OIM 9.1 AD Account Provisioning

Has anyone run into the scenario where you go to provision an AD account and the process fails because the account already exists on the target, which results in the resource status remaining as "Provisioning"? I expected that status to change to "Provisioned" once a recon was run, which would link the account to the OIM user, but it didn't. The recon linked the account, but from the user's resource profile you can see that it didn't.

First of all, when an account with the same id is found on AD, it may not necessarily be that of the user unless you have ascertained that. If you want the adapter to return a success, what you should have done is map the user_already exists return code to C for completed instead of R for rejected, which is why the resource is going into a Provisioning status.
BTW, does your Create User task (or whichever task is executed last before the provisioning is deemed complete) have the task-to-object status mapping set to C=Provisioned?
What you will need to do is revoke the AD resource from the user's resource profile list and then run the recon; the account should now be linked to the user if the owner matching rules match up to the identity in OIM.

Similar Messages

  • OIM 11g r2 disabling multiple account provisioning

    Hello all,
    I have a question: in OIM 10g and 11g, on the resource object there was an "Allow Multiple" checkbox.
    So you could configure your resource if you wanted to prevent it from multiple provisioning.
    But in 11gR2 I cannot see that checkbox.
    How can I configure my resource so that multiple account provisioning is disabled?

    Is there anyone who can help?

  • OIM 11g R2 - Transferring accounts from one user to another user

    Hi,
    In OIM 11g R2, we have a requirement that we need to transfer accounts from one user to another user. For example, a user "User1" has AD and Exchange accounts provisioned. Now we want to transfer these AD and Exchange accounts to another user "User2". May I know how this can be done? Thanks

        // Assumes userIntf is an already-obtained Thor.API.Operations.tcUserOperationsIntf.
        // oiuKey is the OIU (account instance) key, newUserKey the USR key of the target user.
        public void moveAccount(long oiuKey, long newUserKey) {
            try {
                // Temporarily mark the account as a service account so it can be moved
                userIntf.changeToServiceAccount(oiuKey);
                // Re-assign the account to the target user
                userIntf.moveServiceAccount(oiuKey, newUserKey);
                // Convert it back into a regular account
                userIntf.changeFromServiceAccount(oiuKey);
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    -Kevin

  • Service account provisioning

    Hi all,
    I have read in the documentation (Design Client) that the OIM connector provides a different provisioning process for Service accounts (there are altogether separate tasks for these accounts under the process definition) and Normal accounts for each target resource. Could anyone please elaborate how to process service account provisioning (if there is any difference), as there is no documentation stating this.

    Hi ,
    I am having the same concern. I want to implement service account management through OIM; the OOB AD connector provides by default tasks to handle the service account scenario. Please provide suggestions regarding the implementation of service account provisioning; if there is any document related to it, it will be quite helpful.
    Thanks
    Edited by: user8634889 on Sep 15, 2009 11:09 PM

  • Extend Provisioning (from OIM to OID) for already provisioned resources

    We use OIM 9.1.0 to provision users to several target systems, for example OID. Not all information stored for a user in OIM is also provisioned to OID (for example department, location or phone is only stored in OIM). The provisioning task is automatically created via access policies.
    This works fine.
    Now we want to provision some more data (including department and location) to OID. So I changed the OID connector configuration to also provision these fields. This works fine for new users (which are not already provisioned to OID).
    But we also need these additional fields in OID for users which have already been provisioned in the past. How can this requirement be implemented? Is there a way to resubmit these provisioning tasks or to automatically update the process form?

    Create a scheduled task which will read the data from the OIM User Profile and update the process form using the tcFormInstanceOperationsIntf OIM APIs.
    Also create the corresponding "<Label Name> Updated" tasks in the OID workflow (Process Definition).

  • AD Account Provisioning

    When I try to provision an AD account to an OIM user, the process task "System Validation" status says "Pending". I have tried this many times, for multiple users. Same response. The process does not go beyond System Validation.
    I can edit the "Process Form" for the request and I see that the field "Domain" is empty. This corresponds to the IT Resource field in my form. If I look up what's available, I see my IT Resource "Local AD". I select it and click Save. Nothing happens. The form does not save.
    What could be wrong here?

    Do you have another non-conditional task on your provisioning process, like the Create User task?
    As for System Validation starting out pending, this happens if you do not have your provisioning process definition set to Auto-Save. You also must make sure to populate all required fields.
    -Kevin

  • How to solve the dn collision in AD during AD account provisioning

    Hello,
    I have multiple users with the same last name, first name and middle name.
    We decided to build the full name using the rule:
    lastName, firstName
    OR lastName, firstName# (if lastName, firstName already exists, add a number; the number just gets incremented as needed).
    OR lastName, firstName MiddleInitial (if a middleName exists for the user)
    I wrote the code to prepop the FullName field in the AD process form and the code works fine.
    But when OIM tries to create the AD account, I get the error:
    In the Create User rejected task:
    Response: AD Invalid data error
    Response Description: Could not create user as the formed account name contains special characters
    The log file showed:
    ERROR,16 Jul 2011 17:19:02,018,[OIMCP.ADCS],The error occured in tcADUtilLDAPController::createObject():[LDAP: error code 80 - 00000057: SysErr: DSID-031A0FB6, problem 22 (Invalid argument), data 0]
    ERROR,16 Jul 2011 17:19:02,018,[OIMCP.ADCS],Invalid Data Error encountered
    Invalid Data:[LDAP: error code 80 - 00000057: SysErr: DSID-031A0FB6, problem 22 (Invalid argument), data 0
    The full name in the AD process form has the value: Garcia Jose C2
    Does that mean AD does not like the full name to contain a number?
    How can I fix this problem, because we have a lot of dn collisions in the same OU? We would like to guarantee uniqueness of dn across the domain.
    Thank you.
    Khanh

    Hi,
    You can try making an LDIF file with an example name that you would produce, then, on Windows, try using ldifde.exe to import that LDIF file into AD and see if it gives you an error. That would tell you whether or not AD is willing to accept the name format you're trying to use.
    Jim
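    The naming rule from Khanh's post, rendered as an added Python example (not code from the thread or the OIM connector): it builds the unique full name and then escapes the value per RFC 4514, since the comma in "lastName, firstName" is a DN special character. The ordering (middle initial before the counter, matching the "Garcia Jose C2" value in the post), the start counter of 2 and the set of existing names are assumptions.

```python
# Added example: builds the "lastName, firstName" full name described in the
# thread, resolves collisions against names already in the OU, and escapes the
# result for use as an RDN value (RFC 4514 section 2.4). Not code from the
# original post; the existing-name set and the start counter of 2 are assumptions.

# Characters that must be backslash-escaped anywhere inside an RDN value.
DN_SPECIALS = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value so it is safe inside a DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIALS:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:                  # leading '#' is special
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):   # leading/trailing space
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def unique_full_name(last_name: str, first_name: str, middle_name: str,
                     existing: set) -> str:
    """Apply the rule from the post, trying in order:
    1. 'lastName, firstName'
    2. 'lastName, firstName M'  (middle initial, only if a middle name exists)
    3. the previous form with an incrementing number appended."""
    base = f"{last_name}, {first_name}"
    if base not in existing:
        return base
    stem = base
    if middle_name:
        stem = f"{base} {middle_name[0].upper()}"
        if stem not in existing:
            return stem
    n = 2  # assumption: the first numbered variant gets suffix 2
    while f"{stem}{n}" in existing:
        n += 1
    return f"{stem}{n}"


def build_dn(full_name: str, ou_dn: str) -> str:
    """Assemble the account DN with the CN value properly escaped."""
    return f"CN={escape_rdn_value(full_name)},{ou_dn}"


if __name__ == "__main__":
    # Constructed sample of names already present in the target OU.
    taken = {"Garcia, Jose", "Garcia, Jose C"}
    name = unique_full_name("Garcia", "Jose", "Carlos", taken)
    print(name)                                          # Garcia, Jose C2
    print(build_dn(name, "OU=Staff,DC=example,DC=com"))  # CN=Garcia\, Jose C2,OU=Staff,DC=example,DC=com
```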

  • OIM 11g r2 Exchange connector provisioning is not working

    Hi,
    I have created one user in OIM and I have provisioned this user into AD successfully.
    After that I tried to provision the same user into Exchange, but the user provisioning status shows "*waiting*" and the provision date also shows wrong.
    Please, can anybody help me on this issue?
    Thanks,
    Venu

    Exchange goes to waiting status when AD is not listed in user's resource profile as Provisioned. Check whether AD is properly provisioned. It is better to always create a new process task before 'Create User' in Exchange resource object which checks whether AD is already provisioned for the user. Then this problem can be avoided.
    Also, when there are multiple AD resource object instances in the user's resource profile and even one of those instances is in Provisioning status, Exchange goes to waiting status.
    Edited by: Durgaprasad on Mar 5, 2013 6:43 AM

  • OIM 11Unknown entity type Account with ID while using linkEventToUser() API

    I would like to link a recon event (which is in status "No User Match Found") to a user. The recon event is generated through target recon using the reconciliation API.
    I am using the API linkEventToUser() but am getting the following error.
    <Error> <oracle.iam.reconciliation.impl> <IAM-5010000> <Generic Error/Information: {0}
    oracle.iam.reconciliation.exception.InvalidEventException: Unknown entity type Account with ID 2180,060
    From the OIM web console, if I check, the Link button/option in event management for this event is greyed out.
    There are already threads on this in the forum, but they are old with no replies, so I thought I would post a fresh thread.
    I am also getting the same error while generating a new recon event.
    The strangest part is that this was working a few weeks back.
    Any help or idea how to proceed is highly appreciated.
    Thanks and Regards,
    Kungo.
    Edited by: Kungo on Oct 25, 2012 3:06 AM

    Anyone seen this thread? :)
    Is there a way to get attention on this thread from all the Gurus on this forum ?
    Please do let me know.
    Thanks and Regards,
    Kungo

  • OIM 11.1.1.5 provisioning role based objectclasses and attributes

    TL;DR You can't provision some attributes in our LDAP directory without the objectclass and I can't figure out the best way to inject the dynamic objectclasses into the create user process without the user being created already.
    Some background:
    I have configured our OIM 11.1.1.5 instance and LDAP connector to provision ODSEE. At another's recommendation, I put all possible LDAP attributes in a single form regardless of which objectclass was needed for them. In ODSEE, sets of attributes are allowed through objectclasses for each 'Role', i.e. Student, Employee, Guest, etc. objectclasses. I have all of the roles identified in OIM and can map them to an objectclass in LDAP.
    My question is, how can I provision role-based objectclasses along with the common ones that are configured in the lookup, so that when the associated attributes are provisioned, I don't get objectclass violations?
    Can I append objectclasses to the list stored in the Configuration lookup in ldapUserObjectClass?
    Should I create a child form containing the objectclasses and try to provision them?
    Can/should I create a child form for each set of attributes by role?  Common attribs in the LDAP_USR form and role based attribs in UD_LDAP_STU, UD_LDAP_EMP, UD_LDAP_GST, etc.  Would prepop and the rest of the main form functions work the same?
    Anything else I'm not thinking of? I am still a novice with some of these topics and may be way off base.
    Any help will be greatly appreciated and thank you in advance

    It is definitely doable if you use a custom LDAP connection implementation and just add objectclass update calls as needed as precursor tasks for the Update tasks.
    Here is a small LDAP demo tool that you can adapt to do the update: http://iamreflections.blogspot.com/2010/08/manage-ad-with-jndi-demo-tool.html
    There may be a smarter and more out of the box way to do it but this will work.
    Martin

  • OIM 11gR2 - AD Organizational Unit provisioning

    hi,
    I can provision an OIM organization to an AD Organizational Unit. It works fine with the "Provision Resource to Organization" forms, but I can't find any simple way (without the six-step form) to add an AD organizational unit to an OIM organization.
    Have you any suggestion or hint?
    a.

    Hi IDM Newbie,
    Please find the link of Developer Guide:-
    http://docs.oracle.com/cd/E27559_01/dev.1112/e27150/toc.htm
    And following link is for Application Instances:-
    http://docs.oracle.com/cd/E27559_01/dev.1112/e27150/resmgt.htm#CBBFAIEC

  • OIM 11gR2 - Push/Pull account locked out information from Active Directory

    Hi
    At this moment, we are using the default reconciliation method from the Active Directory Connector in OIM 11G R2 to fetch incremental information from AD. This runs every 15 minutes.
    However, the customer complains that the time from which the user gets himself locked out due to too many failed login attempts, until it shows up on the OIM account is too long. Worst case, this could be 15 minutes after the user gets himself locked out.
    Does anyone have any tips on how we could either push this information from the AD side, or pull this information from OIM more often? Could we create a special scheduled job that just looks for Locked Accounts and reconciles this each minute?
    Best Regards
    lloberg

    Hi,
    Sure, that's definitely possible. You can use the Active Directory cmdlets to retrieve this information. Here's an example of reading input from a text file (just usernames in the text file):
    Get-Content .\userList.txt | ForEach {
        Get-ADUser -Identity $_ -Properties EmailAddress
    }
    You can also read input from a CSV file quite easily. This example assumes a header of Username:
    Import-Csv .\userList.csv | ForEach {
        Get-ADUser -Identity $_.Username -Properties EmailAddress
    }
    Finally, here's a link to the Get-ADUser syntax:
    http://technet.microsoft.com/en-us/library/ee617241.aspx
    Don't retire TechNet! -
    (Don't give up yet - 12,700+ strong and growing)

  • OIM 9.1.0.2 provisioning privilege configuration?

    Hi there,
    I've set up an access policy to provision users of a certain employee type/role to an Oracle DB.
    However, (a) when I create said user, no provisioning seems to occur.
    (b) I'd like to adapt the provisioning so that it grants connect privilege and some other privileges to users of this type.
    If I provision the user manually, they are created in my DB fine.
    Any help given gratefully received.
    Go well, Hugh
    Edited by: 2hughg on 09-Feb-2011 05:52

    Which group have you attached to the Access Policy?
    Have you created a membership rule for that group?
    An Access Policy always works with a Group. Just give the newly created user membership in the Group which is attached to the Access Policy and see what happens.

  • OIM 9.1.0.2 provisioning privileges for user?

    Hi there,
    I can provision users to my DB. Great.
    However, if the user then logs on to the DB, they are rejected because they do not have connect privileges.
    How can I set up my provisioning so that the user is not only created in the DB, but also granted basic privileges that allow them to access DB features?
    All the best, 2Hugh

    I am using the Standard Connector.
    The question is how do I use it?
    The tasks described below were performed in the Design Console as xelsysadm.
    I have opened the process Database Access Oracle User and ticked the auto-prepopulate and Autosave form.
    I've set up a pre-populate rule that calls this process and refers to the resource object called Database Access Oracle User RO. It only fires if the user created is in group Oracle.
    I've opened Form Designer and created a new version of UD_DB_ORA_U (Database Access Provisioning form for Oracle User). Within the pre-populate tab of this form, I've added pre-populate entries for username, password and IT resource.
    In the child tables tab under the UD_DB_ORA_U form, the roles and privileges tables are present.
    However, I cannot see how I can configure these so that they get pre-populated along with the other user pre-populate entries (IT resource, username and password).
    Any help with my impasse much appreciated.
    Thanks,
    2Hugh
    Edited by: 2hughg on 16-Feb-2011 07:31

  • OIM 11.1.2 AD Provisioning problem

    I added custom fields for the AD resource. Reconciliation and create (creating a new user in the target system with the custom attributes) operations work successfully.
    When I try to update the custom attributes, they are not updated in the target system.
    Thanks.

    The custom attributes are created in the AD form, not in the USR definition.
    I already added the attribute in the provisioning lookup.
    I tried your procedure and it did not work.
    The Resource History does not display the task for the extended attribute.
    The logs do not display any errors.
    Thanks.
