IBM® Security
Active Directory 64-Bit Adapter
Version 10.0.14
Edition notice
Note: This edition applies to versions 10.0.x
of the IBM Security Identity Manager, version 5.2.x of the IBM Identity
Governance and Intelligence and version 10.0.x of IBM Verify.
© Copyright IBM Corporation 2009, 2024
US Government Users Restricted Rights. Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Table of Contents
Running
in Federal Information Processing
Configuring the adapter to run in FIPS mode
Operational differences running in FIPS mode
Installation and
Configuration Notes
Corrections to Installation Guide
Customizing or Extending
Adapter Features
Update
the targetprofile.json file (IGI only)
Support for Customized Adapters
Log Output From Exchange and Lync powershell calls
Issues
when used with multiple Exchange versions
Welcome to the IBM Security Active Directory 64-bit (WinAD64) Adapter.
These Release Notes contain information for the following products that was not available when the adapter manuals were printed:
The Active Directory Adapter is designed to create and manage accounts on Microsoft Active Directory and mailboxes on Exchange and Lync (Skype for Business). The adapter runs in “agentless" mode and communicates using Microsoft ADSI API and PowerShell to the systems being managed.
IBM recommends the installation of this adapter in “gentless" mode on a 64-bit OS and computer in the domain being managed. Installation on a Domain Controller is not recommended. A single copy of the adapter can handle multiple Identity Manager Services. The deployment configuration is based, in part, on the topology of your network domain, but the primary factor is the planned structure of your Identity and/or Governance policies and processes. Please refer to the Identity or Governance Information Center for a discussion of these topics.
The IBM Verify adapters are powerful tools that require Administrator Level authority. Adapters operate much like a human system administrator, creating accounts, permissions and home directories. Operations requested from the Identity Manager server will fail if the adapter is not given sufficient authority to perform the requested task. IBM recommends that this adapter run with administrative (root) permissions.
Review and agree to the terms of the IBM Verify License prior to using this product. The license can be viewed from the "license" folder included in the product package.
The adapter package includes two
profiles:
·
ADprofile.jar
o
This profile is supported Identity
and Governance. When used, if an AD group name or DN is changed in AD, the
reconciliation operation will result it deleting the original group and adding
the updating group as a new group.
§ Governance results: all users who had permission on the
original group will lose that permission and new permission will be added using
the new name
o
No additional configuration changes
are required on the adapter when the ADprofile.jar is used.
·
ADprofileGUID.jar
o
This profile is supported on
Identity and Governance. When used, if an AD group name or DN is changed in AD,
the reconciliation operation will only change the name and/or DN of the group.
§ Governance results: all users who had permission on the
original group will retain that permission but with new name and/or DN
o
When using ADprofileGUID.jar, you
must configure the adapter to use GUID as the group naming attribute using
agentCfg.exe on the adapter server
§ Invoke agentCfg.exe -a adagent
- Use option (F) Registry Settings
- Use option (A) Modify Non-encrypted registry settings
- Use option (B) Modify attribute value
- Registry item to modify is: useGroup
- New registry item value is: GUID
- Use option (X) Done three times to exit out
- Restart the adapter service for the change to take effect.
The ability to manage service groups is a feature introduced prior to IBM Security Identity Manager 6.0. By service groups, ISIM is referring to any logical entity that can group accounts together on the managed resource.
Managing service groups implies the following:
Create service groups on the managed resource.
Modify attributes of a service group (group name change is not supported)
Delete a service group.
The Windows Active Directory x64 adapter supports service groups
management on Identy Manager only.
Component |
Version |
Build Date |
2024-06-18 16:38:48 PDT |
Adapter Version |
10.0.14 |
Component Versions |
Adapter Build: 10.0.14 Profile 10.0.14 ADK 8.0.7
|
Documentation |
Check the IBM Knowledge Centre for the following guide(s): IBM Verify Active Directory Adapter with 64-Bit Support Installation and Configuration Guide |
Enhancement |
Description |
|
Items included in this release (10.0.13) |
internal |
Upgraded to ADK 8.0.7 with openSL 3.1.6 |
|
Items included in this release (10.0.13) |
internal |
Upgraded to ADK 8.0.6 with openSL 3.1.4 |
|
Items included in this release (10.0.11) |
internal |
Upgraded to ADK 8.0.5 with openSL 3.1.4 |
|
Items included in this release (10.0.9) |
internal |
Added Support for Exchange remote session |
ADAPT-I-134 |
Support Exchange Archive Mailbox |
|
Items included in this release (10.0.8) |
internal |
Upgraded to ADK 8.0.2 with OpenSSL 3.1 |
ADAPT-I-206 |
Support Basic Authentication in AD adapter with support for
Exchange |
ADAPT-I-204 |
AD agent to exchange remote powershell in SSL mode |
|
Items included in this release (10.0.4) |
RFE 63875 |
Specify display name when enabling mailboxes.. Added registry
setting to enable or disable this new feature |
|
Items included in this release (10.0.3) |
RFE 64093 |
Support for setting WorkingHoursStartTime using the ISIM6
WinAD64 Adapter |
RFE 64626 |
IGI AD Adapter GUID Profile Latency. Add cache GUID/DN
lookup |
RFE 63875 |
Specify display name when enabling mailboxes. |
|
Items included in this release (10.0.2) |
Internal |
Upgraded to ADK 7.0.9 with openSSL 1.1.1k |
RFE 145716 (63010) |
AD Cross Domain Group Member Support for Universal Groups
(FPL) |
|
Items included in this release (10.0.1) |
Internal |
Rebranded for IBM Security Verify |
|
Items included in this release (7.1.34) |
RFE TS001318020 (55491) |
IGI Active Directory Adapter - EmployeeNumber not supported |
RFE TS001619165 (58739) |
AD Adapter does not change Country to AD Country Code |
RFE TS002747046 (59959) |
Management of the attribute 'msExchAddressBookPolicyLink' by
ISIM Windows AD Adapter |
Internal |
Updated to ADK 7.0.8 with openSSL 1.1.1d.� Added support for
min tls level |
|
Items included in this release (7.1.33) |
RFE 127449 (56512) |
Supporting eradeallowedaddresslist in hybrid environment
(Adapter) |
RFE 128222 (56765) |
ISIM and O365 email usage in hybrid environment |
|
Items included in this release (7.1.32) |
RFE 130064 (57543) |
'businessCategory' attribute in Security Identity Adapter for Windows AD not handled as multi-valued.
