Direct Provisioning AD - User Update Question

Hello,
I was able to successfully provision a user to Active Directory by direct provisioning (adding AD User from the Resources tab). However, when I update the user profile in OIM, the corresponding AD User resource form data is not getting updated. So when I add the task (through resource history) of updating, say, first name or email address, the updates are not going through. Am I missing something? How does the AD User resource form data get updated?
thanks in advance,
Prasad.

Sorry, I did not provide all the details, I guess. I am getting close, I think, but here is what I have done so far:
1. Lookup.USR_PROCESS_TRIGGERS - added USR_EMAIL and "Change Email"
2. "AD User" provisioning process definition - added "Change Email" task (details below)
General tab - task name (Change Email), conditional (checked), required for completion (checked), allow cancellation while pending (checked), allow multiple instances (checked), task effect (no effect)
Integration tab -
added adpADCSCHANGEATTRIBUTE, status Ready,
adapter variable (variable name - Adapter return value), (data type - String), (map to - Response Code)
adapter variable (variable name - sConfigurationLookup), (data type - String), (map to - Literal), (qualifier - String), (literal value - Lookup.AD.Configuration)
adapter variable (variable name - ADServer), (data type - IT Resource (AD Server)), (map to - Process Data), (qualifier - AD Server)
adapter variable (variable name - processKeyInstance), (data type - String), (map to - Process Data), (qualifier - Process Instance)
adapter variable (variable name - propertyName), (data type - String), (map to - Literal), (qualifier - String), (literal value - mail)
Everything else is the default. The task is getting fired and the Active Directory account is getting an empty field, because the value in the OIM attribute is not getting sent to the AD User resource form. I reused one of the AD connector's adpADCSCHANGEATTRIBUTE adapters for this. Does this not work? Is there anything else that I need to do?
Created a pre-populate adapter - AD Prepopulate E Mail - and added it to the AD User form. The form value is still not getting updated with the OIM value; I am doing something wrong here, I guess.
I can provide more detail if needed.
Thanks much,
Prasad.
Edited by: Prasad on Oct 27, 2011 12:32 PM
Edited by: Prasad on Oct 27, 2011 2:56 PM

Similar Messages

  • AD Connector direct provisioning User Account Password Problem

    All,
    Created an AD connector and provisioned a user between OIM 11.1.1.3 and Active Directory. Provisioning status is "Provisioned" and it looks like everything is working. However, when I try to log in to AD directly, I get a credential invalid error. Has anyone come across this problem before? I did not see this issue in a previous effort; the only difference that I can think of is that in the current environment there is no SSL on AD. I am working directly with port 389 and useSSL = no on ADITResource.
    Any help for debugging this is much appreciated.
    Thanks in advance,
    Prasad.

    If you are not using SSL, then no password is set for the user in AD. I do not know what limitations there are when trying to login, but I would check with your AD admins, and make sure the account looks valid. They might need to be a member of a certain domain group, or have a different userAccountControl value.
    -Kevin
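    The point in Kevin's reply, as an added example (not from the thread and not connector code): what the password-related state of an AD account typically looks like after a create over port 389 with useSSL=no, and a client-side guard that refuses to send unicodePwd at all unless the connection is TLS-protected, so the failure is loud instead of a silently password-less account. The account values are constructed for the example; the userAccountControl bits and the unicodePwd encoding are Microsoft's documented ones.

```python
from typing import Dict, List, Set

# userAccountControl flag bits as documented by Microsoft (subset used here).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x800000: "PASSWORD_EXPIRED",
}


def decode_uac(value: int) -> Set[str]:
    """Names of the userAccountControl bits that are set in value."""
    return {name for bit, name in UAC_FLAGS.items() if value & bit}


def encode_unicode_pwd(password: str) -> bytes:
    """AD's unicodePwd attribute takes the password wrapped in double quotes
    and encoded as UTF-16LE; any other encoding is rejected by the DC."""
    return f'"{password}"'.encode("utf-16-le")


class PasswordSetRefused(Exception):
    pass


def password_modify(dn: str, password: str, tls_active: bool) -> Dict:
    """Build the LDAP modify payload for unicodePwd, but only for a TLS-protected
    connection. A domain controller refuses unicodePwd writes over a cleartext
    bind (LDAP result 53, unwillingToPerform), so fail here instead of leaving
    a freshly provisioned account with no password at all."""
    if not tls_active:
        raise PasswordSetRefused(
            f"refusing to send unicodePwd for {dn} over a non-TLS connection")
    return {
        "dn": dn,
        "changes": {"unicodePwd": [("MODIFY_REPLACE", [encode_unicode_pwd(password)])]},
    }


def logon_blockers(uac: int, password_set: bool) -> List[str]:
    """Reasons a simple bind as this account comes back as invalid credentials."""
    flags = decode_uac(uac)
    reasons = []
    if "ACCOUNTDISABLE" in flags:
        reasons.append("account is disabled")
    if not password_set:
        reasons.append("no password has been set")
    if "PASSWORD_EXPIRED" in flags:
        reasons.append("password is expired")
    return reasons


# Constructed sample: an account created over plain LDAP without a password
# commonly ends up as 546 = NORMAL_ACCOUNT | PASSWD_NOTREQD | ACCOUNTDISABLE.
SAMPLE_ACCOUNT = {"dn": "CN=jdoe,OU=Users,DC=example,DC=com",
                  "userAccountControl": 546, "password_set": False}

if __name__ == "__main__":
    acct = SAMPLE_ACCOUNT
    print(sorted(decode_uac(acct["userAccountControl"])))
    print(logon_blockers(acct["userAccountControl"], acct["password_set"]))
    try:
        password_modify(acct["dn"], "InitialP@ss1", tls_active=False)
    except PasswordSetRefused as exc:
        print(exc)
```

    When checking the account with your AD admins, read userAccountControl first: decode_uac on the stored value tells you whether the account is disabled or marked password-not-required before you spend time on group membership.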

  • OIM to OID direct provisioning to a particular OU

    Hello - Can someone suggest whether provisioning to a particular ou in the OID directory is possible from OIM using configuration as opposed to coding?
    let say, my DIT looks like this:
    dc=abc,dc=com
    o=Org-A
    -     ou=unit1A
    -     ou=unit2A
    -     ou=unit10A
    o=Org-B
    -     ou=unit1B
    -     ou=unit2B
    -     ou=unit10B
    I can provision user accounts to OID fine OOTB, i.e. using the default connector configuration and adding them to the cn=users container.
    But now if I want to add user to a particular ou in OID then what is required (high level steps would be great).
    Just to clarify, I want to pick the ou during user creation e.g. if I want i should be able to pick ou=unit1A or ou=unit1B.
    Thank you.
    Edited by: user9231583 on 09-Mar-2010 21:08
    Just wanted to update the question: after testing a few fields I can provision the user account at the o=Org-A level, or, if I create a new ou under the top node dc=abc,dc=com, then I can provision the user there, but I am not sure what config changes are required to add the user under unit1A or unit2A. Any suggestions please.

    Thanks to everyone who replied, but I guess I have not explained it clearly. The question is how to provision under an ou=Unit1A that is under o=Org-A.
    Here is some information about what I have configured that might help point me in the right direction. I would appreciate any help; hopefully it makes sense.
    The process form contain Container DN field. This field is defined as LookupField in the process form.
    The lookup table from which the Container DN gets the value is Lookup.OID.Organization
    I have populated my Lookup.OID.Organization with the Organization units that I have created in OID; from my above example it contains values like
    Code key     Decode
    ou=Unit1A    unit1A
    ou=Unit2A    unit2A
    ou=Unit1B    unit1B
    etc.
    The values for ldapOrgDNPrefix and ldapOrgUnitObjectClass in Lookup.OID.configuration is set as follows:
    ldapOrgDNPrefix=ou
    ldapOrgUnitObjectClass=organizationalUnit
    When I try to provision a user to these ous (unit1A or unit1B), I get a "no such object" error, which makes sense, since OIM is trying to add this user under ou=unit1A,dc=abc,dc=com, which does not exist in OID. It should be ou=unit1A,o=org-A,dc=abc,dc=com, but I am not sure how to tell that to OIM.
    Just so you know:
    I can provision at the o=Org-A level by changing the values in the Lookup.OID.configuration lookup table to ldapOrgDNPrefix=o and ldapOrgUnitObjectClass=organization
    OR
    If I create an organizational unit ou=Test under the top node, i.e. dc=abc,dc=com, and then change the values in the Lookup.OID.configuration lookup table to ldapOrgDNPrefix=ou and ldapOrgUnitObjectClass=organizationalUnit, then I can provision to ou=Test,dc=abc,dc=com
    but I am not able to provision under ou=unit1A if it is under o=Org-A.
    Thank you.
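    A pre-flight check for the Container DN lookup, as an added example (not from the thread, not OID connector code). It assumes, as the "no such object" error above suggests, that the connector appends the lookup code key verbatim to the root context, and it reports which code keys would resolve to a DN that does not exist in the DIT before anyone is provisioned. The DIT and both lookups are constructed from the tree in the question; the second lookup, with the full path below the root in the code key, is a hypothetical alternative, not a confirmed connector setting.

```python
from typing import Dict, List, Set


def normalize_dn(dn: str) -> str:
    """Comparison key: DNs are case-insensitive and tolerate spaces after commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def container_dn(code_key: str, root_context: str) -> str:
    """DN the connector ends up targeting when it appends the Container DN
    lookup value to the root context (assumed behaviour, matching the
    ou=unit1A,dc=abc,dc=com target quoted in the thread)."""
    return f"{code_key},{root_context}"


def missing_containers(lookup: Dict[str, str], root_context: str, dit: Set[str]) -> List[str]:
    """Lookup code keys whose assembled container DN is absent from the DIT,
    i.e. the entries that would fail with 'no such object' at provisioning time."""
    known = {normalize_dn(d) for d in dit}
    return [code for code in lookup
            if normalize_dn(container_dn(code, root_context)) not in known]


# Constructed DIT following the tree in the question.
ROOT_CONTEXT = "dc=abc,dc=com"
SAMPLE_DIT = {
    "dc=abc,dc=com",
    "o=Org-A,dc=abc,dc=com",
    "ou=unit1A,o=Org-A,dc=abc,dc=com",
    "ou=unit2A,o=Org-A,dc=abc,dc=com",
    "o=Org-B,dc=abc,dc=com",
    "ou=unit1B,o=Org-B,dc=abc,dc=com",
    "ou=unit2B,o=Org-B,dc=abc,dc=com",
}

# Lookup.OID.Organization as posted: the code key is a single RDN.
LOOKUP_AS_POSTED = {"ou=Unit1A": "unit1A", "ou=Unit2A": "unit2A", "ou=Unit1B": "unit1B"}

# Hypothetical alternative: the code key carries the full path below the root.
LOOKUP_FULL_PATH = {"ou=Unit1A,o=Org-A": "unit1A",
                    "ou=Unit2A,o=Org-A": "unit2A",
                    "ou=Unit1B,o=Org-B": "unit1B"}

if __name__ == "__main__":
    print("would fail:", missing_containers(LOOKUP_AS_POSTED, ROOT_CONTEXT, SAMPLE_DIT))
    print("would fail:", missing_containers(LOOKUP_FULL_PATH, ROOT_CONTEXT, SAMPLE_DIT))
```

    Against a real directory, replace SAMPLE_DIT with the DNs returned by a subtree search for (|(objectclass=organization)(objectclass=organizationalUnit)) under the root context. Whether the OID connector accepts a multi-RDN value in the Container DN field is not settled by this thread; the check only tells you, before provisioning, which lookup entries cannot work as stored.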

  • OIM 11g DBAT connector - user update not working after target recon

    Hi,
    I have configured a resource (XSVR3) with the DBAT 9.1.0.5.0 connector to do provisioning and target recon to and from the same custom database table, following the example found on the connector guide. Now what happens is the following:
    - if I first provision the resource to the user everything works fine
    - if a resource is first assigned to a user as a result of a target recon, the connector then fails at propagating to the table any changes I make in the process form, returning the following error:
    <8-gen-2013 16.44.16 CET> <Error> <OIMCP.DATC> <BEA-000000> <Class/Method: DBFacade/updateParentRecord encounter some problems: Empty parent row cannot be updated. Please ensure to run reconciliation task to bring the systems in sync.>
    <8-gen-2013 16.44.16 CET> <Error> <OIMCP.DATC> <BEA-000000> <Class/Method: DBProvisioningTransportProvider/sendData encounter some problems: DB_UPDATE_EMPTY_RECORD_ERROR
    com.thortech.xl.gc.exception.DBException: DB_UPDATE_EMPTY_RECORD_ERROR
    at com.thortech.xl.gc.impl.common.DBFacade.updateParentRecord(Unknown Source)
    at com.thortech.xl.gc.impl.prov.DBProvisioningTransportProvider.sendData(Unknown Source)
    It looks like the connector is unable to find the record that needs to be updated. I've looked into the process form table of the resource in the DB (called UD_XSVR3), and I noticed that records resulting from target reconciliation have a null in the UD_XSVR3_ID column, while records resulting from direct provisioning have the username in the same column. Updating the column manually in the first kind of records fixes the issue, but I need to know if/what I have missed in the connector configuration.
    thanks in advance
    Alex
    Edited by: Prorad on Jan 9, 2013 3:02 AM

    Hi, Prorad,
    We are having same issue. What's the resolution for the issue? Any hints will be great.
    Thanks,
    Vincent
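    The failure mode Alex describes, reproduced on an in-memory SQLite copy of the process form table as an added example (not from the thread, not DBAT connector code): a keyed UPDATE whose key is NULL matches nothing, which is what the connector's "Empty parent row cannot be updated" guard is there to catch, plus the query that lists the rows needing repair and the one-statement version of the manual fix. Only the table name UD_XSVR3 and the key column UD_XSVR3_ID come from the thread; the other columns and rows are constructed.

```python
import sqlite3
from typing import List, Optional


class EmptyParentRowError(Exception):
    """Stands in for the connector's DB_UPDATE_EMPTY_RECORD_ERROR."""


def open_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for the process form table (columns other than the
    key are constructed for the example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE UD_XSVR3 (UD_XSVR3_ID TEXT, UD_XSVR3_USERNAME TEXT, UD_XSVR3_EMAIL TEXT)")
    conn.executemany("INSERT INTO UD_XSVR3 VALUES (?, ?, ?)", [
        ("jdoe", "jdoe", "jdoe@example.com"),      # created by direct provisioning
        (None, "asmith", "asmith@example.com"),    # created by target reconciliation
    ])
    conn.commit()
    return conn


def update_unguarded(conn: sqlite3.Connection, key: Optional[str], email: str) -> int:
    """Plain keyed UPDATE. With key=None the predicate 'UD_XSVR3_ID = NULL' is
    never true, so the statement succeeds but changes zero rows: a silent
    no-op rather than an error."""
    cur = conn.execute(
        "UPDATE UD_XSVR3 SET UD_XSVR3_EMAIL = ? WHERE UD_XSVR3_ID = ?", (email, key))
    return cur.rowcount


def update_parent_record(conn: sqlite3.Connection, key: Optional[str], email: str) -> int:
    """Guarded version: refuse an empty key up front, as the connector does."""
    if key is None or key == "":
        raise EmptyParentRowError("Empty parent row cannot be updated")
    return update_unguarded(conn, key, email)


def rows_missing_key(conn: sqlite3.Connection) -> List[str]:
    """Usernames of process form rows that will hit the error on their next update."""
    rows = conn.execute(
        "SELECT UD_XSVR3_USERNAME FROM UD_XSVR3 "
        "WHERE UD_XSVR3_ID IS NULL OR UD_XSVR3_ID = ''")
    return [r[0] for r in rows]


def repair_key_from_username(conn: sqlite3.Connection) -> int:
    """The manual fix from the thread (copy the username into the key column),
    done for every affected row in one statement."""
    cur = conn.execute(
        "UPDATE UD_XSVR3 SET UD_XSVR3_ID = UD_XSVR3_USERNAME WHERE UD_XSVR3_ID IS NULL")
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = open_sample_db()
    print("rows without key:", rows_missing_key(db))
    print("unguarded update with NULL key changed", update_unguarded(db, None, "x@example.com"), "rows")
    print("repaired", repair_key_from_username(db), "rows")
    print("rows without key:", rows_missing_key(db))
```

    Run rows_missing_key against the real UD_XSVR3 table to size the problem before repairing anything. The repair is a data fix only; why target reconciliation leaves UD_XSVR3_ID unmapped is what the thread leaves open, and until that is corrected the next recon run will create more such rows.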

  • [OIM] Error in Direct Provisioning (with auto save form) - GTC DB App Table

    Hi,
    I am getting an error when setting up direct provisioning of a GTC DB App Table connector using an OIM access policy (and group membership) or through manual provisioning with prepopulate and auto save form.
    Manual provisioning with prepopulate ONLY (not with auto save form) WORKS!!!
    Some information about my OIM config:
    - Prepopulate adapters are set up on both forms (parent and child)
    - "Auto prepopulate" and "Auto save form" are set up at Process Definition
    - For direct provisioning, I have created an access policy with an associated group which has a membership rule
    What it is working:
    - Provisioning manually, using prepopulate adapters only, not auto save form. Both tables are updated properly
    - All 3 tasks are called and finished with status=Completed: "System Validation", "Create User" and "Child Table UD_<connector child table name>_US row Inserted"
    Testing direct provisioning:
    - I have tested adding the resource manually with prepopulate and autosave form configured, and also through access policy/group membership. The error is the same on both tests
    - The resource is displayed as provisioned and an entry is created in the parent table of the resource, but not in the child table
    - I also observed that only the "System Validation" and "Create User" tasks were executed (status=Completed). The task "Child Table UD_<connector child table name>_US row Inserted" is missing
    - The error log displays only an error regarding the UGP table (group info), but I am not sure if that is the cause of the entry not being created in the child table.
    It seems the SQL stmt tries to get ugp_name (group name) using ugp_key but that has null value.
    "SELECT ugp_name FROM ugp WHERE ugp_key=java.sql.SQLSyntaxErrorException: ORA-00936: missing expression"
    Note: When testing manually (without auto save form), I got "SELECT ugp_name FROM ugp WHERE ugp_key=1", which is the same SQL statement but with the value provided.
    My guess:
    - It seems that this error is aborting the whole execution process, so the "Child Table UD_<connector child table name>_US row Inserted" task does not run, even though the previous tasks finish with status=Completed. Consequently, the entry is not created in the child table.
    Please, any guess or help would be very welcome. In case nothing works, I guess I will have to create and customize an "Update child Form" task as a workaround, which would be called after the "Create User" task.
    Regards,
    Hugo
    My environment:
    - Windows 2003, WebLogic 10.3.0.0, OIM 9.1.0.2 BL4, Oracle 10g, Java 1.6, DB App Table Connector 9.1.0.2 (from October 2009)
    - Target Resource: Parent and Child Table (Oracle 10g - the same OIM DB)

    An update:
    I solved that error about "ORA-00936: missing expression" applying OIM 9.1.0.2 BP05. That was not impacting my issue regarding direct provisioning with auto save form and child form.
    So please if anyone can confirm:
    - Can I set up prepopulate adapters on child forms AND also use "auto save form" on GTC DB App Table connector?
    If not, any suggestion?
    Regards
    Hugo

  • Provisioning a user in MSAD from OIM

    Hi all,
    I am trying to provision a user from OIM to MSAD through direct provisioning. After performing the steps for provisioning, I get the status of Create User as rejected and the task is assigned to xelsysadm for approval, though it is direct provisioning.
    Please help me understand why the user is not getting provisioned in MSAD.

    hi Rajiv,
    thanks...
    I have run the AD Organization Lookup Recon and have given the following parameters:
    Lookup Search Filter:     (|(objectclass=OrganizationalUnit)(objectclass=container))
    Search Base:     DC=<domain_name2>,DC=<domain_name1>,DC=com
    Recon Type:     Update
    IT Resource Name:     ADITResource
    AttrName For Decode Value In Lookup:     distinguishedName
    AttrName For Code Value In Lookup:     distinguishedName
    Lookup Code Name:     Lookup.ADReconciliation.Organization
    Configuration Lookup:     Lookup.AD.Configuration
    But still there's no value for the Organization lookup in the process form for provisioning the user. What could be the cause of this?
    Also, I was testing if the connector is installed properly by using the testing utility. I used the following command to run it: . runADtest.sh 2
    But i got the following error.
    Exception in thread "Main Thread" java.lang.NoClassDefFoundError: com/thortech/xl/integration/ActiveDirectory/test/ADTestClient
    Caused by: java.lang.ClassNotFoundException: com.thortech.xl.integration.ActiveDirectory.test.ADTestClient
    at java.net.URLClassLoader$1.run(URLClassLoader.java:202)
    at java.net.URLClassLoader.findClass(URLClassLoader.java:190)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:307)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:248)
    Could not find the main class: com.thortech.xl.integration.ActiveDirectory.test.ADTestClient. Program will exit.
    Please help me for this also.
    Edited by: 827805 on Feb 9, 2011 4:11 AM

  • Help with user.update.accounts[Lighthouse].changes[roleInfos].new

    When I access user.update.accounts[Lighthouse].changes[roleInfos].new it returns a list of XMLObjects, which are the new list of roles to be provisioned in IDM. The following is an example:
    <GenericAttribute>
      <Object>
        <Attribute name='attribute'>
          <Object name='Production Server'>
            <Attribute name='directlyAssigned'>
              <Boolean>true</Boolean>
            </Attribute>
            <Attribute name='state' value='assigned'/>
            <Attribute name='type' value='BusinessRole'/>
          </Object>
        </Attribute>
      </Object>
    </GenericAttribute>
    I would like to execute a specific transition when a specific role is identified within the workflow transition from this list. So I thought I could try the following:
    <contains>
      <ref>user.update.accounts[Lighthouse].changes[roleInfos].new</ref>
      <s>Production Server</s>
    </contains>
    This does not work, but in my workflow debug I see the following:
      Resolved reference user.update.accounts[Lighthouse].changes[roleInfos].new = [Corporate Domain Administrator
      assignedBy = [Information Security Specialist]
      assignmentType = conditional
      state = assigned
      type = ITRole
    , Employee Production
      assignedBy = [Information Security Specialist]
      assignmentType = required
      state = assigned
      type = ITRole
    , IT Organization
      assignedBy = [Information Security Specialist]
      assignmentType = required
      state = assigned
      type = ITRole
    , Information Security
      assignedBy = [Information Security Specialist]
      assignmentType = required
      state = assigned
      type = ITRole
    , Information Security Specialist
      directlyAssigned = true
      state = assigned
      type = BusinessRole
    , MachineEX bzncvs02ex
      assignedBy = [Information Security Specialist]
      assignmentType = conditional
      state = assigned
      type = ApplicationRole
    , MachineEx bznsa02ex
      assignedBy = [Information Security Specialist]
      assignmentType = conditional
      state = assigned
      type = ApplicationRole
    , MachineEx bznwsint01
      assignedBy = [Information Security Specialist]
      assignmentType = conditional
      state = assigned
      type = ApplicationRole
    , Technology Organization
      assignedBy = [Information Security Specialist]
      assignmentType = required
      state = assigned
      type = ITRole
    ]
    My question is how can I check for something specific in the XMLObject list, similar to the following, or in Java code?
    <contains>
      <ref>user.update.accounts[Lighthouse].changes[roleInfos].new</ref>
      <s>Production Server</s>
    </contains>

    I solved my problem and wanted to share the solution with y'all.
    1. First off, the modifications are stored in a task instance, which is passed to the workflow engine:
    variables.user.update.accounts[Lighthouse].changes[roleInfos].new
    2. I created a class to parse the list of changes, which are stored as XMLObjects in a task definition:
    // Identity Manager object classes; the package is assumed to be com.waveset.object
    import com.waveset.object.GenericAttribute;
    import com.waveset.object.GenericObject;
    import java.util.List;

    public class zRoleChange {
        private final boolean debug;

        // Constructed from the workflow with <new class='...'><Boolean>true</Boolean></new>
        public zRoleChange(Boolean debug) {
            this.debug = debug != null && debug;
        }

        // Returns true if any role change in the list carries the value roleid.
        public Boolean roleChangeValidation(List<GenericAttribute> changes, String roleid) {
            String type = "MANUAL";
            boolean found = false;
            if (changes != null) {
                for (GenericAttribute change : changes) {
                    GenericObject value = change.get();
                    if (value == null) {
                        continue;
                    }
                    String name = value.getName();
                    if (debug) {
                        System.out.println(type + ":" + name);
                    }
                    if (value.containsValue(roleid)) {
                        if (debug) {
                            System.out.println(name);
                        }
                        found = true;
                    }
                }
            }
            return found;
        }
    }
    3. I added the following action to the update workflow, which passes the Roleid I am looking for and returns true if found.
    <Action id='1' name='Validate Privileged Role'>
      <expression>
        <block>
          <defvar name='zRoleChange'>
            <new class='com.generic.util.zRoleChange'>
              <Boolean>true</Boolean>
            </new>
          </defvar>
          <set name='_tokencheck_'>
            <invoke name='roleChangeValidation'>
              <ref>zRoleChange</ref>
              <ref>user.update.accounts[Lighthouse].changes[roleInfos].new</ref>
              <s>Production Server</s>
            </invoke>
          </set>
        </block>
      </expression>
    </Action>
    Edited by: OlympicAdmin on Feb 24, 2010 12:39 PM

  • Direct provisioning through API - OIM 11g

    Hi,
    OIM 11g here. I am trying to use the APIs to make direct provisioning. What i have done till now:
    tcUserOperationsIntf userIntf = (tcUserOperationsIntf)ioUtilityFactory.getUtility("Thor.API.Operations.tcUserOperationsIntf");
    ResourceData rd = userIntf.provisionResource(userkey, objectkey);
    now, in the ResourceData object i have two ids, obiKey and ouiKey. Now i need to extract the process instance key with those numbers. How can i do this?
    Using the userIntf getObjects method i can get the list of objects provisioned, iterate over it and retrieve the process instance key of the object which matches obiKey and ouiKey. Is there an easier method to do this?
    Another question, which one is the process instance key, ORC_KEY or ORC_TOS_INSTANCE_KEY ?
    Last, how do i trigger the task responsible for provisioning given the filled process form?
    thx in advance

    Ok, i guess the process instance key is ORC_KEY.
    Now I am trying to provision, through the APIs, a resource object (say AD User) to an OIM user. I have used the provisionResource(userkey, objectkey) method, but the Create User task is not put in the Resource History (there is only the System Validation task), and I don't know how to look for its task id to add it manually.

  • OIM 11g - automatically provision a user with AD

    Hi everyone,
    I'm a newbie with OIM and, to begin, I would like to provision a user to my AD directly after we create him in OIM. So I created an Access Policy for the resource AD User with the correct AD Server and the correct Organization and assigned it to All Users. When I create a new user and give some additional information like the address, phone number and email, for example, this user is provisioned in my AD, but the only information that is provisioned is his login, his first name and his last name, and none of the others.
    I don't understand why. Do I have to set up an adapter for this? I've also checked Auto Save and Auto Pre-populate in the Process Definition, but I don't know if it's the right thing to do.
    If you can help me with this. (I know this is a really "newbie" question but it'll help me a lot to understand OIM basics functionalities)
    Thanks a lot !
    Thibault

    I don't think that Oracle has used any kind of Java code for this. You can simply create a logical task to achieve the same.
    Anyway, the AD Connector comes with two jar files, and you can get those JARs from the Connector Pack itself or from the database.
    Go through Design Console guide for details.
    And also for your use case follow steps:
    Go to Form Design
    Search UD_ADUSER
    Create New Version
    Save
    Go to Prepopulate Tab
    Click Add
    Select your attribute
    Adapter as ADCS Populate First Name, Rule as Default, Order as integer value say 7
    Save
    Do mapping of variable with User Definition > Field Name

  • Updated question: Both Mac & PC links possible??

    I apologize right away for posting a new topic with my updated question. But I realized I didn't phrase it right to get any help.
    The question is - is it possible make both Mac links and PC links available on one disk. They would be in separate chapters. (i.e., directing Mac users to this page and Pc to another) Anyone tried this.
    thanks.

    hi jujubes
    I just realised I misled you in my reply to your earlier post due to my poor writing skills.
    to clarify:
    I suggest using Intellidisc to create the links for playback on a PC
    you would also use DVD@Access within DVDSP to create the links for Mac playback
    the links will work when played back on both mac and PC from this single disc
    the Intellidisc website gives all this in a tutorial at:
    wwwintellidisc.com

  • Problem in Accessing list of users while Provisioning New User in SS

    Hi Experts!!
    I am working on Hyperion Planning applications (Hyperion 9.3.1) & we have externalized user authentication in Shared services. During the process of provisioning new user in Shared Services, the problem occurs when I try to set the application access type as “Essbase & Planning” for the new user.
    To assign the new user the "Essbase & Planning" user type, I need to select the new user from the list of available users, which gets displayed on selecting the global Analytic Server located under the Project directory in Shared Services. However, when I click on the analytic server, it shows "loading" on the right side of the screen and an hourglass icon can also be seen. But the list of available users does NOT appear despite waiting for quite some time.
    While I am not able to access it even if I logon to the shared Services directly from the Server using remote access, my USA team can access the list of available users locally from their machine as well as from the server & are able to perform the step. Our server is located in USA & I access it from India. What could be the reason for this difference? Any suggestions/ input from you would be a great help for me in solving this issue.
    Thanks in advance

    Hi Rinku/John ,
    Thanks for your reply. My US team has tried this particular step from their local machines as well as directly from the server. They were able to see the listbox containing the list of available users and could set the application access type as "Essbase & Planning" for the new user. When I remotely log into the server (using mstsc) I use the IE installed on the server to access Shared Services. My US team also uses the same IE when they log into SS directly from the server and are able to perform this step. Hence there should not be any issue with the browser, port or firewall.
    I agree this is a very weird problem, because I get stuck only at this step where I have to set the application access type as "Essbase & Planning" for the new user. Everything else is accessible in SS.
    Any suggestion / input would be great help.

  • Provision a user into an LDAP Group/Organisation

    Is it possible to provision a user into a Role that is mapped to an LDAP Group/Organisation through Identity Manager? I've seen that you can add users directly into LDAP groups, but we would like to add users into groups where they already have an account in the Resource/Directory.
    For example I want to allow an existing user;
    uid=User1,ou=Users,o=mycompany
    to access a resource protected by LDAP Group;
    cn=AppGroup1,ou=Groups,o=mycompany
    this group would be mapped to an Application or Business Role within Identity Manager.
    Is this possible?

    If I understand your problem correctly then there is no need for customizing the resource adapter java source code at all. You can "calculate" in which OU or O a user is created by customizing the resource's identity template. Just add a variable to the identity template DN and "calculate" that variable in either your form or map it to IGNORE_ATTR on the resource and then you could even set that value in a role.
    Same for adding a user into a directory group. Map the respective groups attribute and create a role for that resource, then configure the role to set the group attribute or merge the values - as simple as that. Or did I misunderstand what you are trying to do?

  • Resource account password set during User Update process.

    Hi friends,
    I added to the Update WF a step to initialize an account password when, during the update of the user, IDM creates the new resource account.
    This is an initial password (known).
    This event basically happens in two User's Update cases:
    A. when the account was (accidentally) removed from the resource
    B. when a new Role requires to add a new resource account to the user
    In both cases IDM (re)creates the user account on the resource.
    In order to set this account initial password, I check (in the Update WF) the value of 'user.update.toCreate': if it contains the resource name, then I set the pw after the account has been provisioned.
    This method fails during case B. only when, for some reason, the resource account already exists BEFORE the update starts: even if the account is already there, IDM sets 'user.update.toCreate', leading my step to reset the account password to the initial value.
    What could I check in order to avoid it? (I don't want to reset account passwords when linking existing accounts)
    The only way I see at the moment would be to query the resource at the beginning of the Update WF to check if the account is already there...
    MTIA

    Hi,
    Have you found a resolution to this problem?
    Thanks
    Edited by: sun_to_Orcl on Jan 31, 2010 8:28 PM

  • Adding user challenge questions.

    I have been successful in reading and changing questions and answers programmatically but have not been able to add new user questions. (I have been able to add them through IDM online interface.)
    Does anyone know how to add new user challenge questions?

    I am curious at what point you're doing this? I have a set of challenge questions and answers in an LDAP that I would like to use to populate the fields inside of IdM. This way, I could utilize the IdM screens/logic when a user forgets their password. I would also need to keep these fields updated in IdM as they could change in the LDAP. Any suggestions?

  • OIM - Direct provisioning

    Hi,
    We have a following requirement to be implemented in OIM.
    1.There are two Resource Objects ( ResourceObject1 and ResourceObject2)
    2. Both resource objects have process form fields which are similar.
    3. Once a user gets provisioned to ResourceObject1, I need to provision the user automatically to ResourceObject2. (Need to get the process form data of ResourceObject1 and set the same values on ResourceObject2.)
    May I know how I can implement this? Thanks in advance.

    ProvisionResource API:
    // userKey, objectKey and resourceObjectName are the adapter's inputs
    long processInstanceKey = -1L;
    tcUserOperationsIntf userIntf = oimClient.getService(tcUserOperationsIntf.class);
    try {
        userIntf.provisionResource(userKey, objectKey);
        tcResultSet objResultSet = userIntf.getObjects(userKey);
        int objCount = objResultSet.getRowCount();
        System.out.println("Read Child Data :: No of Objects or Resources found for userKey = " + userKey + " is = " + objCount);
        // iterate through the object details to find the process instance key
        // (a user holding several instances of the same resource object will match the first one)
        for (int count = 0; count < objCount; count++) {
            objResultSet.goToRow(count);
            System.out.println("Resource Object Name from Adapter :- " + resourceObjectName);
            if (objResultSet.getStringValue("Objects.Name").equalsIgnoreCase(resourceObjectName)) {
                processInstanceKey = objResultSet.getLongValue("Process Instance.Key");
                break;
            }
        }
    } catch (Exception e) {
        e.printStackTrace();
    }
    Here you get the processInstanceKey; now, using tcFormInstanceOperationsIntf.setProcessFormData(processInstanceKey, dataMap), update the process form data.
