IDM reconciliation logs

Similar Messages

• IDM Job Logs

  Friends,
  We are in the process of rolling out IDM password self service. We configured developement and production. For some reasons we had to delete the production identity store and recreated.
  From the time we did that, I cannot see job logs for any tasks except for the initial load. So when I inititate the tasks for setting the Q&A it completes successfully but I cannot see it in the overall job log or individual job log.
  Any thoughts..
  Regards,
  Muthu Kumaran KG

  Somehow I am not surprised that Oracle is the backend... What version?
  I would advise checking with your DBA that all of the mxmc users have the correct privileges and that the correct privilieges have been granted to the IDM database. Are you getting any error messages in the dispatcher?
  Also from the IDM end I would double check all of the connection strings, make sure that IDM is using Java 1.5 and that your are using the 1.2 JDBC drivers.  I've found this to generally be the most reliable connection.
  Good Luck!

• IDM Reconciliation Pending Error

  Hi all,
  I am supporting IDM Application and I have an issue where the Reconciliation process for almost all the resources are in "Recon:Pending" Status and Last Reconciled date and time shows as "never".
  For few resources, there seems to be no error but the process has got stopped immediately or in a second or so and therefore only few accounts have been processed but still in pending status.
  For other resources, there are errors like:
  Abnormal disconnect from SSH Server: Could not connect to Resource: Auth fail (OR)
  ksh: sudo: not found (OR)
  The wait for a response exceeded the configured timeout while fetching account from resource, etc
  Can someone please help me know and understand why the Reconciliation process doesnt seem to work fine and what can be done. This is the second time I am facing the issue, last time was a month back. We had rebooted IDM webservers as part of our resolution to run the process properly as the next scheduled reconciliations also would not start.
  Please help...Thanks in advance...
  Priyanka.

  Hello Experts,
  Could you someone update the fix regarding the issue.
  Thanks and Regards
  Thirumal.
  Edited by: Thirumalai Malai on Jun 3, 2009 4:09 AM

• IdM Audit Log

  Does Identity Manager keep a record of all events like adds/deletes/modifies to entries it manages?
  Are all attributes and values added recorded?
  Are all attributes and values (before and after modification) recorded on updates?
  Are all delete entry events recorded?
  If so, how would I extract this information out of IdM to a log FILE?
  Also, about how much effort is involved in creating the desired audit log FILE.
  (Potential) Customers of Identity manager here have asked, after being shown a quick demo of IdM where is the ability to get statistical info e.g. how many entries added in past 24 hours/week/month? how many email accounts were created in past 24 hours/week/month etc etc...
  I/they see a screen audit report as an IdM task but it doesnt seem to be able to dump useful information to a file. A file can be manipulated to produce these statistics, a screen cannot. This file can also be used by other external systems of course.

  I cannot agree more with Mr greenfan88:
  Clients should have a HIGH expectation in a system such as IDM which relates to provisionning, meta-directory and workflow
  The main reason beeing that business processes are the core driver of successfull projects. Technical things comes in second place. Thus processes need to be highly traceable and reports customizable
  What I think of IDM Reports:
  * Nearly half of the standard reports are administrative reports (ex: list the connectors status, list the admins...) => No business value
  * Other reports are pure AuditLog reports that correspond to a grep on logs => Low business value
  * There are as well resource risk reports that scan inactive accounts... => No business value
  * One report type provide statistical information which is good
  * Only one report consolidate information (<> from just an audilog grep listing)
  All these reports have low business value:
  1) the attributes are technical ones
  2) the reports types are frozen
  3) Consolidation is very low
  4) Scoping/Security of reports is based on ORGANIZATIONS. Very limited
  5) Inputing parameters such as a date range, people/account status (active/inactive), or departement perimeter is impossible or very difficult to achieve
  What I think of IDM AUDITOR:
  * Quite the same since lots of reports are administratove
  * Auditor introduces the notion of COMPLIANCE rules. This is good BUT it should be extended to business attributes, time ranges, active/inactive status...
  Except the COMPLIANCE addition, I don't see much interesting features from Auditor. It is still in V1 or beta ?
  => I hope the product line will improve to include REAL REPORTS like the ones we can make with BUSINESS OBJECTS or CRYSTAL REPORTS...
  Rgds,

• Slow Sun IDM Reconciliation Performance

  We are currently reconciling an Oracle resource and provisioning the data to Active Directory. We were provisioning at 12.5 accounts / minute, but have recently started provisioning at 3 accounts / minute.
  If anyone is provisioning to Active Directory, what kind of performance are you getting?
  Also, does anyone have any suggestions on improving the performance of Active Directory provisioning?

  instead of having the list of 1400 objectgroups(ou) in the available organization in the Resource configuration, i have now only an objectclass "ID#All#, display name="All"
  this was usggested by sun suport and resolved my issue....
  now reconcile occurs in 4 hrs rather than the 27 hrs it used to take.