|
181168 |
Attribute values lookup support.
|
183288 |
Support for Windows 2019 server. Both as a managed service and adapter platform. Support for Exchange 2019 and Skype for Business 2019.
|
PSIRT |
Upgraded to ADK 7.0.6 with OpenSSL 1.0.2r
|
|
Items included in this release (7.1.31) |
|
None |
|
Items included in 7.1.30 release |
177537 |
As a developer of the Windows AD adapter, I need to use a newer OpenSSL version that addresses PSIRT advisories. OpenSSL is upgraded from version 1.0.2n to 1.0.2p |
178202 |
Implementation for supporting recon for:
msDS-LastSuccessfulInteractiveLogonTime
and other 3 related attributes. - msDS-LastSuccessfulInteractiveLogonTime,
Note: On IGI Date attributes are not displayed correctly.
|
|
Items included in 7.1.29 release |
154239 |
US - As a Windows AD adapter developer, I need to update my adapter to use the newer OpenSSL |
|
Items included in 7.1.28 release |
|
None |
|
Items included in 7.1.27 release |
50831 50763 |
Windows AD adapter to support mailbox attribute msExchRecipientTypeDetails and msExchRemoteRecipientType in integer8 format
|
50988 |
Add businessCategory as a regular adapter attribute
|
43334 |
Enhance AD Adapter to detect user's email status for remote mailbox (O365) and manage proxy address and other exchange attrib
|
internal |
Added support for remote mailbox to support Office 365 mailboxes in a hybrid Exchange environment
|
internal |
Modified installer to default to SSL enabled
|
|
Items included in 7.1.26 release |
44871 |
Added support for lync Mobility and Persistent Chat policies
|
internal |
Now supports FIPS compliant mode
|
|
Items included in 7.1.25 release |
internal |
This release includes ADK 7.0.3 which update openssl to 1.0.2f to address a vulnerability to excessive CPU utilization
|
|
Items included in 7.1.24 release |
internal |
This release officially supports Windows 2016 server. Both as a managed resource and an installation platform
|
|
Items included in 7.1.23 release |
internal |
Now using ADK 7.0.1 with updated openSSL, ICU and SQLite all built on Visual Studio 2012. Adapter is now built on Visual Studio 2012 using .NET 4.5. It no longer requires .NET 3.5 to be installed.
