About password synchronization in OIM11g

Hi all i have done password policies in oim11g but now i'm trying for password synchronization but i dont know how to proceed so plz give me information and link/materials for this topic .
Thanks in advance for quick response.

download Password sync connector(MSFT_PSync_91150.zip ) from below link
http://www.oracle.com/technetwork/middleware/id-mgmt/downloads/connectors-101674.html
extract it and follow the connector doc for installation and configuration steps.
--nayan

Similar Messages

Password Synchronization Connector Installation

Hello friends,
About Password Synchronization Connector, my query is:
You can install this connector, with a different user account with administrator account used to start the server in Active Directory.
thanks

Another query, this has to be used in the installation of the connector, in addition to the permit program should install another permit what should you be assigned in the Active Directory?
Thank you for responding, there is some documentation that specifies your claim.

SAP ECC 6.0 / Active Directory Password synchronization

Hello,
We have a need to synchronize our users Windows passwords (AD) to our SAP systems (ECC 6.0, BW 3.5, and SCM 5.0). We do not use CUA and currently do not use a Portal and are not looking at doing SSO. We simply want to have one repository (AD) that will manage passwords for our Windows apps as well as our SAP systems. So far, we have not found a way to do this. SAP Note 603208 says this kind of synchronizing is not possible due to encryptions, among other things. However, we did find a white paper that stated the following:
~snip
<i>The Management Agents delivered with MIIS generally support password management: <b>they can take a password from some source (either from a user password change from the Windows interface, or from a self-service web-based password reset interface) and can set the same password in the various connected systems</b>. The Management Agent developed by Oxford is no exception. To change a password in an R/3 System the Susr_User_Change_Password_Rfc function can be used, but this is only possible if the old password is known and the SAP system allows the password change for this user. In cases where the old password is not known (for example the setting of an initial password) the password can be reset using the BAPI_User_change function.</i>~snip
Does anyone have any information on how we can achieve the password synchronization between Active Directory and Abap-based SAP Systems?
I very much appreciate your time and help.
Paul

Paul,
You can achieve this using "common authentication". Since Active Directory uses Kerberos, if you allow your SAP systems to support Kerberos authentication as well, then you will be able to logon to Windows workstation, and use the Kerberos credentials issued by Active Directory during this logon to log the user onto SAP.
This is common, and easy to acheive. You need to use the SNC capability which is provided in SAP GUI and also in SAP ABAP engine, and you also need a GSS-API library for both workstations and for the SAP servers that implements the Kerberos protocol. If your SAP server is running on Windows Servers then you can get this GSS-API library from SAP, but if (like many companies) you are running SAP ECC, BW, SCM etc. on UNIX or Linux servers then you need to license a third-party product which provides the GSS-API library etc. I represent a vendor (CyberSafe) that provides this exact product, but you can also find other vendors by looking on SAP partner website, under SNC certified products list. If you want to find out more about our product, please ask me offline by getting my email address from my business card.
I hope this helps. Of course, if there are any questions for me related to this which are appropriate for public viewing then please ask them via this forum instead of via email.
Regards,
Tim

Password synchronization between OID and AD - 10.1.2

Hi,
I've some questions about the following issue:
I've tried to setup the password synchronization between OID 10.1.2 and active directory, with the intent of exporting ldap users from OID to AD..
Well, the bootstrap gone fine, but when I tried to activate the export of password in the activexp.map configuration file,
I've obtained this:
*Writer Thread - 0 - [LDAP: error code 53 - 0000001F: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0*
for each entry I tried to export...
I've opened a SR on metalink and I've received the following answer:
_" As shown by the synchronization profile, currently you have a mapping for the password from OID to AD._
_userpassword: : :person:unicodepwd: :person:_
_According to the documentation, password synchronization requires the directories to be configured for SSL mode:_
    _http://download-uk.oracle.com/docs/cd/B14099_12/idmanage.1012/b14085/odip_actdir003.htm#CHDEFIED_
_18.3.2.8 Synchronizing Passwords_
_You can synchronize Oracle Internet Directory passwords with Active Directory._
   _You can also make passwords stored in Microsoft Active Directory available in Oracle Internet Directory._
   _Password synchronization is possible only when the directories run in SSL mode 2, that is, server-only authentication."_
The SSL setup is the only way to achieve this, or there's another alternative?
Thanks

