Pre-populate adapters behaviour during role based provisioning

Hi all,
I have a question about pre-populate adapters behaviour during role based provisioning.
I'll shortly describe our architecture: we have OIM 11.1.1.3, the Active Directory connector and obviously Active Directory as the target system.
Our scenario is: when a role is assigned to a user, OIM should provision two accounts for this user in the same target system but in two different organizational units (Active Directory).
Here is some sample information to better explain our request:
- OIM User userID: userid1
- Active Directory IT Resource: ADServer1
- Active Directory Organizational Units: OU1 and OU2
- Role: Example Role
- UserID of the account provisioned in OU1: admin.userid1 (in this organizational unit the UserID is composed of the prefix "admin." and the OIM User UserID "user1")
- UserID of the account provisioned in OU2: user.userid1 (in this organizational unit the UserID is composed of the prefix "user." and the OIM User UserID "user1")
To achieve this goal, we have created two access policies, AP1 and AP2. The first access policy provisions the user account in OU1, while the second one provisions it in OU2.
Here are some access policy form details:
### AP1 ###
- AD Server: ADServer1
- Organization Name: OU1
(other fields are empty)
### AP2 ###
- AD Server: ADServer1
- Organization Name: OU2
(other fields are empty)
Our idea was to develop two pre-populate adapters: one to compose the userID with the "admin." prefix and the other one to compose the userID with the "user." prefix. However, this solution cannot work because obviously you can link only one pre-populate adapter to a resource form field.
Any suggestions to avoid creating a second resource form?
Thanks in advance,
Daniele

Hi,
probably your confusion is caused by my English... anyway...
I'm trying to generate two userids, and in our scenario it's simple to map the organizational units. For example, userids in organizational unit OU1 have the "admin." prefix, while those in organizational unit OU2 have the "user." prefix.
Do you suggest creating a pre-populate adapter that uses a lookup to set the correct prefix based on the organizational unit name?
Thank you
Daniele

Similar Messages

  • Dependency Pre Populate Adapters

    Hi,
    I have two pre populate adapters on two UDF's: MyPassword & MyToken.
    I want that first pre populate adapter on MyToken should execute, only then pre-populate adapter on MyPassword field should fire.
    So that once the key is generated using encryption Algo, then as per this key an encrypted password should be generated using the key.
    I tried using an Entity adapter on pre-insert and a Rule but it is not working.
    Please help, how this functionality can be achieved. Thanks.
    Regards,
    Nitin

    Did you try ordering?
    Thanks
    Suren

  • Display Value/Description in Lookup During Request-Based Provision

    Hello everyone! I'm currently using a lookup for a list of values during a request-based provision. I've created the request page, however, selecting the attributes isn't working the way I would like it to. For whatever reason, it's only displaying the Description or Decode value during the request. However, during direct-provisioning, I can see both, and when I choose one, the Value or Encode value is what is propagated to the OID. How can I configure my request-based lookup to show both the value and the description like it is shown during a direct provision? Here is the metadata I'm using:
    <AttributeReference
    available-in-bulk = "true"
    length = "50"
    widget = "text"
    type = "String"
    attr-ref = "UD_ULHOST"
    name = "Unix Linux Hosts">
    <AttributeReference
    name = "Host"
    attr-ref = "Host"
    type = "String"
    length = "50"
    widget = "lookup"
    available-in-bulk = "true"
    lookup-code="ULHst">
    </AttributeReference>

    Can I designate my lookup code in that, though?
    I have a lookup named LKTst with the following
    Encode Decode
    ServerA Group1
    ServerB Group1
    ServerC Group2
    Can I still reference this lookup from the query? And if so, how?
    Thank you for your help!

  • Role based provisioning - need help in access policies

    Hello experts,
    We have the following requirement
    1. If the corresponding Role is not there, then the resource should not be allowed to get provisioned.
    2. And whenever the Role is present for the user, then the corresponding resource provisioning should get triggered automatically?
    Please advise whether the above could be achieved OOTB in OIM 11g?

    875142 wrote:
    > 1. After configuring the access policy we are still able to provision the resource manually without the role. How do we restrict it? What needs to be done for that?
    As far as I know there's no way to stop the administrator from going to the resource profile and manually assigning the resource. Maybe you can try some authorization policies for that. But I am not sure.
    > 2. We have a scenario in which we are disabling a user. This will deprovision a resource, say Retail. Then we are enabling that user again. Then ideally it should provision a new resource of Retail. But that's not happening.
    Check this for it: Re: Help required with Access policy trigger on Enable User in OIM 11.1.1.5
    > Also here we have selected the 'Retrofit Access Policy' flag and ran the 'Evaluate user policy' scheduled task but we couldn't see any changes because of that.
    Retrofit Flag - If it is set to true, then all the users who already had a Role (before the access policy was created) will also get evaluated. If set to false, then only newly added users to the role will be evaluated for the access policy. What is the status of the resource when you disable the user the first time?
    -Bikash

  • Pre-populate the process form as part of Role Alignment - Need suggestion

    Hi,
    As part of the implementation we are going to take over the provisioning of AD (via Groups-->Access Policy) using OIM, which was initially configured to provision manually. Now, as part of the migration, we are required to assign a base group to the users who already have an AD reconciled resource (and align it with the policy via SQL updates -->POL_key is process form, OIU_POLICY_BASED in OIU table). We are doing this as part of direct SQL updates. The other part of the requirement is to align the process form values using the configured pre-populate adapters (e.g. if the current value of any attribute is X and the pre-populate adapter suggests that it should be Y, then the migration should also update this attribute). We tried to use the prepopulateProcessForm API of tcFormInstanceOperationsIntf but it seems this is working only when the System Validation is in Pending state. The other option we are thinking of is putting in Java code and then calling the pre-populate adapter by passing each input param and updating the value via API if any update is required. Just wondering if there is anything else we can use as part of best practices. If anyone has done this kind of implementation please let us know your inputs. Thanks

    Hero,
    You want to ...
    1. create users
    2. give them privileges
    3. assign them to groups
    4. assign a default groups to users
    You will need to do this in the following sequence of steps...
    1. Populate the user entries in OID, and assign the default group
    2. Create the groups in OID and assign the users to them
    3. Assign the appropriate portal privileges to the groups
    For step 1 and 2, I'll have to refer you to the OID Administrator's Guide for Release 9.0.2.
    This document contains a lot of good information, but in particular, you'll want to review Appendix I ...
    "Migrating User Data from Application-Specific Repositories". This addresses the LDIF migration tool
    and describes the schema elements needed for the IAS user accounts.
    For step 3, the easiest way would be to assign the privileges to the groups through the user interface. Once the groups are defined
    in OID, you can select them via the Portal UI to assign the portal privileges to them.
    The proper place to locate portal instance-specific groups is under the portal instance group base, which is
    cn=portal_groups, cn=groups, <subscriber_base>. The following white paper
    may be helpful to understand the organization of the directory information tree.

  • Pre-Populate adapter for Oracle connector

    Hi,
    We are using OIM to manage Oracle and AD users. I have a requirement to provision users to both target systems. For the AD connector, predefined pre-populate adapters are available for populating login id, first name, last name etc. from the OIM user form, but in the case of Oracle I didn't see any such pre-populate adapter. How can I populate the Person_uid field for the Oracle user with whatever value is given in the OIM user form? Do I need to write any custom code for a pre-populate adapter?
    Version details
    OIM – 9.1.0.1
    Oracle Connector 9.1
    Regards,
    Poorna

    I hope that Kevin has explained but I am writing once again for your convenience
    Create an adapter of type pre-populate
    Add a variable, X, of type String and set the Map To to Resolve at Runtime.
    Add a logical task SET VARIABLE.
    Map Adapter Return value with variable X
    Compile the adapter
    Just attach this adapter with your fields on process form and map the variable with User Definition Fields like first name, last name etc.
    It will work for you but keep in mind that it will populate String Fields of User Definition.
    For Date and other fields you have to create a similar adapter

  • Pre populate adapter not working properly on one of the managed server

    Hi,
    We have two managed servers for OIM 10g. A load balancer has also been installed for directing the traffic on to these two servers i.e. z1 and z2. So whenever, the request is redirected to z2 server, pre populate adapters for AD and ACF2 resource provisioning fails. The same is working perfectly when the request goes to z1 server.
    We checked the below logs but didn't find any fruitful outcome.
    1. xellacf.log-- log file for ACF2
    2. xellAD.log-- log file for AD
    3. xell.log
    Please help us out. Let me know if you need any other information.
    Any inputs would be highly appreciated.
    Thanks,
    Garima

    Have you uploaded the jars to the DB using the UploadJar utility? Verify the same in OIMHOME_JARS under the OIM schema.
    Provide the detailed error log <OIM_DOMAIN>/servers/oim_server2/logs/oim_server2.log and the diagnostic log as well.
    --nayan

  • Pre-Populate AD Groups upon Provisioning of AD User

    I've been trying to figure out how to auto-populate groups in AD for users based on a single attribute in the OIM User Profile.
    For example, if a user's geographic code on the OIM User Profile is TX and he has an Administrator title, then I want that user to be added to the TEXAS USERS and the TEXAS Administrators group.
    How do I do this without using the Access Policy/Role configuration, but through adapter/lookup/triggers upon the provisioning of the AD account?
    I have adapters that now pre-populate single-valued attributes and lookup table values. However, it doesn't look like the multi-valued attributes work this way.
    Any ideas or references?
    Thanks!

    Instead of a pre-populate adapter, write a process task adapter through which you can populate all the required AD Groups on the child form using the OIM API. Attach this task on the success response of the Create User task.
    You can't pre-populate a multivalued attribute using design console mapping; you have to write your own code.
    Follow the steps below:
    1. create process task adapter pass(Process Instance Key, User Definition->Graphic code,User Definition->title)
    2. using API populate AD groups in AD child form based on condition. use below API
    tcFormInstanceOperationsIntf.addProcessFormChildData();
    3. create a task under "AD User" process def and integrate above adapter. map process data->process instance and other User Definition attributes which will decide what groups has to be given
    4. attach this task on the success response of Create User Task
    find API detail at below link
    http://otndnld.oracle.co.jp/document/products/id_mgmt/idm_904/doc_cd/javadocs/operations/Thor/API/Operations/tcFormInstanceOperationsIntf.html#addProcessFormChildData%28long,%20long,%20java.util.Map%29
    --nayan

  • OIM 11.1.1.5 provisioning role based objectclasses and attributes

    TL;DR You can't provision some attributes in our LDAP directory without the objectclass and I can't figure out the best way to inject the dynamic objectclasses into the create user process without the user being created already.
    Some background:
    I have configured our oim 11.1.1.5 instance and LDAP connector to provision ODSEE.  At another's recommendation, I put all possible LDAP attributes in a single form regardless of which objectclass was needed for them.  In ODSEE, sets of attributes are allowed through objectclasses for each 'Role'.  ie. Student, Employee, Guest, etc objectclasses.  I have all of the roles identified in OIM and can map them to an objectclass in LDAP
    My question is, how can I provision role based objectclasses along with the common ones that are configured in the lookup so that when the associated attributes are provisioned, I don't get objectclass violations? 
    Can I append objectclasses to the list stored in the Configuration lookup in ldapUserObjectClass?
    Should I create a child form containing the objectclasses and try to provision them?
    Can/should I create a child form for each set of attributes by role?  Common attribs in the LDAP_USR form and role based attribs in UD_LDAP_STU, UD_LDAP_EMP, UD_LDAP_GST, etc.  Would prepop and the rest of the main form functions work the same?
    Anything else I'm not thinking of? I am still a novice with some of these topics and may be way off base.
    Any help will be greatly appreciated and thank you in advance

    It is definitely doable if you use a custom LDAP connection implementation and just add objectclass update calls as needed as precursor tasks for the Update tasks.
    Here is a small LDAP demo tool that you can adapt to do the update: http://iamreflections.blogspot.com/2010/08/manage-ad-with-jndi-demo-tool.html
    There may be a smarter and more out of the box way to do it but this will work.
    Martin

  • Pre-Populate group membership details while provision

    Hi,
    We are using AD Connector 9.1.0.1 to provision OIM users to ADAM.
    While provisioning I need to pre-populate the group membership details of the user like other user attributes.
    Is it possible to do this using a pre-populate adapter? If so, then please provide us details to do this, or is there any other approach to achieve this?
    -Hardew

    Can you explain the FormInstanceOpsIntf piece in a little more detail? I'm having a similar issue as the other two posters above, except mine is with OID.
    1) So focusing first on just creating the adapter...
    a. Create a new adapter of type Entity.
    b. Create the adapter variables here???
    -> Three variables of type long, and one of type object???
    c. Add an adapter task
    -> Type: Utility Task -> Oracle Identity Manager Api
    -> New Object Instance
    -> Task Name: <not important>
    ??? (is this correct) -> Application API - Thor.API.Operations.tcFormInstanceOperationsIntf
    ??? (is this correct) -> Methods - 17. public abstract long Thor.API.Operations.tcFormInstanceOperationsIntf.addProcessFormChildData(long,long,java.util.Map)
    d. Complete the Parameter Data Mapping
    -> Input: long - ??? (what to map here?)
    -> Output: long - ??? (what to map here?)
    -> Input: long - ??? (what to map here?)
    -> Input: java.util.Map - ??? (what to map here?)
    2) After the adapter is created, I will look up the "OID User" form in the Data Object Manager, and add the adapter I created under "Post-Insert".
    Thanks!

  • How to Pre-Populate the user information during Assign Task operation

    Hi,
    I have a requirement to pre-populate the form fields (Name, Email, Phone etc...) when a task is assigned to a user. The users are dynamically assigned, so I am using the Find User and the Assign Task services to locate and assign the task to the user. Since I have a User variable that is a result from the Find User operation, I was hoping to retrieve the user information with the attributes of the User type.
    I tried to use the Set Value service to set the form field (Email) with the email attribute of the User object type i.e.
    /process_data/MyForm/object/data/xdp/datasets/data/Form/User/Email   ->  /process_data/facilityAuthority/object/@email
    However I get the following error when I try to do this - com.adobe.idp.dsc.util.InvalidCoercionException: Cannot coerce object: [B@335d of type: [B to type: interface org.w3c.dom.Document.
    Is it possible to retrieve the user information from the User object? If so how do I get the values for the User attributes (Name, Email & Phone etc...) so that I can populate them in the form?
    Thanks,
    Samanthapudi

    Hi Han Dao,
    If you are facing an exception of the form "com.adobe.idp.dsc.util.InvalidCoercionException: Cannot coerce object: [B@335d of type: [B to type: interface org.w3c.dom.Document.", it is because the system is trying to cast a Byte Stream into a w3c Document and failing. To resolve this we can explicitly cast this byte stream to the appropriate data type (String in the previous example). To do so we can use a SetValue operation.
    As an example
    Setting
    /process_data/MyForm/object/data/xdp/datasets/data/Form/User/Email   -> /process_data/facilityAuthority/object/@email
    results in the exception
    so we can modify it to
    /process_data/MyForm/object/data/xdp/datasets/data/Form/User/Email   -> string(/process_data/facilityAuthority/object/@email)
    Please let me know if this does not resolve your issue.
    Thanks

  • Develop pre-populate adapter in request dataset in OIM 11G

    Hi Friends,
    I have a field say UD_TEMP_FORM_FIELDA on the process form which is going to be populated based on the value of a field SAY UD_TEMP_FORM_FIELDB on the request dataset.
    So my request dataset will have only one field which is UD_TEMP_FORM_FIELDB.
    And my process form will have two fields UD_TEMP_FORM_FIELDA and UD_TEMP_FORM_FIELDB.
    And I developed a pre-populate adapter on the process form to populate UD_TEMP_FORM_FIELDA field based on the value of UD_TEMP_FORM_FIELDB during provisioning. But pre-population is not at all getting triggered during provisioning. I believe I need to put UD_TEMP_FORM_FIELDA also on the request dataset and pre-populate its value in request dataset itself and pass the value from request data set to process form. Is this correct?
    If so, as per the documentation, we need to create a request dataset with pre-pop adapter in the below format.
    <AttributeReference name="Domain" attr-ref="domain" available-in-bulk="true" type="String" length="20" widget="text">
    <PrePopulationAdapter classname="oracle.iam.request.DomainPrepopulateAdapter"/>
    </AttributeReference>
    As we are specifying only the class name in the above statement,
    1) How do we pass the value of UD_TEMP_FORM_FIELDB to this class?
    2) Which method in the class will execute?
    3) How do we register this class?
    Can you please provide me some steps/urls for the above requirement?
    Thanks,
    Mike

    Hi Nishith,
    Thanks for your response.
    As per my requirement I am going to keep UD_TEMP_FORM_FIELDA (Group Owner) and UD_TEMP_FORM_FIELDB (AD Group Name) in the child forms and I am going to use the below pre-populate adapter code to get the value for UD_TEMP_FORM_FIELDA based on value of UD_TEMP_FORM_FIELDB.
    My question is:
    If I raise a request with only one value in the child form, then the below code will work. But if I add more than one value, say AD groups, in the child form while raising a request, this code is going to retrieve the same owner value for all AD groups as it will go by the FOR loop.
    How to pre-populate the individual owner for the individual AD group given in the child form? Please let me know.
    import java.io.Serializable;
    import java.util.HashMap;
    import java.util.List;
    import oracle.iam.platform.Platform;
    import oracle.iam.request.exception.RequestServiceException;
    import oracle.iam.request.plugins.PrePopulationAdapter;
    import oracle.iam.request.vo.Beneficiary;
    import oracle.iam.request.vo.RequestBeneficiaryEntity;
    import oracle.iam.request.vo.RequestBeneficiaryEntityAttribute;
    import oracle.iam.request.vo.RequestData;
    import Thor.API.tcResultSet;
    import Thor.API.Exceptions.tcAPIException;
    import Thor.API.Exceptions.tcColumnNotFoundException;
    import Thor.API.Exceptions.tcInvalidLookupException;

    public class PrepopEBSRespValue implements PrePopulationAdapter {
        // Walks beneficiary -> entity -> attribute -> child rows. Every "Owner" row
        // overwrites ownerValue, so one value is returned for the whole request.
        public Serializable prepopulate(RequestData requestData) throws RequestServiceException,
                tcAPIException,
                tcInvalidLookupException,
                tcColumnNotFoundException {
            List<Beneficiary> beneficiaries = null;
            List<RequestBeneficiaryEntity> benEntities = null;
            List<RequestBeneficiaryEntityAttribute> benAttrs = null;
            String ownerValue = "";
            beneficiaries = requestData.getBeneficiaries();
            if (beneficiaries != null && !beneficiaries.isEmpty()) {
                for (oracle.iam.request.vo.Beneficiary beneficiary : beneficiaries) {
                    benEntities = beneficiary.getTargetEntities();
                    if (benEntities != null && benEntities.size() > 0) {
                        for (oracle.iam.request.vo.RequestBeneficiaryEntity benEntity : benEntities) {
                            benAttrs = benEntity.getEntityData();
                            if (benAttrs != null && benAttrs.size() > 0) {
                                for (oracle.iam.request.vo.RequestBeneficiaryEntityAttribute benAttr : benAttrs) {
                                    if (benAttr.hasChild()) {
                                        java.util.List<oracle.iam.request.vo.RequestBeneficiaryEntityAttribute> list = benAttr.getChildAttributes();
                                        java.util.Iterator iterator = list.iterator();
                                        while (iterator.hasNext()) {
                                            oracle.iam.request.vo.RequestBeneficiaryEntityAttribute attribute = (oracle.iam.request.vo.RequestBeneficiaryEntityAttribute) iterator.next();
                                            String attrName = attribute.getName();
                                            if (attrName.equalsIgnoreCase("Owner")) {
                                                String lookupName = "Lookup.Owner.values";
                                                System.out.println("Getting decoded value for the given code key..");
                                                String attrValue = attribute.getValue().toString();
                                                // Search the lookup by Decode and read back the Code Key
                                                HashMap searchcriteria = new HashMap();
                                                searchcriteria.put("Lookup Definition.Lookup Code Information.Decode", attrValue);
                                                Thor.API.Operations.tcLookupOperationsIntf lookupIntf = Platform.getService(Thor.API.Operations.tcLookupOperationsIntf.class);
                                                tcResultSet result = lookupIntf.getLookupValues(lookupName, searchcriteria);
                                                for (int i = 0; i < result.getRowCount(); i++) {
                                                    result.goToRow(i);
                                                    ownerValue = result.getStringValue("Lookup Definition.Lookup Code Information.Code Key");
                                                }
                                            }
                                        }
                                    }
                                }
                            }
                        }
                    }
                }
            }
            System.out.println("Decoded Value::" + ownerValue);
            return (Serializable) ownerValue;
        }
    }

  • Renumbering with ACL-Friendly Role-Based Addressing or...?

    We are a mid-sized manufacturing firm operating out of three locations and we are in the process of making plans to restructure and renumber our networks so as to better facilitate automated configuration management and security, in addition to easing our deployment of IPv6.  Currently, at each site the L3/L2 boundary resides at the network core, but increasing traffic/chatter has us considering moving the L3/L2 boundary to the access layer(s), which consist of 3560-X units in the wiring closets that are supporting edge devices either directly or via 8-port 3560-C compact switches in the further reaches of our manufacturing and warehouse spaces.
    As we contemplate moving to a completely routed network, the big unknown we're struggling with is whether or not it is safe or even desirable to abandon ACL-friendly addressing, and whether, in doing so, we can expect to run into hardware limitations resulting from longer ACLs.
    Currently, each of our site-wide VLANs gets a subnet of the form 10.x.y.0/24, where x identifies the site and y identifies the class of equipment connected to said VLAN.  This allows us to match internal traffic of a given type with just a single ACE, irrespective of where the end-point device resides geographically.  Moving L3 routing decisions out to the access switches will require that we adopt smaller prefix assignments, with as many as 8 distinct subnets on each of our standard-issue 3560CG-8PC compact switches.  Why so many, you ask?  We currently have more than 30 ACL-relevant classifications of devices/hosts - a number that will only grow with time, and to maximize the availability of all services, it is our policy to physically distribute edge devices of a given class (eg. printers, access points, etc) over as many access switches as possible.
    From what I can see, we have three options, each of which presents trade-offs in terms of management complexity and address utilization efficiency:
    Option 1: Stick with ACL-friendly addressing, both for IPv4 and IPv6, and allocate uniform prefixes to each access switch.  For IPv4, within the 10.0.0.0/8 block we would probably allocate 8 bits to the site ID (/16), followed by 6 bits as the switch ID (/22), and 7 bits to identify the equipment/host classification (/29), for a maximum of 5 available addresses for a given class of devices on a given access switch.  For IPv6, assuming we have a /48 block for each site, we would use the first two bits to identify the type of allocation, the following 6 as the switch ID (/56), and the following 8 as the equipment/host classification (/64).
    Option 2: Abandon ACL-friendly addressing and dynamically allocate standard-sized prefixes from a common pool to each VLAN on a given switch.  The advantages of this approach are increased utilization efficiency and more addresses available within each VLAN, but it comes at the cost of non-summarizable routing tables and ACLs, and even if the hardware can handle this, it means we're talking about a more complex configuration management system and less ease in troubleshooting problems.
    Option 3: Do something similar to option 1, but with the L2/L3 boundary positioned at the distribution layer rather than the access layer.  I'm disinclined to go this route, as it seems to require the same, if not more, management complexity than we'll encounter with option 1, with only marginal benefits over keeping things the way they are currently (L2/L3 boundary at the network core).
    Thoughts?  What issues have we neglected to consider?  No matter which approach we select, it shall be assumed that we will be building a system to track all of these prefix assignments, provision switches, and manage their configurations.  From a standpoint of routing protocols, we would probably be looking at OSPFv2/v3.  It can also be assumed that if we encounter legacy devices requiring direct L2 connectivity to one another that we already have ways of bridging their traffic using external devices, so as far as this discussion is concerned, they aren't an issue.
    Thanks in advance for your ideas!
    -Aaron
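The Option 1 IPv4 layout described in the post above, worked through as an added example that is not part of the original post: it builds the /29 for a given site, switch and device class, and derives the single wildcard-mask ACE that matches one class at every site and on every switch. The function names and sample IDs are assumptions, as is reserving the first host of each /29 for the gateway (which is what leaves 5 addresses).

```python
import ipaddress

# Option 1 layout from the post: 10.0.0.0/8, then 8 bits site ID (/16),
# 6 bits switch ID (/22), 7 bits device class (/29), leaving 3 host bits.
SITE_BITS, SWITCH_BITS, CLASS_BITS, HOST_BITS = 8, 6, 7, 3
BASE = int(ipaddress.IPv4Address("10.0.0.0"))
CLASS_SHIFT = HOST_BITS                      # class field starts at bit 3
SWITCH_SHIFT = CLASS_SHIFT + CLASS_BITS      # switch field starts at bit 10
SITE_SHIFT = SWITCH_SHIFT + SWITCH_BITS      # site field starts at bit 16


def _field(name, value, bits, shift):
    """Validate an ID against its field width and move it into position."""
    if not isinstance(value, int) or not 0 <= value < (1 << bits):
        raise ValueError(f"{name}={value!r} does not fit in {bits} bits")
    return value << shift


def prefix_for(site, switch, dev_class):
    """Return the /29 assigned to one device class on one access switch."""
    addr = (BASE
            | _field("site", site, SITE_BITS, SITE_SHIFT)
            | _field("switch", switch, SWITCH_BITS, SWITCH_SHIFT)
            | _field("dev_class", dev_class, CLASS_BITS, CLASS_SHIFT))
    return ipaddress.IPv4Network((addr, 32 - HOST_BITS))


def usable_hosts(net):
    """Hosts left for edge devices. Assumption: the first host address of
    each /29 is the switch's gateway interface, so 6 - 1 = 5 remain."""
    return list(net.hosts())[1:]


def class_ace(dev_class, site=None, switch=None):
    """Return (address, wildcard) for one ACE matching a device class.

    A field left as None becomes "don't care" bits in the wildcard mask,
    so the default matches the class at every site and on every switch.
    """
    addr = BASE | _field("dev_class", dev_class, CLASS_BITS, CLASS_SHIFT)
    wild = (1 << HOST_BITS) - 1              # host bits are always wild
    for name, value, bits, shift in (
            ("site", site, SITE_BITS, SITE_SHIFT),
            ("switch", switch, SWITCH_BITS, SWITCH_SHIFT)):
        if value is None:
            wild |= ((1 << bits) - 1) << shift
        else:
            addr |= _field(name, value, bits, shift)
    return ipaddress.IPv4Address(addr), ipaddress.IPv4Address(wild)


def ace_matches(ace, ip):
    """Evaluate an (address, wildcard) pair the way a router would."""
    addr, wild = ace
    care = ~int(wild) & 0xFFFFFFFF           # bits that must be equal
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(addr) & care)


def ace_line(dev_class, action="permit"):
    """Render the class-wide ACE in IOS extended-ACL form."""
    addr, wild = class_ace(dev_class)
    return f"{action} ip {addr} {wild} any"


if __name__ == "__main__":
    # Constructed sample IDs: site 2, switch 5, device class 17.
    net = prefix_for(2, 5, 17)
    print(net, [str(h) for h in usable_hosts(net)])
    print(ace_line(17))
    for ip in ("10.2.20.138", "10.7.252.137", "10.2.20.145"):
        print(ip, ace_matches(class_ace(17), ip))
```

Because the class field sits between the switch and host bits, the wildcard mask is non-contiguous; under Option 2 the same policy would need one ACE per allocated subnet of that class.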

    Hi David,
    Permissions based on GUI components is a simple & neat idea. But is it rugged? Really secure? It might fall short of Grady Booch's idea of Responsibilities of objects. Also that your Roles and Access components are coupled well with Views!!!!!!!
    My suggestion regarding the Management Beans is only to do with the dynamic modification which our discussion was going towards.
    If we go back to our fundamental objective of implementing a Role based access control,let me put some basic questions.
    We have taken the roles data from a static XML file during the start up of the container. The Roles or Access are wanted to be changed dynamically during the running of the container. You would scrutinize the changes of Roles and access before permission during the case of dynamic modification.
    Do you want this change to happen only for that particular session? Don't you want these changes to persist??? When the container is restarted, don't you want the changes to stay back?
    If the answer to the above is YES(yes I want to persist changes), how about doing a write operation(update role/access) of the XML file and continue your operation? After all, you can get the request to a web or session bean and keep going.
    If the answer to the above is NO(no, i don't want to persist), you can still get the change role request to a web or session bean and keep going.
    Either way, there is going to be an intense scrutiny of the operator before giving her permissions!!!
    One hurdle could be that how to get all neighbouring servers know about the changes in roles and access??? An MBean or App Server API could help you in this.
    May I request all who see this direction to pour in more comments/ideas ? I would like to hear from David, duffymo, komone and jschell.
    Rajesh

  • Pre-populate a multi-valued attribute on target?

    Hi. I am working on pre-populating our I-Planet target resource with data we are storing in OIM User(Address data). it is a requirement by the AD group to store the data as a multi-valued attribute in the LDAP attribute postaladdress. I have tried setting up the resource form to use a pre-populate adapter to populate each line of the address, but I can only add the adapter once for the attribute. Any ideas on how to do this with a pre-populate adapter?
    rkimbal45

    You will probably need to write your own custom code to connect to your ldap directory and perform any actions needed when the field is updated. So you'll need a pre-populate to fill in the date with some sort of delimiter. Then on provisioning, you'll want to trigger this task after the create user. Then when any updates are performed, you'll need to completely refresh the multivalue attribute in the target. I would suggest one function to be called in your custom code, then query ldap for what exists, and parse your data for any updates necessary, and then do as needed based on what exists and what needs to be added/deleted/updated.
    -Kevin
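
The approach described in the reply above (one delimited form field, compared on update with what the entry already holds) can be sketched as follows. This is an added example, not code from the thread or from any OIM connector; the class name, the "|" delimiter and the sample address values are assumptions, and the comparison is an exact string match.

```java
import java.util.*;
import java.util.regex.Pattern;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.*;

public class MultiValueSync {
    // Split the single delimited form field into distinct, trimmed, non-empty values.
    static Set<String> parse(String packed, String delimiter) {
        Set<String> out = new LinkedHashSet<>();
        if (packed == null) return out;
        for (String part : packed.split(Pattern.quote(delimiter))) {
            if (!part.trim().isEmpty()) out.add(part.trim());
        }
        return out;
    }

    // Compare desired values with what the entry holds and emit only the delta.
    static List<ModificationItem> diff(String attrId, Attribute existing, Set<String> desired)
            throws NamingException {
        Set<String> current = new LinkedHashSet<>();
        if (existing != null) {
            NamingEnumeration<?> e = existing.getAll();
            while (e.hasMore()) current.add(String.valueOf(e.next()));
        }
        Attribute add = new BasicAttribute(attrId);
        Attribute remove = new BasicAttribute(attrId);
        for (String v : desired) if (!current.contains(v)) add.add(v);
        for (String v : current) if (!desired.contains(v)) remove.add(v);
        List<ModificationItem> mods = new ArrayList<>();
        if (remove.size() > 0) mods.add(new ModificationItem(DirContext.REMOVE_ATTRIBUTE, remove));
        if (add.size() > 0) mods.add(new ModificationItem(DirContext.ADD_ATTRIBUTE, add));
        return mods;
    }

    public static void main(String[] args) throws NamingException {
        // Constructed sample: values already on the entry, then the delimited form field.
        Attribute existing = new BasicAttribute("postaladdress");
        existing.add("1 Old Street");
        existing.add("Springfield");
        Set<String> desired = parse("2 New Road | Springfield | 12345", "|");
        for (ModificationItem m : diff("postaladdress", existing, desired)) {
            System.out.println(m.getModificationOp() + " -> " + m.getAttribute());
        }
        // An adapter would pass these to DirContext.modifyAttributes(entryDn, modsArray).
    }
}
```

Sending only the delta leaves values written by other systems untouched and keeps the directory's change log limited to what actually changed.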

  • Generating Manager field in OID by using Pre-populate Adapter

    Hi All,
    I created a pre-populate Adapter that uses First name and Last name of user and adds the manager field to OID during provisioning.
    But during provisioning I am getting a Naming Exception.
    This is what I found in JBoss application server.
    09:30:58,828 INFO [STDOUT] Running CONCATENATEVARS
    09:30:58,828 INFO [STDOUT] Target Class = StringUtil
    09:30:58,921 INFO [STDOUT] Running CONCATENATEVARS
    09:30:58,921 INFO [STDOUT] Target Class = StringUtil
    09:30:59,640 INFO [STDOUT] Running GetTargetAttributeMapping
    09:30:59,703 INFO [STDOUT] Running GetProcessData
    09:30:59,859 INFO [STDOUT] Running SHOULDUSEXLORG
    09:30:59,875 INFO [STDOUT] Target Class = java.lang.Boolean
    09:30:59,875 INFO [STDOUT] Running SHOULDUSESSL
    09:30:59,875 INFO [STDOUT] Target Class = java.lang.Boolean
    09:30:59,875 INFO [STDOUT] Running CREATEUSER
    09:31:00,203 INFO [STDOUT] Target Class = com.thortech.xl.integration.OID.tcUtilOIDUserOperations
    09:31:00,250 INFO [OID] Parameter Variables passed into com.thortech.xl.integration.OID.tcUtilOIDUserOperations:tcUtilOIDUserOperations(s,s,s,s,s,o,o,b): are sServ
    sPort = 3060, sPrincipalDN = cn=orcladmin,
    09:31:00,281 INFO [OID] Parameter Variables passed into com.thortech.xl.integration.OID.util.tcUtilLDAPOperations:tcUtilLDAPOperations(): Login Variables are:: are
    = cn=orcladmin, sProviderURL = ldap://192.168.109.140:3060,
    09:31:00,281 INFO [OID] Parameter Variables passed into com.thortech.xl.integration.OID.tcUtilOIDUserOperations:createUser(S,S,S,S,S): are sContainerDN = cn=users,
    ER8,
    09:31:00,343 INFO [OID] com.thortech.xl.integration.OID.util.tcUtilLDAPOperations : connectToAvailableOID() : SSL option is not selected in ITResource
    09:31:00,359 INFO [OID] Parameter Variables passed into com.thortech.xl.integration.OID.tcUtilOIDUserOperations:formatOrgDN(s,s): are sOrgDN = cn=users, sRootDN =
    09:31:00,359 INFO [OID] Parameter Variables passed into com.thortech.xl.integration.OID.tcUtilOIDUserOperations:isObjectExists(S,S): are sContainerDN = cn=users,dc
    09:31:00,375 INFO [OID] Parameter Variables passed into com.thortech.xl.integration.OID.util.tcUtilLDAPOperations:search(S,S,b,S[]): are pSearchBase = cn=users,dc=
    09:31:00,390 INFO [OID] Parameter Variables passed into com.thortech.xl.integration.OID.util.tcUtilLDAPOperations:createObject(S,A): are pObjDN = cn=TESTUSER8,cn=u
    .BasicAttributes$IDEnumImpl@1217a79,
    09:31:00,515 ERROR [OID] ====================================================
    09:31:00,515 ERROR [OID] ERROR in OID:com.thortech.xl.integration.OID.util.tcUtilLDAPOperations:createObject(S,A) NamingExceptionUnable to create object
    09:31:00,515 ERROR [OID] ====================================================
    09:31:00,531 ERROR [OID] ====================================================
    09:31:00,531 ERROR [OID] cn=TESTUSER8,cn=users,dc=orademo,dc=com: [LDAP: error code 34 - Invalid DN Syntax]
    09:31:00,546 ERROR [OID] ====================================================
    09:31:00,546 ERROR [OID] ====================================================
    09:31:00,562 ERROR [OID] ERROR in com.thortech.xl.integration.OID.tcUtilOIDUserOperations:createUser(S,S,S,S,S) NamingExceptionError while connecting to target
    09:31:00,562 ERROR [OID] ====================================================
    09:31:00,578 ERROR [OID] ====================================================
    09:31:00,578 ERROR [OID] com.thortech.xl.integration.OID.util.tcUtilLDAPOperationsUnable to create objectNamingExceptioncn=TESTUSER8,cn=users,dc=orademo,dc=com: [LDA
    09:31:00,578 ERROR [OID] ====================================================
    09:31:00,593 ERROR [OID] ====================================================
    09:31:00,593 ERROR [OID] com.thortech.xl.integration.OID.util.tcUtilLDAPOperationsUnable to create objectNamingExceptioncn=TESTUSER8,cn=users,dc=orademo,dc=com: [LDA
    09:31:00,609 ERROR [OID] ====================================================
    Can anyone help me to come out of this?
    Thanks & Regards,
    Rajesh.

    Hi Rajiv,
    I am generating the value for the manager field in OID. I found this value getting generated in the OID user form. But this value is not provisioned when provisioning the user.
    In the OID Configuration Lookup table I found the manager is mapped to ldapManager. But when I connected to OID through an LDAP browser I didn't find this attribute. The manager attribute is not there.
    So can you help me to solve this?
    Thanks & Regards,
    Rajesh.
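
LDAP result code 34 is invalidDNSyntax, and the standard LDAP manager attribute (RFC 4524) takes a distinguished name as its value. The following added example, which is not code from the thread or from the OID connector, shows a pre-write check that a generated value parses as a DN and a way to build one from a display name with proper escaping. The class name, the cn-based naming and the sample names are assumptions.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class ManagerDnCheck {
    // True only if the value parses as an LDAP distinguished name (string form).
    static boolean isDn(String value) {
        if (value == null || value.trim().isEmpty()) return false; // "" parses as the empty name
        try {
            new LdapName(value);
            return true;
        } catch (InvalidNameException e) {
            return false;
        }
    }

    // Build cn=<commonName>,<containerDn>. Rdn escapes DN metacharacters in the
    // value (comma, plus, quotes, ...), so a name cannot add or alter RDNs.
    static String toDn(String commonName, String containerDn) throws InvalidNameException {
        LdapName dn = new LdapName(containerDn);
        dn.add(new Rdn("cn", commonName)); // appended as the leftmost RDN
        return dn.toString();
    }

    public static void main(String[] args) throws InvalidNameException {
        String container = "cn=users,dc=orademo,dc=com"; // container DN seen in the log
        String[] candidates = {                           // constructed sample values
            "John Smith",                                 // plain concatenated name
            toDn("John Smith", container),
            toDn("Smith, John", container)                // comma must be escaped
        };
        for (String c : candidates) {
            System.out.println((isDn(c) ? "DN     : " : "not DN : ") + c);
        }
    }
}
```

A syntactically valid DN still has to refer to the intended entry; whether the referenced manager entry exists is a separate lookup against the directory.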