|
|
Items included in 7.0.20 release |
42641 |
Adapter Support for Exchange 2016 and Lync 2015
|
42071 |
Second and following Mailbox Move Requests Fail on Exchange 2013
|
43225 |
Reduce IO in WinAD Adapter for PW change
|
|
Items included in 7.0.18 release |
38935 |
Support "Manager can update membership list" attribute for AD Group
|
38934 |
Support display name attribute for AD Groups
|
39511 |
WinAD Adapter does not reconcile Lync Registry Pools from AD
|
40129 |
ISIM AD Adapter Customization for Group Object class |
internal |
Updated resource.def in profile to support external roles
|
|
Items included in initial release (7.0.16) |
30303 |
ISIM AD adapter unable to set Mail box Retention policy check |
internal |
Now using ADK 6.0.1027 which provides an option disabling sslv3. There is also support for setting the list of ciphers used. |
internal |
The Domain Admin and Domain Password fields have been removed from the service form in the profile. They can still be used, but the preferred method is to set the logon account on the adapter windows service. |
|
Items included in 6.0.15 release |
34001 |
Added support for Exchange Automatic Mailbox Distribution. Supplying only eradealias without a mail store or external email address allows Exchange to determine the mail store to use based on load balancing. |
31924 |
Prevent deletion of user accounts that have a mailbox that is under litigation hold |
32482 |
Add support for msExchCoManagedByLink to group schema |
29995 |
Add support for msExchRequireAuthToSendTo to group schema |
|
Updated logging to include output from Lync and Exchange modules |
|
Items included in 6.0.14 release |
|
The Password Synchronization plug-in is now released as a separate package. It is no longer bundled in with the AD Adapter |
|
Includes updated ADK 6.0.1020 which includes update to prevent password values from being written to the log on password change failures |
|
Items included in 6.0.13 release |
|
Includes updated ADK 6.0.1019 which includes version 1.0.1h-fips of openSSL. |
Case |
APAR# |
PMR# / Description |
|
|
Items closed in this release (10.0.14) |
TS015907182 |
Creation of remote mailbox with primary
smtp address in list of proxy address on add request |
|
|
|
Items closed in this release (10.0.13) |
TS015311731 |
AD Attribute erADEHideFromAddrsBk is not returned during recon
for remote mailboxes; |
|
internal |
AD Attribute eradealllowaddresslist changed from DNString to DNValue |
|
|
|
Items closed in this release (10.0.12) |
TS013336011 |
Some AD account don't have their Exchange attributes mail, proxyAddresses and targetAddress set |
|
|
|
Items closed in release (10.0.11) |
internal |
Test Connection in ISV SaaS fails because of eradeusebasicauth field added in 10.0.9 |
|
TS014310910 |
outdated country codes |
|
|
|
Items closed in release (10.0.10) |
BUGZ 4053 |
How to manage cloud migrated AD account with AD Agent |
|
BUGZ 4165 |
Unable to set Exchange Quota warning - AD adapter |
|
BUGZ 4142 |
Change Log Sync finish failed AD with error Error code: 0x80072030 |
|
|
|
Items closed in release 10.0.9 |
BUGZ 4090 |
Windows AD 10.0.8 ADprofile.jar file has syntax issue |
|
BUGZ 4091 |
IBM Security Verify Governance Adapter for Windows AD broken SSL |
|
|
|
Items closed in release 10.0.8 |
internal |
erADEAllowedAddressList occurs twice in targetProfile.json and
is missing DNString flag |
|
|
|
Items closed in release 10.0.7 |
TS010327429 |
error in AD recon for some users |
|
|
|
Items closed in release 10.0.6 |
TS007544376 |
User member of group that has been deleted kills recon |
|
|
Full recon on AD adapter does not contain eradgrpcontainerrnd
data |
|
TS008973416 |
Active Directory adapter has issues with Group Reconciliation |
|
|
|
Items closed in release 10.0.5 |
IJ37565 |
Displayname getting set to -1 when creating mailbox |
|
TS006823945 |
TS006823945 How can we manage erADEAllowedAddressList attribute
managing by rule.� Missing from targetProfile.json |
|
|
|
Items closed in release 10.0.4 |
TS006884318 |
The Windows AD adapter profiles newer than 7.1.35 version are
missing erADEmployeeNumber in targetProfile.json file |
|
|
|
Items closed in release 10.0.3 |
IJ33198 |
WinAD adapter Enable-DistributionGroup fails |
|
IJ34539 IJ34168 |
Setting the eradexpirationdate in IGI to null sends a default
date to active directory which is in the past and expires the account |
|
|
|
Items closed in release 10.0.2 |
IJ31965 |
AD Agent Silent Installation Not Working |
|
|
|
Items closed in release 10.0.1) |
IJ28787 |
WinAD Adapter crashes during reconciliation |
|
|
|
Items closed in release 7.1.38) |
TS004078164 |
|
Recon/search failure with AD adapter and some AD group lookup |
TS003784368 |
|
WinAd adapter profile ADprofileGUID.jar does not send GUID on
group add |
|
|
Items closed in release 7.1.37) |
TS003631283 |
IJ24481 |
Windows AD - unable to remove erADLyncLineURI attribute from Lync/Skype server
|
|
|
Items closed in release 7.1.36) |
Internal |
Fixed targetProfile.json which had been reverted to the old format by mistake
|
|
TS003631283 |
IJ24481 |
Windows AD - unable to remove erADLyncLineURI attribute from Lync/Skype server
|
TS003197913 |
Adding an Activedirectory account results in SERVICE_CONTROL_INTERROGATE command (long DNs in container names)
|
|
TS003611746 |
IJ24480 |
Windows AD - recon not picking up erADLyncDialpPolicy (DialPlan) attribute for Lync/Skype
|
|
IJ24489 |
Group basepoint - Unable to bind to group basepoint
|
|
|
Items closed in release (7.1.35) |
Inernal |
Null pointer when mailbox store is empty value
on add request |
|
TS003353720 |
Active Directory Adapter performance (1.5
second delay per request) |
|
APAR IJ23159 |
A random server is chosen for group modify if no server is specified in the group base point |
|
|
|
Items closed in release (7.1.34) |
TS002713742 |
duplicate erADEmailboxGUID entries returned
resulting in warnings |
|
TS002782868 |
Issue with updating proxyaddresses
inExchange/Active directory |
|
APAR IJ17835 |
WINAD ADAPTER ERROR WHEN SETTING "ACCEPT
MAIL FROM" AND THE ACCOUNT HAS A REMOTE MAILBOX |
|
|
|
Items closed in release (7.1.33) |
TS002562024 |
eradexdialin and erADEShowInAddrBook not
working correctly due to errors in targetprofile.json |
|
Internal |
erUID incorrectly marked as immutable
preventing renaming user. |
|
Internal |
erADERstrctAdrsLs, erADEAllowedAddressList,
erADEDelegates incorrectly marked as not supported for remote mailboxes
erADETargetAddress incorrectly marked as supported for remote
mailboxes. |
|
|
|
Items closed in release (7.1.32) |
183289 |
IJ12159 |
erADEHideFromAddrsBk not returned. Behaving as designed, the value is not present when set to false through the ADSI api.