Yes. It needs to be in SSL.
http://download-uk.oracle.com/docs/cd/B14099_12/idmanage.1012/b14085/odip_actdir003.htm#CHDCJHHB
Some excerpts:
Active Directory Connector uses SSL to secure the synchronization process. Whether or not you synchronize in the SSL mode depends on your deployment requirements. For example, synchronizing public data does not require SSL, but synchronizing sensitive information such as passwords does. To synchronize password changes between Oracle Internet Directory and Microsoft Active Directory, you must use SSL mode with server-only authentication, that is, SSL Mode 2.
-shetty2k

Issue with GPO "WSE Group Policy Password Synchronization"

When I started my migration of SBS2011 to 2012r2 with essentials service I noticed this GPO appear which I assume is for passwords to be synced to the cloud however when I implemented group policy from essentials the dashboard crashed and the typical
GPO's that it creates weren't there and only the folder-redirection was present it was also blank so I deleted it (I didnt delete the GPO "WSE Group Policy Password Synchronization" )
I then re-launched the dashboard and ran through the process again, it worked what a treat! except the GPO for "WSE Group Policy Password Synchronization"
appears to be blank, I remember it pointing to a ps file but I dont know what ps file and how to recreate it, along with to confirm what it does. Sadly I have no GPO backup to go back to.
any help on this would be much appreciated
Cheers

Hi,
à
however when I implemented group policy from essentials the dashboard crashed
Based on your description, I understand that Dashboard crashed when implemented group policies (some WSE Group
Policy).
àthe typical
GPO's that it creates weren't there and only the folder-redirection was present it was also blank so I deleted it (I didnt delete the GPO "WSE Group Policy Password Synchronization")
Did you mean that deleted the ‘WSE Group Policy Folder Redirection’? Would you please let me know whether do
any operation for the ‘WSE Group Policy Password Synchronization’? Meanwhile, please check if other WSE Group Policy also was
No Settings defined in Settings tab (as your ‘WSE Group Policy Password Synchronization’ picture showed).
àSadly I have
no GPO backup to go back to.
Please start a BPA scan and check if find relevant issue. If no GPO backup, it seems that not be able to help
us to restore group policy objects. By the way, did you have a Full server backup?
If anything I misunderstand or any update, please feel free to let me know.
Hope this helps.
Best regards,
Justin Gu

Password Synchronization from OIM to target systems

Hi All,
Is there any OOTB functionality in OIM9.1.0.1 for password synchronization.
I have a user with multiple IT resources provisioned into his account. Now whenever user changes his password in OIM, I want that to be updated on particular target system which user selects. For ex. If a user has 5 IT resources configured and whenever he changes his password that has to be updated on only 3 IT resources and not all.
As per my understanding each IT resource configured will have some process task for updating the password on target system(Password Update in case of iPlanet resource) which will be triggered if an entry for this is present in USR_TRIGGERS. If I use this kind of approach it will update on all IT resources.
How can I make this dynamic so that the changes are done only to a list of specific IT resources selected by user.
Thanks & Regards,
Mahantesh

There is no OOTB functionality for the end user to decide which resources get their password changed and when. The OOTB functionality lets you use the Lookup.USR_PROCESS_TRIGGER to define which USR table fields have triggers configured for modification. Then you can create the task associated with the field in any provisioning process definition to insert that task when the field changes.
If you want the user to be able to pick and choose which fields get propagated to which targets, it becomes custom coding.
Off hand, to be able to decide which passwords get propagated to which targets, i might suggest some way for the end user to set the targets before hand because when a user changes their password, it's only the password that is being changed. You are going to need a field somewhere that says "yes this resource will propagate the password". You have 2 locations i can think of to do this, on the USR form as a UDF, or a field no the user's resource profile. Next you need a way to fill in these values. If it's on the USR form, you could put these on the user's self modification page to be able to check and uncheck these per resource. Or you can create a self requestable resource, or organization type requestable that has the list of targets, and the user can choose which ones they want to propagate the password to. You cannot have a dynamic list of targets though of the resource form. It has to be a set defined list. You could however create a child table with a list of all available objects and have them just add them in. Once the selection is done, you will either have these checked, or the provisioning side will update the values.
Now, when the password is changed, and you have your "Change User Password" task running, your adapter will have an input that maps to the UDF field to check if it should pass the new password to the Password Field on the form to trigger the Password Updated task, or return the existing password.
Or you create a custom page that lets you do whatever you want :)
-Kevin