• Looking for a way to log privilege adds even when the user has that priv

  We've run into a situation where we want IDM to log privilege adds/removes, even when that privilege already exists (for add) or doesn't exist (for remove) on a person.  Let me give some background.
  We are a small team working on an IDM project, each team member with 6-30 months of experience with the IDM product.  We're using 7.1.
  We have two systems, one of which is queryable and (certain) privileges updatable via REST API -- we'll call this system REST.  The second system of course is IDM.
  When an IDM privilege is added or removed, the business requirement is to always keep IDM and REST in sync, privilege-wise.  This is no problem and we have provisioning set up to make the API call, and it works great.  However, if there is a problem with the REST API (network issue, just plain down, etc.) this sync can't happen.  So, within the provisioning framework, if there is a failure, the failure is logged and the privilege is reverted, keeping REST and IDM synced.  A job runs regularly to check this log table and re-attempt the appropriate action, which of course will trigger provisioning again, hopefully successfully.
  The problem occurs in a situation like this, where each point comes in chronological order.
  1. User X gets privilege Y granted within an IDM UI.
  2. Provisioning triggers, but for some reason the REST API call fails (twice, because of retry).
  3. The failure task for the REST API call removes privilege Y from user X.  The error is logged.
  4. After a while, some job runs which removes privilege Y from all users whose names begin with X.  Even if the job explicitly removes privilege Y from user X, this is not logged in the system in any way, doesn't trigger provisioning, etc.
  5. After another while, the "retry job" runs and attempts action #1 again.  This time, the provisioning succeeds.  Now user X has privilege Y on both IDM and REST.  However, because of step 4, clearly user X should not have privilege Y.
  The same (well, reverse) issue occurs when removing the priv in step 1 and doing a grant in step 4.  During tests, one can just set up a To Identity Center step and remove/assign a privilege to an arbitrary person, then run the job containing this step repeatedly.  If the action has no net effect, there's no record (in, for example, sentries, oentries, or indeed in mxi_(old)values).  It would be great if there was a generic way to cause these actions to be logged, and we've actually thought of a couple other cases where this logging would be useful as well.  Is there some simple way?  Is it already logged in some esoteric table we haven't thought of?
  Any thoughts on this interesting scenario would be appreciated.  Thanks!

  Hi Chris,
  If I understand correctly, since you are using the log to ensure that the privileges are synced.
  Any chance you could enhance step 4 to remove information about the failed assignment from the log, so that it will not be retried?
  Note also, that this is improved in IdM7.2 and the framework. You will only get the privilege assigned after the add-member task has successfully assigned the privilege in the back-end system (which is what you are trying to achieve).
  Best regard
  John Erik Setsaas
  Development Architect IdM

• Audit Log Report generating an "Out of Memory" error message.

  Greetings. We are a new IDM customer. We are running IDM 6.0 with an Oracle database. We are now getting the following error message when we run the IDM Audit Log Report for Today's Activities:
  "java.lang.OutOfMemoryError".
  How do we increase the memory setting for reporting? Thanks.

  Hi,
  I am also getting the same error. I have netbeans with tomcat andi modified the setting the netbeans.conf to
  netbeans_default_options="-J-Xms32m -J-Xmx750m -J-XX:PermSize=32m -J-XX:MaxPermSize=750m -J-Xverify:none -J-Dapple.laf.useScreenMenuBar=true"
  i have 896MB of RAM. However, the error is still showing up? Any ideas on how to resolve this?
  Thanks,

• Enabling logging for ACF2 OIM 11g

  Hi Experts,
  I want to enable logging for ACF2 connector, I want to implement the logging in OJDL as per provided by 11g.
  But in deployment guide for ACF2 i see under section of enabling logging has:
  log4j.logger.COM.IDENTITYFORGE.ORACLE.INTEGRATION.IDFACF2USEROPERATIONS=INFO
  The connector is the latest one 9.0.4.18 version.
  seems they have still leveraged Log4j.. Does is work in OIM 11g, is there a way to implement OJDL. Please help!!