|
183292 |
|
businessCategory on containers now supported as multi-valued.
|
|
|
Items closed in release (7.1.31) |
Internal |
|
RTC 181198: Internal - As a WinAD adapter, i must ensure that the profile jars in 7.x package are correct |
|
|
Items closed in 7.1.30 release |
TS001030655 |
|
US - As a WinAD adapter developer I must ensure that the correct version numbers are set for the 6.x and 7.x adapter builds.
|
|
|
Items closed in 7.1.29 release |
|
|
None |
|
|
Items closed in 7.1.28 release |
TS000028936 |
|
Added support for providing primary SMTP address when mailbox is created. This avoids, the default SMTP address from becoming a secondary SMTP address when the primary SMTP address is set after the mailbox is created.
|
|
|
Items closed in 7.1.27 release |
01351,SGC,740 |
|
Error 0x00000037 and 0x80004005 trying to set eradnochangepassword |
|
IV98275 |
WRONG SYNTAX FOR ERADPREFERREDEXCHANGESERVERS AND ERADPREFERREDLYNCSERVERS IN TARGETPROFILE.JSON
|
|
IV97886 IV98275 |
ADprofile.jar file from 7.1.26 package won't import on IGI 5.2.3 |
|
|
Items closed in 7.1.26 release |
|
IV96432
|
IN HYBRID EXCHG & O365, CREATING MAIL USER GETS REMOTE ONE BUT UPON MODIFY EXCHG ATTR - GETS LOCAL MAILBOX |
|
|
Items closed in 7.1.25 release |
|
IV85621 |
WINAD ADAPTER: PASS PREFERRED LYNC SERVERS TO LYNC MODULE |
|
|
Items closed in 7.0.21 release |
|
IV84875 reoponed |
ISIM AD ADAPTER CANNOT MANAGE LYNC ATTRIBUTES |
|
|
Items closed in 7.0.20 release |
|
IV84875 |
ISIM AD ADAPTER CANNOT MANAGE LYNC ATTRIBUTES |
75802,227,000 |
|
Issue with erADGrpWriteMembers attribute value on reconcile returning both true and false.
|
04723,001,862 |
|
WinAD Adapter Release Notes Wrong+Missing Information
|
|
|
Items closed in 7.0.19 release |
|
IV82951 |
SETTING NTFS HOME DIRECTORY PERMISSIONS FAILS AFTER UPGRADE TO WINAD64 6.0.18 |
|
|
Items closed in 7.0.18 release |
52479,004,000 |
|
ITIM adapter deleting the $IPC share accidentally
|
|
IV79632 |
ACTIVE DIRECTORY USERS WITH COUNTRY CODE 428 ARE CREATED WITH COUNTRY LATIVA INSTEAD OF LATVIA. |
|
IV79641 |
AD ADAPTER INTERMITTENTLY CRASHES DURING RECONCILIATION |
|
IV81775 |
INVALID PARAMETER GENERATED FOR EXCHANGE 2013 PROVISIONING (-ManagedFolderMailboxPolicyAllowed) |
|
|
Items closed in 7.0.17 release |
|
IV78917 |
ISSUES WHILE ENABLING LYNC FOR IDS WHICH HAVE
SPECIAL |
|
IV78758 |
WINAD ADAPTER CRASHING WHILE CALLING GETLYNCUSER DURING RECONCILE |
|
IV78492 |
AD ADAPTER CRASH IF PROXY ADDRESS IS NOT VALID. |
|
IV78286 |
IADSTSUSEREX INTERFACE NOT WORKING TO RETRIEVE WTS ATTRIBUTES |
|
|
Items closed in initial release (7.0.16) |
|
IV73908 |
Event Notification no more working if USN-Changed attribute exceeds 7 digits |
|
|
Items closed in 6.0.15 release |
92067,69G,760 |
|
Test connection fails. Test connection now only reports warning if the Domain/Forest functional level cannot be determined |
06429,707,707 |
|
Change the default behavior for eradgroup to be add/delete rather than replace |
|
|
LyncDisableSearch registry setting in wrong location after install |
|
|
Items closed in 6.0.14 release |
13541,035,724 |
|
WTS attributes and recon error 1317 |
|
IV65653 |
WinAD adapter reports success in case of AD group interface problems during reconciliation |
|
IV67715 |
eradlynctelephony and eradlynclineurl fail on modify to Lync |
38947,031,724 CVE-2014-8923 |
|
WinAD adapter logs password in clear text on password change failures. This addresses IBM Security Bulletin CVE-2014-8923.