Password changes in AD - Password Synchronization Connector Issue

Hey all,
Newbie question/problem... I have the 9.1.1.0 version of the AD Password Synchronization Connector installed on all domain controllers in my AD. My OIM system is IDM 9.1.0.1 running with JBoss.
When a password is changed on the target machine that OIM is connected to, the password synchronizes across to OIM fine.
When I change a password on another DC, the password does not synchronize. I check the logs and instead get an error saying... User not found. This shows in the AD eventlog as well saying... user not found in AD, please verify the configuration parameters.
The weird thing is... if I change my OIM host to point to the 2nd DC that threw that error and change the Password Synchronization Connector to point to itself as the host, the password change will now work and synchronize back to OIM. The password change on the original DC will now throw the same error, user not found.
I am totally stumped on this one... any help would be greatly appreciated.
Thanks in advance.
-B

Well finally figured it out... each password synchronization connector on each domain controller must:
for the host entry: use the IP of the current Domain controller box you are installing on
for the OIM host: enter the OIM server's hostname (not ip)
Just wanted to share my pains and struggles so others wouldn't have to.

AD password synchronization connector error

Hi,
I have installed the AD password synchronization connector 9.1.1. to Windows 2003 SP2 server successfully.
When I tried to reset the users password I can see from the 20120518OIMMain.log file the following errors:
Debug [5/18/2012 8:20:19 PM] The SOAP start element is
Debug [5/18/2012 8:20:19 PM] <SPMLv2Document xmlns="http://xmlns.oracle.com/OIM/provisioning">
Debug [5/18/2012 8:20:19 PM] The SOAP end element is
Debug [5/18/2012 8:20:19 PM] </SPMLv2Document>
Debug [5/18/2012 8:20:19 PM] The path is
Debug [5/18/2012 8:20:19 PM] /spmlws/HttpSoap11
Debug [5/18/2012 8:20:19 PM] End of sgsloidi::setParameters
Debug [5/18/2012 8:20:19 PM] <?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns0="http://xmlns.oracle.com/OIM/provisioning"><env:Body><env:Fault><faultcode>env:Server</faultcode><faultstring>Internal Server Error (Caught exception while handling request: java.rmi.RemoteException: null; nested exception is:
* java.lang.NullPointerException)*</faultstring></env:Fault></env:Body></env:Envelope>
Debug [5/18/2012 8:20:19 PM] Inside sgsloidiOIMGeneralErrorHandler
Debug [5/18/2012 8:20:19 PM] Unable to update USR_NAME. There are error messages in the searchReponse. Please check log for details
Debug [5/18/2012 8:20:19 PM] Password updation failed in child process
Can anyone tell me what's wrong with it? please..
What's I should check?
Thank a lot.

1. Check your ports, make sure they are open.
2. For password sync you'll need to have SSL certificates configured so AD, OIM and the connector can talk securely. Make sure the proper keystore is used and certificate is present on all 3 (the connector includes the guide to install them)
With the above I got my connector working to this point. Hope that helps.
- JP

AD-OIM password synchronization connector error

Hi,
I have installed the AD password synchronization connector 9.1.1. to Windows 2003 SP2 server successfully. When I reset the users password I can see from the 20091217OIMMain.log file the following errors:
Debug [12/17/2009 2:08:31 PM] The SOAP start element is
Debug [12/17/2009 2:08:31 PM] <SPMLv2Document xmlns="http://xmlns.oracle.com/OIM/provisioning">
Debug [12/17/2009 2:08:31 PM] The SOAP end element is
Debug [12/17/2009 2:08:31 PM] </SPMLv2Document>
Debug [12/17/2009 2:08:31 PM] The path is
Debug [12/17/2009 2:08:31 PM] /spmlws/HttpSoap11
Debug [12/17/2009 2:08:31 PM] End of sgsloidi::setParameters
Debug [12/17/2009 2:08:31 PM] <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"><env:Header/><env:Body><env:Fault xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"><faultcode xmlns="">env:Server</faultcode><faultstring
xmlns="">Internal Server Error</faultstring><faultactor xmlns=""></faultactor></env:Fault></env:Body></env:Envelope>
Debug [12/17/2009 2:08:31 PM] Inside sgsloidiOIMGeneralErrorHandler
Debug [12/17/2009 2:08:31 PM] Unable to update USR_NAME. There are error messages in the searchReponse. Please check log for details
Debug [12/17/2009 2:08:32 PM] Password updation failed in child process
Where is this searchResponce log file? I tried to see all the Windows log files, which has been updated after my password reset, but none of them has any errors which makes sense or the time would match. Also in 20091216043_PasswordChange.log everthing seems to go okay.
SPML web service is deployed and up and I can hit that URL from my machine. I don't get any printouts to the OIM log file.
Any ideas...? Thanks a bunch!
-J-

