Cons of using LDAP Sync in OIM

Similar Messages

• Ldap sync in OIM 11g R2

  Hi all,
  can any one help me in achieving Ldap sync in OIM 11g R2.
  Regards
  sri

  Thanks for your reply Nishith
  I need some suggestion from you.I have installed OID 11.1.1.6.0 and OIAM 11G R2(not configured ).
  while performing the OIM configuration can I use Enable Ldap sync or I need to finish the OIM configuration first and then do the ldap sync.
  Regards
  sri

• Error in Ldap sync with OIM 11gr2 and OID

  Hi,
  I am trying to sync OIM 11g r2 with OID using Ldap sync option. While creating a user or role I am facing this error
  IAM-2050243 : Orchestration process with id 930, failed with error message IAM-3010201 : LDAP create event failed : Error: NO_SUCH_OBJECT null.
  Help required,
  Thanks

  Any suggestions...

• Enabling LDAP Sync after OIM configuration in R2

  Friends,
  Did anyone tried enabling LDAP Sync after OIM configuration in R2?
  I am trying to do the steps given in the below url.
  http://docs.oracle.com/cd/E27559_01/integration.1112/e27123/oid_oim.htm#IDMIG4357
  But I am not finding the below.
  /db/LDAPUser
  /db/LDAPRole
  /db/LDAPRoleHierarchy
  /db/LDAPRoleMembership
  /db/RA_LDAPROLE.xml
  /db/RA_LDAPROLEHIERARCHY.xml
  /db/RA_LDAPROLEMEMBERSHIP.xml
  /db/RA_LDAPUSER.xml
  /db/RA_MLS_LDAPROLE.xml
  /db/RA_MLS_LDAPUSER.xml
  Few of them exist in /metadata/iam-features-ldap-sync but not all. I am not finding LDAPContrainerRules.xml any where at all.
  Am I doing something wrong or this documentation is wrong.
  Please suggest.

  From another post, try following
  I have not tiried it yet, but looks ok. Post your results/experiences, shall also try it out.
  Find detail steps at below link
  http://docs.oracle.com/cd/E27559_01/install.1112/e27301/oim.htm#CDDGJIBJ
  http://docs.oracle.com/cd/E14571_01/install.1111/e12002/oidonly014.htm

• How to authenticate OIM from AD using LDAP sync

  Hi Team,
  We do not want to use password synchronization connector for AD password sync to OIM
  After reading few article' I found two probable ways for it:
  1. Authenticate OIM via AD using libOVD with OIM and LDAP sync enable
  2. Authenticate OIM via AD using libOVD, OID and LDAP sync enable.
  Please suggest whether theses approcahes are practicaly possible or not.
  If yes then please shae related architecture docs.
  Thanks,
  Gaurav

  Here is the one of the doc:
  Configuring LDAP Authentication When LDAP Synchronization is Enabled

• Is it possible to have multiple LDAP Sync from OIM 11g?

  I have a requirement to setup LDAP sync to a legacy iPlanet 5.2 LDAP server and that looks pretty straight forward. Now I'm planning to integration OAM with OIM. Our OAM is configured against OVD/AD (multiple domains), so that needs a LDAP sync to be cofigured against OVD/AD. I would like to know if multiple LDAP sync is possible and is a supported config? Experts please help.
  Thanks,
  Sunil.

  Thanks for the reply.
  The below link lists the LDAP's supported:
  http://docs.oracle.com/cd/E21764_01/install.1111/e12002/oidonly.htm#autoId23
  My question specifically is, can I configure multiple LDAP sync's? I already have LDAP sync configured for iPlanet/ODSEE and now I wanted to set LDAP sync to AD to support OIM-OAM integration. Any thoughts?

• OIM and ldap sync

  I am using OIM 11gR2 and OID 11.1.1.6. Users and groups will be in OID, and OIM is
  required to do the provisioning of users. Plan is to use ldap sync between oid and oim.
  With ldap sync, all users will be available in OIM. And then in OIM can one do the
  provisioning of users. Is this approach ok? Or should we have OID connector? Or both?