|
|
|
Items closed in 6.0.13 release |
|
IV61397 |
Thread logging option not showing in WinAD adapter agentcfg program |
|
IV62916 |
WinAD adapter recon fails when AD cannot provide information about an attribute's schema |
|
IV63714 |
WinAD adapter crash if eradlynctelephony is NULL |
CMVC# |
APAR# |
PMR# / Description |
N/A |
N/A |
Support for Exchange and Lync is provided using remote powershell connections to the Exchange or Lync server. There is a fixed limit of 5 concurrent connections to a remote powershell. Setting the thread count to higher than the default of 3 could result in some Exchange or Lync attributes failing to be set under heavy loads.
|
N/A |
N/A |
Support for erADEAllowedAddressList and erADERstrctAdrsLs is no longer available for Exchange 2007.
|
N/A |
N/A |
Service form fields:
See Corrections to Installation Guide, The settings for Exchange Mailbox security for Read and Full access were using different values for settings in an attempt to have the default values on the form match those of Exchange. This was confusing and causing issues when the default settings on the Exchange server were changed from what the adapter expected. The adapter now uses the same values for all Exchange security settings. 1=Allow, 2=Deny and 0 or no value=None.
Chapter 4. Adapter installation" section below.
|
N/A |
N/A |
Class 3 Certificates Class 3 secure server CA-G2 certs are not written properly to “DamlCACerts.pem" file through CertTool.exe Utility. The certificate data is written twice between BEGIN CERTIFICATE and END CERTIFICATE.
Work around: To correct this issue, please follow the below steps and edit “DamlCACerts.pem" file present in “Adapter installation path>\data" folder.
Step 1. Start the CertTool utility
Step 2. Import the class 3 CA certificate by using “F" option from the main menu of CertTool Utility.
Step 3. Once the class 3 CA certificate is successfully installed, open �DamlCACerts.pem� file stored in the �<Adapter installed path>\data" folder using text editor.
Step 4. Delete the class 3 CA certificate data (i.e. content between BEGIN CERTIFICATE and END CERTIFICATE) from “DamlCACerts.pem".
Step 5. Open class 3 CA certificate file using text editor and copy the certificate data (between the BEGIN CERTIFICATE and END CERTIFICATE)
Step 6. Paste the certificate data to “DamlCACerts.pem" file between the BEGIN CERTIFICATE and END CERTIFICATE lines of same class 3 CA Certificate. If more than one class 3 certificates are installed then you can identify the certificate using issuer and subject data.
Step 7. Save �DamlCACerts.pem" file.
Step 8. To verify the “DamlCACerts.pem" file is edited properly, display certificate information by using option “E" from the main menu of CertTool Utility.
Please note that this issue is seen after installing class 3 CA certificate. If you correct the DamlCACerts.pem and then install another class 3 CA certificate, the newly installed class 3 CA certificate will show same issue.
This issue is also seen when you delete any certificate using option "G" from the main menu of CertTool utility. The delete option will affect all remaining class 3 CA certificate and you have to follow step 1 to 8 to correct the DamlCACerts.pem file.
|
Version 10.0.9 adds support for Exchange remote session timeout.
In order to execute Exchange powershell commands, the adapter establishes a remote powershell session with an Exchange server. This can take over a minute. Due to the overhead to establish a new connection, the adapter maintains the connection and uses it in subsequent requests. There is an idle timeout and if the connection is idle past that timeout, the connection is closed. However, if there are enough requests to keep the connection open without an idle timeout long enough, the credential is invalidated and powershell commands fail to execute with an Access is denied error. To avoid this, the adapter now supports a session timeout. If the connection is open past that timeout, it is closed and a new session is created. The default value is 1 hour. A new registry setting can be used to customize this timeout:
ExchSessionTimeoutMS - timeout value is milliseconds.
Version 10.0.9 adds support for Exchange Archive Mailbox. The following attributes have been added to the schema to support this:
erADEArchiveAddress
erADEArchiveDatabase
erADEArchiveName
erADEArchiveQuota
erADEArchiveWarnQuota
An Archive mailbox can be on premises or remote.� For on premises archive you supply erADEArchiveDatabase with the DN of the database in which to create the archive. For remote archive, you supply erADEArchiveAddress with the domain name of your Office 365 instance in a hybrid configuration using AzureADSync. The values erADEArchiveDatabase and erADEArchiveAddress are mutually exclusive and supplying both values in a request will result in an error.
For on premises archives, if erADEArchiveDatabase is supplied and an archive already exists, the adapter will issue a move request if the value is different from the current value.
specifying erADEArchiveDatabase or erADEArchiveAddress with a delete operation will delete the archive if one exists.
