AD OID SYNC
Hi All,
One of my customers has set up AD-OID sync (both ways, i.e. export & import). Now he wants to sync only modifications, i.e. adds & deletes should not be synced either way.
How can this be achieved?
Regards
Easwaran
Changed the AD account to be a member of group Administrators, deleted all calendar accounts, and ran a fresh bootstrap.
Now OID->AD sync is working fine, including new user additions.
Similar Messages
-
AD OID sync not working after relocating servers
Experts,
OAS 10g (9.0.4.3.0)
The AD/OID sync which runs once a day did not run after the servers were relocated. I had run chgip on both infra and midtier and the applications are running without any problems.
How can I troubleshoot this? Where are the logs generated for the AD/OID sync?
Regards
v
Logs for OID-AD sync are located under $ORACLE_HOME/ldap/odi/log.
It will also be important that you check the odisrv log file for any errors (this is located under $ORACLE_HOME/ldap/log). -
OIM OID sync (IT Resource - Directory Server)
Hi Friends ,
I am trying to get information about OIM OID sync (IT Resource - Directory Server) but I cannot find any link.
I want to find out what the limitations of this sync are and how we can control sync attributes.
Thanks in advance.
If you are talking about OIM 11g LDAP Identity Store (the thing that synchronises OIM and OID automagically) then have a look at:
http://download.oracle.com/docs/cd/E14571_01/doc.1111/e14316/dployconfig.htm#insertedID3
There's also stuff about it in the OIM 11g Developers Guide and the OIM 11g System Administrators Guide (LDAP scheduled tasks). The installation guide and enterprise deployment guide may also be useful.
These should all be accessible from
http://download.oracle.com/docs/cd/E14571_01/im.htm
Have fun! -
hi all,
recently I've been given the assignment of syncing one Active Directory to one OID.
Said so, it seems easy .....
...... so I installed a fresh copy of Win2000 Adv Server with Active Directory PLUS another Win2000 Adv Server with Oracle AS infra.
Then I got a copy of this document:
http://www.oracle.com/technology/obe/obe_as_10g/im/ads_import/import.htm?_template=/ocom/technology/content/print
unfortunately the "dipassistant" command at the end of the document comes out with an error:
dipassistant ERROR: DIP_GEN_UNKNOWN_FAILURE
I also looked on metalink for some help, and I found the note n. 267153.1
At the beginning of the document it is explained how to verify if it is possible to read the "container": cn=users,dc=domain,dc=com
Running an ldapsearch on the Active Directory is useful for verifying any access issues.....
The command does not come out with errors, but it also does not come out with any output (I put a few users on the Active Dir).
Thank you in advance for the time
Thanks Andres,
I tried to query the Active directory in the way you said ....but nothing !
ldapsearch \
-p 389 \
-h adhost \
-D "cn=Administrator,cn=users,dc=domain,dc=com" \
-w "mypassword" \
-b "cn=users.oracle.com" \
-s base "objectclass=*"
and in these formats too:
(-b "dc=users.paan.com"
-b "cn=users,dc=paan,dc=com")
I'm really lost, what else could be wrong ?
I'm wondering if there is anything missing from the document i'm following for the Sync.
http://www.oracle.com/technology/obe/obe_as_10g/im/ads_import/import.htm?_template=/ocom/technology/content/print
Conceptually the synchronization seems to be a straightforward process, but in reality I find it quite complicated...........maybe I'm missing some key information.....
Any ideas to suggest?
Thanks -
Missing /metadata/iam-features-ldap-sync in v11.1.1.6 OIM/OID sync
Hi All
Have picked up support of a site with Oracle Identity Management Suite already installed and need to create custom Schema attributes for users.
Have modified the create user form no problem in OIM, and also created a custom class with the required attributes in OID.
The bit I am stuck on is associating the custom class / attributes in OIM with the relevant fields in OID.
Am looking at the
Oracle® Fusion Middleware
Integration Guide for Oracle Identity Management Suite
11g Release 2 (11.1.2)
E27123-03
documentation which seems to make sense and have got as far as page 3-5 Step 2 where it says to
Export the /metadata/iam-features-ldap-sync/LDAPUser.xml metadata file from the repository
The issue I've got is that while I can identify the /metadata folder on the server, the only folders it contains are db and ldapReconJobs.
Anyone got any idea where things might have gone wrong / how to rectify?
Am hoping that it may be something obvious to others as am new to this product-set.
thanks in advance
Dave
Thanks idamgod
Your answer makes sense as to why the folder isn't there, but I have a bit of a problem in that there are no xServer components installed on the server, so running the GUI-oriented confg.sh isn't an easy option.
(apparently not an option to install)
Is there any other (non-GUI-oriented) way of achieving the same result? -
I need help for install and configure password sync from AD to OID
Hi guys!
I need to sync passwords from AD to OID. First of all, what software do I need? I read some docs and can't find the right config.
I'm trying with:
-Database 11g
-Weblogic 11g
-SOA 11g
-IDM 11g
-IAM 11g
First I install the Database and load the schemas with RCU, next install Weblogic without a domain, next install SOA, next install IDM (OID and DIP) in a new Weblogic Domain, next install IAM, next configure IAM in the domain created before, next configure SSL, check the config by using ldapbind, next configure DIP.
Is that OK?
What am I doing wrong?
Thank you all.
If all you need is AD & OID then OIM is not required. DIP alone can handle this.
Password sync should work using DIP. If this is not working then check the synchronization mapping and verify that the password attribute is also part of this AD-OID sync. Enable debug in the synchronization profile or raise a Service Request with Oracle support.
Check
http://docs.oracle.com/cd/E23943_01/oid.1111/e10031/odip_actdir.htm#CHDIGDEH
and
http://docs.oracle.com/cd/E23943_01/oid.1111/e10031/odip_config_integration.htm#BABBFAAJ
and
http://docs.oracle.com/cd/E23943_01/oid.1111/e10031/odip_adpasswordsync.htm#CHDBIIJC
Atul Kumar -
The Oracle Files is not Synchronizing with the OID, even after setting OID Sync.agent to 3m instead of 24h.
Whenever i logon to files it gives me "You don't have an Oracle files account"
Any idea why this is happening?
You have recently created a user in OID and are immediately trying to log in to Oracle Files using that userid. The error message you get is,
"Error. You do not have an account on Oracle Files"
To get the error;
1) http://host.domain:7779/files/app/AdminLogin
2) Click, "Login using Single Sign-on"
3) Enter the new userid & password to get "Error. You do not have an account on Oracle Files."
The FilesOidUserSynchronizationAgentConfiguration agent is set to 24hours by default, so a new user must wait 24 hours before it will import the user into Oracle Files. You need to create a new Synchronization agent
with a shorter time period:
1) Start EMD, also known as Oracle Enterprise Manager, from the command-line using
$ORACLE_HOME/bin/emctl start
2) Connect to EMD at http://hostname:1810 and log in as ias_admin using the same password you entered for the Oracle Collaboration Suite instance when you installed Oracle Collaboration Suite.
3) Click Files. The Files Domain page appears.
4) Click Server Configuration.
5) Click and Edit the FilesOidUserSynchronizationAgentConfiguration,
changing the value of IFS.SERVER.TIMER.ActivationPeriod from 24h to 3m (for a check every 3 minutes).
6) Save FilesOidUserSynchronizationAgentConfiguration.
7) Stop FilesOidUserSynchronizationAgent by clicking on the <server> Node. Now you should see a list of servers. Click the radio button for
FilesOidUserSynchronizationAgent and click Stop.
8) To load the new Server, click on the Load Server push button. Enter a new name in the Server Name field (i.e. OIDSYNC). In the Server name field, select IfsDefaultServer from the drop-down list. For the Server Configuration field, select FilesOidUserSynchronizationAgentConfiguration. Then click OK. You should see a new server named OIDSYNC.
9) Start the newly loaded FilesOidUserSynchronizationAgent. Do not start
the same agent that you just stopped. Click on the radio button for OIDSYNC, then click on start. Keep the FilesOidSynchronizationAgent stopped.
After a few minutes (when the new FilesOidUserSynchronizationAgent synchronizes
the Oracle Files users with those newly created in OID) every new user receives an e-mail containing a password.
Once the FilesOidUserSynchronizationAgent has created the users, you can change the ActivationPeriod back to 24h or whatever is your preference. -
How to create a new attribute in OID and auto-populate it during sync from AD
Hi,
I'm new to OID and we are planning to set up AD to OID sync and we need to create an extra attribute in OID that we do not have currently in AD. We need to concat 4 attributes with "." in between and populate this new attribute.
If anyone has done something like this, can you please give me the steps involved and/or any examples?
Thank you
I think you need to create a custom plugin to create the value of the new attribute and populate it, maybe a post plugin in OID.
Java Server Plug-in Developer's Reference -
Oracle ERP 11.5.4 vs. OID
Can Oracle ERP 11.5.4 config OID? If yes, can OID sync with Microsoft AD?
Thanks
Eric
Hi,
If the values for R12 are higher then you need to adjust the kernel parameters values and it should work for both 11i and R12.
Thanks,
Hussein -
OIM, OID and ADF - Confused!!!
Hi All,
I am starting to read about all this Identity Management stuff and I need some orientation about what to do and where to start, since I have been losing some time trying to understand the whole picture. I know Oracle Internet Directory is part of OIM but I am confused.
We are building a Webcenter Portal application and its security is intended to be managed through an OID (Oracle Internet Directory) which is already set up and running. Now, the real problem is how to manage users/groups (entries in general) using our Webcenter Portal Application.
We are thinking at first of some basic operations, like if you are the admin you can create some user, assign roles and groups etc. All this without going to the OID Console. All this within our portal.
I know there is more than one approach I could take. Right now I am thinking of creating our custom Java classes in order to connect to the LDAP using the provided API. So
- Should I use simple JNDI interfaces to do this?
- In JDeveloper if I write "OIDUser" in a Java class I get a suggestion about the package "oracle.security.idm"... So shall I use this instead of simple JNDI? If this is the case, is there any tutorial I can follow in order to achieve this?
- I was taking as an example this http://code.google.com/p/ldapchai/ which is an API for LDAP using Java JNDI. However, this is not an Oracle product and more than likely this kind of stuff has already been made by Oracle. But exactly something like that is what I need. I am thinking of implementing some interfaces with the following methods
create user
update user
create group
update group
assignUserToGroup
etc.
Hope you guys can help me out here.
Regards
P.S I give points to the useful questions and correct ones as well.
I just came across this library ldapjclnt11.jar which is in OID_HOME. Shall I go for this since I am not using OIM, just OID?
Regards
Edited by: Alejandro T. Lanz on Feb 13, 2013 8:15 AM
Hey Alejandro,
Management X Manager both are OIM concepts:
Let's start from the very beginning: OIM is one product that you can control 'user and group resources' with, such as Active Directory users, Database users and OID users and groups. So, OID is not part of OIM (Oracle Identity Manager). Maybe you are talking about the first concept that comes with Oracle application server: OID, DAS and SSO. All these products were called OIM (Oracle Identity Management).
OIM is one WebApp deployed into AppServer with some client pieces(eg: Design Console, Remote Manager) , if needed.
OID is one LDAP.
Basically the standard control that you can do here is:
Have these tasks:
1) create user, update user, create group, update group, assignUserToGroup controlled by OIM.
2) Then OIM has an 'integration' with OID, using LDAPSYNC or having the OID Connector: http://thiagoleoncio.blogspot.com/2013/01/oid-sync-vs-oim-connector-into-oim-11g.html
3) WebCenter Portal is 'connected with LDAP(OID)'.
Regarding this:
We are thinking at first some basics operation like if you are the admin you can create some user, assign roles and groups etc. All this without going to the OID Console. All this within our portal.
I know there are more than one approach I could take. Right now I am thinking to create our customs java classes in order to connect to the LDAP using the provided API.
You can:
1) Do a class that have all ldapqueries to do whatever you want.
2) Do the integration above; then it will be much easier to do these tasks and no development is needed from the user creation point of view.
I hope this helps you a bit,
Thiago Leoncio. -
Synchronization from AD to OID doesn't work
Hi all,
I configured my Oracle 10g (9.0.4.1.0) Application Server to synchronize the AD with the OID as specified in http://www.oracle.com/technology/products/oid/oidhtml/sec_idm_training/html_masters/basics02.htm
I tried a lot of times but it always says "NOT EXECUTED YET"... I don't see any error messages and don't know where the log resides. I've already restarted the machine, refreshed, reinstalled the Oracle...
PS: My oracle is running on Win2k Adv Srv and my active directory is running on another machine with Win2k Adv Srv
Thanks in advance,
Sérgio -
AD OID Synchronization searchfilter issue (help needed)
Hi,
I am trying to synchronize AD and OID. I am running into an issue where users are being populated in both the groups and users containers in OID even though I specified my
searchfilter to put users under cn=users and groups under cn=groups. Following are the search filters I am using and it looks like they're not working. I want my users to be in cn=Users and groups in cn=Groups, but somehow
I always keep getting the users populated in both cn=groups and cn=users.
Group filter:
searchfilter=(|(objectclass=group)(objectclass=organizationalunit)(!(objectclass=user)(!(objectclass=computer))))
User filter:
searchfilter=(|(objectclass=user)(objectclass=organizationalunit)(!(objectclass=group)(!(objectclass=computer))))
Following are my Attribute Rules that I have in both the group and user profiles:
AttributeRules
# attribute rule for mapping windows organizationalunit
ou: : :organizationalunit:ou: : organizationalunit
objectguid: :binary:organizationalunit:orclobjectguid: : organizationalunit:bin2b64(objectguid)
# attribute rule for mapping directory containers
cn: : :container: cn: :orclContainer
objectguid: :binary:container: orclobjectguid: :orclContainer:bin2b64(objectguid)
# attribute rule for mapping directordomains
dc: : :domain: dc: :domain
# USER ENTRY MAPPING RULES
# attribute rule for mapping windows LOGIN id
sAMAccountName,userPrincipalName: : :user:orclSAMAccountName: :orclADUser:toupper(truncl(userPrincipalName,'@'))+"$"+sAMAccountname
# attribute rule for mapping Active Directory LOGIN id
userPrincipalName: : :user:orclUserPrincipalName: :orclADUser:userPrincipalName
# Map the userprincipalname to the nickname attr by default
userPrincipalName: : :user:uid: :inetorgperson:userPrincipalName
# Map the SamAccountName to the nickname attr if required
# If this rule is enabled, userprincipalname rule needs to be disabled
#sAMAccountName: : :user:uid: :inetorgperson
# Assign the userprincipalname to Kerberaos principalname
userPrincipalName: : :user:krbPrincipalName: :orcluserv2:trunc(userPrincipalName,'@')+'@'+toupper(truncl(userPrincipalName,'@'))
# This rule is mapped as SAMAccountName is a mandatory attr on AD
# and sn is mandatory on OID. sn is not mandatory on Active Directory
SAMAccountName: : :user:sn: : person
# attributes to map to cn - normally this is the given name
#name: : :person:displayname: :inetorgperson
cn: : :person:cn: :person
# attribute rule for mapping entry and to create orclUserV2
# There should be a mapping rule with orcluserv2 objectclass
# without which the PORTAL may not function properly
givenName: : :person:displayName: :orclUserV2
# mail needs to be assigned valid value for default settings ing DAS
userPrincipalName: : :user:mail: :inetorgperson
mobile: : :organizationalperson:mobile: :inetorgperson
ObjectGUID:1:binary:user:orclObjectGUID: :orclADUser:bin2b64(ObjectGUID)
ObjectSID: :binary:user:orclObjectSID: :orclADUser:bin2b64(ObjectSID)
# GROUP ENTRY MAPPING RULES
#name: : :organizationalunit:ou: : organizationalunit
#name: : :container: cn: :orclContainer
#name: : :domain: dc: :domain
cn: : :group:cn: :groupofuniquenames
# displayname needs to be assigned a valid value for default settings on DAS
SAMAccountName: : :group:displayName: :orclgroup
# Description needs tobe assigned a valid value for default settings on DAS
Description: : :group:Description: :orclgroup
member: : :group:uniquemember: :groupofUniqueNames
managedby: : :group:owner: :orclprivilegegroup
sAMAccountName: : :group:orclSAMAccountName: :orclADGroup
ObjectGUID: :binary:group:orclObjectGUID: :orclADGroup:bin2b64(ObjectGUID)
ObjectSID: :binary:group:orclObjectSID: :orclADGroup:bin2b64(ObjectSID)
Any help is appreciated. For example I see my userid under both cn=groups and cn=users, even though I am a user, not a group.
Thanks
Hi WhiteSox!
I wonder if you ever solved this?
I guess that
Group filter:
searchfilter=(|(objectclass=group)(objectclass=organizationalunit)(!(objectclass=user)(!(objectclass=computer))))
User filter:
searchfilter=(|(objectclass=user)(objectclass=organizationalunit)(!(objectclass=group)(!(objectclass=computer))))
In both searchfilters you search for the organizationalunit with a logical OR. As both users and groups can have this attribute, they might end up there.
I have to confess that I have struggled lately with the searchfilters as I am now on an AD-OID sync project.
cu
Andreas -
Can Oracle Application Server 10g R2 (10.1.2.0.2) with Forms/Reports and SSO be installed on 1 server? We have AD/OID sync. OS is Windows NT. If so, will a 4G dual-CPU Dell server be enough?
Regards
v
Visakh,
Yes, it is absolutely possible and the configuration you are specifying is good enough.
I think you can go ahead.
Regards
Rohit -
Question about AD search filter
Hi,
I'm a newbie here. I have AD to OID sync and have the following search filter in the mapping parameters.
searchfilter=(|(objectclass=group)(objectclass=organizational unit)(|(&(objectclass=user)(!(objectclass=computer)))))
Can someone explain what this filter exactly does?
Sync is working for regular users but I want to get users who are members of some groups. How do I change the filter to get groups and the members within groups?
Thanks in advance.
It all depends how the code is written. Somewhere there is going to be a setting that says what your multivalue group objectclass is. The first query will pull your users, and the second will get the userID for each user and query again for that user's groups. Since the groups are not actually on the user profile, the users are on the group profile.
-Kevin
PS - Don't forget to give points where points are earned. -
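An added example (my own code, not from any post in these threads) that shows concretely what the searchfilter values in the two filter threads above admit: a minimal RFC 4515 evaluator run over constructed AD-style entries. It assumes only that, as in AD, a computer object also carries objectClass=user; the entry names and attribute values are made up.

```python
import re

class FilterError(ValueError):
    """Raised for a filter that is not valid RFC 4515 syntax."""

def parse(text):
    """Parse a filter string into nested tuples, strict about RFC 4515 NOT arity."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise FilterError(f"trailing text at offset {pos}")
    return node

def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise FilterError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if i >= len(s) or s[i] != ")":
            raise FilterError(f"expected ')' at offset {i}")
        if op == "!" and len(kids) != 1:
            # RFC 4515: 'not' wraps exactly one filter, so (!(a)(b)) is malformed
            raise FilterError(f"NOT must wrap exactly one filter, got {len(kids)}")
        return (op, kids), i + 1
    m = re.match(r"([A-Za-z][\w.;-]*)=([^()]*)\)", s[i:])
    if not m:
        raise FilterError(f"bad assertion at offset {i}")
    return ("=", m.group(1).lower(), m.group(2).lower()), i + m.end()

def is_well_formed(filter_text):
    try:
        parse(filter_text)
        return True
    except FilterError:
        return False

def matches(node, entry):
    """Evaluate a parsed filter against an entry given as {attr: [values]}."""
    if node[0] == "=":
        _, attr, val = node
        vals = [v.lower() for v in entry.get(attr, [])]
        return bool(vals) if val == "*" else val in vals
    op, kids = node
    if op == "&":
        return all(matches(k, entry) for k in kids)
    if op == "|":
        return any(matches(k, entry) for k in kids)
    return not matches(kids[0], entry)

# Constructed AD-style entries; note an AD computer object also has objectClass=user.
ENTRIES = {
    "alice": {"objectclass": ["top", "person", "organizationalPerson", "user"]},
    "ws01$": {"objectclass": ["top", "person", "organizationalPerson", "user", "computer"]},
    "staff": {"objectclass": ["top", "group"]},
    "Sales": {"objectclass": ["top", "organizationalUnit"]},
}
def select(filter_text, entries=ENTRIES):
    """Return the sorted names of the constructed entries the filter admits."""
    node = parse(filter_text)
    return sorted(name for name, entry in entries.items() if matches(node, entry))
# The filter asked about in the last thread, exactly as typed there
USER_FILTER = ("(|(objectclass=group)(objectclass=organizational unit)"
               "(|(&(objectclass=user)(!(objectclass=computer)))))")
# Same filter with the objectClass name written without the space
USER_FILTER_FIXED = USER_FILTER.replace("organizational unit", "organizationalUnit")
# WhiteSox's group filter: its NOT wraps two filters, which RFC 4515 does not allow
GROUP_FILTER = ("(|(objectclass=group)(objectclass=organizationalunit)"
                "(!(objectclass=user)(!(objectclass=computer))))")
```

WhiteSox's group filter is rejected outright because RFC 4515 lets NOT wrap exactly one filter, so whatever a lenient server makes of it is undefined; the other filter, as typed with a space in "organizational unit", never matches an OU and only admits groups and non-computer users.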
Hi I am trying to enable WNA and have some questions as I went over the document http://www.oracle.com/technology/products/oid/oidhtml/sec_idm_training/html_masters/basics02.htm
1. Is the SSO Server the Oracle App. Server? How do I find out the FQDN of the SSO Server?
2. When setting ORACLE_HOME, is it going to point to Infrastructure or MidTier?
3. In the doc. it says "It is necessary to create a user account in the AD server with the same host name where your SSO server is running". Now, is this account different than the one we use for AD-OID sync, or can the same account be used?
4. In the krb5.conf file kdc = dude.us.oracle.com:88, is the Kerberos server port the same as the AD port number? How do I find out the port number?
Thanks
Hi,
Thanks for the feedback. Can you please tell me what the following options in the ktpass command are and whether they are required
to generate the keytab file, as I didn't see them in the documentation and OBE; can I ignore them or are they required?
+desonly
-mapOp set
-crypto des-cbc-md5
ktpass -princ HTTP/[email protected] -pass <PASSWORD> +desonly -mapuser prdbx2 -mapOp set -out mysso.keytab -crypto des-cbc-md5
Also currently my krb5.conf looks like:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
# IIDEV.COM is the default AD Realm
default_realm = IIDEV.COM
[realms]
IIDEV.COM = {
# FQDN of the AD server
kdc = prdgem03.iidev.com:88
}
[domain_realm]
.iidev.com = IIDEV.COM
iidev.com = IIDEV.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 38000
renew_lifetime = 38000
forwardable = true
krb4_convert = false
}
Just wanted to make sure the above file is correct. Is there anything else I need to place in the file? Your feedback is appreciated.
Thanks
Message was edited by:
WhiteSox