  Normally we configure OJDL it will be fine for OIM
  http://idmoim.blogspot.in/2011/07/enabling-logging-in-oim-11g.html
  what you are pointing is about Ldap Gateway. and ldap gateway still having log4j. go through the connector doc you will get all the required steps
  yes for capturing ldap gateway operations log you have to enable log4j.it is fine with 11g as well
  below from connector doc:(2.9 Installing and Configuring the LDAP Gateway)
  7. To enable logging for the LDAP Gateway:
  a. Copy the log4j JAR file from the application server directory in which it is
  placed to the LDAP_INSTALL_DIR/lib directory.
  b. Extract the log4j.properties file from the
  LDAP_INSTALL_DIR/dist/idfserver.jar file.
  c. Enter a log level as the value of the log4j.rootLogger variable. For example:
  log4j.rootLogger=ERROR, A1
  d. Save and close the file.
  When you use the connector, the following log files are generated in the
  LDAP_INSTALL_DIR/logs directory:
  ■ idfserver.log.0: This is the main log file.
  ■ acf2-agent-recon.log: This is the real-time, incremental reconciliation log file
  that stores Oracle Identity Manager reconciliation messages.

• Starting OID during configuration fails

  Trying to confiugre simple OID/ODSM and it fails with the following in oidldapd01-0000.log:
  [2011-12-08T21:11:38-08:00] [OID] [NOTIFICATION:16] [] [OIDLDAPD] [host: vserv1179] [pid: 24288] [tid: 0] Main:: Sent SIGTERM to process id = 24298
  [2011-12-08T21:11:38-08:00] [OID] [NOTIFICATION:16] [] [OIDLDAPD] [host: vserv1179] [pid: 24288] [tid: 1] ProcessDispatcher: sgsluscSendPort: sendmsg failed, OS ERROR = 32
  [2011-12-08T21:11:38-08:00] [OID] [ERROR:8] [23124] [OIDLDAPD] [host: vserv1179] [pid: 24288] [tid: 1] ProcessDispatcher: The server with Process ID = 24298 is not running.
  [2011-12-08T21:11:38-08:00] [OID] [NOTIFICATION:16] [] [OIDLDAPD] [host: vserv1179] [pid: 24288] [tid: 1] ProcessDispatcher: WARNING : Shutting down
  [2011-12-08T21:11:38-08:00] [OID] [NOTIFICATION:16] [] [OIDLDAPD] [host: vserv1179] [pid: 24288] [tid: 0] Main:: WARNING : DispatcherController : OiD LDAP server exiting with status -1
  All the required database access is fine. Any pointers ?

  You may try these steps:
  You'll need to install the Microsoft Loopback adapter on the server.
  Go to Device Manager.
  Right-click on the computer name at the top of window and choose Add Legacy Hardware.
  Click Next, then "Install the hardware I manually select from a list (Advanced)"
  Scroll down and click Network adapters in the list of hardware types, and click Next.
  A list of devices will appear in a few moments, and you should choose Microsoft on the left and Loopback adapter (see below)
  Click Next and wait for the brief installation to complete.
  You may also encounter similar symptoms (OID fails to start), and these error messages in your sqlnet.log file located in %ORACLE_HOME%\network\log:
  Directory does not exist for read/write [D:\Oracle\IDM\Oracle_IDM1\log] []
  To resolve this, simply create the directory log\diag\clients in %ORACLE_HOME%.

• Not getting the login page on deploying IDM5

  I am getting the following error, from the logs, on deploying IDM 5 on Websphere 5.1
  ,any one who can help ?
  [10/11/05 12:28:54:582 EDT] 497a7658 WebGroup I SRVE0180I: [Sun Java System Identity Manager 5.0 (20050503 SP 5)] [idm] [Servlet.LOG]: /login.jsp: init
  [10/11/05 12:28:55:738 EDT] 497a7658 WebGroup E SRVE0026E: [Servlet Error]-[com.waveset.ui.util.RequestState: method <init>&#40;Ljavax/servlet/http/HttpSession&#59;Ljavax/servlet/http/HttpServletRequest&#59;Ljavax/servlet/http/HttpServletResponse&#59;Lcom/waveset/object/LighthouseContext&#59;Lcom/waveset/ui/PageInformation&#59;&#41;V not found]: java.lang.NoSuchMethodError: com.waveset.ui.util.RequestState: method <init>(Ljavax/servlet/http/HttpSession;Ljavax/servlet/http/HttpServletRequest;Ljavax/servlet/http/HttpServletResponse;Lcom/waveset/object/LighthouseContext;Lcom/waveset/ui/PageInformation;)V not found
       at org.apache.jsp._login._jspService(_login.java:227)
       at com.ibm.ws.webcontainer.jsp.runtime.HttpJspBase.service(HttpJspBase.java:89)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
       at com.ibm.ws.webcontainer.jsp.servlet.JspServlet$JspServletWrapper.service(JspServlet.java:344)
       at com.ibm.ws.webcontainer.jsp.servlet.JspServlet.serviceJspFile(JspServlet.java:662)
       at com.ibm.ws.webcontainer.jsp.servlet.JspServlet.service(JspServlet.java:760)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
       at com.ibm.ws.webcontainer.servlet.StrictServletInstance.doService(StrictServletInstance.java:110)
       at com.ibm.ws.webcontainer.servlet.StrictLifecycleServlet._service(StrictLifecycleServlet.java:174)
       at com.ibm.ws.webcontainer.servlet.IdleServletState.service(StrictLifecycleServlet.java:313)
       at com.ibm.ws.webcontainer.servlet.StrictLifecycleServlet.service(StrictLifecycleServlet.java:116)
       at com.ibm.ws.webcontainer.servlet.ServletInstance.service(ServletInstance.java:283)
       at com.ibm.ws.webcontainer.servlet.ValidServletReferenceState.dispatch(ValidServletReferenceState.java:42)
       at com.ibm.ws.webcontainer.servlet.ServletInstanceReference.dispatch(ServletInstanceReference.java:40)
       at com.ibm.ws.webcontainer.webapp.WebAppRequestDispatcher.handleWebAppDispatch(WebAppRequestDispatcher.java:974)
       at com.ibm.ws.webcontainer.webapp.WebAppRequestDispatcher.dispatch(WebAppRequestDispatcher.java:555)
       at com.ibm.ws.webcontainer.webapp.WebAppRequestDispatcher.forward(WebAppRequestDispatcher.java:200)
       at com.ibm.ws.webcontainer.srt.WebAppInvoker.doForward(WebAppInvoker.java:119)
       at com.ibm.ws.webcontainer.srt.WebAppInvoker.handleInvocationHook(WebAppInvoker.java:276)
       at com.ibm.ws.webcontainer.cache.invocation.CachedInvocation.han