  You can use LDAP Sync between OIM and OID. You dont need OID connector in this case.
  More here...
  Why would you use the LDAP Sync instead of the OID Connector?
  http://fusionsecurity.blogspot.com/2012/01/oim-11g-ldap-synchronization.html

• How to configure security groups creation in OID through LDAP sync

  Hello,
  I am on OIM 11.1.2.1.0.  I created a new role and assigned the role to a user.  The user was added to the corresponding group in OID.
  This was the result I observed:
  Role created in OIM: PIPELINE-18010-DEC~LEAVIERWER
  There is a corresponding group created in OID under cn=Groups.  The user was successfully added to the group.
  However, I would like the new group to be created under cn=Groups,cn=PIPELINE.
  How can I achieve this?  Is there any documentation on how to use ldap sync in OIM?
  Thanks
  Khanh

  When I set the container rules for user with the expression using Organization, it did not work.
  If I copied the example from the documentation, it worked (for <expression>Country=US, Locality Name=AMER</expression>).
  I tried to change the Organization to be 1 word only, but it did not work.
  Is it limited to certain fields in the USR profile (meaning it only worked for certain fields but not all of them)?
  Default works for sure.
  Could someone please let me know?
  Thanks
  Khanh

• Ldap Sync: User is not able to create in Active Directory through OIM

  Hi ,
  I have enabled the ldap sync between OIM and Active Directory.
  Option 1: with password
  While creating the new user in OIM , I am getting the below error .
  80eeb34d89d5ed80:18bc05bb:1403be9d7e6:-8000-000000000008f710,0] [APP: oim#11.1.2.0.0] Could not modify entry.[[
  javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 0000001F: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data 0
  remaining name 'cn=ADTESTLDAp10F ADTESTLDAp10LL,cn=Users,dc=cgtest,dc=adtest,dc=com'
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3140)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3013)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2820)
    at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1458)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:255)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:172)
    at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:153)
    at oracle.ods.virtualization.engine.backend.jndi.ConnectionHandle.modify(ConnectionHandle.java:301)
    at oracle.ods.virtualization.engine.backend.jndi.BackendJNDI.modify(BackendJNDI.java:781)
  [2013-08-04T17:06:58.840-07:00] [oim_server1] [ERROR] [OVD-60600] [oracle.ods.virtualization.engine.util.ADUtilities] [tid: [ACTIVE].ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: xelsysadm] [ecid: 80eeb34d89d5ed80:18bc05bb:1403be9d7e6:-8000-000000000008f710,0] [APP: oim#11.1.2.0.0] Cannot set password : LDAP Error 53 : [LDAP: error code 53 - 0000001F: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data 0[[
  Looks like password is not able to set properly. But I am able to create the same user in AD using the same password.
  Option 1: without password
  Another testing, I have also tried to create user without password.  There is no error coming to log file. and I am able to see the below message in log file
  oracle.iam.ldapsync.impl.eventhandlers.user.UserCreateLDAPPreProcessHandler] [APP: oim#11.1.2.0.0] [SRC_METHOD: createUser] User created in LDAP with GUID 9dc8f6f4b8564216a5d75d86f7cad0a2
  But user is not created in AD . this is another issue.
  Thanks,
  Amit

  Thanks for your reply.
  I have seen sample xml and my target looks the same
  <wlserver dir="${weblogic.domain.dir}"
                           port="${weblogic.domain.admin.server.port}"
                           servername="${weblogic.domain.admin.server.name}"
                           username="${weblogic.domain.admin.user}"
                           domainname="${weblogic.domain.name}"
                           password="${weblogic.domain.admin.password}"
                           configFile="config.xml"
                           generateConfig="true"
                           action="start"
                           beahome="${env.BEA_HOME}"/>
  my requirement is to use ant task.. otherwise I am able to create through configuration wizard
  Thanks

• OIM LDAP sync default attributes

  Hi,
  i am using LDAP sync to provision user/roles to LDAP (OID).
  I did the experience, that organization cannot be sync'd to ldap using ldap sync.
  Are there a list of all attributes, which will sync between OIM and LDAP (OID)?
  Thanks in advance!

  This bit of XML just tells reconciliation to copy the "o" attribute in LDAP to a user database field usr_ldap_organization. It does not reconcile organizations as such. I hope the below is an accurate summary of handling of LDAP organizations by LDAP sync which will help.
  1) LDAP Synch does not reconcile organization objects into OIM
  2) LDAP Synch does provision organization objects to LDAP (although as pointed out perhaps you can customize something outside LDAP sync using an event handler)
  3) Users reconciled from LDAP to OIM ar eby default placed in one OIM organization based on the the LDAP Sync scheduled job settings, irrespective of their organization in LDAP (although their LDAP organization can be reconciled to an OIM user attribute, perhaps allowing you to do some more work in an event handler)?
  4) Users provisioned from OIM to LDAP use LDAP Container mapping to choose the organisation they are written to in LDAP. This is by default a simple set of attribute based rules, however custom code can be written in a plugin. Not that I found a bug that unfortunately the information that holds an OIM users OIM organization (ACT_KEY) is not made available to this plugin on create.
  As to your further question, you can add other mappings as you require in the MDS files (LDAPUser.xml etc.) to map other attributes, either using supplied utilities to simply add UDFs (as mentioned in a previous post) or for less simple changes by modifying the XML by hand.