1. Check your ports, make sure they are open.
2. For password sync you'll need to have SSL certificates configured so AD, OIM and the connector can talk securely. Make sure the proper keystore is used and certificate is present on all 3 (the connector includes the guide to install them)
With the above I got my connector working to this point. Hope that helps.
- JP

Password Synchronization Connector Error in SSL secure mode (636)

Hello friends,
I tell them my case:
I have an Oracle Identity Manager environment BP15 9.1.0.2 and I installed an Active Directory Password Synchronization plug. The connector works properly in unsafe mode (389), then you have configured the SSL connector in safe mode (636) the log shows the following:
Inside *********** **************** sgslldpcopenLDAPConnection
Debug [10/28/2011 2:21:00 PM] Inside sgsladac c-tor
Debug [10/28/2011 2:21:00 PM] AD Host
Debug [10/28/2011 2:21:00 PM] 192.168.1.10
Debug [10/28/2011 2:21:00 PM]
Debug [10/28/2011 2:21:00 PM] AD Port
Debug [10/28/2011 2:21:00 PM] 636
Debug [10/28/2011 2:21:00 PM]
Debug [10/28/2011 2:21:00 PM] AD Base DN
Debug [10/28/2011 2:21:00 PM] DC = domain1, DC = com
Debug [10/28/2011 2:21:00 PM]
Debug [10/28/2011 2:21:00 PM]
Debugging the code
Debug [10/28/2011 2:21:00 PM] Inside ConnectToADSI
Debug [10/28/2011 2:21:00 PM]
ldap_connect failed with
Debug [10/28/2011 2:21:00 PM] Server Down
Debug [10/28/2011 2:21:00 PM]
Debug [10/28/2011 2:21:00 PM]
Connection to AD failed
Debug [10/28/2011 2:21:00 PM]
Out of openLDAPConnection ********** *****************
Debug [10/28/2011 2:21:00 PM] Inside sgsladac destroyer
Debug [10/28/2011 2:21:01 PM] Datastore --- Connect to AD
Debug [10/28/2011 2:21:01 PM]
Inside *********** **************** sgslldpcopenLDAPConnection
Any suggestions to solve this problem.
thank you very much

1. Check your ports, make sure they are open.
2. For password sync you'll need to have SSL certificates configured so AD, OIM and the connector can talk securely. Make sure the proper keystore is used and certificate is present on all 3 (the connector includes the guide to install them)
With the above I got my connector working to this point. Hope that helps.
- JP

Notification about password expiry on VPN Client

Hello everyone.
Our VPN users are connected to VPN with VPN Client. We're using VPN3000 to terminate VPN and ACS 5.1 to authenticate users from its internal identity store. VPN3000 gets info from ACS via RADIUS.
Now I want users to be notified about password expiration at their VPN client and be able to change their password.
I've configured:
- "RADIUS with expiry" at VPN3000
- "Disable user account after X days if password was not changed" and "Display reminder after Y days" at ACS
Now user is blocked when his password is expired after X days and he can't connect. But the reminder is not displayed after Y days and users have not chance to change his own password.
If I check "Change password on next login" user can change his password in VPN Client.
Should this feature (password expiry notification) work with ACS5.1 internal identity store and RADIUS?
I found in ACS5.1 release notes the following:
- Internal identity store enhancements include support for Password expiry
but:
- Expiry of any user (admin or internal) after certain number of days is not supported.
I'm confused with these two phrases.
And one more question. What RADIUS attributes say about password expiration and password notification to check them with radlogin?
Thanks in advance for any help.
Pavel

For what it's worth, I've followed that procedure to successfully reset the administrator password on a VPN 3000 concentrator without any loss of the active configuration.