A new registry setting was added to configure ssl for the remote exchange session:
ExchUseSSL Set to TRUE to use https.� If this value is not set, the default is FALSE.� If Basic Authentication is enabled, it will default to TRUE.
New attributes were added to the service form to configure Basic Authentication with Exchange servers.�
erADEUseBasicAuth Set to TRUE to use Basic Authentication (otherwise Kerberos is used)
erADEUserName Username to use with Basic Authentication with Exchange server
erADEPassword Password to use with Basic Authentication with Exchange server.
If erADEUseBasicAuth is TRUE, erADEUserName and erADEPassword are required.
If ExchUseSSL is TRUE, you must install the CA certificate for the Exchange server(s) in the trust store for the user under which the adapter runs.
When using the default Kerberos authentication, the data is encrypted already and SSL is not necessary, but can be enabled as second level of encryption.
SearchMoreDataTimeout is used to set the timeout (in
seconds) that the adapter will continue to retry when it receives ERR_MORE_DATA
during a search.� When getting rows of data from the search result, this
occurs when get next row fails because more data is available but has not yet
been received.
A new specific adapter setting called
�MailCreateAddDisplayName� is used to enable this feature.� By default it
is set to FALSE.� Set to TRUE to enable this feature.
To implement this RFE, support for a new Exchange powershell
call was required.� The RFE was for Working Hours Start Time, but the api
also supports the end time, time zone and work days.� Support was added for
all four values.�
The attributes are:
erADECalStartTime This
is a local time value in the form of hh:mm:ss
erADECalEndTime This
is a local time value in the form of hh:mm:ss
erADECalTimeZone This
is the name of the time zone.�
erADECalWorkDays This
is a comma separated list of days or one of the following: None, AllDays,
WeekDays, or WeekEndDays
They are all String syntax. For more details see
https://docs.microsoft.com/en-us/powershell/module/exchange/set-mailboxcalendarconfiguration?view=exchange-ps
Important: These values are not stored as ldap attributes on the
account object. In order to retrieve these values during a recon requires a
remote powershell call for each user that has an Exchange mailbox. This can
severely impact performance during a large recon. A registry setting (
ReconCalendarTimes ) was added that must be set to TRUE for these attributes to
be included in the recon results.
The
adapter now supports remote mailboxes. This allows supporting Office 365
mailboxes in a hybrid Exchange environment. A new attribute
(erADEremoteAddress) has been added to the user object to support this
feature. There are now 4 ways to create a mailbox with the adapter:
To
delete a mailbox, simply delete the value for the mail store or mail address.
The
remote address and target address values use the same user attribute to store
their value. The msExchRecipientType value indicates whether the mailbox
is remote or not. Currently remote addresses appear in the target address
field. You will need to run a full reconciliation after installing this
update to populate the remote addresses.
See the IBM Security Windows Local Account Adapter Installation
and Configuration Guide for detailed instructions.
The previous installation was installed with newer
version of InstallAnywhere
You may see this error while running the installer. It is only a warning and can be safely ignored.
The following corrections to the Installation Guide apply to this release:
Exchange Mailbox
Security
The settings for Exchange Mailbox security for Read and Full access were using different values for settings in an attempt to have the default values on the form match those of Exchange. This was confusing and causing issues when the default settings on the Exchange server were changed from what the adapter expected. The adapter now uses the same values for all Exchange security settings. 1=Allow, 2=Deny and 0 or no value=None.
Chapter 4. Adapter installation
Section "Adapter user account creation"
The following paragraph is incorrect:
The account information must be supplied on the Active Directory Adapter service form. See Creating an adapter service on page 14 for information about creating a service.
Furthermore, you must not supply the account information on the service form. The following two fields on the adapter service form are not used and must be blank:
� The adapter account, used by the adapter to manage AD/Exchange/Lync, must be supplied on the logon tab of the Windows Adapter service that is named ISIM Active Directory Adapter.
The following configuration notes apply to this release:
Managed
Folder Mailbox Policy
Managed folder policies and retention policies are now treated as separate items. The type of policy is determined by the location in the Active Directory LDAP.
The
following corrections to the User Guide apply to this release:
Chapter 2 -
Service/Target form details
A new field has been
added.Return Universal Groups from all domains in forest� is a new checkbox. When
checked, during a reconcile, Universal Groups from the entire forest instead of
just the current domain. This allows add users to Universal groups from other
domains.
Force Password Change
The
"Force Password Change" check box is documented incorrectly in
section "Specifying controls for a user account" of the User Guide.
It
should be as follow: "If you select the Force Password Change check box,
then the adapter sets the value of the pwdLastSet attribute to 0. If you do not
select the Force Password Change check box, then the adapter sets the value of
the pwdLastSet attribute to -1".
Table 7. Options for the DAML
protocol menu
New
DAML protocol setting for TLS level
The
DAML protocol settings now include a value called MIN_TLS_LEVEL. The setting
supersedes the values DISALBE_SSLV3 and DISABLE_TLS10. The valid settings for
this value are:
0
No restrictions. This setitngs
allows SSLV3 connections which are known to have vulnerabilities.
