Notes covering OpenICF prerequisites, fixes, known issues. Open Identity Connector Framework provides connectors for a consistent generic layer between applications and target resources.

Chapter 1. What's New in OpenICF 1.5

This release of OpenICF includes many new features and enhancements compared to version 1.1.

1.1. New Connector Capabilities

Connectors in this release bring the following new features and improvements:

Batched Requests

The CSV file connector now supports batched requests (OPENICF-423).

LDAP Support

These new features and improvements concern the generic LDAP connector:

  • The generic LDAP connector now provides a basic default schema with standard object classes (OPENICF-434).

    By default, __ACCOUNT__ is mapped to inetOrgPerson, and __GROUP__ is mapped to groupOfUniqueNames.

    The following additional object classes are included in the default schema:

    • account

    • groupOfNames

    • organization

    • organizationalPerson

    • organizationalUnit

    • person

  • The generic LDAP connector now supports StartTLS (OPENICF-366).

  • The generic LDAP connector now caches the server type (OPENICF-421).

  • The generic LDAP connector now makes it possible to control the LDAP object class used when performing a create operation (OPENICF-419).

  • The generic LDAP connector now appropriately reads the Active Directory account tokenGroups attribute (OPENICF-400).

  • The generic LDAP connector now appropriately handles the Active Directory groupType attribute for group type and group scopes (OPENICF-395, OPENICF-396).

  • The generic LDAP connector now supports creation and update of the Active Directory accountExpires and passwordLastSet attributes (OPENICF-358).

  • The generic LDAP connector now helps to identify why password modification fails with Active Directory (OPENICF-383).

  • The generic LDAP connector now provides a basic default schema for Active Directory (OPENICF-381).

  • The generic LDAP connector now supports modifying the Active Directory sAMAccountName attribute (OPENICF-129).

  • The generic LDAP connector sync() method now supports modify DN (move) and modify RDN (rename) operations (OPENICF-340).

  • The generic LDAP connector can now perform LDAP operations as the authenticated user (OPENICF-112).

Scripted Connectors

These new features and improvements concern scripted connectors:

  • The PowerShell connector provides a cache mechanism (OPENICF-348).

    Scripts can store values to cache in the $Connector.Configuration.PropertyBag map, as in the following example, where the entry "key" is set to the value to cache:

    $Connector.Configuration.PropertyBag["key"] = "value to cache"
           
  • The PowerShell connector can accept custom configuration parameters (OPENICF-449).

  • Scripted connectors can now run scripts found within a .jar file (OPENICF-385).

1.2. New Framework and Connector Server Capabilities

The OpenICF framework and connector servers in this release bring the following new features and improvements:

Batched Requests

The connector framework now supports batched requests (OPENICF-422).

Notification of Configuration Changes

The connector framework now provides a method, AbstractConfiguration.notifyConfigurationUpdate(), for connectors to notify applications about configuration changes (OPENICF-424).

Synchronization

The connector framework now helps connectors identify the last known token (OPENICF-147).

Failure Management

The framework now supports additional connector exceptions, making it possible to distinguish effectively between different failure cases (OPENICF-5).

Enhanced Communication Protocol

The communication protocol with remote connector servers has been improved for better performance and security (OPENICF-391, OPENICF-393).

Chapter 2. Before You Install OpenICF Software

This chapter covers prerequisites for installing and running OpenICF software.

2.1. Java Requirements

OpenICF software is supported on Java 7 and 8, specifically at least the Java Standard Edition runtime environment.

ForgeRock recommends that you keep your Java installation up-to-date with the latest security fixes.

2.2. Connector Server Requirements

If your deployment requires an OpenICF connector server, then read this section.

2.2.1. .NET Connector Servers

.NET Connector Servers require the following:

  • Windows Server 2008, 2008 R2, 2012, or 2012 R2

  • .NET framework (version 4.0 or later)

Specific .NET connectors have additional requirements. For example, the PowerShell connector requires the PowerShell V4 environment that is provided with Windows Management Framework 4.

2.2.2. Java Connector Servers

Java Connector Servers are supported on Java 7 and 8, specifically at least the Java Standard Edition runtime environment.

Table 2.1, "Supported Connector Servers" lists the versions supported for this release.

Table 2.1. Supported Connector Servers

Connector Server         Version
Java Connector Server    1.5.0.0
.NET Connector Server    1.5.0.0

2.3. Supported Connectors to Data Resources

This section covers OpenICF connector support for data resources.

Table 2.2, "Supported Connectors" lists the versions supported for this release.

Tip

Many advanced connectors not listed in this section are also available, including connectors for IBM Resource Access Control Facility (RACF), IBM Tivoli Access Manager (TAM), SAP, a wide range of databases, as well as enterprise and cloud applications.

If you require support for a data resource connector not mentioned here, contact ForgeRock at info@forgerock.com.

Table 2.2. Supported Connectors

Connector                            Version
CSV File Connector                   1.5.0.0
Database Table Connector             1.1.0.1
Google Apps Connector                1.4.0.0
Scripted Groovy Connector Toolkit    1.4.2.0
Generic LDAP Connector               1.4.1.0
XML Connector                        1.1.0.2
PowerShell Connector Toolkit         1.4.2.0
Active Directory Connector           1.4.0.0

Chapter 3. OpenICF Fixes, Limitations, and Known Issues

This chapter covers the status of key issues and limitations for OpenICF 1.5. For details and information on other issues, see the OpenICF issue tracker.

