group1,OU=Test,DC=adalb,DC=com. To retriee users that are members of the group, group1, specify the filter as (ergroup=group1). The adapter searches for the alue group1 in the memberof attribute. Because the alue of the memberof attribute is stored in the DN format, the adapter fails to retriee users that are members of the group, group1. Example 2: Bit-leel filtering not supported The adapter does not support bit-leel filtering. The useraccountcontrol attribute in Actie Directory is a bit-mapped alue attribute. The Actie Directory Adapter retriees the status of a user account from the useraccountcontrol attribute on the Actie Directory. The attribute is of data type integer and its alue can be zero or a combination of one or more of the property flags. For more information about the property flags of the useraccountcontrol attribute, see the Microsoft Windows Serer documentation. To reconcile status of user accounts, specify the filter as (eraccountstatus=1). Because the alue of the useraccountcontrol is a combination of one or more property flags, the adapter fails to retriee any of the user accounts. Example 3: Attribute format differences not supported The adapter does not support filter reconciliation for attributes that hae their alues stored in the Actie Directory in a different format from those displayed on the Actie Directory account form. 
For example, if India is specified as the country on the Active Directory account form, the adapter sets the three-digit code 356 as the value of the countrycode attribute in the Active Directory. The countrycode attribute on the Active Directory is mapped to the Country attribute on the Active Directory account form. To reconcile all objects that have the Country attribute set to India, specify the filter as (eradcountrycode=india). The adapter searches for the value India in the countrycode attribute. Because the value of the country India is stored as 356 in the countrycode attribute, the adapter returns success, but does not reconcile any user accounts. For a successful reconciliation, specify the country code of India as 356 in the filter in the following format: (eradcountrycode=356)

Example 4: Not format filtering leads to unexpected results

A filter using the not format (!(Attribute name=value)) leads to unexpected results. Though the format of the filter is valid, and the search is successful, the adapter retrieves entire sets of data for all objects for which the specified attribute is not set. For example, to retrieve user accounts that have the employeeid attribute not equal to 1000, specify the filter as (!(erademployeeid=1000)). The adapter retrieves:
- All user accounts that have the employeeid attribute not equal to 1000.
- All groups because the group object does not contain the employeeid attribute.
- All containers because the container object does not contain the employeeid attribute.
- All mail stores because the mail store object does not contain the employeeid attribute.

For a successful reconciliation, specify the object class with the attribute name. Therefore, to retrieve user accounts that have the employeeid attribute not equal to 1000, specify the eradaccount object class with the employeeid attribute in the following format: (&((!(erademployeeid=1000))(objectclass=eradaccount)))

Table 3 lists the objects and their corresponding object class that you must specify in addition to the attribute name for a successful filter reconciliation.

Table 3. Objects and their corresponding object class
Object | Object class
Group | eradgroup
Container | eradcontainer
Mail store | eradmailstore
User | eradaccount
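The rules from Table 2, Example 3 and Example 4 above can be checked before a filter is submitted. The following is an added example, not code from the adapter or from IBM: it rejects unsupported attributes, converts the two country names the page quotes to their codes, and scopes a not filter to the Table 3 object class; the scoped filter is written in standard LDAP syntax (the guide shows the same scoping with an extra pair of parentheses). The attribute set and country table are assumptions limited to the values on this page.

```python
"""Pre-check of a reconciliation filter against the rules stated in this
section.  Added example, not the adapter's own code or a Tivoli Identity
Manager API: it encodes Table 2 (unsupported attributes), Example 3
(country names must be the numeric code) and Example 4 / Table 3 (a not
filter must be scoped to an object class)."""
import re

# Attributes from Table 2 that the adapter does not support for filter
# reconciliation (the full table lists more; add them to this set).
UNSUPPORTED_ATTRIBUTES = {
    "eraccountstatus", "eradcontainer", "eraddistinguishedname",
    "eradmanager", "eradisaccountlocked", "eradpasswordneverexpires",
    "ergroup", "erlogontimes", "erpassword",
}

# Country values are stored as three-digit codes.  Only the two codes the
# page quotes are listed; the complete list is in Appendix A of the guide.
COUNTRY_CODES = {"india": "356", "united states": "840"}

# Table 3: object class to add to a not filter for each object type.
OBJECT_CLASSES = {
    "user": "eradaccount", "group": "eradgroup",
    "container": "eradcontainer", "mail store": "eradmailstore",
}

ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


class FilterError(ValueError):
    """The filter would fail or return unexpected results on this adapter."""


def _split_components(body):
    """Split "(a)(b)(c)" into ["(a)", "(b)", "(c)"] at nesting depth 0."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise FilterError("unbalanced parentheses")
            if depth == 0:
                parts.append(body[start:i + 1])
    if depth != 0 or not parts:
        raise FilterError("unbalanced or empty filter component")
    return parts


def _rewrite(flt, object_class):
    if not (flt.startswith("(") and flt.endswith(")")):
        raise FilterError(f"filter must be enclosed in parentheses: {flt!r}")
    body = flt[1:-1]
    if body[:1] in ("&", "|"):
        inner = "".join(_rewrite(p, object_class)
                        for p in _split_components(body[1:]))
        return f"({body[0]}{inner})"
    if body[:1] == "!":
        operands = _split_components(body[1:])
        if len(operands) != 1:
            raise FilterError("a not filter takes exactly one operand")
        # Example 4: without the object class, every group, container and
        # mail store (none of which carry the attribute) is returned too.
        return (f"(&(!{_rewrite(operands[0], object_class)})"
                f"(objectclass={object_class}))")
    attr, sep, value = body.partition("=")
    if not sep or not ATTR_RE.match(attr):
        raise FilterError(f"not an attribute=value component: {flt!r}")
    attr = attr.lower()
    if attr in UNSUPPORTED_ATTRIBUTES:
        raise FilterError(f"{attr} is not supported for filter reconciliation")
    if attr == "eradcountrycode" and not value.isdigit():
        # Example 3: the directory stores the numeric code, not the name.
        code = COUNTRY_CODES.get(value.strip().lower())
        if code is None:
            raise FilterError(f"supply the three-digit code for {value!r}")
        value = code
    return f"({attr}={value})"


def prepare_filter(flt, object_type="user"):
    """Return the filter corrected for this adapter, or raise FilterError."""
    if object_type not in OBJECT_CLASSES:
        raise FilterError(f"unknown object type {object_type!r}")
    return _rewrite(flt.strip(), OBJECT_CLASSES[object_type])
```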
Adding user accounts

Perform the add operation from Tivoli Identity Manager to add user accounts to the Active Directory. You can add user accounts for either an existing person in the organization or a new person in the organization. For more information about adding user accounts, see the Tivoli Identity Manager information center.

Attributes for adding a user account

Specify a value for the User Id attribute to add a user account on the Active Directory. This attribute can contain:
- Alphabets
- Unicode characters
- Numbers
- Special characters, such as #, + \ < >

The User Id attribute cannot include control characters, or any special characters other than #, + \ < >. If the User Id attribute contains non-supported characters, the Active Directory Adapter gives an error message. The adapter stores the value of the User Id attribute in the samaccountname attribute on the Active Directory.

Note: The User Id attribute is the only attribute that is required to add an Active Directory account.

To add a user account, if you specify only the User Id attribute on the Active Directory account form, then the following attributes are set on the Active Directory.

Table 4. List of attributes and their default values on the Active Directory
Attribute | Default value | Set by
cn | Value of the User Id attribute on the Active Directory account form. | Active Directory Adapter
countrycode | 0. If a country is specified on the Active Directory account form, then the corresponding three-digit code is set on the Active Directory. | Active Directory
lastlogoff | 0 | Active Directory
lastlogon | 0 | Active Directory
distinguishedname | cn=rdn,cn=users,domain name (if no base point is specified on the Active Directory Adapter service form); cn=rdn,container,base point (if a base point is specified on the Active Directory Adapter service form) | Active Directory Adapter
primarygroupid | 513 | Active Directory
samaccountname | Value of the User Id attribute on the Active Directory account form. | Active Directory Adapter
name | Value of the User Id attribute on the Active Directory account form. | Active Directory
userprincipalname | UserId@domain | Active Directory Adapter
badpwdcount | 0 | Active Directory
objectcategory | CN=Person,CN=Schema,CN=Configuration,DC=domain name | Active Directory

Creating a distinguished name for a user account

The Active Directory Adapter computes values of various attributes on the Active Directory account form to create a distinguished name (DN) for a user account. To create a DN, the adapter:

1. Generates a Relative Distinguished Name (RDN) for the user account. The following table lists the order in which the Active Directory Adapter checks the values of the attributes on the Active Directory account form to generate an RDN.

Table 5. The order of attributes on the Active Directory account form that the adapter checks to generate an RDN
Attributes on the Tivoli Identity Manager | RDN value
Full Name | Full Name
Display Name | Display Name
First Name | First Name
First Name, Initial, Last Name | First Name Initial. Last Name
First Name, Initial | First Name Initial.
First Name, Last Name | First Name Last Name
Last Name | Last Name
User Id | User Id

The following figure displays the decision tree for the process of generating an RDN.
Figure 1. Decision tree for generating an RDN. The tree checks, in order: Full Name; Display Name; First Name (and then Initial and Last Name, giving First Name Initial. Last Name, First Name Initial., First Name Last Name, or First Name); Last Name; otherwise User Id.

If the adapter finds an attribute value, that value is used for generating the RDN. For example, if the Full Name attribute is not found, then the adapter checks for the value in the Display Name attribute. If a value is found, the adapter uses the display name as the RDN; otherwise the adapter checks for the next attribute value in the First Name attribute, and so on. User Id is the default value of an RDN. The maximum length of an RDN is 64 characters.

2. Adds the string cn= as a prefix to the generated RDN. For example, cn=rdn.

3. Adds a container that contains the user account as a suffix to cn=rdn. The container is separated by a comma. The adapter adds the default user container cn=users as a suffix, if:
- You do not specify the Container attribute on the Active Directory account form.
- You do not specify the Base Point DN attribute on the Active Directory Adapter service form.
- The base point that you specify on the Active Directory Adapter service form does not contain a container.
Containers other than the Users container are represented as ou=organization unit, where organization unit is the name of the container.

4. Adds a domain name as a suffix to cn=rdn,cn=users. The domain name is separated by a comma. If a base point is specified on the Active Directory Adapter service form, then the domain name is the specified base point.
However, if no base point is specified on the Active Directory Adapter service form, then the adapter finds the default domain name where the adapter is running. Therefore, the distinguished name is: cn=rdn,cn=users,domain name.

User principal name of a user account

A user principal name is an account name of a user in an e-mail address format. A user principal name consists of two parts:
- User identification: Contains the user log-on name
- Domain: Contains the domain name where the user account is located

A user principal name is computed by separating these two parts by an @ symbol. For example, username@domain name. If you specify the User Principal Name attribute on the Active Directory account form, then the adapter sets the specified value to the userprincipalname attribute on the Active Directory. If the User Principal Name attribute is not specified, then
the adapter uses the value of the User Id attribute as the user principal name, and appends @domain name to it.

Specifying controls for a user account

To specify controls for a user account, set the following attributes on the Active Directory account form:
- Password Never Expires: Specifies whether a password can ever expire
- Password Required: Specifies whether a password is required
- Smart Card Required: Specifies whether a smart card is required for login
- User Cannot Change Password: Specifies whether the user can change their password
- Allow Encrypted Password: Specifies whether encrypted passwords are allowed

These attributes correspond to the property flags of the useraccountcontrol attribute on the Active Directory. The attribute names and their corresponding property flags are listed in the following table.

Table 6. Attributes on the Active Directory account form and their corresponding property flags
Attribute | Property flag | Hexadecimal value for the property flag | Decimal value for the property flag
Password Never Expires | DONT_EXPIRE_PASSWORD | 0x10000 | 65536
Password Required | PASSWD_NOTREQD | 0x0000 | 0
Smart Card Required | SMARTCARD_REQUIRED | 0x40000 | 262144
User Cannot Change Password | PASSWD_CANT_CHANGE | 0x0040 | 64
Allow Encrypted Password | ENCRYPTED_TEXT_PWD_ALLOWED | 0x0080 | 128

The value of the useraccountcontrol attribute is the sum of the values of the property flags that are enabled. For more information about the property flags of the useraccountcontrol attribute, see the Microsoft Windows Server documentation.

You can force a user account to change the password on next log on by selecting the Force Password Change check box on the PASSWORD page of the Active Directory account form. The Active Directory Adapter maps the Force Password Change attribute to the pwdlastset attribute on the Active Directory. If you select the Force Password Change check box, then the adapter sets the value of the pwdlastset attribute to -1.
If you do not select the Force Password Change check box, then the adapter sets the value of the pwdlastset attribute to 0.
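The RDN order of Table 5 and Figure 1, the DN assembly of steps 2 to 4, and the user principal name default described above, as an added example that is not the adapter's own code. Two points the page does not spell out are assumptions here: DN special characters in the RDN (the User Id may contain # + \ < >) are backslash-escaped as in RFC 4514, and a base point "contains a container" when any of its components is an ou= or cn= value.

```python
"""RDN, DN and user principal name computation following the rules in
"Creating a distinguished name for a user account" and "User principal
name of a user account".  Added example, not the adapter's own code.
Assumptions (not stated on the page): RFC 4514 escaping of DN special
characters, and the ou=/cn= test for "base point contains a container"."""
from dataclasses import dataclass

RDN_MAX_LENGTH = 64          # stated on the page
DEFAULT_CONTAINER = "cn=users"


@dataclass
class AccountForm:
    """Attributes of the Active Directory account form used for the DN."""
    user_id: str
    full_name: str = ""
    display_name: str = ""
    first_name: str = ""
    initial: str = ""
    last_name: str = ""
    container: str = ""             # e.g. "ou=Marketing,ou=Departments"
    user_principal_name: str = ""


def generate_rdn(form: AccountForm) -> str:
    """Step 1: walk the Table 5 / Figure 1 order; User Id is the default."""
    if form.full_name:
        rdn = form.full_name
    elif form.display_name:
        rdn = form.display_name
    elif form.first_name:
        if form.initial and form.last_name:
            rdn = f"{form.first_name} {form.initial}. {form.last_name}"
        elif form.initial:
            rdn = f"{form.first_name} {form.initial}."
        elif form.last_name:
            rdn = f"{form.first_name} {form.last_name}"
        else:
            rdn = form.first_name
    elif form.last_name:
        rdn = form.last_name
    else:
        rdn = form.user_id
    if len(rdn) > RDN_MAX_LENGTH:
        raise ValueError(f"RDN longer than {RDN_MAX_LENGTH} characters: {rdn!r}")
    return rdn


def escape_rdn_value(value: str) -> str:
    """Escape characters that are special in a DN (assumption: RFC 4514).
    A User Id such as 'a,b' or '#tag' would otherwise change the DN."""
    out = "".join("\\" + c if c in ',+"\\<>;=' else c for c in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def _has_container(base_point: str) -> bool:
    return any(part.strip().lower().startswith(("ou=", "cn="))
               for part in base_point.split(","))


def build_dn(form: AccountForm, base_point: str = "",
             default_domain: str = "") -> str:
    """Steps 2-4: cn=rdn, then the container, then the base point or the
    default domain of the machine the adapter runs on."""
    parts = ["cn=" + escape_rdn_value(generate_rdn(form))]
    if form.container:
        parts.append(form.container)
    elif not (base_point and _has_container(base_point)):
        parts.append(DEFAULT_CONTAINER)   # step 3: default user container
    suffix = base_point or default_domain
    if not suffix:
        raise ValueError("no base point and no default domain available")
    parts.append(suffix)                  # step 4: base point or domain
    return ",".join(parts)


def user_principal_name(form: AccountForm, domain: str) -> str:
    """The form value if given, otherwise User Id@domain."""
    return form.user_principal_name or f"{form.user_id}@{domain}"
```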
Creating a home directory for a user account

Before you create a home directory for a user account, ensure that you have:
- Created a shared directory on the Windows server
- Provided full access rights on that shared directory to the user account under which the Active Directory Adapter is running

To create a home directory for a user account, set the value of the following registry keys to TRUE:
- CreateUNCHomeDirectories
- ManageHomeDirectories

Specify the following attributes on the Active Directory account form:
- Home Directory
- Home Directory Drive

The Home Directory attribute must be in the Universal Naming Convention (UNC) format. UNC is a format for specifying the location of resources in a Local Area Network (LAN). UNC uses the format \\HOME_AD_SERVER\SHARED_DIR\HOME_DIR, where:
- HOME_AD_SERVER is the shared server name
- SHARED_DIR is the shared directory
- HOME_DIR is the name of the home directory for the user account

For example, consider a user account with the following attribute settings on the Active Directory account form.
User Id | Thomas
Home Directory | \\H20\homedir\thomas
Home Directory Drive | F:

Because the values of the registry keys CreateUNCHomeDirectories and ManageHomeDirectories are TRUE, the adapter creates a UNC home directory thomas on server H20, inside the shared directory homedir, and maps the home directory thomas to drive F.

To specify permissions on the home directory for a user account, set the Home Directory NTFS Access attribute for the user on the Active Directory account form. The following table lists the values of the Home Directory NTFS Access attribute and their corresponding permissions on the home directory.

Table 7. Home Directory NTFS Access attribute values and their corresponding permissions on the home directory
Home Directory NTFS Access attribute value | Permissions
Full | You have full control over the home directory. You can: change permissions; take ownership; delete subfolders and files; read, write, and change files.
Change | You have the following controls over files and subfolders in the home directory: Read, Write, Modify.

Enabling a user account for mail

There can be two types of user accounts:

Mail-enabled: An Active Directory user account that has an e-mail address associated with it, but has no mailbox on the Exchange server. A mail-enabled user can send and receive e-mail using another messaging system. If you send messages to a mail-enabled user account, then these messages pass through the Exchange server, and are forwarded to an external e-mail ID of that user account. For example, Thomas is an employee of company1, with a mailbox on the Exchange server of company1, and an e-mail ID thomas1@company1.com. Company2 takes over company1. The employees of company1 have mail-enabled user accounts in the domain of company2. The new e-mail ID of Thomas is thomas1@company2.com. Therefore, Thomas can send and receive mail with the new e-mail ID, but the mailbox for Thomas is not on the Exchange server of company2. It is on the Exchange server of company1.

Mailbox-enabled: An Active Directory user account that has a mailbox on the Exchange server. A mailbox-enabled user can send and receive messages, and store messages in the Exchange server mailboxes.

To create a mail-enabled user account, you must specify the values of the Alias and the Target Address attributes on the Active Directory account form. To create a mailbox-enabled user account, you must specify the values of the Alias and the Mailbox Store attributes on the Active Directory account form.

The Exchange server uses the value of the Alias attribute to generate an e-mail ID for a user account. If the value of the Alias attribute of another user account matches an existing alias, then the Exchange server appends a number to the e-mail ID of the other user account.
For example, a user account Thomas with alias thomas1 exists on the Active Directory. The e-mail ID of Thomas is thomas1@ibm.com. If you create another user account Nancy with alias thomas1, then the Exchange server generates the e-mail ID thomas12@ibm.com for Nancy.

Note: If you specify both the attributes, Mailbox Store and Target Address, then the Active Directory Adapter gives an error.

Creating a proxy address for a user account

By default, the Exchange server assigns a primary Simple Mail Transfer Protocol (SMTP) proxy address to a user account when a mailbox is created.
To create multiple proxy addresses for a user account, specify the Proxy Addresses attribute on the Active Directory account form. The primary proxy address of an SMTP address type cannot be deleted.

Note: Always specify a primary proxy address in uppercase and a secondary proxy address in lowercase. For example, a user account Thomas exists on the Active Directory with the following values in the Active Directory account form.
User Id | Thomas
Proxy Addresses | SMTP:Thomas@ibm.com smtp:thomas2@ibm.com

In this example, SMTP:Thomas@ibm.com is the primary SMTP proxy address, and smtp:thomas2@ibm.com is the secondary SMTP proxy address.

Note: To create an X.400 proxy address for a user account, you must specify the primary SMTP proxy address.

Modifying user accounts

You can modify user account attributes in Tivoli Identity Manager. For more information about modifying user accounts, see the Tivoli Identity Manager information center.

Modifying the Container attribute

If you do not specify a base point at the time of creating an Active Directory service, the Active Directory Adapter, by default, creates new users in the Users container of the Active Directory. Modifying the Container attribute means moving a user from one container to another. You can move a user between:
- Containers that are stored at the specified base point
- All containers, if no base point is specified

When you modify the Container attribute, the distinguished name of a user changes because the user moves to a different position in the Active Directory hierarchy. The following example illustrates changes in the distinguished name of a user when you modify the Container attribute. A user account with the name Thomas Daniel exists on the Active Directory. The Active Directory has the following structure.
Figure 2. Example of an Active Directory structure
dc=ibm,dc=com
  Users
    Thomas Daniel
    Nancy Kerry
  Departments
    Sales
    Marketing

The distinguished name of Thomas Daniel is: cn=thomas Daniel,cn=Users,dc=ibm,dc=com

Modify the Container attribute on Tivoli Identity Manager from cn=users to ou=marketing. After this change, the distinguished name of Thomas Daniel changes to the following value: cn=thomas Daniel,ou=Marketing,ou=Departments,dc=ibm,dc=com

Modifying the Home Directory attribute

The Active Directory Adapter supports creation and deletion of home directories only in the shared folders on the Windows server. The adapter does not support the creation and deletion of local home directories. The following examples describe the behavior of the Active Directory Adapter when you modify the attributes that are related to the home directory on the Active Directory account form, for an existing user account.

Example 1: A user account Thomas Daniel exists on the Active Directory with the following values in the Active Directory account form.
Attribute | Value
Home Directory | \\H20\shareddir\thomas
Home Directory Drive | F:
Home Directory Share | homedirshare1

Values of the registry keys are:
ManageHomeDirectories = TRUE
DeleteUNCHomeDirectories = FALSE
CreateUNCHomeDirectories = TRUE

Delete the values of the attributes that are related to the home directory. Because the value of the registry key DeleteUNCHomeDirectories is FALSE, the adapter:
- Does not delete the home directory thomas from the server H20
- Does not remove the share homedirshare1
- Deletes the values of the Home Directory and the Home Directory Drive attributes on the Active Directory
Example 2: A user account Thomas Daniel exists on the Active Directory with the following values in the Active Directory account form.
Attribute | Value
Home Directory | \\H20\shareddir\thomas
Home Directory Drive | F:
Home Directory Share | homedirshare1

Values of the registry keys are:
ManageHomeDirectories = TRUE
DeleteUNCHomeDirectories = TRUE
CreateUNCHomeDirectories = TRUE

Delete the values of the attributes that are related to the home directory. Because the value of the registry key DeleteUNCHomeDirectories is TRUE, the adapter deletes the home directory thomas from the server H20.

Example 3: A user account Thomas Daniel exists on the Active Directory. This user account does not contain values of the attributes that are related to the home directory on the Active Directory account form.

Values of the registry keys are:
ManageHomeDirectories = TRUE
DeleteUNCHomeDirectories = TRUE
CreateUNCHomeDirectories = FALSE

Specify values for the following attributes that are related to the home directory on the Active Directory account form.
Attribute | Value
Home Directory | \\H20\shareddir\thomas
Home Directory Drive | F:
Home Directory Share | homedirshare1

Because the value of the registry key CreateUNCHomeDirectories is FALSE, the adapter:
- Does not create the home directory thomas and the home directory share homedirshare1 on the server H20
- Sets the values of the attributes Home Directory and Home Directory Drive on the Active Directory

Example 4: A user account Thomas Daniel exists on the Active Directory. This user account does not contain values of the attributes that are related to the home directory on the Active Directory account form.

Values of the registry keys are:
ManageHomeDirectories = TRUE
DeleteUNCHomeDirectories = TRUE
CreateUNCHomeDirectories = TRUE

Specify values for the following attributes that are related to the home directory on the Active Directory account form.
Attribute | Value
Home Directory | \\H20\shareddir\thomas
Home Directory Drive | F:
Home Directory Share | homedirshare1

Because the values of the registry keys CreateUNCHomeDirectories and ManageHomeDirectories are TRUE, the adapter:
- Creates the home directory thomas on the server H20
- Maps the home directory to the drive F
- Assigns the share name homedirshare1 to the home directory
- Assigns access rights to the home directory and the home directory share

Example 5: A user account Thomas Daniel exists on the Active Directory with the following values in the Active Directory account form.
Attribute | Value
Home Directory | \\H20\shareddir\thomas
Home Directory Drive | F:
Home Directory Share | homedirshare1

Values of the registry keys are:
ManageHomeDirectories = TRUE
DeleteUNCHomeDirectories = TRUE
CreateUNCHomeDirectories = TRUE

Change the values of the attributes on the Active Directory account form to the following values.
Attribute | Value
Home Directory | \\H20\shareddir\Peter\thomas
Home Directory Drive | G:
Home Directory Share | homedirshare2

Change the value of the registry key DeleteUNCHomeDirectories to FALSE. In this example, the modify operation fails because the adapter cannot create nested directories; that is, the directory thomas inside the directory Peter. The adapter ignores the other attributes that are related to the home directory.
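The registry-key rules of "Creating a home directory for a user account" and Examples 1 to 5 above, as an added example that is not the adapter's own code: it reports which actions the guide says the adapter takes for a given combination of ManageHomeDirectories, CreateUNCHomeDirectories and DeleteUNCHomeDirectories and a change of the home-directory attributes, and rejects local or nested paths, without touching any server. One assumption not on the page: a change from one non-nested UNC home directory to another is treated as a delete of the old one followed by a create of the new one, each governed by its own key.

```python
"""Home-directory actions of the adapter for a given registry configuration,
following "Creating a home directory for a user account" and Examples 1-5
under "Modifying the Home Directory attribute".  Added example, not the
adapter's code; it returns the list of actions the guide describes.
Assumption (not on the page): changing an existing, non-nested home
directory is a delete of the old one plus a create of the new one."""
from dataclasses import dataclass
from typing import List, Optional
import re

# \\HOME_AD_SERVER\SHARED_DIR\HOME_DIR, the UNC format the guide requires.
UNC_PATH = re.compile(r"^\\\\(?P<server>[^\\]+)\\(?P<share>[^\\]+)\\(?P<dir>.+)$")


@dataclass(frozen=True)
class HomeDirectory:
    path: str          # Home Directory attribute, UNC format
    drive: str         # Home Directory Drive, e.g. "F:"
    share: str         # Home Directory Share, e.g. "homedirshare1"


@dataclass(frozen=True)
class RegistryKeys:
    ManageHomeDirectories: bool
    CreateUNCHomeDirectories: bool
    DeleteUNCHomeDirectories: bool


class HomeDirectoryError(ValueError):
    """The adapter would reject the request."""


def parse_unc(path: str):
    """Return (server, shared_dir, home_dir).  Local paths are not
    supported and nested directories cannot be created (Example 5)."""
    m = UNC_PATH.match(path)
    if not m:
        raise HomeDirectoryError(f"not a UNC home directory: {path!r}")
    if "\\" in m["dir"]:
        raise HomeDirectoryError(f"nested home directory not supported: {path!r}")
    return m["server"], m["share"], m["dir"]


def _create_actions(keys: RegistryKeys, new: HomeDirectory) -> List[str]:
    server, _, home_dir = parse_unc(new.path)
    actions = []
    if keys.ManageHomeDirectories and keys.CreateUNCHomeDirectories:
        actions += [                                   # Example 4
            f"create directory {home_dir} on server {server}",
            f"map {home_dir} to drive {new.drive}",
            f"assign share name {new.share} to {home_dir}",
            "assign access rights to the home directory and its share",
        ]
    # Example 3: the attributes are set even when nothing is created.
    actions.append("set Home Directory and Home Directory Drive attributes")
    return actions


def _delete_actions(keys: RegistryKeys, old: HomeDirectory) -> List[str]:
    server, _, home_dir = parse_unc(old.path)
    actions = []
    if keys.ManageHomeDirectories and keys.DeleteUNCHomeDirectories:
        actions.append(f"delete directory {home_dir} from server {server}")  # Example 2
    # Example 1: the attributes are cleared even when nothing is deleted.
    actions.append("clear Home Directory and Home Directory Drive attributes")
    return actions


def plan_home_directory_change(keys: RegistryKeys,
                               old: Optional[HomeDirectory],
                               new: Optional[HomeDirectory]) -> List[str]:
    """Actions the adapter takes when the home-directory attributes of an
    existing account change from `old` to `new` (None = not set)."""
    if old == new:
        return []
    if new is not None:
        parse_unc(new.path)          # Example 5: nested path fails up front
    if old is None:
        return _create_actions(keys, new)
    if new is None:
        return _delete_actions(keys, old)
    return _delete_actions(keys, old) + _create_actions(keys, new)
```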
Modifying the user password

You can change the password of any of the Active Directory accounts that exist on Tivoli Identity Manager. For information about changing passwords, see the Tivoli Identity Manager information center. When you change the password of a domain user from Tivoli Identity Manager, the new password is synchronized with the other accounts managed by Tivoli Identity Manager for that domain user. The Password Synchronization plug-in enables connectivity between Tivoli Identity Manager and the Windows system running the Active Directory. For more information about the Password Synchronization plug-in, see the Password Synchronization for Active Directory Plug-in Installation and Configuration Guide.

During the password change operation:
- If the value of the UnlockOnPasswordReset registry key is FALSE and the user account is locked, the Active Directory Adapter changes the user account password, but the user cannot log on to the domain using the new password.
- If the value of the UnlockOnPasswordReset registry key is TRUE, the Active Directory Adapter unlocks the user account, and the user can log on to the domain using the new password.

Modifying the Mailbox Store attribute

Modifying the Mailbox Store attribute means moving a user mailbox from one mailbox store to another. You can move a mailbox either within the same Exchange server or to a different Exchange server in the same domain. For more information about moving a mailbox from one mailbox store to another, see the Microsoft Exchange server documentation.

When you modify the Mailbox Store attribute, the value of the homemdb attribute changes because the user mailbox moves from one mailbox store to another. The following example illustrates changes in the value of the homemdb attribute when you modify the Mailbox Store attribute. A user account with the name Thomas Daniel exists on the Active Directory (the domain name is ibm.com).
Consider that Thomas Daniel has a mailbox in the First Mailbox Store of the Exchange server (ps2330), as shown in the following figure.
Figure 3. Exchange server organization tree
First Organization (Exchange)
  Global Settings
  Recipients
  Servers
    ps2330
      First Storage Group
        First Mailbox Store
          Logons
          Mailboxes
          Full-Text Indexing
        Second Mailbox Store
          Logons
          Mailboxes
          Full-Text Indexing

The value of the homemdb attribute is: cn=first Mailbox Store,cn=First Storage Group,cn=Information Store,cn=ps2330,cn=Servers,cn=First Administrative Group,cn=Administrative Groups,cn=First Organization (Exchange),cn=Microsoft Exchange,cn=Services,cn=Configuration,dc=ibm,dc=com

When you move the mailbox of Thomas Daniel from First Mailbox Store to Second Mailbox Store, the value of the homemdb attribute changes to the following value: cn=second Mailbox Store,cn=First Storage Group,cn=Information Store,cn=ps2330,cn=Servers,cn=First Administrative Group,cn=Administrative Groups,cn=First Organization (Exchange),cn=Microsoft Exchange,cn=Services,cn=Configuration,dc=ibm,dc=com

Suspending user accounts

When you suspend a user account, the status of the user account on Tivoli Identity Manager becomes inactive, and the user account becomes unavailable for use. Suspending a user account does not remove the user account from Tivoli Identity Manager. For more information about suspending user accounts, see the Tivoli Identity Manager information center.

When you suspend a user account from Tivoli Identity Manager, the Active Directory Adapter sets the property flag ACCOUNTDISABLE of the useraccountcontrol attribute on the Active Directory. For more information about the property flags of the useraccountcontrol attribute, see the Microsoft Windows Server documentation.
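How the useraccountcontrol flags of Table 6 combine, what suspend does to the attribute, and why the status filter of Example 2 under "Examples of non-supported filters" cannot match a combined value, as an added example that is not IBM's code. The values of ACCOUNTDISABLE (0x0002) and PASSWD_NOTREQD (0x0020) are taken from Microsoft's documentation, since this guide names the flags without giving them; the sample directory entries are constructed.

```python
"""useraccountcontrol handling as this guide describes it: the sum of the
Table 6 property flags, ACCOUNTDISABLE set on suspend and cleared on
restore, and the reason an equality filter cannot replace bit-level
filtering.  Added example, not IBM's code.  ACCOUNTDISABLE (0x0002) and
PASSWD_NOTREQD (0x0020) are Microsoft-documented values, not from this page."""

# Table 6 (hex values as printed in the guide).
DONT_EXPIRE_PASSWORD = 0x10000
SMARTCARD_REQUIRED = 0x40000
PASSWD_CANT_CHANGE = 0x0040
ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080
# Named on the page; values from Microsoft's documentation.
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020

FLAG_NAMES = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    PASSWD_NOTREQD: "PASSWD_NOTREQD",
    PASSWD_CANT_CHANGE: "PASSWD_CANT_CHANGE",
    ENCRYPTED_TEXT_PWD_ALLOWED: "ENCRYPTED_TEXT_PWD_ALLOWED",
    DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
    SMARTCARD_REQUIRED: "SMARTCARD_REQUIRED",
}


def uac_from_form(password_never_expires=False, password_required=True,
                  smart_card_required=False, user_cannot_change_password=False,
                  allow_encrypted_password=False):
    """Sum of the property flags enabled by the account-form check boxes.
    Table 6 lists 0 for Password Required: a required password adds no
    bit; the PASSWD_NOTREQD bit is set only when no password is required."""
    uac = 0
    if password_never_expires:
        uac |= DONT_EXPIRE_PASSWORD
    if not password_required:
        uac |= PASSWD_NOTREQD
    if smart_card_required:
        uac |= SMARTCARD_REQUIRED
    if user_cannot_change_password:
        uac |= PASSWD_CANT_CHANGE
    if allow_encrypted_password:
        uac |= ENCRYPTED_TEXT_PWD_ALLOWED
    return uac


def decode_uac(uac):
    """Names of the known flags present in a useraccountcontrol value."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if uac & bit]


def suspend(uac):
    """Suspend sets ACCOUNTDISABLE; every other flag is preserved."""
    return uac | ACCOUNTDISABLE


def restore(uac):
    """Restore clears ACCOUNTDISABLE only."""
    return uac & ~ACCOUNTDISABLE


def pwdlastset_for(force_password_change):
    """Force Password Change mapping as this guide states it (-1 when the
    box is selected, 0 otherwise).  Microsoft documents 0 as the
    "must change at next logon" marker, so verify against your directory."""
    return -1 if force_password_change else 0


# Constructed sample directory: account name -> useraccountcontrol.
SAMPLE_ENTRIES = {
    "alice": ACCOUNTDISABLE,
    "bob": ACCOUNTDISABLE | DONT_EXPIRE_PASSWORD,
    "carol": DONT_EXPIRE_PASSWORD,
    "dave": PASSWD_NOTREQD | PASSWD_CANT_CHANGE,
}


def equality_match(entries, value):
    """What a (useraccountcontrol=value) equality filter finds: only
    entries whose whole sum equals the value (Example 2's failure)."""
    return sorted(n for n, u in entries.items() if u == value)


def bit_match(entries, flag):
    """What a bit-level test finds: every entry with the flag set, which
    is what an audit for disabled or password-not-required accounts needs."""
    return sorted(n for n, u in entries.items() if u & flag)
```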
Restoring user accounts

The restore operation reinstates suspended user accounts to Tivoli Identity Manager. After restoring a user account, the status of the user account on Tivoli Identity Manager becomes active. For more information about restoring user accounts, see the Tivoli Identity Manager information center.

When you restore a user account from Tivoli Identity Manager, the Active Directory Adapter modifies the property flag ACCOUNTDISABLE of the useraccountcontrol attribute on the Active Directory. For more information about the property flags of the useraccountcontrol attribute, see the Microsoft Windows Server documentation.

Deleting user accounts

Use the deprovision feature of Tivoli Identity Manager to delete user accounts from the Active Directory. For more information about deleting user accounts, see the Tivoli Identity Manager information center.

When you deprovision a user account from Tivoli Identity Manager, the Active Directory Adapter:
- Deletes the user account from the Active Directory
- Deletes the mailbox of the user account from the Exchange server, if the user account is enabled for a mailbox
- Removes the membership of the user account from the groups that the user account is a member of
- Deletes the home directory of the user account, if the value of the delunchomedirondeprovision registry key is TRUE
- Deletes the profile of the user account, if the value of the delroamingprofileondeprovision registry key is TRUE
- Deletes the WTS home directory of the user account, if the values of the delunchomedirondeprovision and the WtsEnabled registry keys are TRUE
- Deletes the WTS profile of the user account, if the values of the delroamingprofileondeprovision and the WtsEnabled registry keys are TRUE

Note: The Active Directory Adapter does not support the deletion of local home directories.

Deleting a mailbox

Delete the Alias attribute on the Active Directory account form to delete the mailbox of a user account on the Exchange server.
When the mailbox for a user account is deleted, creating another mailbox for the same user account with the same alias creates a new mailbox. The adapter does not permanently delete the mailbox from the Exchange server. A deleted mailbox is flagged as disconnected by the Exchange server. By default, the Exchange server preserves the deleted mailbox for a specific duration. An administrator can configure this duration. You can connect the disconnected mailbox to a user account. The name of the mailbox is changed according to the user account name. For more information about connecting a disconnected mailbox to a user account, see the Microsoft Exchange server documentation.
Chapter 4. Troubleshooting the Actie Directory Adapter errors This section lists the error messages that might occur while performing the Actie Directory Adapter user tasks and the corresponding recommended actions that you can take to resole those errors. Wheneer an operation fails, the corresponding error messages are logged in the WinADAgent.log file that you can find in the Agents installation directory. The log file contains error messages with corresponding error codes. For information about error codes and their description, see the Microsoft Windows Serer documentation and search for "ADSI Error Codes." Table 8. Troubleshooting the Actie Directory Adapter errors Error message Recommended action Unable to bind to base point Ensure that: The base point is correctly specified on the adapter serice form. The user ID is correctly specified on the adapter serice form. The password is correctly specified on the adapter serice form. The Actie Directory is reachable from the workstation where the adapter is installed. Unable to determine default domain This error occurs when the Actie Directory Adapter fails to: Bind to root DSE Get the default naming context Ensure that: The base point is correctly specified on the adapter serice form. The user ID is correctly specified on the adapter serice form. The password is correctly specified on the adapter serice form. The Actie Directory is reachable from the workstation where the adapter is installed. Error binding to DN: DN String This error occurs when the Actie Directory Adapter fails to bind to a user object of the Actie Directory for processing. Ensure that the user being processed in the Actie Directory is not deleted by any other process simultaneously. Copyright IBM Corp. 2007 25
Error message: Extended attribute <attribute name> has unsupported syntax
Recommended action: The Active Directory Adapter does not support the data type used for the extended attribute. Use one of the following data types:
- Boolean
- Integer
- Case sensitive string
- Case insensitive string
- Numerical string
- Unicode string
- Distinguished name
- UTC coded time
For more information about customizing the adapter to use the extended attributes, see the Active Directory Adapter Installation and Configuration Guide and search for the section "Customizing the Active Directory Adapter."

Error message: Extended attribute <attribute name> not found in Active Directory schema
Recommended action: The extended attribute specified in the exschema.txt file does not exist on the Active Directory. Either remove the attribute name from the exschema.txt file or add the attribute to the Active Directory.

Error messages:
- Error binding to schema container <error code>. Loading of extended schema attribute <attribute name> failed.
- Error getting parent of schema <error code>. Loading of extended schema attribute <attribute name> failed.
- Error binding to DN of schema <error code>. Loading of extended schema attribute <attribute name> failed.
- Unable to connect to default domain. Loading of extended schema attribute <attribute name> failed.
Recommended action: These errors occur when the Active Directory Adapter fails to extract the schema of the extended attributes. Ensure that the Active Directory is reachable from the workstation where the adapter is installed. Verify that the extended attribute is correctly defined and added to the user class.

Error message: Extended schema file not found. No extensions loaded.
Recommended action: This informational message occurs when the Active Directory Adapter fails to find the extended schema file (exschema.txt) or fails to open the file.

Error message: Unable to bind to user <user name>
Recommended action: This error occurs when the Active Directory Adapter fails to connect to a user object in the Active Directory for processing. Ensure that the user <user name> exists on the Active Directory.
Error message: Error determining terminal server name
Recommended action: Check the value of the registry key ForceTerminalServerLookup. If the value of the key is TRUE, the Active Directory Adapter determines the terminal server regardless of whether you specify the server name on the adapter service form. This error could be because the domain does not exist or the domain controller is not available for the specified domain. Ensure that the Active Directory is reachable from the workstation where the adapter is installed.

Error message: Error determining RAS server name
Recommended action: Check the value of the registry key ForceRASServerLookup. If the value of the key is TRUE, the Active Directory Adapter determines the RAS server regardless of whether you specify the server name on the adapter service form. This error could be because the domain does not exist or the domain controller is not available for the specified domain. Ensure that the Active Directory is reachable from the workstation where the adapter is installed.

Error message: Unable to get domain name. Terminal and RAS servers cannot be determined.
Recommended action: This error occurs when the Active Directory Adapter fails to get the domain name from the specified base point or from the default domain. Ensure that a base point is specified with a correct domain name.

Error message: Invalid domain name syntax
Recommended action: Use one of the following formats to specify the domain name:
- <server name>/ou=org1,dc=ibm,dc=com
- ou=org1,dc=ibm,dc=com

Error message: User not found
Recommended action: Ensure that the user exists on the Active Directory and is not directly deleted or modified on the Active Directory.

Error message: Error setting attributes country. Unknown country code.
Recommended action: The country code specified for the user is invalid. Specify a valid country code and submit the request again. For information about valid country codes, see Appendix A, Country and region codes, on page 33.

Error message: Could not modify the attribute msexchuseraccountcontrol
Recommended action: This warning occurs when the user mailbox is not disabled on suspending a user account.
Error message: Error removing user from group <group name>
Recommended action: The Active Directory Adapter failed to remove the user from the group <group name>. Ensure that the user is a member of the group <group name>.

Error message: Error adding user to group <group name>
Recommended action: The Active Directory Adapter failed to add the user to the group <group name>. Ensure that:
- The user exists on the Active Directory.
- The user is not already a member of the group <group name>.
- The group specified exists on the Active Directory.

Error message: Unable to get info on share <share name>
Recommended action: This error occurs when the Active Directory Adapter fails to retrieve share information from the home directory of the user. Ensure that:
- The user has access to the home directory.
- The share name exists on the workstation where the home directory is created.

Error message: Invalid home directory path <path name>
Recommended action: The Active Directory Adapter supports creation and deletion of only UNC home directories. Specify the UNC home directory path in the following format:
\\servername\sharename\foldername

Error message: Unable to delete home directory <home directory name>
Recommended action: The Active Directory Adapter is not able to delete the specified home directory. If the adapter is unable to delete the UNC home directory, ensure that:
- The value of the registry key DeleteUNCHomeDirectories is TRUE.
- The user account has permissions to delete the directory.

Error message: Home directory deletion is not enabled. Home directory will not be deleted.
Recommended action: To enable home directory deletion, set the values of the DeleteUNCHomeDirectories and ManageHomeDirectories registry keys to TRUE. Resend the modify request from Tivoli Identity Manager.

Error message: Home directory creation not enabled. Directory will not be created.
Recommended action: To enable home directory creation, set the values of the CreateUNCHomeDirectories and ManageHomeDirectories registry keys to TRUE. Resend the modify request from Tivoli Identity Manager.
Error message: Error creating home directory <home directory name>
Recommended action: The Active Directory Adapter is not able to create the home directory. Ensure that:
- A directory with the same name does not already exist.
- The user account has permissions to create the home directory.
- Intermediate directories exist. The adapter creates only the final directory in the specified path.

Error message: Error deleting share <share name>
Recommended action: The Active Directory Adapter is not able to delete the share when you clear the value of the share-related attributes from the Active Directory account form. Ensure that:
- The user account has access to the specified share.
- The specified share name exists.
- The user account has permissions to delete the share.
Error message: Attribute eradeproxyaddresses Condition code 5 (Error setting attribute eradeproxyaddresses. ADSI Result code: 0x8000ffff - Catastrophic failure)
Recommended action: This error occurs when the Active Directory Adapter fails to update the proxy address. Ensure that:
- Proxy addresses in the address list are in the correct format.
- The SMTP primary proxy address is specified.
- The primary proxy address is specified before the secondary proxy address.
- The extension for any specified proxy address is loaded on the Exchange server. For example, if you add an X.500 proxy address while the X.500 extension is not loaded on the Exchange server, the adapter does not update the new X.500 proxy address.
To verify whether the X.500 extension is loaded, follow these steps:
1. Click Start > Programs > Administrative Tools > Active Directory Users and Computers.
2. Right-click a mailbox-enabled user account, and click Properties. The Properties window for the user account is displayed.
3. Click the E-mail Addresses tab.
4. On the E-mail Addresses page, click New. The New E-mail Address window is displayed. All of the supported address types are in the E-mail Address Type list. If the X.500 address type is not available in the E-mail Address Type list, then the X.500 extension is not loaded on the Exchange server. Load the X.500 extension to support X.500 proxy addresses.
Error messages:
- Unable to get IID_IMailRecipient interface
- Failed to get interface IID_IExchangeMailbox
- Could not Reconcile Mailbox-Permissions
Recommended action: These errors are related to the user account mailbox. Ensure that:
- The Microsoft Exchange Information Store service is running.
- Service Pack 2, or Service Pack 1 and the post-Service Pack 1 Exchange 2000 fix, is installed for Exchange Server 2000.
- The Active Directory Adapter service is running under a domain administrator account.
- Access to the Mailbox Rights window from the Active Directory server is available.
To access the Mailbox Rights window from the Active Directory server, follow these steps:
1. Click Start > Programs > Administrative Tools > Active Directory Users and Computers.
2. Right-click a mailbox-enabled user account, and click Properties. The Properties window for the user account is displayed.
3. Click the Exchange Advanced tab.
4. On the Exchange Advanced page, click Mailbox Rights. The Mailbox Rights window is displayed.

Error messages:
- Search failed. Unable to retrieve additional data after 3 retries.
- User search failed
- Group search failed. Error code: <error code> - <error description>. Provider: <provider name>.
- Container search failed. Error code: <error code> - <error description>. Provider: <provider name>.
- Error performing User Lookup
Recommended action: The Active Directory Adapter retrieves data from the Active Directory in a paged manner. The adapter reconciles users, groups, and containers and attempts to retrieve data in a maximum of three attempts. If all three attempts fail, the adapter abandons the search. The adapter cannot retrieve data because of one of the following reasons:
- The network response is slow.
- The Active Directory server is busy.
- The Active Directory Adapter installed on the Active Directory server is overloading the server.
For information about configuring the Active Directory, see http://support.microsoft.com.
Error message: Failed to get mailbox rights using get_mailboxrights. Error code: 0x80070057 - The parameter is incorrect.
Recommended action: The Exchange provider uses Collaboration Data Objects for Exchange Management (CDOEXM) to create a mailbox for a user object. Under certain conditions, CDOEXM is incorrectly marked as initialized, though CDOEXM is not fully initialized. Therefore, later attempts to use CDOEXM do not succeed. For more information about this error, see http://support.microsoft.com.

Error message: errormessage= Unsupported filter
Recommended action: The adapter does not support the attribute specified in the filter. For the list of supported attributes, see Supported attributes on page 7.

Error message: Error setting attribute eradprimarygroup. ADSI Result code: 0x80072035 - The server is unwilling to process the request.
Recommended action: Ensure that:
- The user is a member of the specified group.
- The specified group is either a universal security group or a global security group.

Error messages:
- ADSI Result code: 0x80072014 - The requested operation did not satisfy one or more constraints associated with the class of the object.
- ADSI Result code: 0x8007202f - A constraint violation occurred.
Recommended action: These errors occur when the specified value for the attribute violates any constraint associated with that attribute. For example, a constraint could be:
- Minimum or maximum length of characters the attribute can store
- Minimum or maximum value the attribute can accept
Ensure that the specified value for the attribute does not violate these constraints.
Note: If any one of the attributes specified in the request violates a constraint, the adapter gives the same error for all the subsequent attributes even though they do not violate any constraint. For example, the Title attribute on the Active Directory can store a description of a maximum of 64 characters. If you specify a description longer than 64 characters, the adapter gives these errors for the Title attribute and for all the other attributes specified in the request.

Error message: Request for proxy email types should contain at least one primary SMTP address
Recommended action: Verify that:
- The request for proxy e-mail types contains a primary SMTP address.
- The SupportedProxyEmailTypes registry key contains a comma-separated list of proxy e-mail types that are supported by the Microsoft API put_proxyaddresses.
For more information about the SupportedProxyEmailTypes registry key, see the Active Directory Adapter Installation and Configuration Guide.
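Two of the formats that Table 8 says the adapter rejects can be checked before a request is sent: the base point (the "Invalid domain name syntax" and "Unable to get domain name" rows) and the UNC home directory path (the "Invalid home directory path" row). The following is an added example written for this guide, not code from the adapter; the function names, the sample values and the derivation of the DNS domain name from the dc= components of the DN are this example's own assumptions, since the page only states the accepted formats.

```python
r"""Pre-flight checks for the base point and UNC home directory formats in Table 8.

Added example, not adapter code. Function names, sample values and the
dc= -> domain derivation are assumptions of this example.
"""
import re
from typing import Optional

# Characters that Windows does not allow in a server, share or folder name.
_NAME = r'[^\\/:*?"<>|]+'
# Exactly \\server\share\folder, the one shape Table 8 gives for a home directory.
UNC_HOME_DIR_RE = re.compile(r"^\\\\(" + _NAME + r")\\(" + _NAME + r")\\(" + _NAME + r")$")


def parse_base_point(base_point: str) -> dict:
    """Split a base point into server (optional), DN and DNS domain name.

    Accepts the two formats from Table 8:
        <server name>/ou=org1,dc=ibm,dc=com
        ou=org1,dc=ibm,dc=com
    The domain name is joined from the dc= values in order, so that
    dc=ibm,dc=com names the domain ibm.com (assumed derivation; the adapter's
    own method is not described on the page). Raises ValueError on bad syntax.
    """
    server: Optional[str]
    server, sep, dn = base_point.partition("/")
    if not sep:                      # no slash: the whole string is the DN
        server, dn = None, base_point
    if server is not None and not server.strip():
        raise ValueError("empty server name before '/'")
    dc_values = []
    for rdn in dn.split(","):        # escaped commas inside values are not handled here
        attr, eq, value = rdn.partition("=")
        attr, value = attr.strip(), value.strip()
        if not eq or not attr or not value:
            raise ValueError(f"invalid domain name syntax: RDN {rdn!r}")
        if attr.lower() == "dc":
            dc_values.append(value)
    if not dc_values:
        raise ValueError("unable to get domain name: no dc= component in base point")
    return {"server": server, "dn": dn.strip(), "domain": ".".join(dc_values)}


def parse_unc_home_dir(path: str) -> tuple:
    r"""Return (server, share, folder) for \\server\share\folder, else raise.

    Table 8 says the adapter creates or deletes only the final folder, so a
    deeper path is rejected here, as is a local drive path.
    """
    m = UNC_HOME_DIR_RE.match(path)
    if not m:
        raise ValueError(f"invalid home directory path: {path!r}")
    return m.group(1), m.group(2), m.group(3)


if __name__ == "__main__":
    # Constructed sample values.
    print(parse_base_point("dc01.example.com/ou=org1,dc=ibm,dc=com"))
    print(parse_base_point("ou=org1,dc=ibm,dc=com"))
    print(parse_unc_home_dir(r"\\fileserver\users$\jdoe"))
```

Running these checks on the service form values before the adapter binds turns a vague "Unable to get domain name" into a message that names the offending RDN or path component.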
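The eradeproxyaddresses row and the "Request for proxy email types should contain at least one primary SMTP address" row both describe rules on the proxy address list: each entry is TYPE:address, exactly one primary SMTP address exists, a primary comes before its secondaries, and every type used must be in the SupportedProxyEmailTypes registry key (that is, its extension is loaded on the Exchange server). The following added example, which is not adapter code, applies those rules to a request before it is sent. The convention that an all-uppercase prefix marks the primary address is Exchange's; the registry value and the sample addresses are constructed for the example.

```python
"""Validate an Exchange proxyAddresses list against the rules in Table 8.

Added example, not adapter code. Sample addresses and the
SupportedProxyEmailTypes value are constructed.
"""
from typing import List, Set


def parse_supported_types(registry_value: str) -> Set[str]:
    """SupportedProxyEmailTypes holds a comma-separated list such as 'SMTP,X400'."""
    return {t.strip().upper() for t in registry_value.split(",") if t.strip()}


def validate_proxy_addresses(addresses: List[str], supported: Set[str]) -> List[str]:
    """Return the list of problems found (empty when the request is acceptable).

    Rules applied:
      * every entry has the form TYPE:address
      * TYPE (compared case-insensitively) is in SupportedProxyEmailTypes
      * an all-uppercase prefix marks the primary address of that type; at
        most one primary per type, and exactly one primary SMTP overall
      * a secondary (lowercase prefix) appears only after its type's primary
    """
    problems = []
    primaries_seen = set()
    for entry in addresses:
        prefix, sep, address = entry.partition(":")
        if not sep or not prefix or not address:
            problems.append(f"{entry!r}: not in TYPE:address form")
            continue
        kind = prefix.upper()
        if kind not in supported:
            problems.append(f"{entry!r}: type {kind} is not in SupportedProxyEmailTypes "
                            "(extension not loaded on the Exchange server)")
        if prefix == kind:                      # uppercase prefix: primary address
            if kind in primaries_seen:
                problems.append(f"{entry!r}: more than one primary {kind} address")
            primaries_seen.add(kind)
        elif kind not in primaries_seen:        # lowercase prefix: secondary address
            problems.append(f"{entry!r}: secondary {kind} address listed before its primary")
    if "SMTP" not in primaries_seen:
        problems.append("no primary SMTP address in the request")
    return problems


if __name__ == "__main__":
    supported = parse_supported_types("SMTP, X400")      # constructed registry value
    request = ["SMTP:jdoe@example.com", "smtp:john.doe@example.com",
               "X500:/o=Example/ou=Users/cn=jdoe"]        # constructed sample
    for problem in validate_proxy_addresses(request, supported):
        print(problem)
```

The X500 entry in the sample is reported because its type is absent from the registry value, which is the same condition the table describes for an X.500 extension that is not loaded on the Exchange server.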
Appendix A. Country and region codes

The Active Directory Adapter uses a code to modify the countrycode attribute on the Active Directory. Countries and regions and their corresponding codes are listed in the following table.

Table 9. Countries and regions and their corresponding codes

Country or region  Code
Afghanistan  004
Albania  008
Algeria  012
American Samoa  016
Andorra  020
Angola  024
Anguilla  660
Antarctica  010
Antigua  028
Argentina  032
Armenia  051
Aruba  533
Australia  036
Austria  040
Azerbaijan  031
Bahamas  044
Bahrain  048
Bangladesh  050
Barbados  052
Belarus  112
Belgium  056
Belize  084
Benin  204
Bermuda  060
Bhutan  064
Bolivia  068
Bosnia  070
Botswana  072
Bouvet  074
Brazil  076
British Indian Ocean Territory  086
Brunei  096
Bulgaria  100
Burkina Faso  854
Burundi  108
Cambodia  116
Cameroon  120
Canada  124
Cape Verde  132
Cayman Islands  136
Central African Republic  140
Chad  148
Chile  152
China  156
Christmas Island  162
Cocos (Keeling) Islands  166
Colombia  170
Comoros  174
Congo  178
Congo, Democratic Republic of  180
Cook Islands  184
Costa Rica  188
Côte d'Ivoire  384
Croatia  191
Cuba  192
Cyprus  196
Czech Republic  203
Denmark  208
Djibouti  262
Dominica  212
Dominican Republic  214
East Timor  626
Ecuador  218
Egypt  818
El Salvador  222
Equatorial Guinea  226
Eritrea  232
Estonia  233
Ethiopia  231
Falkland Islands  238
Faroe Islands  234
Fiji  242
Finland  246
France  250
France, Metropolitan  249
French Guiana  254
French Polynesia  258
French Southern Lands  260
Gabon  266
Gambia  270
Georgia  268
Germany  276
Ghana  288
Gibraltar  292
Great Britain  826
Greece  300
Greenland  304
Grenada  308
Guadeloupe  312
Guam  316
Guatemala  320
Guinea  324
Guinea-Bissau  624
Guyana  328
Haiti  332
Heard and McDonald Islands  334
Holy See  336
Honduras  340
Hong Kong S.A.R. of the P.R.C.  344
Hungary  348
Iceland  352
India  356
Indonesia  360
Iran  364
Iraq  368
Ireland  372
Israel  376
Italy  380
Jamaica  388
Japan  392
Jordan  400
Kazakhstan  398
Kenya  404
Kiribati  296
Kuwait  414
Kyrgyzstan  417
Lao People's Democratic Republic  418
Latvia  428
Lebanon  422
Lesotho  426
Liberia  430
Libyan Arab Jamahiriya  434
Liechtenstein  438
Lithuania  440
Luxembourg  442
Macao S.A.R. of the P.R.C.  446
Macedonia  807
Madagascar  450
Malawi  454
Malaysia  458
Maldives  462
Mali  466
Malta  470
Marshall Islands  584
Martinique  474
Mauritania  478
Mauritius  480
Mayotte  175
Mexico  484
Micronesia  583
Moldova  498
Monaco  492
Mongolia  496
Montserrat  500
Morocco  504
Mozambique  508
Myanmar  104
Namibia  516
Nauru  520
Nepal  524
Netherlands  528
Netherlands Antilles  530
New Caledonia  540
New Zealand  554
Nicaragua  558
Niger  562
Nigeria  566
Niue  570
Norfolk Island  574
Northern Mariana Islands  580
North Korea  408
Norway  578
No Value  0
Oman  512
Pakistan  586
Palau  585
Panama  591
Papua New Guinea  598
Paraguay  600
Peru  604
Philippines  608
Pitcairn  612
Poland  616
Portugal  620
Puerto Rico  630
Qatar  634
Reunion  638
Romania  642
Russian Federation  643
Rwanda  646
Saint Kitts and Nevis  659
Saint Lucia  662
Saint Vincent and the Grenadines  670
Samoa  882
San Marino  674
Sao Tome and Principe  678
Saudi Arabia  682
Senegal  686
Seychelles  690
Sierra Leone  694
Singapore  702
Slovakia  703
Slovenia  705
Solomon Islands  090
Somalia  706
South Africa  710
South Georgia  239
South Korea  410
Spain  724
Sri Lanka  144
St. Helena  654
St. Pierre and Miquelon  666
Sudan  736
Suriname  740
Svalbard  744
Swaziland  748
Sweden  752
Switzerland  756
Syrian Arab Republic  760
Taiwan  158
Tajikistan  762
Tanzania  834
Thailand  764
Togo  768
Tokelau  772
Tonga  776
Trinidad and Tobago  780
Tunisia  788
Turkey  792
Turkmenistan  795
Turks and Caicos Islands  796
Tuvalu  798
Uganda  800
Ukraine  804
United Arab Emirates  784
United States  840
United States Minor Outlying Islands  581
Uruguay  858
Uzbekistan  860
Vanuatu  548
Venezuela  862
Vietnam  704
Virgin Islands, British  092
Virgin Islands, U.S.  850
Wallis and Futuna Islands  876
Western Sahara  732
Yemen  887
Yugoslavia  891
Zambia  894
Zimbabwe  716
Appendix B. Active Directory Adapter attributes

Tivoli Identity Manager communicates with the Active Directory using attributes included in transmission packets sent over a network. The combination of attributes included in the packets depends on the type of action the Active Directory requests from the Active Directory Adapter. Table 10 lists the mapping of the attributes on Tivoli Identity Manager to the attributes on the Active Directory.

Table 10. Mapping of attributes on Tivoli Identity Manager to the attributes on the Active Directory

Attribute on Tivoli Identity Manager  Attribute on the Active Directory
cn  cn
description  description
eradallowdialin  msnpallowdialin
eradallowencryptedpassword  useraccountcontrol
eradbadlogincount  badpwdcount
eradcallbacknumber  msradiuscallbacknumber
eradcannotbedelegated  useraccountcontrol
eradcontainer  User is located in the specified container.
eradcountrycode  countrycode
eraddialincallback  msradiusservicetype
eraddisplayname  displayname
eraddistinguishedname  distinguishedname
eradealias  mailnickname
eradeallowpermto1level  This is a mailbox permissions related attribute. Set as an ACI for the user in the Active Directory.
eradeapplyontoallow  This is a mailbox permissions related attribute. Set as an ACI for the user in the Active Directory.
eradeapplyontodeny  This is a mailbox permissions related attribute. Set as an ACI for the user in the Active Directory.
eradeassociatedextacc  This is a mailbox permissions related attribute. Set as an ACI for the user in the Active Directory.
eradeautogenemailaddrs  Null
eradechgpermissions  This is a mailbox permissions related attribute. Set as an ACI for the user in the Active Directory.
eradedaysbeforegarbage  garbagecollperiod
eradedelegates  publicdelegates
eradedelmailboxstorage  This is a mailbox permissions related attribute. Set as an ACI for the user in the Active Directory.
eradedenypermto1level  This is a mailbox permissions related attribute. Set as an ACI for the user in the Active Directory.
eradeenablestoredeflts  mdbusedefaults
eradeextension1  extensionattribute1
eradeextension10  extensionattribute10
eradeextension11  extensionattribute11
eradeextension12  extensionattribute12
eradeextension13  extensionattribute13
eradeextension14  extensionattribute14
eradeextension15  extensionattribute15
eradeextension2  extensionattribute2
eradeextension3  extensionattribute3
eradeextension4  extensionattribute4
eradeextension5  extensionattribute5
eradeextension6  extensionattribute6
eradeextension7  extensionattribute7
eradeextension8  extensionattribute8
eradeextension9  extensionattribute9
eradeforwardingstyle  deliverandredirect
eradeforwardto  altrecipient
eradefullmailboxaccess  This is a mailbox permissions related attribute. Set as an ACI for the user in the Active Directory.
eradegarbageafterbckp  Null
eradehardlimit  mdboverhardquotalimit
eradehidefromaddrsbk  msexchhidefromaddresslists
eradehomemdb  homemdb
eradeincominglimit  delivcontlength
eradelanguages  language
erademailboxstore  homemdb
erademployeeid  employeeid
eradeoutgoinglimit  submissioncontlength
eradeoverquotalimit  mdboverquotalimit
eradeoverridegarbage  deleteditemflags
eradeproxyaddresses  proxyaddresses
eradereadpermissions  This is a mailbox permissions related attribute. Set as an ACI for the user in the Active Directory.
eraderecipientlimit  msexchreciplimit
eraderstrctadrsfg  Null
eraderstrctadrsls  Null
eradeservername  Null
eradeshowinaddrbook  showinaddressbook
eradesmtpemail  mail
eradestorequota  mdbstoragequota
eradetakeownership  This is a mailbox permissions related attribute. Set as an ACI for the user in the Active Directory.
eradetargetaddress  targetaddress
eradex400email  textencodedoraddress
eradexpirationdate  accountexpires
eradfax  facsimiletelephonenumber
eradhomedir  homedirectory
eradhomediraccessshare  Null
eradhomedirdrive  homedrive
eradhomedirntfsaccess  Null
eradhomedirshare  Null
eradhomepage  wwwhomepage
eradinitial  initials
eradisaccountlocked  lockouttime
eradlastfailedlogin  badpasswordtime
eradlastlogoff  lastlogoff
eradlastlogon  lastlogon
eradloginscript  scriptpath
eradloginworkstations  userworkstations
eradmanager  manager
eradnameprefix  personaltitle
eradnamesuffix  generationqualifier
eradnochangepassword  Null
eradofficelocations  physicaldeliveryofficename
eradothername  middlename
eradpasswordforcechange  pwdlastset
eradpasswordlastchange  pwdlastset
eradpasswordminimumlength  Null
eradpasswordneverexpires  useraccountcontrol
eradpasswordrequired  useraccountcontrol
eradprimarygroup  primarygroupid
eradprimarygrptkn  primarygroupid
eradrequireuniquepassword  Null
eradsmartcardrequired  useraccountcontrol
eradtrustedfordelegation  useraccountcontrol
eradupn  userprincipalname
eradwtsallowlogon  userparameters
eradwtsbrokentimeout  userparameters
eradwtscallbacknumber  userparameters
eradwtscallbacksettings  userparameters
eradwtsclientdefaultprinter  userparameters
eradwtsclientdrives  userparameters
eradwtsclientprinters  userparameters
eradwtshomedir  userparameters
eradwtshomediraccessshare  userparameters
eradwtshomedirdrive  userparameters
eradwtshomedirntfsaccess  userparameters
eradwtshomedirshare  userparameters
eradwtsinheritinitialprog  userparameters
eradwtsinitialprogram  userparameters
eradwtsprofilepath  userparameters
eradwtsreconnectsettings  userparameters
eradwtsremotehomedir  userparameters
eradwtsshadowsettings  userparameters
eradwtstimeoutconnections  userparameters
eradwtstimeoutdisconnections  userparameters
eradwtstimeoutidle  userparameters
eradwtsworkingdir  userparameters
ercompany  company
erdepartment  department
erdivision  division
ergroup  memberof
erlogontimes  logonhours
ermaxstorage  maxstorage
erpassword  Null
erprofile  profilepath
eruid  samaccountname
givenname  givenname
homephone  homephone
l  l
mail  mail
mobile  mobile
pager  pager
postalcode  postalcode
postofficebox  postofficebox
sn  sn
st  st
street  streetaddress
telephonenumber  telephonenumber
title  title
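Several Tivoli Identity Manager attributes in Table 10 (eradallowencryptedpassword, eradcannotbedelegated, eradpasswordneverexpires, eradpasswordrequired, eradsmartcardrequired, eradtrustedfordelegation) all map to the single useraccountcontrol attribute, so the adapter has to read individual bits out of one integer on reconciliation and change only those bits on a modify. The following added example, which is not adapter code, shows that decoding and read-modify-write using the standard Microsoft userAccountControl flag values; which flag each erad* attribute corresponds to is this example's assumption based on the attribute names, since Table 10 names only the Active Directory attribute.

```python
"""Decode and update the userAccountControl bits behind the Table 10 attributes.

Added example, not adapter code. The flag values are the standard Microsoft
userAccountControl flags; the attribute-to-flag pairing is assumed from the
attribute names.
"""

# Standard userAccountControl flag values (Microsoft ADS_USER_FLAG names).
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
SMARTCARD_REQUIRED = 0x40000
TRUSTED_FOR_DELEGATION = 0x80000
NOT_DELEGATED = 0x100000

# TIM attribute -> (flag, inverted). eradpasswordrequired is the inverse of
# PASSWD_NOTREQD; the other attributes read their flag directly.
UAC_ATTRIBUTES = {
    "eradallowencryptedpassword": (ENCRYPTED_TEXT_PWD_ALLOWED, False),
    "eradcannotbedelegated": (NOT_DELEGATED, False),
    "eradpasswordneverexpires": (DONT_EXPIRE_PASSWORD, False),
    "eradpasswordrequired": (PASSWD_NOTREQD, True),
    "eradsmartcardrequired": (SMARTCARD_REQUIRED, False),
    "eradtrustedfordelegation": (TRUSTED_FOR_DELEGATION, False),
}


def decode_uac(uac: int) -> dict:
    """Return the Tivoli Identity Manager attribute values reconciled from one userAccountControl."""
    values = {}
    for name, (flag, inverted) in UAC_ATTRIBUTES.items():
        is_set = bool(uac & flag)
        values[name] = (not is_set) if inverted else is_set
    return values


def apply_uac_changes(uac: int, changes: dict) -> int:
    """Return the new userAccountControl after a modify request.

    Only the requested bits change; every other flag (account type, disabled
    state, lockout-related bits) is preserved, which is why the adapter must
    read the current value before writing it back.
    """
    for name, wanted in changes.items():
        flag, inverted = UAC_ATTRIBUTES[name]
        set_bit = (not wanted) if inverted else wanted
        uac = (uac | flag) if set_bit else (uac & ~flag)
    return uac


def review_findings(uac: int) -> list:
    """Settings worth flagging when reviewing reconciled accounts."""
    values = decode_uac(uac)
    findings = []
    if not values["eradpasswordrequired"]:
        findings.append("password not required")
    if values["eradpasswordneverexpires"]:
        findings.append("password never expires")
    if values["eradallowencryptedpassword"]:
        findings.append("reversibly encrypted password allowed")
    if values["eradtrustedfordelegation"]:
        findings.append("trusted for delegation")
    return findings


if __name__ == "__main__":
    sample = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD      # constructed sample value
    print(hex(sample), decode_uac(sample), review_findings(sample))
    print(hex(apply_uac_changes(sample, {"eradpasswordneverexpires": False})))
```

The findings list is the kind of output a reconciliation review would act on: each of the flagged settings weakens password or delegation controls on the account without being visible from the account's group memberships.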
Appendix C. APIs used by the Active Directory Adapter

This section lists the APIs used by the Active Directory Adapter.

ADSI interfaces and the corresponding APIs used by the Active Directory Adapter

The following table lists the ADSI interfaces and the corresponding APIs used by the adapter. For more information about an API, go to http://msdn2.microsoft.com and search for the API together with its corresponding ADSI interface. For example, to search for information about get_alias, see http://msdn2.microsoft.com and in the Search field, type get_alias and IMailRecipient.

Table 11. ADSI interfaces and the corresponding APIs used by the Active Directory Adapter

IMailRecipient
  get_alias, put_alias
  MailEnable, MailDisable
  get_proxyaddresses, put_proxyaddresses
  get_restrictedaddresslist, put_restrictedaddresslist
  get_autogenerateemailaddresses, put_autogenerateemailaddresses
  get_forwardingstyle, put_forwardingstyle
  get_forwardto, put_forwardto
  get_hidefromaddressbook, put_hidefromaddressbook
  get_incominglimit, put_incominglimit
  get_outgoinglimit, put_outgoinglimit
  get_restrictedaddresses, put_restrictedaddresses
  get_smtpemail, put_smtpemail
  get_targetaddress
  get_x400email, put_x400email

IMailboxStore
  CreateMailbox
  DeleteMailbox
  get_daysbeforegarbagecollection, put_daysbeforegarbagecollection
  get_enablestoredefaults, put_enablestoredefaults
  get_garbagecollectonlyafterbackup, put_garbagecollectonlyafterbackup
  get_hardlimit, put_hardlimit
  get_homemdb
  get_overquotalimit, put_overquotalimit
  get_overridestoregarbagecollection, put_overridestoregarbagecollection
  get_recipientlimit, put_recipientlimit
  get_storequota, put_storequota
  get_delegates, put_delegates

IExchangeMailbox
  get_mailboxrights

IADs
  Get

IDirectorySearch
  ExecuteSearch
  GetFirstRow
  GetColumn
  FreeColumn
  GetNextRow
  CloseSearchHandle
  SetSearchPreference

IADsUser
  GetEx, PutEx
  get_accountdisabled, put_accountdisabled
  get_loginhours, put_loginhours
  get_loginworkstations, put_loginworkstations
  get_passwordrequired, put_passwordrequired
  get_adspath
  get_badlogincount
  get_passwordminimumlength
  get_requireuniquepassword
  SetPassword
  SetInfo
  put_isaccountlocked
  put_maxstorage
  Groups
  put_accountexpirationdate
  get_parent

IADsGroup
  get_guid
  Remove
  Add

IDirectoryObject
  CreateDSObject
  DeleteDSObject

IADsProperty
  get_syntax
  get_maxrange
  get_minrange
  get_multivalued

IADsContainer
  GetObject
  MoveHere

IADsTSUserEx
  get_terminalservicesprofilepath, put_terminalservicesprofilepath
  get_terminalserviceshomedirectory, put_terminalserviceshomedirectory
  get_terminalserviceshomedrive, put_terminalserviceshomedrive
  get_allowlogon, put_allowlogon
  get_maxdisconnectiontime, put_maxdisconnectiontime
  get_maxconnectiontime, put_maxconnectiontime
  get_maxidletime, put_maxidletime
  get_reconnectionaction, put_reconnectionaction
  get_brokenconnectionaction, put_brokenconnectionaction
  get_connectclientdrivesatlogon, put_connectclientdrivesatlogon
  get_connectclientprintersatlogon, put_connectclientprintersatlogon
  get_defaulttomainprinter, put_defaulttomainprinter
  get_terminalservicesworkdirectory, put_terminalservicesworkdirectory
  get_terminalservicesinitialprogram, put_terminalservicesinitialprogram
  get_enableremotecontrol, put_enableremotecontrol

WIN32 APIs used by the Active Directory Adapter

The following table lists the WIN32 APIs used by the adapter. For more information about an API, go to http://msdn2.microsoft.com and search for the API. For example, to search for information about MprAdminUserGetInfo, see http://msdn2.microsoft.com and in the Search field, type MprAdminUserGetInfo.

Table 12. WIN32 APIs used by the Active Directory Adapter

ADsGetObject
ADsOpenObject
BuildSecurityDescriptor
CreateDirectory
CryptAcquireContext
CryptCreateHash
CryptDestroyHash
CryptGetHashParam
CryptHashData
CryptReleaseContext
DsGetDcName
EqualSid
GetAce
GetAclInformation
GetEffectiveRightsFromAcl
GetFileSecurity
GetNamedSecurityInfo
GetSecurityDescriptorDacl
InitializeAcl
IsValidSecurityDescriptor
MprAdminGetPDCServer
MprAdminUserGetInfo
MprAdminUserSetInfo
NetApiBufferFree
NetShareAdd
NetShareDel
NetShareEnum
NetShareGetInfo
NetShareSetInfo
RegCreateKeyEx
RegQueryValueEx
RegSetValueEx
SetFileSecurity
WTSQueryUserConfig
WTSSetUserConfig
Appendix D. Accessibility features for the Active Directory Adapter

Accessibility features help a user who has a physical disability, such as restricted mobility or limited vision, to use information technology products successfully.

Accessibility features

The following list includes the major accessibility features in the Active Directory Adapter. These features support:
- Keyboard-only operation.
- Interfaces that are commonly used by screen readers.
- Keys that are tactilely discernible and do not activate just by touching them.
- Industry-standard devices for ports and connectors.
- The attachment of alternative input and output devices.

Documentation is available in convertible PDF format to give the maximum opportunity for users to apply screen-reader software. All images in the documentation are provided with alternative text so that users with vision impairments can understand the contents of the images.

Note: The Tivoli Identity Manager information center and its related publications are accessibility-enabled for the IBM Home Page Reader. You can operate all features using the keyboard instead of the mouse.

Keyboard navigation

This product uses standard Microsoft Windows navigation keys.

Related accessibility information

IBM and accessibility
See the IBM Accessibility Center at http://www.ibm.com/able for more information about the commitment that IBM has to accessibility.
Appendix E. Support information This section describes the following options for obtaining support for IBM products: Searching knowledge bases Contacting IBM Software Support Searching knowledge bases If you hae a problem with your IBM software, you want it resoled quickly. Begin by searching the aailable knowledge bases to determine whether the resolution to your problem is already documented. Search the information center on your local system or network IBM proides extensie documentation that can be installed on your local computer or on an intranet serer. You can use the search function of this information center to query conceptual information, instructions for completing tasks, reference information, and support documents. Search the Internet If you cannot find an answer to your question in the information center, search the Internet for the latest, most complete information that might help you resole your problem. To locate Internet resources for your product, open one of the following Web sites: Performance and tuning information Proides information needed to tune your production enironment, aailable on the Web at: http://publib.boulder.ibm.com/tiidd/td/tdprodlist.html Click the I character in the A-Z product list to locate Tioli Identity Manager products. Click the link for your product, and then browse the information center for the Technical Supplements section. Redbooks and white papers are aailable on the Web at: http://www.ibm.com/software/sysmgmt/products/support/ IBMTioliIdentityManager.html Naigate to the Self Help section, in the Learn category, and click the Redbooks link. 
Technotes are aailable on the Web at: http://www.redbooks.ibm.com/redbooks.nsf/tips/ Field guides are aailable on the Web at: http://www.ibm.com/software/sysmgmt/products/support/field_guides.html For an extended list of other Tioli Identity Manager resources, search the following IBM deeloperworks Web address: http://www.ibm.com/deeloperworks/ Contacting IBM Software Support IBM Software Support proides assistance with product defects. Copyright IBM Corp. 2007 53
Before contacting IBM Software Support, your company must have an active IBM software maintenance contract, and you must be authorized to submit problems to IBM. The type of software maintenance contract that you need depends on the type of product you have:

- For IBM distributed software products (including, but not limited to, Tivoli, Lotus, and Rational products, as well as DB2 and WebSphere products that run on Windows or UNIX operating systems), enroll in Passport Advantage in one of the following ways:
  - Online: Go to the Passport Advantage Web page (http://www.lotus.com/services/passport.nsf/webdocs/Passport_Advantage_Home) and click How to Enroll.
  - By phone: For the phone number to call in your country, go to the IBM Software Support Web site (http://techsupport.services.ibm.com/guides/contacts.html) and click the name of your geographic region.
- For IBM eServer software products (including, but not limited to, DB2 and WebSphere products that run in zSeries, pSeries, and iSeries environments), you can purchase a software maintenance agreement by working directly with an IBM sales representative or an IBM Business Partner. For more information about support for eServer software products, go to the IBM Technical Support Advantage Web page (http://www.ibm.com/servers/eserver/techsupport.html).

If you are not sure what type of software maintenance contract you need, call 1-800-IBMSERV (1-800-426-7378) in the United States or, from other countries, go to the contacts page of the IBM Software Support Handbook on the Web (http://techsupport.services.ibm.com/guides/contacts.html) and click the name of your geographic region for phone numbers of people who provide support for your location.

Follow the steps in this topic to contact IBM Software Support:
1. Determine the business impact of your problem.
2. Describe your problem and gather background information.
3. Submit your problem to IBM Software Support.

Determine the business impact of your problem

When you report a problem to IBM, you are asked to supply a severity level. Therefore, you need to understand and assess the business impact of the problem you are reporting. Use the following criteria:

Severity 1
  Critical business impact: You are unable to use the program, resulting in a critical impact on operations. This condition requires an immediate solution.
Severity 2
  Significant business impact: The program is usable but is severely limited.
Severity 3
  Some business impact: The program is usable with less significant features (not critical to operations) unavailable.
Severity 4
  Minimal business impact: The problem causes little impact on operations, or a reasonable circumvention to the problem has been implemented.

Describe your problem and gather background information

When explaining a problem to IBM, be as specific as possible. Include all relevant background information so that IBM Software Support specialists can help you solve the problem efficiently. To save time, know the answers to these questions:
- What software versions were you running when the problem occurred?
- Do you have logs, traces, and messages that are related to the problem symptoms? IBM Software Support is likely to ask for this information.
- Can the problem be re-created? If so, what steps led to the failure?
- Have any changes been made to the system? (For example, hardware, operating system, networking software, and so on.)
- Are you currently using a workaround for this problem? If so, please be prepared to explain it when you report the problem.

Submit your problem to IBM Software Support

You can submit your problem in one of two ways:
- Online: Go to the Submit and track problems page on the IBM Software Support site (http://www.ibm.com/software/support/probsub.html). Enter your information into the appropriate problem submission tool.
- By phone: For the phone number to call in your country, go to the contacts page of the IBM Software Support Handbook on the Web (http://techsupport.services.ibm.com/guides/contacts.html) and click the name of your geographic region.

If the problem you submit is for a software defect or for missing or inaccurate documentation, IBM Software Support creates an Authorized Program Analysis Report (APAR). The APAR describes the problem in detail. Whenever possible, IBM Software Support provides a workaround for you to implement until the APAR is resolved and a fix is delivered. IBM publishes resolved APARs on the IBM product support Web pages daily, so that other users who experience the same problem can benefit from the same resolutions. For more information about problem resolution, see Searching knowledge bases.
Appendix F. Notices

This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged should contact:

IBM Corporation
2ZA4/101
11400 Burnet Road
Austin, TX 78758
U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
Trademarks

The following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both:

DB2
developerWorks
IBM
Redbooks
Tivoli
WebSphere
zSeries
pSeries
iSeries
eServer
Lotus
AIX
Rational

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

Intel, Intel Inside (logos), MMX and Pentium are trademarks of Intel Corporation in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Linux is a trademark of Linus Torvalds in the U.S., other countries, or both.

Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

Other company, product, and service names may be trademarks or service marks of others.
Index

A
accessibility
  features 51
  keyboard 51
  overview vii
  pdf format, for screen-reader software 51
  shortcut keys 51
  text, alternative for document images 51
adapter
  features 1
  overview 1
  troubleshooting errors 25
  user account management tasks 5
adapter attributes 41
add attributes
  proxy address 17
adding attributes
  distinguished name 13
  home directory 16
  relative distinguished name 13
  user principal name 14
adding user accounts 12
ADSI interfaces 47
APIs 47
attributes
  adding 12
  modifying 18
  non-reconcilable 7
  reconcilable 6
  reconciling 5

B
books
  see publications iii, vii

C
changing passwords of user accounts 22
configuration
  Tivoli Identity Manager 3
container attribute
  modifying 18
  reconciling 6, 7
conventions
  typeface iii
  used in this document iii
country codes 33
customer support
  see software support 53

D
deleting mailbox 24
deleting user accounts 24
disability 51
distinguished name
  adding 13
  modifying 18
documents
  related vi
  Tivoli Identity Manager library iii

E
education
  see Tivoli technical training vii
enabling adapter for filter reconciliation 7
enabling user accounts for mail 17
environment variables, notation iii
errors
  troubleshooting 25

F
filter reconciliation 7

H
home directory
  creating 16
  modifying 19

I
IBM Software Support 53
information centers, searching to find software problem resolution 53
Internet, searching to find software problem resolution 53

K
knowledge bases, searching to find software problem resolution 53

M
mail-enabled user accounts 17
mailbox
  deleting 24
mailbox store
  modifying 22
mailbox-enabled user accounts 17
manuals
  see publications iii, vii
modifying attributes
  container 18
  home directory 19
  mailbox store 22
modifying user accounts 18
modifying user password 22

N
notation
  environment variables iii
  path names iii
  typeface iii

O
online publications
  accessing vii
online terminology
  accessing vi
operations
  adding 12
  deleting 24
  modifying 18
  reconciling 5
  restoring 24
  suspending 23
ordering publications vii

P
pdf format, for screen-reader software 51
problem determination
  describing problem for IBM Software Support 55
  determining business impact for IBM Software Support 54
  submitting problem to IBM Software Support 55
proxy address
  adding 17
publications
  accessing online vii
  ordering vii
  related vi
  Tivoli Identity Manager library iii

R
reconciling
  support data 7
  user accounts 5
  useraccountcontrol attribute 7
region codes 33
relative distinguished name
  adding 13
restoring user accounts 24

S
shortcut keys
  keyboard 51
software support
  contacting 53
  describing problem 55
  determining business impact 54
  submitting problem 55
specifying controls for user accounts 15
support data reconciliation 7
support information iii
suspending user accounts 23

T
terminology
  accessing online vi
text, alternative for document images 51
Tivoli software information center vii
Tivoli technical training vii
troubleshooting adapter errors 25
typeface conventions iii

U
user account controls 15
user accounts
  adding 12
  deleting 24
  modifying 18
  reconciling 5
  restoring 24
  suspending 23
user principal name
  adding 14
useraccountcontrol attribute
  reconciling 7

V
variables, notation for iii

W
WIN32 APIs 50
Printed in USA SC23-6176-00