1.0 TLS 1.0 and higher are supported
1.1 TLS 1.1 and higher are supported
1.2 TLS 1.2 and higher are supported
1.3 TLS 1.3 and higher are supported
For
backward compatibility, if MIN_TLS_LEVEL is not set, it will be set at startup
based on the settings of DISABLE_SSLV3 and DISABLE_TLS10.
A
new option L should be included in the table of DAML protocol options.
Displays
the following prompt:
Modify
Property �DISABLE_SSLV3�:
SSLv3 is now considered an unsecure
protocol. SSLv3 is now disabled by default. In order to enable
SSLv3 you need to set this value to FALSE. If this value does not exist
or is anything other than FALSE, the SSLv3 protocol will be disabled when using
SSL.
A
new option M should be included in the table of DAML protocol options.
Displays
the following prompt:
Modify
Property �DISABLE_TLS10�:
TLS1.0
setting is configurable. By default, DISABLE_TLS10 is set to FALSE
Setting
DISABLE_TLS10 to TRUE will disable TLS1.0 and SSLV3 regardless of the setting
for DISABLE_SSLV3.
Add the following configuration settings topic:
Enabling TLS 1.2 in Identity Manager (ISIM/IGI/ISPIM):
After Setting up certificates in Identity Manager and Adapter, Enable TLS 1.2
by adding/modifying the following line in enRole.properties file in ISIM
(equivalent for ISPIM and IGI)
com.ibm.daml.jndi.DAMLContext.SSL_PROTOCOL=TLSv1.2
The
section �Modifying protocol configuration settings" should add this
section for setting the SSL cipher list.
Setting the
Cipher list
The
DAML protocol now checks for an environment variable called
"ISIM_ADAPTER_CIPHER_LIST". This variable can contain a list of
ciphers for the SSL protocol. DAML uses the openSSL library to support
SSL. This cipher string is passed to openSSL during initialization.
The cipher names and the syntax can be found on the openSSL web site (
https://www.openssl.org/docs/apps/ciphers.html ). When this string is
used, it only fails if none of the ciphers can be loaded. It is
considered successful if at least one of the ciphers is loaded.
Chapter
5
For
IGI uses, under the section Customizing the Active Directory Adapter
there should be another section between steps 5 and 6 should be inserted for
updating the targetProfile.json file ( see Update the targetprofile.json file (IGI only) )
The IBM Security Identity Manager adapters can be customized and/or extended. The type and method of this customization may vary from adapter to adapter.
Customizing and extending adapters requires a number of additional skills. The developer must be familiar with the following concepts and skills prior to beginning the modifications:
IBM Security Identity Manager Resources:
Check the �Training" section of the IBM Security Identity Manager Support website for links to training, publications, and demos.
This adapter now supports extending
the schema for group objects as well as user objects on. The procedure is
the same as for user objects except that the file name used for the
extended attributes is
exschemagrp.txt.� Extending the schema for group objects is supported on ISIM
only.
The
Active Directory Adapter targetprofile.json file identifies all of the
supported Windows
account
attributes for the IGI server.
About this task
Modify
this file to identify the new extended attributes. To update the
targetProfile.json file, complete the following steps:
Procedure
Change
to the \ADprofile directory, where the targetProfile.json file has been
created.
Open
the targetProfile.json file in a text editor. Find the section for
�userExtension�. It should look like this:
"userExtension": {
"schema":
"urn:ibm:idbrokerage:params:scim:schemas:extension:ADAccount:2.0:User",
"definition": {
"id":
"urn:ibm:idbrokerage:params:scim:schemas:extension:ADAccount:2.0:User",
"name": "CustomUserExtension",
"description": "Security adapter view of a user",
"attributes": [
The
�attributes� section contains an array of attribute definitions. Each
definition is separated by a comma. You add your extended attributes to
this section. An attribute object contains these fields:
Field |
Description |
name |
Attribute name |
type |
data type (string, integer,
boolean, binary) |
multiValued |
True if attribute can have
multiple values |
description |
Attribute description text |
required |
true if required attribute |
caseExact |
true if value is case sensitive |
mutability |
immutable, read, write, readwrite |
returned |
Use �default� |
uniqueness |
Use �server� |
specialFlags |
Use �none� |
canonicalValues |
Optional list of valid values for
this attribute as a json array. |
The
attribute object is enclosed in braces ({}). Each field has the name in
quotes followed by a colon and the value. Each field is separated by a
comma. Below is an example from the AD adapter:
{
"name": "eruid",
"type": "string",
"multiValued": false,
"description": "An identifier used to uniquely identify a
user",
"required": true,
"caseExact": false,
"mutability":
"immutable",
"returned": "default",
"uniqueness": "server",
"specialFlags": "none"
},
Add
the new attributes to the account class. For example (new attribute text in
red):
"userExtension":
{
"schema":
"urn:ibm:idbrokerage:params:scim:schemas:extension:ADAccount:2.0:User",
"definition": {
"id":
"urn:ibm:idbrokerage:params:scim:schemas:extension:ADAccount:2.0:User",
"name": "CustomUserExtension",
"description": "Security adapter view of a user",
"attributes": [
{
"name": "eruid",
"type": "string",
"multiValued": false,
"description": "An identifier used to uniquely identify a
user",
"required": true,
"caseExact": false,
"mutability": "immutable",
"returned": "default",
"uniqueness":
"server",
"specialFlags": "none"
},
�
{
"name": "title",
"type": "string",
"multiValued": false,
"description": "title",
"required": false,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none",
"specialFlags": "none"
},
{
"name": "shirtSize",
"type": "string",
"multiValued": true,
"description": "Shirt Size",
"required": false,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none",
"specialFlags": "none",
"canonicalValues": [
"small�,
"medium",
"large
]
}
]
},
Make
sure to separate each attribute definition with a comma. Once you have
updated the file, it is recommended that you verify the syntax is correct by
using one of the freely available json lint sites.