• OVD/OID group reconciliation in OIM 11g with LDAP sync

  Hi All!
  Is it possible to reconcile OID groups to OIM using LDAP sync? How to achieve such configuration?
  I have OIM with LDAP sync and user and roles provisining to OVD is working.
  best
  mp

  Hi,
  I want to Integrate OIM and OID. Can you guide me in doing so?. The platform I will use is Windows 2003 Server, OIM version is 9.1. Also please tell me which version of OID i should use.
  Note: I am new to OID and OIM.
  Thanks in advance.
  Regards,
  Kazmi

• OIM 11g LDAP sync from different LDAP containers

  Hi,
  I have been setting up OIM 11g R2 (11.1.2) to use LDAP Sync to OID.
  As of now the sync works (both ways) for this container:
  cn=users,cn=oracleAccounts,dc=mycompany,dc=com (configured while doing the OIM config)
  Would it be possible to sync users in other containers as well? For example:
  cn=users,cn=otherAccounts,dc=mycompany,dc=com
  cn=users,cn=moreAccounts,dc=Otherstuff,dc=com
  By editing the file LDAPContainerRules.xml I can setup where the users are created when I create them through IDM.
  But that will not make the sync work for those containers.
  Any ideas where I should start to accomplish the above?
  Thanks & Regards,
  Henrik

  Okay, I think I have found an answer to how to sync users from different OU:s in my OID to different OIM organizations.
  Hopefully this will help others.
  We can use a PostProcess Event handler like this:
  1. Implement the method --> public BulkEventResult execute()
  This is used during recon actions.
  2. Get the user hashmap with attributes and set the "act_key" value with the OIM organizations ID.
  You also needs to build the logic to fetch the users "LDAP DN", which is also fetched from the map.
  From that attribute we can decide which Organization to put the user in.
  This is the best solution we have found yet..
  Docs & tips:
  http://docs.oracle.com/cd/E27559_01/dev.1112/e27150/oper.htm#CCHFBGAA
  http://fusionsecurity.blogspot.se/2011/09/oim-11g-event-handler-example.html (thank you Daniel Gralewski)
  Regards,
  Henrik

• OIM-OAM integration and LDAP Sync

  Hello All, I have deployed OIM 11g R2 and OAM/OVD 11.1.1.5. Now I need to enable LDAP sync for OIM-OAM integration and I'm not allowed to extend Oracle schema in AD. So I decided to use OUD for FMW schema and I have completed all those steps and OUD is up and running. Since my enterprise directory is AD and OUD is my FMW directory, I need to think of a split profile setting in OVD. I'm following this link http://fusionapplications-ateam.blogspot.com/2012/04/split-profiles-with-ad-and-oid-for.html for this deployment. I have OVD adapters configured for AD, OUD, Join view and changelog. The link does not clearly explain the steps in OIM for LDAP Sync.
  When I configure LDAP Sync in OIM, should I point the sync to the OUD users container?
  When and how this cn=shadowentries container will be used? I understand that the password (obattributes) are used for password management by OAM, but wondering where will that get stored in OUD?
  Please let me know your thoughts.
  Thanks.

  Hi,
  when I use url:
  http://idm1:14000/admin/faces/pages/Admin.jspx
  I get Access Manager login page, I can click links: register new user, reset password and I get correct OIM pages. But when I type xelsysadm and password I get error on the next page:
  Error 401--Unauthorized
  From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
  10.4.2 401 Unauthorized
  I can't logon to EM, OAMconsole, Weblogic etc. when the OAM is running. In OIM log I got errors from oam-agent: "User is not authorized to access resource, MinorCode: DENY, MajorCode: DENY".
  I have got user xelsysadm in OIM and in LDAP, when the OAM is not running I can login to OIM, create users in OIM (they appear in OID) etc. The user xelsysadm is added to group: OAMAdministrators. Also when I try to logon to OAM console (http://idm1:7001/oamconsole) using orcladmin name I get error: Access to administration console is restricted. But when I use weblogic username (the user is in OAMAdministrators group in OID) i can get OAMconsole.
  How can I change logon type in OIM?
  best
  mp
  Edited by: J23 on 2011-01-10 00:47

