Groupwise provisioning - 'MailboxExpDate' attribute
I am working with a customer who is using Oracle Waveset 8.1, and is provisioning to Groupwise via the NDS adapter. In SIM 7.1 Groupwise was provisioned through its own adapter and it supported the management of the 'MailboxExpDate' attribute. However the combined NDS/Groupwise adapter in 8.1 does not seem to support the management of this attribute.
Has anyone else come across this? If so, how did you get around this limitation?
Hi,
I think I already explained what you need to do, but let me give you some more details. I cannot provide any documentation.
1. For the first approach, you need to go to the database provisioning process and add a new conditional task which will update the email field. Add your adapter which will update the email field in the database. Now go to the "Reconciliation Insert Received" task in the same provisioning form, then go to Response and assign your newly created task on the "Event Processed" response. If you are new to OIM then this will be the simplest approach.
2. For the second approach, there are many posts in the forum on creating an entity adapter. You need to create an adapter of type entity, and in that adapter you will have an execution schedule such as pre-insert, post-insert and so on. The entity adapter code will update the email in the database. Now you need to attach this adapter to the provisioning form, which you can find under "Business Rule Definition" -> Data Object Manager -> search for your form name, and then attach your entity adapter.
Regards
Nitesh
Similar Messages
-
AD provisioning - Prepopulate Attributes
Hi everyone,
In OIM 11g R2,
I want to provision to AD.
I can do this operation.
But I cannot pre-populate attributes.
In the AD user form, some pre-populate attributes are defined.
In the AD provisioning process definition, auto-prepopulate is selected.
What else do I have to do in OIM to carry pre-populate attributes to the AD provisioning form?
Thanks.
Best Regards.
This is a bug with the current version of the R2 release. Many people have faced the same issue.
Actually, pre-populate does happen, but you can see it only after the resource is provisioned, and it is not available on the catalog page while requesting.
Find the other thread. An SR has been raised by this user and you can communicate with him about it.
Re: prepopulate form while requesting
--nayan -
OIM 11.1.1.5 provisioning role based objectclasses and attributes
TL;DR You can't provision some attributes in our LDAP directory without the objectclass and I can't figure out the best way to inject the dynamic objectclasses into the create user process without the user being created already.
Some background:
I have configured our oim 11.1.1.5 instance and LDAP connector to provision ODSEE. At another's recommendation, I put all possible LDAP attributes in a single form regardless of which objectclass was needed for them. In ODSEE, sets of attributes are allowed through objectclasses for each 'Role'. ie. Student, Employee, Guest, etc objectclasses. I have all of the roles identified in OIM and can map them to an objectclass in LDAP
My question is, how can I provision role based objectclasses along with the common ones that are configured in the lookup so that when the associated attributes are provisioned, I don't get objectclass violations?
Can I append objectclasses to the list stored in the Configuration lookup in ldapUserObjectClass?
Should I create a child form containing the objectclasses and try to provision them?
Can/should I create a child form for each set of attributes by role? Common attribs in the LDAP_USR form and role based attribs in UD_LDAP_STU, UD_LDAP_EMP, UD_LDAP_GST, etc. Would prepop and the rest of the main form functions work the same?
Anything else I'm not thinking of? I am still a novice with some of these topics and may be way off base.
Any help will be greatly appreciated and thank you in advance
It is definitely doable if you use a custom LDAP connection implementation and just add objectclass update calls as needed as precursor tasks for the Update tasks.
Here is a small LDAP demo tool that you can adapt to do the update: http://iamreflections.blogspot.com/2010/08/manage-ad-with-jndi-demo-tool.html
There may be a smarter and more out of the box way to do it but this will work.
Martin -
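The ordering described in the reply above (objectclass update first, attribute update second), sketched as an added Python example that is not part of the original posts or of any OIM connector. The role-to-objectclass map and the schema table are constructed sample data with hypothetical class and attribute names, and the function only plans modifications; it does not talk to a directory.

```python
"""Plan LDAP modifications so role objectclasses are added before their attributes."""

# Constructed sample data (hypothetical names): OIM role -> auxiliary objectclass.
ROLE_OBJECTCLASS = {
    "Student": "exampleStudent",
    "Employee": "exampleEmployee",
    "Guest": "exampleGuest",
}

# Constructed sample schema: objectclass -> attributes it permits.
SCHEMA = {
    "inetOrgPerson": {"cn", "sn", "mail", "uid"},
    "exampleStudent": {"studentId", "major"},
    "exampleEmployee": {"employeeNumber", "departmentNumber"},
    "exampleGuest": {"sponsor"},
}


def plan_modifications(current_classes, roles, changes):
    """Return an ordered list of (operation, attribute, values) tuples.

    current_classes: objectclass values already on the entry
    roles:           roles assigned to the user
    changes:         dict of attribute -> new value(s) to provision
    Raises ValueError for unmapped roles or attributes no class permits.
    """
    have = {c.lower() for c in current_classes}
    wanted = []
    for role in roles:
        if role not in ROLE_OBJECTCLASS:
            raise ValueError(f"no objectclass mapped for role {role!r}")
        wanted.append(ROLE_OBJECTCLASS[role])

    # Objectclasses the entry will carry once the precursor step has run.
    missing = [c for c in dict.fromkeys(wanted) if c.lower() not in have]
    effective = have | {c.lower() for c in missing}

    allowed = set()
    for cls, attrs in SCHEMA.items():
        if cls.lower() in effective:
            allowed |= {a.lower() for a in attrs}

    rejected = sorted(a for a in changes if a.lower() not in allowed)
    if rejected:
        raise ValueError(f"attributes not permitted by any objectclass: {rejected}")

    plan = []
    if missing:
        # Precursor step: add only the absent classes, never replace the
        # whole objectClass value set.
        plan.append(("add", "objectClass", missing))
    for attr, value in changes.items():
        values = value if isinstance(value, list) else [value]
        plan.append(("replace", attr, values))
    return plan


if __name__ == "__main__":
    entry_classes = ["top", "person", "organizationalPerson", "inetOrgPerson"]
    for step in plan_modifications(entry_classes, ["Student"],
                                   {"mail": "a@example.edu", "studentId": "S1001"}):
        print(step)
```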
I'm coding in Delphi and get an "invalid argument was passed in the function call" runtime error every time I try to update the MailBoxExpDate attribute of the User object.
I can read this attribute and view valid content in the variable and write it directly back to the attribute and it still fails.
Ideas?
KW wrote:
> vDomain:=vSystem.ConnectedDomain;
> vUser:= vDomain.Users.ItemByDN(DN);
> x:= vUser.MailboxExpDate;
> vUser.MailboxExpDate:= x;
> If x is a string, I can examine X following x:= vUser.MailboxExpDate
> and it contains a meaningful string but on assignment it always
> fails. Other data types have yielded the same results on write. I can
> modify this attribute in DS with LDAP successfully but it never
> synchronises with Groupwise. Is there a programmatic way to force a
> resync with DS and avoid trying to update this Groupwise value
> directly?
Two possibilities come to mind:
1. The value returned by vUser.MailboxExpDate is being converted from
its returned form to a string if x is a string, but the converse is not
true when you do "vUser.MailboxExpDate:= x;". I set it as a VARIANT of
type V_DATE.
2. You need to do a vUser->Commit() if setting the mailbox exp date
returns SUCCESS.
John
DevSup SysOp 24 -
Provisioning multivalued attribute to a Detail table in SQL using GTC
I have a trusted recon set up from Sun LDAP to OIM followed by auto provisioning to SQL's "MyUser" table using GTC. This works fine so far.
Now the difficult part of the requirements. I have a multi-valued attribute called 'AppRoles' associated to User in Sun LDAP. I want to provision this attribute to SQL's "MyUserToRole" table (this is a detail table of Master "MyUser" table). What should be the best approach to do this task ?
Thanks!
Kabi
For Look-Up:
Once you run Trusted Recon, all your AppRoles are inserted into this look-up as different rows for different users. Use OIM APIs for that. A basic structure could be like the following:
Code - Decode
User01 - Role01,Role02
User02 - Role02,Role03,Role04
User03 - Role08,Role12
This way all the roles are stored in this look-up. But the only issue with this could be manual modification of the look-up, which could be tolerated as there are glitches with almost every solution implemented.
For UDF Field:
Yes, there would be a limitation in the Text Area field and it is 200 characters. So if that is the case then you should go for the Look-up, which doesn't have such restrictions, at least for your requirement. -
GroupWise Mobility Service 2.0 now available
We're pleased to announce that Novell GroupWise Mobility Service 2.0 is
now available. This release, which replaces the former Novell Data
Synchronizer Mobility Pack, includes the following enhancements:
- Performance and scalability improvements, and support for more than 1,000 devices per server
- ActiveSync 12.1 protocol support
- Mobility Service Monitoring Dashboard, showing real-time stats for the overall system, for each sync agent, and for particular users and mobile devices
- Task synchronization
- New address book administration options
- Support for the upcoming version of GroupWise, releasing as GroupWise 2014 and code-named Windermere, including Active Directory support through GroupWise provisioning
- Support for the latest mobile device platforms like iOS7, Android 4.3, Windows 8 and BlackBerry 10
- Support for SUSE Linux Enterprise Server 11 SP3
- AutoDiscover support for iOS and Windows 8 devices
- And much more
Novell GroupWise and Novell Open Workgroup Suite customers with current
maintenance are entitled to this release which is available for
download here.
https://download.novell.com/Download...d=xWnnbrV7Xic~
Your world is on the move. http://www.novell.com/mobility/
We know what your world looks like. http://www.novell.com/yourworld/
Joseph,
It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.
Has your problem been resolved? If not, you might try one of the following options:
- Visit http://support.novell.com and search the knowledgebase and/or check all
the other self support options and support programs available.
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://forums.novell.com)
Be sure to read the forum FAQ about what to expect in the way of responses:
http://forums.novell.com/faq.php
If this is a reply to a duplicate posting, please ignore and accept our apologies
and rest assured we will issue a stern reprimand to our posting bot.
Good luck!
Your Novell Product Support Forums Team
http://forums.novell.com/ -
Provisioning of groups to AD using AD connector
I want to provision groups from OIM to AD. I came to know from the AD connector guide that we can provision groups to AD.
My problem is i found that connector provisions only the following attributes to AD (Group Name, Organization Name, objectGUID, Group Type, Group Display Name).
I want to provision other attributes also like Group Scope to AD apart from the one provided above by the connector. How can i achieve this?? -
Provision Process Form - Prepopulate Field Problem
Hi everyone,
I mentioned this problem last week in OTN.
AD provisioning - Prepopulate Attributes
My problem is a bug and I found this bug.
Bug id : 14761208 in Oracle Support.
But there is no detail information on Oracle Support.
If this is bug and If I have to develop a button on provision form to fill prepopulate fields, how can I develop this button?
Thanks.
Best regards.
Edited by: JuniorOimDeveloper on Oct 30, 2012 8:53 AM
Edited by: JuniorOimDeveloper on Oct 31, 2012 2:35 AM
Hi Abhi,
Can you tell me how you have implemented populating an UDF based on Prepopulation of another UDF. I have a similar kind of requirement. It would be great if you share your code or relevant part of it.
Regards,
Sunny Ajmera -
Mail app and GroupWise mailbox via IMAP
I am using the Mail app to access my GroupWise mailbox via IMAP. I am experiencing the "neverending cache update" problems that others have reported in this forum, without any relief (shy of killing activities that appear to have stalled).
That aside, I have a question. The folder that stores mail message that I have sent in GroupWise is "Sent Items". The Mail app has gone ahead and created a "Sent Messages" folder in my mailbox for the same purpose. While this is somewhat of an inconvenience, the greater problem is that messages that I send via the Mail app are not recognized by GroupWise as "sent messages" by nature of not appearing in the "Sent Items" folder, which causes, among other things, filters to return incorrect results.
So... is there a way to control what folder the Mail app uses for sent messages on an IMAP mailbox, such as my GroupWise mailbox? (Other mail clients, such as Thunderbird, handle this situation well.)
Thanks.
- GC
Thank you... I suppose I should have said it didn't "seem" as flexible.
So, that is an improvement... now sent messages appear in the "Sent Items" folder as desired, rather than the "Sent Messages" that the Mail app created. One thing that I noticed now is that the message in "Sent Items" appears like it were a message stored in that folder, rather than one originating for the mailbox. Let me explain... messages sent from a native GroupWise client have attributes such as # recipients, # opened, # deleted, # accepted, #accepted, replied#, etc. None of these attributes appear for Mail app-originating messages. Is this a limitation or is there more magic to be aware of?
Thanks,
- GC -
My company uses groupwise mail client, I have finally had enough and want to use mail.app as many others do.
One problem though, I have access to other email accounts via the groupwise proxy. Is there any way to make these accounts show in mail.app? -
Multiple IT Resources for LDAP Server?
All,
I have a client with several Sun Java System Directory Server (SJSDS) instances, each containing separate user repositories. The schemas for each SJSDS instance have been customised - uid is not the user identifier attribute, nor is inetorgperson the user objectClass.
I have imported the SJSDS connector and am stuck at how I can represent these multiple real-world SJSDS instances in OIM. I understand that I can create separate IT Resources for each SJSDS instance, complete with their individual hostnames and IP addresses; this makes sense. However, according to the "Extending the Functionality" guide (http://download.oracle.com/docs/cd/E11223_01/doc.904/e10446/custom.htm#CIHDDEGA), the user identifier attribute and objectClass seem to be defined at the connector level through the Lookup.iPlanet.Configuration Lookup Definition? Am I correct in therefore assuming that this means all of my LDAP Server IT Resources have to share the same user identifier attribute and objectClass?
Can anyone suggest how I might be able to define unique settings for attributes such as the user identifier attribute and objectClass for each LDAP Server IT Resource? What is the standard approach?
Also, I read that there is a one-to-one relationship between a process task and its adapter. Does this therefore mean that I should create separate "Create User" adapters for the Process Definition associated with each IT Resource implemented?
Any guidance / clarification would be greatly appreciated :-)
Damian
See, this is the underlying assumption for multiple instances creation in OIM for any target system:
- Create multiple IT Resources of same IT Resource type. Each one will have individual connection parameters specified in it. You know that.
- Now while provisioning, you just select anyone of this IT Resource as required, so your request is directed towards the required target.
Note
- It considers that you are always provisioning same attributes to all those targets because you will always see same process form for all targets.
- You have same objectClass for all.
- You have same 'Unique Attribute' and 'Key Fields' for reconciliation.
- Although you can modify the IT Resource for providing different attribute list for prov and recon based on your target system by providing different values for look up's in place of- AttrName.Prov.Map.iPlanet and AttrName.Recon.Map.iPlanet. But since RO, Process Form etc all are same so no such real usage.
Note - Lookup - 'AttrName.Prov.Map.iPlanet' has got one attribute objectclass. See if modifying it works. But in OIM process form, attributes will always be same
Work-Around if above doesn't work
The only thing you can do is replicate one instance of SJSDS multiple times within OIM for every OIM object. Say if you want 5 different instances of SJSDS then like following:
- Create 5 identical ROs, Process Forms, rules, Process Definitions, Lookups etc. within XML for every OIM object that you think will change for all these 5 instances. If anything is common then let all 5 refer to it. Do it by copying + renaming the XML.
- Now import everything in OIM. So now you can see 5 different RO like SJSDS1, SJSDS2 ,SJSDS3 .. etc for all these 5 instances and they will behave differently with no overlapping and you can configure these individually.
- But this is very critical procedure. You need to take proper care while replicating.
Hope it helps.
Thanks
Sunny
Edited by: rajsunny -
We are stuck on a FIM design.
We have a column in our SQL feed table to FIM MV named "ManualAction"
What we want to happen is that if this column has the value "YES" then FIM will not synchronize the MV entry to attached sources e.g. AD and FIM Portal.
If we try connector filter-ing on column ManualAction equals YES we either disconnect and preserve the MV attributes provided or disconnect and nullify those MV attributes. This is not what we want.
We want somehow to instruct FIM not to synchronize this MV entry if MV.ManualAction == YES
Could this be done via a Rule extension somehow?
The point of the Manual flag is that an Administrator may set one or more attributes in an AD account deliberately and does NOT want them overwritten by FIM even though the usual authoritative source value differs...
What we are thinking is ... is it possible to instruct FIM to 'skip' this MV entry at target resource(s) sync time.
I admit, I am not optimistic but I thought I could ask the FIM experts.
Hello,
you can do this for a normal MA in some more, and maybe more granular, ways.
Consider syncing ManualAction to the MV as well and using it in manual precedence code of the attribute flows, in combination with the last writer/contributor of the attribute.
With this you have the manual attribute values from e.g. AD also in the MV and so in the Portal.
This is more granular because you can have an override only on the attributes you need while flowing other attributes by normal sync.
The Portal is a bit restricted as you cannot control the provisioning and attribute flows with code. What's in your MV will be provisioned and exported to the Portal 1:1 (if there are flows, of course).
To have advanced flows on Portal MA you can implement a solution called replay MA.
See:
https://unifysolutions.jira.com/wiki/display/FIMTEAMCOM/2014-01-22+-+FIM+Replay+MA
Peter Stapf - ExpertCircle GmbH - My blog:
JustIDM.wordpress.com -
OID Trusted reconciliation failed
Hi,
I am trying to do trusted reconciliation from OID. Reconciliation task is failed and following are the error logs found:
ERROR QuartzWorkerThread-1 XL_INTG.OID - ====================================================
ERROR QuartzWorkerThread-1 XL_INTG.OID - Exception at com.thortech.xl.integration.OID.schedule.tasks.tcTskOIDUserReconciliationprocessBatch(): [B cannot be cast to java.lang.String
ERROR QuartzWorkerThread-1 XL_INTG.OID - ====================================================
I am trying to reconcile the OOTB fields (cn,sn,givenName,userPassword) and 2 user defined fields (text based).
Can anyone let us know when this casting exception will be thrown?
- Kalyan Mutya
Yep, mappings are poor. I created an entity adapter for the EMP_TYPE & USR_TYPE, and users are reconciling.
There is still an issue with the reconciliation.
I can provision all attributes on the OIM user account to their corresponding OID attributes, but when I reconcile I process all attributes, but the xellerate user only links the default ones:
LastName
Organization
First Name
User ID
Xellerate Type
Email
Role
I have checked and rechecked the mappings, This is on 9.0.3.1672 using the 9.0.4.1 connector.
Any ideas? -
Department and Division in Identity Template not updated
Hi all,
I was recently trying to populate the attributes Department and Division dynamically for Active Directory like AccountId by doing the following in Identity Template
cn=$accountId$,ou=$Department$,ou=$Division$,dc=com
But this doesn't seem to work . IDM doesn't seem to recognize this.
I will be glad if somebody can help me with this.
Thanks in advance!!
regards,
Zebra8
You're not alone, I have a similar problem. Unfortunately, none of the forum posts that touch on this specific problem and/or say they found a solution provide a specific (connect the dots) solution:
Assign users to virtual organisations? -- http://forum.java.sun.com/thread.jspa?forumID=764&threadID=5244414
missing attribute container required by the identity template for resource -- http://forum.java.sun.com/thread.jspa?forumID=764&threadID=5220580
missing attribute firstinitial required by identity template for resource -- http://forum.java.sun.com/thread.jspa?forumID=764&threadID=5164606
'i' in employeeId -- http://forum.java.sun.com/thread.jspa?forumID=764&threadID=5136857
Is it possible to set identity template dynamically? -- http://forum.java.sun.com/thread.jspa?forumID=764&threadID=5133235
Identity Template issue -- http://forum.java.sun.com/thread.jspa?forumID=764&threadID=5110444
ActiveSync assigning and linking Active Directory accounts -- http://forum.java.sun.com/thread.jspa?forumID=764&threadID=5110302
Error during saving a user data -- http://forum.java.sun.com/thread.jspa?forumID=764&threadID=5100184
How to use a rule to generate ID for a resource? -- http://forum.java.sun.com/thread.jspa?forumID=764&threadID=5093491
Error While recon -- http://forum.java.sun.com/thread.jspa?forumID=764&threadID=5102663
LDAP Resource Account Creation -- http://forum.java.sun.com/thread.jspa?forumID=764&threadID=5117857
Multiple accounts on AD -- http://forum.java.sun.com/thread.jspa?forumID=764&threadID=5128583
multiple accounts for active directory -- http://forum.java.sun.com/thread.jspa?forumID=764&threadID=5163175
Flat File Active Sync Error -- http://forum.java.sun.com/thread.jspa?forumID=764&threadID=5054272
Problem changing user projects -- http://forum.java.sun.com/thread.jspa?forumID=764&threadID=5064478
Problem during provisioning -- http://forum.java.sun.com/thread.jspa?forumID=764&threadID=5219921
unable to get firstinitial in AD template -- http://forum.java.sun.com/thread.jspa?forumID=764&threadID=5165816
Place IDM USer in specific Active directory Container based on Department -- http://forum.java.sun.com/thread.jspa?forumID=764&threadID=5175931
Active Directory Error -- http://forum.java.sun.com/thread.jspa?forumID=764&threadID=5058048
Summary instructions (collected from these posts and IDM docs):
* the template is only used when an account is created
* any $attributes$ referenced in the template must be either IDM extended user attributes (i.e. always present) or in the associated resource schema map
* can also dynamically override the identity template using the attribute "accounts[<resource>].identity"
* if the attribute is only used for the template, set the schema mapping to IGNORE_ATTR so that IDM doesn't try to provision the attribute
Some fuzzy/non-specific suggestions:
* may utilize workflows; i.e. modify the default create user workflow
* may involve the resource activeSync form
* suggestion that any referenced attributes need to be "global"; this either means set using "global.<attr>" syntax, they are marked as "required" in the schema map, and/or the LDAP activeSync resource "populateGlobal" attribute is set to "true"
I'll post a solution when I figure it out. -
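The template rules summarized in the post above, as an added Python illustration (not Sun IDM code and not from the original poster): it expands $attribute$ placeholders, reports every attribute the template references but the account data lacks, and escapes substituted values per RFC 4514 so that a comma inside a department name stays inside its RDN. Function names and sample values are constructed for the example.

```python
"""Expand an identity template such as cn=$accountId$,ou=$Department$,dc=com."""
import re

# $name$ placeholders, as used in the identity template quoted in this thread.
PLACEHOLDER = re.compile(r"\$([A-Za-z][A-Za-z0-9_.]*)\$")


def escape_dn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=':
            # '=' does not strictly need escaping, but RFC 4514 permits it.
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def expand_identity_template(template, attributes):
    """Return the DN built from template.

    Raises KeyError naming every referenced attribute that is absent or
    empty, instead of failing on the first one.
    """
    names = PLACEHOLDER.findall(template)
    missing = sorted({n for n in names if attributes.get(n) in (None, "")})
    if missing:
        raise KeyError("missing attribute(s) required by the identity template: "
                       + ", ".join(missing))
    return PLACEHOLDER.sub(
        lambda m: escape_dn_value(str(attributes[m.group(1)])), template)


if __name__ == "__main__":
    template = "cn=$accountId$,ou=$Department$,ou=$Division$,dc=com"
    # Constructed sample account data.
    user = {"accountId": "jdoe", "Department": "R&D, East", "Division": "Eng"}
    print(expand_identity_template(template, user))
    try:
        expand_identity_template(template, {"accountId": "jdoe"})
    except KeyError as err:
        print(err.args[0])
```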
Provision a multivalued attribute from OIM to OID
Hi,
I have a requirement to provision a new multivalued attribute from OIM to OID.
Steps followed:
Created a child form
Attached child form to the OID Parent form
Created a process task adapter.
Created a task in process definition and the attached the adapter
Adapter code.
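import java.util.HashMap;
import Thor.API.tcUtilityFactory;
import Thor.API.Operations.tcFormInstanceOperationsIntf;
import com.thortech.xl.dataaccess.tcDataProvider;

// Adds one row to the child form of the given process instance.
public String addChildData(tcDataProvider ioDatabase, long procInstKey, long childDefKey) {
    try {
        tcFormInstanceOperationsIntf formInstOper = (tcFormInstanceOperationsIntf) tcUtilityFactory.getUtility(ioDatabase, "Thor.API.Operations.tcFormInstanceOperationsIntf");
        HashMap<String, String> testval = new HashMap<String, String>();
        testval.put("UD_TESTCHIL_TESTGROUP", "abcd2134");
        System.out.println("testval..." + testval);
        long formreturn = formInstOper.addProcessFormChildData(childDefKey, procInstKey, testval);
        System.out.println("formreturn" + formreturn);
    } catch (Exception e) {
        System.out.println("exce" + e);
    }
    // Reached on both paths, so "Success" is returned even when the call above threw.
    return "Success";
}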
After attaching, while provisioning I am seeing both parent and child forms. I have provided the values and it is successfully provisioning.
But how can I provision the new OID multivalued attribute? Do we have to do any setting in the lookup?
Regards,
KK
Just create your new adapter for add and delete from this new child table just like the other triggered tasks. If it's a multi value on the user profile, use the adapter for Add Multi Value Attribute that comes with the connector. In the property name, put in your multi value attribute name, and map the value from the child table.
-Kevin