The integration to the IBM Security Identity Manager server the adapter framework is supported. However, IBM does not support the customizations, scripts, or other modifications. If you experience a problem with a customized adapter, IBM Support may require the problem to be demonstrated on the GA version of the adapter before a PMR is opened.
The adapter uses a remote powershell session to communicate with Exchange and Lync servers. This code runs as a pair COM servers in the .NET environment. As such they do not have access to the adapter logging functions. However, there are messages that are output to the console. In order to see these log messages, you must run the adapter in console mode. This is done by running the adapter directly from the command line and specifying console as a command line option. This causes all of the adapter logging as well as any output from the Exchange and Lync modules to be output to the console. To capture the logging to a file, simply redirect the output of the adapter to a file. For example:
>ADAgent.exe console > adagent.log
The adapter uses remote powershell sessions to manage Exchange servers. If the adapter has issues connecting to the servers, you can manually run the powershell cmdlets that the adapter uses to troubleshoot the connection errors.
Use this command to create a new session on the remote server. Replace <hostAddr> with the actual hostname or IP of the Exchange server.
PS>$mySession = New-PSSession -configurationname Microsoft.Exchange -connectionuri http://<hostAddr>/Powershell -authentication Kerberos
Use this command to import the remote session into your local session. If this is successful, you should be able to run any Exchange cmdlets as if you were on the Exchange server.
PS>import-pssession $mySession
The IBM Security Identity Manager Adapter was built and tested on the following product versions.
Adapter Installation Platform:
Windows 10
Windows 11
Windows Server 2019
Windows Server 2022
Managed Resource:
Active Directory on Windows Server 2019
Active Directory on Windows Server 2022
With optional:
Exchange Server 2019
Skype For Business Server 2019
Clients:
IBM Security Identity Manager
v7.0.x
IBM Security Identity Manager v6.0.x
IBM Security Identity Governance
and Intelligence v5.2.x
IBM Security Verify Identity v10.0
IBM Security Verify Governance v10.0
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:
Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan, Ltd.
1623-14, Shimotsuruma, Yamato-shi
Kanagawa 242-8502 Japan
This information could include technical inaccuracies or
typographical errors. Changes are periodically made to the information herein;
these changes will be incorporated in new editions of the publication. IBM may
make improvements and/or changes in the product(s) and/or the program(s)
described in this publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for
convenience only and do not in any manner serve as an endorsement of those Web
sites. The materials at those Web sites are not part of the materials for this
IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it
believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose
of enabling: (i) the exchange of information between independently created
programs and other programs (including this one) and (ii) the mutual use of the
information which has been exchanged should contact:
IBM Corporation
2ZA4/101
11400 Burnet Road
Austin, TX 78758 U.S.A.
Such information may be available, subject to appropriate terms
and conditions, including in some cases, payment of a fee.
The licensed program described in this information and all licensed material
available for it are provided by IBM under terms of the IBM Customer Agreement,
IBM International Program License Agreement, or any equivalent agreement
between us.
Any performance data contained herein was determined in a controlled
environment. Therefore, the results obtained in other operating environments
may vary significantly. Some measurements may have been made on
development-level systems and there is no guarantee that these measurements
will be the same on generally available systems. Furthermore, some measurements
may have been estimated through extrapolation. Actual results may vary. Users
of this document should verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of
those products, their published announcements or other publicly available
sources. IBM has not tested those products and cannot confirm the accuracy of
performance, compatibility or any other claims related to non-IBM products.
Questions on the capabilities of non-IBM products should be addressed to the
suppliers of those products.
Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of
International Business Machines Corp., registered in many jurisdictions
worldwide. Other product and service names might be trademarks of IBM or other
companies. A current list of IBM trademarks is available on the Web at
"Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.
Microsoft, Windows, and the Windows logo are trademarks of Microsoft
Corporation in the United States, other countries, or both.
Java and all Java-based trademarks and logos are trademarks or registered
trademarks of Oracle and/or its affiliates.
End of Release Notes