• Role creation in OIM 11.1.1.5.0 fails with LDAP Sync Enabled

  I am in the process of configuring LDAP sync for OIM 11.1.1.5.0 with ODSEE.
  At this time, when I add a user in OIM, I can see that the user gets created in LDAP under the LDAP dn that I supplied when configuring OIM (Configuration process screen name = "LDAP Server Continued", field name = "LDAP User Container")
  However when I try to add a role in OIM, the call fails. OIM server logs have the following exception message:
  <Jul 14, 2011 1:21:52 PM EDT> <Warning> <oracle.iam.callbacks.common> <IAM-2030146> <[CALLBACKMSG] Are applicable policies present for this async eventhandler ? : false>
  <Jul 14, 2011 1:21:53 PM EDT> <Error> <oracle.iam.platform.entitymgr.provider.ldap> <IAM-0042002> <An error occurred while creating the entity in LDAP, and the corresponding error is - {0}
  javax.naming.NameNotFoundException: Error: NO_SUCH_OBJECT
  null [Root exception is oracle.ods.virtualization.service.VirtualizationException]
  at oracle.ods.virtualization.jndi.OVDUtil.mapErrorCode(OVDUtil.java:151)
  at oracle.ods.virtualization.jndi.OVDContext.createSubcontext(OVDContext.java:512)
  at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:183)
  at oracle.iam.platform.entitymgr.provider.ldap.LDAPUtil.createSubcontext(LDAPUtil.java:1045)
  at oracle.iam.platform.entitymgr.provider.ldap.LDAPDataProvider.create(LDAPDataProvider.java:487)
  at oracle.iam.platform.entitymgr.impl.EntityManagerImpl.createEntity(EntityManagerImpl.java:291)
  at oracle.iam.platform.entitymgr.impl.EntityManagerImpl.createEntity(EntityManagerImpl.java:239)
  at oracle.iam.ldapsync.impl.eventhandlers.role.RoleCreateLDAPHandler.create(RoleCreateLDAPHandler.java:128)
  at oracle.iam.ldapsync.impl.eventhandlers.role.RoleCreateLDAPHandler.execute(RoleCreateLDAPHandler.java:46)
  at oracle.iam.platform.kernel.impl.OrchProcessData.runPreProcessEvents(OrchProcessData.java:898)
  at oracle.iam.platform.kernel.impl.OrchProcessData.runEvents(OrchProcessData.java:634)
  at oracle.iam.platform.kernel.impl.OrchProcessData.executeEvents(OrchProcessData.java:227)
  at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.resumeProcess(OrchestrationEngineImpl.java:664)
  at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.process(OrchestrationEngineImpl.java:435)
  at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.orchestrate(OrchestrationEngineImpl.java:381)
  at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.orchestrate(OrchestrationEngineImpl.java:334)
  at oracle.iam.identity.rolemgmt.impl.RoleManagerImpl.create(RoleManagerImpl.java:188)
  at oracle.iam.identity.rolemgmt.api.RoleManagerEJB.createx(Unknown Source)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at java.lang.reflect.Method.invoke(Method.java:597)
  at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
  at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
  at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
  Any idea whats going on?
  When configuring OIM, I provided a value for the "LDAP Role Container" as "ou=Groups,dc=mycompany,dc=com". The docs shown an example of "cn=groups, dc=mycountry, dc=com" (see http://download.oracle.com/docs/cd/E21764_01/install.1111/e12002/oidonly.htm#CDDDIAIC, step 18). Could this difference in container type be causing this problem?
  Any idea where OIM stores this container information if I wanted to test ldap sync with the different roles container?
  Thanks
  Aspi Engineer
  Putnam Investments

  Aspi,
  OIM keeps its ldap config under "$IDM_HOME/server/ldap_config_util" as "ldapconfig.props"
  Thanks,
  Sandeep Gupta

• LDAP sync post installation of OIM

  Hi,
  I am trying to configure LDAP sync in OIM with OID.
  I have followed the steps given in the following link,
  http://docs.oracle.com/cd/E25178_01/doc.1111/e14308/ldapsync.htm
  But when I try to create user in OIM, I am getting the following error.
  [2013-04-09T10:06:36.113+05:30] [oim_server1] [ERROR] [] [XELLERATE.SERVER] [tid: [ACTIVE].ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: xelsysadm] [ecid: a01b208c9b8519b4:-7153fc62:13dceb3e3b3:-8000-000000000000aac1,0] [APP: oim#11.1.1.3.0] Class/Method: ConnectionService/getConnection encounter some problems: Failed to intialize and start UCP Connection pool [[
  com.oracle.oim.gcp.exceptions.ConnectionPoolInitException: Failed to intialize and start UCP Connection pool
  The OIM version is 11.1.1.5
  Any pointers will be greatly appreciated.
  Thanks,
  Sandeep Tamang.

  verify ldap url or binding user details