3.1. Key Fixes

The following important bugs were fixed in this release:

  • OPENICF-420: LDAP Operational Attributes do not get LiveSync'd

  • OPENICF-406: ldap liveSync not working using TimeStamp strategy

  • OPENICF-405: LDAP connector performs bind before TLS negotiation w/StartTLS enabled

  • OPENICF-402: need addition logging when syncToken no longer detects changes

  • OPENICF-382: LDAP connector cannot perform AD Password Change via RunAs context if pwdLastSet==0

  • OPENICF-380: LDAP connector does not handle LOCK_OUT from Active Directory

  • OPENICF-378: Cannot change trace logger to VisualBasic FileLogTraceListener

  • OPENICF-364: Unable to delimit double quotes in CSV Connector

  • OPENICF-330: OR Queries against LDAP with not-found _id values return no results

  • OPENICF-225: not operator incorrectly constructed in AD connector filter query

  • OPENICF-222: CSV Connector enters infinite loop if a records attribute value starts with (but does not end with) the configured valueQualifer

  • OPENICF-215: Spaces removed from DN during normalization if preceded by an escaped comma

  • OPENICF-188: CSV connector performances drop when file grows

3.2. Limitations

No limitations are identified for this release.

3.3. Known Issues

The following known issues remained open at the time of release:

  • OPENICF-440: Unable to update Group memberships for Google Apps Users

  • OPENICF-428: Google Connector should handle Query Filters against __NAME__ for Group object types

  • OPENICF-420: LDAP Operational Attributes do not get LiveSync'd

  • OPENICF-406: ldap liveSync not working using TimeStamp strategy

  • OPENICF-405: LDAP connector performs bind before TLS negotiation w/StartTLS enabled

  • OPENICF-403: GoogleApps Connector explicitly forces SSLv3 as the HTTPS Protocol

  • OPENICF-402: need addition logging when syncToken no longer detects changes

  • OPENICF-382: LDAP connector cannot perform AD Password Change via RunAs context if pwdLastSet==0

  • OPENICF-380: LDAP connector does not handle LOCK_OUT from Active Directory

  • OPENICF-378: Cannot change trace logger to VisualBasic FileLogTraceListener

  • OPENICF-364: Unable to delimit double quotes in CSV Connector

  • OPENICF-330: OR Queries against LDAP with not-found _id values return no results

  • OPENICF-314: 'userPrincipalName' should be updatable in .NET Connector

  • OPENICF-225: not operator incorrectly constructed in AD connector filter query

  • OPENICF-222: CSV Connector enters infinite loop if a records attribute value starts with (but does not end with) the configured valueQualifer

  • OPENICF-215: Spaces removed from DN during normalization if preceded by an escaped comma

  • OPENICF-188: CSV connector performances drop when file grows

  • OPENICF-170: XML connector scheduler reconciliation fails with premature end of file exception

  • OPENICF-88: Some attributes cannot be created in AD by contract tests.

Chapter 4. OpenICF Compatibility

This chapter covers major changes to existing functionality, and deprecated and removed functionality.

4.1. Major Changes to Existing Functionality

  • OpenIDM versions 3 and later are not compatible with the OpenICF framework version 1.1.

    If your OpenIDM deployment uses remote .NET or Java connector servers, then you must upgrade those servers to the new connector server versions.

  • With the exception of the Active Directory connector, the newer OpenICF framework is compatible with the older connectors.

    You can use the older connectors with OpenIDM 3 and later.

  • Only Active Directory connectors version 1.4 and later are supported with OpenIDM 3 and later.

    Table 4.1, "OpenIDM / OpenICF Compatibility Matrix" indicates minimum supported connector and OpenICF framework versions.

Table 4.1. OpenIDM / OpenICF Compatibility Matrix

OpenIDM Version  OpenICF Framework  Supported Java Connectors                  Supported .NET Connectors
2.1              1.1                1.1                                        1.1
3 and later      1.4 and later      Previously supported Java connectors       Active Directory Connector
                                    (1.1); connectors listed in Section 2.3,   (1.4 and later); PowerShell
                                    "Supported Connectors to Data Resources"   Connector (1.4 and later)


4.2. Deprecated Functionality

This section lists deprecated functionality. Deprecation is defined in Section D.2, "ForgeRock Product Interface Stability" in the Connector Configuration Reference.

The following components are deprecated:

  • Support for the version 1.1 framework, connector servers, and connectors is deprecated and likely to be discontinued in a future release.

  • The File XML connector is deprecated and likely to be removed in a future release.

4.3. Removed Functionality

Support for Java 6 has been removed.

Chapter 5. How to Report Problems and Provide Feedback

If you have questions regarding OpenICF that are not answered by the documentation, there is a mailing list where you are likely to find an answer. Sign up at https://lists.forgerock.org/mailman/listinfo/openicf.

If you have found issues or reproducible bugs within OpenICF 1.5, report them using the OpenICF issue tracker.

When requesting help with a problem, include the following information:

  • Description of the problem, including when the problem occurs and its impact on your operation

  • Description of the environment, including the following information:

    • Machine type

    • Operating system and version

    • Java version

    • Connector or connector server version

    • Connector server container and version

    • OpenICF release version

    • Any patches or other software that might be affecting the problem

  • Steps to reproduce the problem

  • Any relevant access and error logs, stack traces, or core dumps

Chapter 6. Support

You can purchase OpenICF support subscriptions and training courses from ForgeRock and from consulting partners around the world and in your area.

To contact ForgeRock, send mail to info@forgerock.com.

To find a partner in your area, use the ForgeRock website.