Password Synchronization Connector in HA

Hello friends,
As I can configure the Password Synchronization plug idm Oracle Identity Manager on Oracle WebLogic Server deployed in Cluster (2 nodes)
Thanks.

Yes, you can configure it for 2 nodes in clustered environment. Refer http://docs.oracle.com/cd/E11223_01/doc.904/e10450.pdf 2.3 4. You need to install connector on one node and configure it on both, if it is 11g.
regards,
GP

Password synchronization between two domains

Hey everybody,
we have currently the situation, where we comes to password synchronization between Domain A and Domain B. Trust relationships are not possible caused we need separated authentications between productive network and user tools.
So we would sync from Domain A (windows 2008 R2) --> Domain B (windows 2008 R2)
Domain B would also replicate per Okta to Office365 Cloud.
Now my question, could anyone point me in the right direction, what tools are usefully on the market to accomplish these issues.
Sorry for my limited english.
Best and thanks

You can try using FIM with PCNS to sync passwords from Domain A to Domain B: https://technet.microsoft.com/en-us/library/jj590203(v=ws.10).aspx
As for Office 365, you can simply implement an ADFS platform and federate it so that your users will be using their AD passwords. It is also possible to sync passwords with DirSync.
This posting is provided AS IS with no warranties or guarantees , and confers no rights.
Ahmed MALEK
My Website Link
My Linkedin Profile
My MVP Profile

Password synchronization problem

Hi All,
We have configured password synchronization in our SUN IDM Environment.Now we are facing problem with expired Passwords.
Password synchronization is not working with expired passwords.Normal users are able change their password and password change is reflecting on all the configured resources.
Please suggest me on this.
Thanks in Advance
Madhu

Hi Joshua,
Does this mean that I need to install the core and sub component but no need to install the DS and AD connectors. No!!! Core must only be installed on one machine! Here is a short summary of the steps during an installation having sun ONE LDAPs in multi-master replication (taking ldap2 as the machine, whrere core is installed):
1. Install core on ldap2
2. start console and configure your directory sources. For the sun directory source enter ldap2 as the preferred and ldap1 as the secondary ldap. Configure the rest: attribute-mapping, modification flow, AD-source, SULs, etc. save the configuration.
3. on ldap2 run idsync prepds untill you get the SUCCESS message in the following way (be sure to specify the secondary ldap with -j and -r options):
idsync prepds -h <ldap2> -p <ldap2port> -j <ldap1> -r <ldap1port> -D "cn=directory manager" -w <passwort> -s <configuration_registry_suffix>4. Run the install binaries again on ldap2. Install DS Connector on ldap2, install DS-Subcomponent (preferred) on ldap2. Install AD-Connector.
5. Copy over install binaries to ldap1. Run the install binaries on ldap1. Give ldap2 as configuration directory URL When you are asked, what components to install, select subcomponent. Select the suffix. When you are asked, what type of ldap, select secondary.
6. Copy over install binaries to any ldap slave in your replication topology and install the subcomponent there, choosing "other" as the ldap type.
Good luck again...
Jakob.

Every sync gets "You are about to synchronize your calendar for the first time" - Help !!!

I am on a MBP with the Tour and was able to successfully sync iCal and Address Book with BB. But everytime I try to sync, I get the " You are about to synchronize our Calendar data for the first time." with the options to "Replace Device Data", "Merge Data" or Cancel. Has anyone seen this and know how to fix? Replacing data makes it impossible to update Mac with changes on BB.
Please help!

Create a backup of your iCal and your BlackBerry.
Then create a test Calendar event on the BlackBerry, in iCal then test another synchronization once again.
The first time sync prompt usually occurs when it does not detect entries in either the BlackBerry or iCal Calendar.
-FB
Come follow your BlackBerry Technical Team on Twitter! @BlackBerryHelp
Be sure to click Kudos! for those who have helped you.
Click "Accept as a Solution" for posts that have solved your issue(s)!

About password synchronization in OIM11g

Similar Messages

Maybe you are looking for