Direct Provisioning AD - User Update Question
Hello,
I was able to successfully provision a user to Active Directory by direct provisioning (adding AD User from the Resources tab). However, when I update the user profile in OIM, the corresponding AD User resource form data is not getting updated. So when I add the task (through resource history) of updating, say, first name or email address, the updates are not going through. Am I missing something? How does the AD User resource form data get updated?
thanks in advance,
Prasad.
Sorry, I did not provide all the details, I guess. I am getting close, I think, but here is what I have done so far:
1. Lookup.USR_PROCESS_TRIGGERS - added USR_EMAIL and "Change Email"
2. "AD User" Provisioning process definition - Added "Change Email" task (details below)
General tab - task name (Change Email), conditional (checked), required for completion (checked), allow cancellation while pending (checked), allow multiple instances (checked), task effect (no effect)
Integration tab -
added "adpADCSCHANGEATTRIBUTE", status ready,
adapter variable (variable name - Adapter return value), (data type - String), (map to - Response Code)
adapter variable (variable name - sConfigurationLookup), (data type - String), (map to - Literal), (qualifier - String), (literal value - Lookup.AD.Configuration)
adapter variable (variable name - ADServer), (data type - IT Resource (AD Server)), (map to - Process Data), (qualifier - AD Server)
adapter variable (variable name - processKeyInstance), (data type - String), (map to - Process Data), (qualifier - Process Instance)
adapter variable (variable name - propertyName), (data type - String), (map to - Literal), (qualifier - String), (literal value - mail)
Everything else is the default. The task is getting fired and the Active Directory account is getting an empty field, because the value in the OIM attribute is not getting sent to the resource AD User form. I reused one of the AD connector's adapters, adpADCSCHANGEATTRIBUTE, for this. Does this not work? Is there anything else that I need to do?
Created a pre-populate adapter, AD Prepopulate E Mail, and added it to the AD User form. The form value still is not getting updated with the OIM value; I am doing something wrong here, I guess.
I can provide more detail if needed.
Thanks much,
Prasad.
Edited by: Prasad on Oct 27, 2011 12:32 PM
Edited by: Prasad on Oct 27, 2011 2:56 PM
Similar Messages
AD Connector direct provisioning User Account Password Problem
All,
Created an AD connector and provisioned a user between OIM 11.1.1.3 and Active Directory. Provisioning status is "provisioned" and it looks like everything is working. However, when I try to log in to AD directly, I get a credential invalid error. Has anyone come across this problem before? I did not see this issue in a previous effort; the only difference I can think of is that in the current environment there is no SSL on AD. I am working directly with port 389 and useSSL = no on ADITResource.
Any help for debugging this is much appreciated.
Thanks in advance,
Prasad.
If you are not using SSL, then no password is set for the user in AD. I do not know what limitations there are when trying to log in, but I would check with your AD admins and make sure the account looks valid. They might need to be a member of a certain domain group, or have a different userAccountControl value.
-Kevin
OIM to OID direct provisioning to a particular OU
Hello - Can someone suggest whether provisioning to a particular ou in the OID directory is possible from OIM using configuration, as opposed to coding?
let say, my DIT looks like this:
dc=abc,dc=com
o=Org-A
- ou=unit1A
- ou=unit2A
- ou=unit10A
o=Org-B
- ou=unit1B
- ou=unit2B
- ou=unit10B
I can provision a user account to OID fine OOTB, i.e. using the default connector configuration and adding them to the cn=users container.
But now, if I want to add a user to a particular ou in OID, then what is required (high-level steps would be great)?
Just to clarify, I want to pick the ou during user creation, e.g. I should be able to pick ou=unit1A or ou=unit1B.
Thank you.
Edited by: user9231583 on 09-Mar-2010 21:08
Just wanted to update the question: after testing a few fields I can provision a user account at the o=Org-A level, or, if I create a new ou under the top node dc=abc,dc=com, then I can provision the user there, but I am not sure what config changes are required to add a user under unit1A or unit2A. Any suggestions please?
Thanks everyone who replied, but I guess I have not explained it clearly. The question is how to provision under an ou=Unit1A that is under o=Org-A.
Here is some information about what I have configured that might help point me in the right direction. I would appreciate any help; hopefully it makes sense.
The process form contain Container DN field. This field is defined as LookupField in the process form.
The lookup table from which the Container DN gets the value is Lookup.OID.Organization
I have populated my Lookup.OID.Organization with the Organization units that I have created in OID; from my above example it contains values like
Code Key     Decode
ou=Unit1A    unit1A
ou=Unit2A    unit2A
ou=Unit1B    unit1B
etc.
The values for ldapOrgDNPrefix and ldapOrgUnitObjectClass in Lookup.OID.configuration is set as follows:
ldapOrgDNPrefix=ou
ldapOrgUnitObjectClass=organizationalUnit
When I try to provision a user to these ous (unit1A or unit1B), I get a "no such object" error, which makes sense since OIM is trying to add this user under ou=unit1A,dc=abc,dc=com, which does not exist in OID. It should be ou=unit1A,o=org-A,dc=abc,dc=com, but I am not sure how to tell that to OIM.
Just so you know:
I can provision at the o=Org-A level by changing the values in the Lookup.OID.configuration lookup table to ldapOrgDNPrefix=o and ldapOrgUnitObjectClass=organization
OR
If I create an organizational unit ou=Test under the top node, i.e. dc=abc,dc=com, and then change the values in the Lookup.OID.configuration lookup table to ldapOrgDNPrefix=ou and ldapOrgUnitObjectClass=organizationalUnit, then I can provision to ou=Test,dc=abc,dc=com,
but I am not able to provision under ou=unit1A if it is under o=Org-A.
Thank you.
OIM 11g DBAT connector - user update not working after target recon
Hi,
I have configured a resource (XSVR3) with the DBAT 9.1.0.5.0 connector to do provisioning and target recon to and from the same custom database table, following the example in the connector guide. Now what happens is the following:
- if I first provision the resource to the user, everything works fine
- if a resource is first assigned to a user as a result of a target recon, the connector then fails to propagate to the table any changes I make in the process form, returning the following error:
<8-gen-2013 16.44.16 CET> <Error> <OIMCP.DATC> <BEA-000000> <Class/Method: DBFacade/updateParentRecord encounter some problems: Empty parent row cannot be updated. Please ensure to run reconciliation task to bring the systems in sync.>
<8-gen-2013 16.44.16 CET> <Error> <OIMCP.DATC> <BEA-000000> <Class/Method: DBProvisioningTransportProvider/sendData encounter some problems: DB_UPDATE_EMPTY_RECORD_ERROR
com.thortech.xl.gc.exception.DBException: DB_UPDATE_EMPTY_RECORD_ERROR
at com.thortech.xl.gc.impl.common.DBFacade.updateParentRecord(Unknown Source)
at com.thortech.xl.gc.impl.prov.DBProvisioningTransportProvider.sendData(Unknown Source)
It looks like the connector is unable to find the record that needs to be updated. I've looked into the process form table of the resource on the DB (called UD_XSVR3), and I noticed that records resulting from target reconciliation have a null in the UD_XSVR3_ID column, while records resulting from direct provisioning have the username in the same column. Manually updating the column in the first kind of records fixes the issue, but I need to know if/what I have missed in the connector configuration.
thanks in advance
Alex
Edited by: Prorad on Jan 9, 2013 3:02 AM
Hi Prorad,
We are having the same issue. What's the resolution for the issue? Any hints would be great.
Thanks,
Vincent
[OIM] Error in Direct Provisioning (with auto save form) - GTC DB App Table
Hi,
I am getting an error when setting up direct provisioning of a GTC DB App Table connector using an OIM access policy (and group membership), or through manual provisioning with prepopulate and auto save form.
Manual provisioning with prepopulate ONLY (not with auto save form) WORKS!
Some information about my OIM config:
- Prepopulate adapters are set up on both forms (parent and child)
- "Auto prepopulate" and "Auto save form" are set up at Process Definition
- For direct provisioning, I have created an access policy with an associated group which has a membership rule
What it is working:
- Provisioning manually, using prepopulate adapters only, not auto save form. Both tables are updated properly
- All 3 tasks are called and finish with status=Completed: "System Validation", "Create User" and "Child Table UD_<connector child table name>_US row Inserted"
Testing direct provisioning:
- I have tested adding the resource manually with prepopulate and auto save form configured, and also through access policy/group membership. The error is the same in both tests
- The resource is displayed as provisioned and an entry is created in the parent table of the resource, but not in the child table
- I also observed that only the "System Validation" and "Create User" tasks were executed (status=Completed). The task "Child Table UD_<connector child table name>_US row Inserted" is missing
- The error log displays only an error regarding the UGP table (groups info), but I am not sure if that is the cause of the entry not being created in the child table.
It seems the SQL statement tries to get ugp_name (group name) using ugp_key, but that has a null value.
"SELECT ugp_name FROM ugp WHERE ugp_key=java.sql.SQLSyntaxErrorException: ORA-00936: missing expression"
Note: When testing manually (without auto save form), I got "SELECT ugp_name FROM ugp WHERE ugp_key=1", which is the same SQL statement, but the value is provided.
My guess:
- It seems that error is aborting the whole execution process, so the "Child Table UD_<connector child table name>_US row Inserted" task does not run, even though the previous tasks finished with status=Completed. Consequently, the entry is not created in the child table.
Please, any guess or help would be very helpful. In case nothing works, I guess I will have to create and customize an "Update child form" task as a workaround, which would be called after the "Create User" task.
Regards,
Hugo
My environment:
- Windows 2003, WebLogic 10.3.0.0, OIM 9.1.0.2 BL4, Oracle 10g, Java 1.6, DB App Table Connector 9.1.0.2 (from October 2009)
- Target resource: parent and child table (Oracle 10g, the same OIM DB)
An update:
I solved that error about "ORA-00936: missing expression" by applying OIM 9.1.0.2 BP05. That was not impacting my issue regarding direct provisioning with auto save form and child form.
So please if anyone can confirm:
- Can I set up prepopulate adapters on child forms AND also use "auto save form" on GTC DB App Table connector?
If not, any suggestion?
Regards
Hugo
Provisioning a user in MSAD from OIM
Hi all,
I am trying to provision a user from OIM to MSAD through direct provisioning. After performing the steps for provisioning, I get the status of Create User as rejected, and the task is assigned to xelsysadm for approval, though it is direct provisioning.
Please help me to know why the user is not getting provisioned in MSAD.
Hi Rajiv,
thanks...
I have run the AD Organisation Lookup Recon and have given the following parameters:
Lookup Search Filter: (|(objectclass=OrganizationalUnit)(objectclass=container))
Search Base: DC=<domain_name2>,DC=<domain_name1>,DC=com
Recon Type: Update
IT Resource Name: ADITResource
AttrName For Decode Value In Lookup: distinguishedName
AttrName For Code Value In Lookup: distinguishedName
Lookup Code Name: Lookup.ADReconciliation.Organization
Configuration Lookup: Lookup.AD.Configuration
But still there's no value for Organisation Lookup in the process form for provisioning the user. What could be the cause of this?
Also, I was testing whether the connector is installed properly by using the testing utility. I used the following command to run it: . runADtest.sh 2
But i got the following error.
Exception in thread "Main Thread" java.lang.NoClassDefFoundError: com/thortech/xl/integration/ActiveDirectory/test/ADTestClient
Caused by: java.lang.ClassNotFoundException: com.thortech.xl.integration.ActiveDirectory.test.ADTestClient
at java.net.URLClassLoader$1.run(URLClassLoader.java:202)
at java.net.URLClassLoader.findClass(URLClassLoader.java:190)
at java.lang.ClassLoader.loadClass(ClassLoader.java:307)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308)
at java.lang.ClassLoader.loadClass(ClassLoader.java:248)
Could not find the main class: com.thortech.xl.integration.ActiveDirectory.test.ADTestClient. Program will exit.
Please help me with this also.
Edited by: 827805 on Feb 9, 2011 4:11 AM
When I access user.update.accounts[Lighthouse].changes[roleInfos].new it returns a list of XMLObjects, which are the new list of roles to be provisioned in IDM. The following is an example:
<GenericAttribute>
<Object>
<Attribute name='attribute'>
<Object name='Production Server'>
<Attribute name='directlyAssigned'>
<Boolean>true</Boolean>
</Attribute>
<Attribute name='state' value='assigned'/>
<Attribute name='type' value='BusinessRole'/>
</Object>
</Attribute>
</Object>
</GenericAttribute>
I would like to execute a specific transition when a specific role is identified within a workflow transition from this list. So I thought I could try the following:
<contains>
<ref>user.update.accounts[Lighthouse].changes[roleInfos].new</ref>
<s>Production Server</s>
</contains>
This does not work, but in my workflow debug I see the following:
Resolved reference user.update.accounts[Lighthouse].changes[roleInfos].new = [Corporate Domain Administrator
assignedBy = [Information Security Specialist]
assignmentType = conditional
state = assigned
type = ITRole
, Employee Production
assignedBy = [Information Security Specialist]
assignmentType = required
state = assigned
type = ITRole
, IT Organization
assignedBy = [Information Security Specialist]
assignmentType = required
state = assigned
type = ITRole
, Information Security
assignedBy = [Information Security Specialist]
assignmentType = required
state = assigned
type = ITRole
, Information Security Specialist
directlyAssigned = true
state = assigned
type = BusinessRole
, MachineEX bzncvs02ex
assignedBy = [Information Security Specialist]
assignmentType = conditional
state = assigned
type = ApplicationRole
, MachineEx bznsa02ex
assignedBy = [Information Security Specialist]
assignmentType = conditional
state = assigned
type = ApplicationRole
, MachineEx bznwsint01
assignedBy = [Information Security Specialist]
assignmentType = conditional
state = assigned
type = ApplicationRole
, Technology Organization
assignedBy = [Information Security Specialist]
assignmentType = required
state = assigned
type = ITRole
]
My question is how can I check for something specific in an XMLObject list, similar to the following, or in Java code?
<contains>
<ref>user.update.accounts[Lighthouse].changes[roleInfos].new</ref>
<s>Production Server</s>
</contains>
I solved my problem and wanted to share the solution with y'all.
1. First off, the modifications are stored in a task instance, which is passed to the workflow engine:
variables.user.update.accounts[Lighthouse].changes[roleInfos].new
2. I created a class to parse the list of changes, which are stored as XMLObjects in a task definition:
import java.util.Iterator;
import java.util.List;
// GenericAttribute and GenericObject are the IDM API classes used in the original post.

public Boolean roleChangeValidation(List<GenericAttribute> changes, String roleid) {
    String type = "MANUAL";
    Boolean returncode = false;
    if (changes != null) {
        Iterator<GenericAttribute> it = changes.iterator();
        while (it.hasNext()) {
            GenericAttribute change = it.next();
            GenericObject value = change.get();
            String name = value.getName();
            if (this.Debug)
                System.out.println(type + ":" + name);
            // the role we are looking for is one of the values of this change entry
            if (value.containsValue(roleid)) {
                if (this.Debug)
                    System.out.println(name);
                returncode = true;
            }
        }
    }
    return returncode;
}
3. I added the following actions to the update workflow, which pass the role ID I am looking for and return true if found.
<Action id='1' name='Validate Privileged Role'>
<expression>
<block>
<defvar name='zRoleChange'>
<new class='com.generic.util.zRoleChange'>
<Boolean>true</Boolean>
</new>
</defvar>
<set name='_tokencheck_'>
<invoke name='roleChangeValidation'>
<ref>zRoleChange</ref>
<ref>user.update.accounts[Lighthouse].changes[roleInfos].new</ref>
<s>Production Server</s>
</invoke>
</set>
</block>
</expression>
</Action>
Edited by: OlympicAdmin on Feb 24, 2010 12:39 PM
Direct provisioning through API - OIM 11g
Hi,
OIM 11g here. I am trying to use the APIs to do direct provisioning. What I have done so far:
tcUserOperationsIntf userIntf = (tcUserOperationsIntf)ioUtilityFactory.getUtility("Thor.API.Operations.tcUserOperationsIntf");
ResourceData rd = userIntf.provisionResource(userkey, objectkey);
Now, in the ResourceData object I have two IDs, obiKey and ouiKey. Now I need to extract the process instance key from those numbers. How can I do this?
Using the userIntf getObjects method I can get the list of objects provisioned, iterate over it and retrieve the process instance key of the object which matches obiKey and ouiKey. Is there an easier method to do this?
Another question: which one is the process instance key, ORC_KEY or ORC_TOS_INSTANCE_KEY?
Last, how do I trigger the task responsible for provisioning given the filled process form?
Thanks in advance.
OK, I guess the process instance key is ORC_KEY.
Now I am trying to provision through the APIs a resource object (say AD User) to an OIM user. I have used the provisionResource(userkey, objectkey) method, but the Create User task is not put in the Resource History (there is only the System Validation task), and I don't know how to look for its task ID to add it manually.
OIM 11g - automatically provision a user with AD
Hi everyone,
I'm a newbie with OIM and, to begin, I would like to provision a user to my AD directly after we create him in OIM. So I created an Access Policy for the resource AD User with the correct AD Server and the correct Organization, and I assigned it to All Users. When I create a new user and give some additional information like the address, phone number and email, for example, this user is provisioned in my AD, but the only information that is provisioned is his login, his first name and his last name, and none of the others.
I don't understand why. Do I have to set up an adapter for this? I've also checked Auto Save and Auto Pre-populate in the Process Definition, but I don't know if it's the right thing to do.
If you can help me with this. (I know this is a really "newbie" question but it'll help me a lot to understand OIM basics functionalities)
Thanks a lot !
Thibault
I don't think that Oracle has used any kind of Java code for this. You can simply create a logical task to achieve the same.
Anyway, the AD connector comes with two JAR files, and you can get those JARs from the connector pack itself or from the database.
Go through Design Console guide for details.
And also for your use case follow steps:
Go to Form Design
Search UD_ADUSER
Create New Version
Save
Go to Prepopulate Tab
Click Add
Select your attribute
Adapter as ADCS Populate First Name, Rule as Default, Order as integer value say 7
Save
Do mapping of variable with User Definition > Field Name
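An added example of the code that sits behind the pre-populate steps above: the adapter logic class whose method inputs get mapped from User Definition fields (and one Literal). This is illustrative code written for this page, not from the Oracle AD connector or any of the posts; the class name, method name, the mailDomain literal and the normalization rules are assumptions. One caveat worth keeping in mind: a pre-populate adapter runs when the process form is first created at provisioning time, so it fills the field for a new account; later changes to the OIM user do not re-run it, which is what the USR_PROCESS_TRIGGERS task set-up in the first thread on this page is for.

```java
// Added example for this page (not Oracle connector code). Intended to be
// compiled into a JAR, registered as an OIM pre-populate adapter, and mapped
// on the UD_ADUSER form: usrEmail/firstName/lastName from User Definition
// fields, mailDomain from a Literal. All names here are assumptions.
import java.util.Locale;
import java.util.regex.Pattern;

public class AdMailPrepopulate {

    // Only characters we are willing to put in the local part of an AD mail value.
    private static final Pattern UNSAFE = Pattern.compile("[^a-z0-9._-]");
    // rangeUpper of the mail attribute in the default AD schema.
    private static final int MAX_MAIL_LEN = 256;

    /**
     * Returns the value for the AD mail column. Preference order:
     *  1. the OIM user's own email (USR_EMAIL), trimmed and lower-cased;
     *  2. first.last@mailDomain built from the name fields;
     *  3. null, which leaves the form field empty rather than sending junk to AD.
     */
    public String populateMail(String usrEmail, String firstName, String lastName, String mailDomain) {
        String email = clean(usrEmail);
        if (email != null && email.indexOf('@') > 0) {
            return fitLength(email);
        }
        String first = localPart(firstName);
        String last = localPart(lastName);
        String domain = clean(mailDomain);
        if (first == null || last == null || domain == null) {
            return null; // not enough data; let the field stay blank
        }
        return fitLength(first + "." + last + "@" + domain);
    }

    /** Trims and lower-cases; blank input becomes null. */
    static String clean(String s) {
        if (s == null) {
            return null;
        }
        String t = s.trim().toLowerCase(Locale.ROOT);
        return t.isEmpty() ? null : t;
    }

    /** Strips anything outside [a-z0-9._-] so a name cannot smuggle spaces or separators into the address. */
    static String localPart(String name) {
        String c = clean(name);
        if (c == null) {
            return null;
        }
        String safe = UNSAFE.matcher(c).replaceAll("");
        return safe.isEmpty() ? null : safe;
    }

    /** Refuses values AD would reject on length instead of truncating them silently. */
    static String fitLength(String mail) {
        return mail.length() <= MAX_MAIL_LEN ? mail : null;
    }
}
```

Returning null on bad input is deliberate: a pre-populate adapter that returns a malformed string makes the connector's Create User task fail against AD, and the failure surfaces as a rejected task rather than an obviously empty field on the form.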
Updated question: Both Mac & PC links possible??
I apologize right away for posting a new topic with my updated question, but I realized I didn't phrase it right to get any help.
The question is: is it possible to make both Mac links and PC links available on one disc? They would be in separate chapters (i.e., directing Mac users to this page and PC users to another). Anyone tried this?
Thanks.
Hi jujubes,
I just realised I misled you in my reply to your earlier post due to my poor writing skills.
to clarify:
I suggest using Intellidisc to create the links for playback on a PC
you would also use DVD@Access within DVDSP to create the links for Mac playback
the links will work when played back on both mac and PC from this single disc
the Intellidisc website gives all this in a tutorial at:
wwwintellidisc.com
Problem in Accessing list of users while Provisioning New User in SS
Hi Experts!!
I am working on Hyperion Planning applications (Hyperion 9.3.1) and we have externalized user authentication in Shared Services. During the process of provisioning a new user in Shared Services, the problem occurs when I try to set the application access type to “Essbase & Planning” for the new user.
To assign the new user the “Essbase & Planning” user type, I need to select the new user from the list of available users which is displayed on selecting the global Analytic Server located under the Project directory in Shared Services. However, when I click on the analytic server, it shows “loading” on the right side of the screen and an hourglass icon can also be seen. But the list of available users does NOT appear despite waiting for quite some time.
While I am not able to access it even when I log on to Shared Services directly from the server using remote access, my USA team can access the list of available users locally from their machines as well as from the server and are able to perform the step. Our server is located in the USA and I access it from India. What could be the reason for this difference? Any suggestions/input from you would be a great help to me in solving this issue.
Thanks in advance
Hi Rinku/John,
Thanks for your reply. My US team has tried this particular step from their local machines as well as directly from the server. They were able to see the listbox containing the list of available users and could set the application access type to "Essbase & Planning" for the new user. When I remotely log into the server (using mstsc) I use the IE installed on the server to access Shared Services. My US team also uses the same IE when they log into SS directly from the server and are able to perform this step. Hence there should not be any issue with the browser, port or firewall.
I agree this is a very weird problem because I get stuck only at this step where I have to set the application access type to "Essbase & Planning" for the new user. Everything else is accessible in SS.
Any suggestion / input would be a great help.
Provision a user into an LDAP Group/Organisation
Is it possible to provision a user into a Role that is mapped to an LDAP Group/Organisation through Identity Manager? I've seen that you can add users directly into LDAP groups, but we would like to add users into groups where they already have an account in the Resource/Directory.
For example I want to allow an existing user;
uid=User1,ou=Users,o=mycompany
to access a resource protected by LDAP Group;
cn=AppGroup1,ou=Groups,o=mycompany
this group would be mapped to an Application or Business Role within Identity Manager.
Is this possible?
If I understand your problem correctly, then there is no need to customize the resource adapter Java source code at all. You can "calculate" in which OU or O a user is created by customizing the resource's identity template. Just add a variable to the identity template DN and "calculate" that variable either in your form or map it to IGNORE_ATTR on the resource, and then you could even set that value in a role.
The same goes for adding a user to a directory group. Map the respective groups attribute and create a role for that resource, then configure the role to set the group attribute or merge the values; as simple as that. Or did I misunderstand what you are trying to do?
Resource account password set during User Update process.
Hi friends,
I added to the Update WF a step to initialize an account password when, during the update of the user, IDM creates the new resource account.
This is an initial password (known).
This event basically happens in two User's Update cases:
A. when the account was (accidentally) removed from the resource
B. when a new Role requires to add a new resource account to the user
In both cases IDM (re)creates the user account on the resource.
In order to set this account initial password, I check (in the Update WF) the value of 'user.update.toCreate': if it contains the resource name, then I set the pw after the account has been provisioned.
This method fails during case B. only when, for some reason, the resource account already exists BEFORE the update starts: even if the account is already there, IDM sets 'user.update.toCreate', leading my step to reset the account password to the initial value.
What could I check in order to avoid it? (I don't want to reset account passwords when linking existing accounts)
The only way I see at the moment would be to query the resource at the beginning of the Update WF to check if the account is already there...
MTIA
Hi,
Have you found a resolution to this problem?
Thanks
Edited by: sun_to_Orcl on Jan 31, 2010 8:28 PM
Adding user challenge questions.
I have been successful in reading and changing questions and answers programmatically but have not been able to add new user questions. (I have been able to add them through the IDM online interface.)
Does anyone know how to add new user challenge questions?
I am curious at what point you're doing this? I have a set of challenge questions and answers in an LDAP that I would like to use to populate the fields inside of IDM. This way, I could utilize the IDM screens/logic when a user forgets their password. I would also need to keep these fields updated in IDM as they could change in the LDAP. Any suggestions?
Hi,
We have the following requirement to be implemented in OIM.
1. There are two Resource Objects (ResourceObject1 and ResourceObject2)
2. Both resource objects have process form fields which are similar.
3. Once a user gets provisioned to ResourceObject1, I need to provision the user automatically to ResourceObject2 (need to get the process form data of ResourceObject1 and set the same values on ResourceObject2).
May I know how I can implement this? Thanks in advance.
ProvisionResource API:
// userKey, objectKey, resourceObjectName and oimClient are assumed to be declared by the caller
tcUserOperationsIntf userIntf = oimClient.getService(tcUserOperationsIntf.class);
long processInstanceKey = -1L;
try {
    userIntf.provisionResource(userKey, objectKey);
    tcResultSet objResultSet = userIntf.getObjects(userKey);
    int objCount = objResultSet.getRowCount();
    System.out.println("Read Child Data :: No of Objects or Resources found for userKey = " + userKey + " is = " + objCount);
    // iterate through the object details to find out the Process Key
    for (int count = 0; count < objCount; count++) {
        objResultSet.goToRow(count);
        System.out.println("Resource Object Name from Adapter :- " + resourceObjectName);
        if (objResultSet.getStringValue("Objects.Name").equalsIgnoreCase(resourceObjectName)) {
            processInstanceKey = objResultSet.getLongValue("Process Instance.Key");
            break;
        }
    }
} catch (Exception e) {
    e.printStackTrace();
}
Here you get processInstanceKey; now, using tcFormInstanceOperationsIntf - setProcessFormData(processInstanceKey, dataMap), update the process form data.
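A worked example, added for this page and not taken from any of the posts above, that ties together the three API questions on it: the opening thread (getting a changed OIM user attribute into the AD User process form so the update task has a value to send), the "Direct provisioning through API" thread (locating the process instance key, ORC_KEY, after provisionResource) and the ResourceObject1 to ResourceObject2 request just above. It assumes an authenticated OIM 11g OIMClient, a resource object named "AD User" and a mail column named UD_ADUSER_MAIL; the class and method names are mine, and the column names in the comments are assumptions. The setFormField method is the piece a USR_PROCESS_TRIGGERS task such as "Change Email" needs behind it: an adapter calling it with the process instance key mapped from Process Data and the new value mapped from the User Definition field, so that the form column actually changes and the connector's own update task then fires with a real value rather than the still-empty form field.

```java
// Added example for this page (not Oracle product or connector code).
// Assumes an OIM 11g client that is already logged in; all names are assumptions.
import java.util.HashMap;
import java.util.Map;

import oracle.iam.platform.OIMClient;
import Thor.API.tcResultSet;
import Thor.API.Operations.tcFormInstanceOperationsIntf;
import Thor.API.Operations.tcUserOperationsIntf;

public class ProcessFormSync {

    // Assumed names: the AD connector's resource object and its mail column.
    public static final String AD_OBJECT = "AD User";
    public static final String AD_MAIL_COLUMN = "UD_ADUSER_MAIL";

    private final tcUserOperationsIntf userOps;
    private final tcFormInstanceOperationsIntf formOps;

    public ProcessFormSync(OIMClient oimClient) {
        this.userOps = oimClient.getService(tcUserOperationsIntf.class);
        this.formOps = oimClient.getService(tcFormInstanceOperationsIntf.class);
    }

    /**
     * Returns the process instance key (ORC_KEY) of the named resource object
     * provisioned to the user, or -1 when the user has no instance of it.
     * A user can hold several instances of the same object (including revoked
     * ones); narrow the match further before trusting the first hit in that case.
     */
    public long findProcessInstanceKey(long userKey, String objectName) throws Exception {
        tcResultSet rs = userOps.getObjects(userKey);
        for (int i = 0; i < rs.getRowCount(); i++) {
            rs.goToRow(i);
            if (objectName.equalsIgnoreCase(rs.getStringValue("Objects.Name"))) {
                return rs.getLongValue("Process Instance.Key");
            }
        }
        return -1L;
    }

    /** Direct provisioning through the API, then locating the instance it created. */
    public long provisionAndLocate(long userKey, long objectKey, String objectName) throws Exception {
        userOps.provisionResource(userKey, objectKey);
        return findProcessInstanceKey(userKey, objectName);
    }

    /**
     * Writes one process-form column. Called from a process-trigger task adapter
     * (e.g. "Change Email") with the key from Process Data and the value from the
     * User Definition field, it changes the form so the connector's update task
     * has something to send to the target.
     */
    public void setFormField(long processInstanceKey, String column, String value) throws Exception {
        if (processInstanceKey <= 0) {
            throw new IllegalArgumentException("no process instance for this resource");
        }
        Map<String, String> data = new HashMap<String, String>();
        data.put(column, value == null ? "" : value.trim());
        formOps.setProcessFormData(processInstanceKey, data);
    }

    /**
     * Copies parent-form values of srcObject into dstObject for the same user
     * (the ResourceObject1 -> ResourceObject2 requirement). columnMap maps source
     * column names to destination column names, so the two forms need not use
     * identical names. Returns the number of columns written.
     */
    public int copyForm(long userKey, String srcObject, String dstObject,
                        Map<String, String> columnMap) throws Exception {
        long src = findProcessInstanceKey(userKey, srcObject);
        long dst = findProcessInstanceKey(userKey, dstObject);
        if (src < 0 || dst < 0) {
            throw new IllegalStateException("both resources must be provisioned before copying");
        }
        tcResultSet form = formOps.getProcessFormData(src);
        if (form.getRowCount() == 0) {
            return 0; // source form not yet populated (e.g. still pending data entry)
        }
        form.goToRow(0);
        Map<String, String> out = new HashMap<String, String>();
        for (Map.Entry<String, String> e : columnMap.entrySet()) {
            out.put(e.getValue(), form.getStringValue(e.getKey()));
        }
        formOps.setProcessFormData(dst, out);
        return out.size();
    }
}
```

Usage for the first thread would be setFormField(findProcessInstanceKey(userKey, AD_OBJECT), AD_MAIL_COLUMN, newEmail); for the request above, copyForm(userKey, "ResourceObject1", "ResourceObject2", columnMap) after ResourceObject2 has been provisioned through provisionAndLocate. Run this with an account that holds only the rights it needs: writing to process forms is exactly how one would push arbitrary attributes into a connected target, so the credentials behind OIMClient deserve the same care as the connector's own IT resource password.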