  thank you for your help,my .war did seem to be incomplete,after redeploying I am getting the following errors
  Error 500: Unable to compile class for JSP An error occurred between lines: 29 and 165 in the jsp file: /includes/getLocale.jsp Generated servlet error: C:\WebSphere\AppServer\temp\SSTHOPS91\server1\idm\idm.war\_login.java:380: cannot resolve symbol symbol : method isSupported (java.util.Locale) location: class com.waveset.msgcat.Catalog if (!Catalog.isSupported(_locale)) { ^ An error occurred between lines: 37 and 61 in the jsp file: /login.jsp Generated servlet error: C:\WebSphere\AppServer\temp\SSTHOPS91\server1\idm\idm.war\_login.java:454: cannot resolve symbol symbol : method getSession (com.waveset.object.Subject,java.lang.String,java.lang.String) location: class com.waveset.session.SessionFactory Session s = SessionFactory.getSession(sub, ^ An error occurred between lines: 39 and 109 in the jsp file: /includes/bodyEnd.jsp Generated servlet error: C:\WebSphere\AppServer\temp\SSTHOPS91\server1\idm\idm.war\_login.java:863: incompatible types found : com.waveset.security.authn.Subject required: com.waveset.object.Subject if (_wsSess != null) subj =_wsSess.getSubject(); ^ An error occurred at line: 115 in the jsp file: /includes/bodyEnd.jsp Generated servlet error: C:\WebSphere\AppServer\temp\SSTHOPS91\server1\idm\idm.war\_login.java:895: cannot resolve symbol symbol : method addUrl (java.lang.String) location: class com.waveset.ui.util.html.HtmlBuffer httpUrl.addUrl(logout_url); ^ An error occurred at line: 115 in the jsp file: /includes/bodyEnd.jsp Generated servlet error: C:\WebSphere\AppServer\temp\SSTHOPS91\server1\idm\idm.war\_login.java:896: cannot resolve symbol symbol : method addUrlArgument (java.lang.String,java.lang.String) location: class com.waveset.ui.util.html.HtmlBuffer httpUrl.addUrlArgument("lang", wps_lang); ^ An error occurred at line: 115 in the jsp file: /includes/bodyEnd.jsp Generated servlet error: C:\WebSphere\AppServer\temp\SSTHOPS91\server1\idm\idm.war\_login.java:897: cannot resolve symbol symbol : method addUrlArgument (java.lang.String,java.lang.String) location: class com.waveset.ui.util.html.HtmlBuffer httpUrl.addUrlArgument("cntry", wps_cntry); ^ 6 errors
  any clues??
  thanks in advance

• Not able to run a reconciliation from IDM on a the securID/ACE server UNIX

  I have configured a securID/ACE adapter in IDM 7.1 so that it can provision updates of user accounts. RSA 6.1.2 server is running on Linux RHEL 2.6.9. I am able to connect to RSA form IDM, but when I run a reconciliation I get the following error,
  Error iterating accounts for resource RES-User-RSA-Projects:
  com.waveset.util.WavesetException: Trouble constructing User 'null'
  Below is the stack trace that I extracted from IDM (debug): The stack below tells me that IDM is not able to establish a connection to the RSA server. I have made sure that the login account that I am using in the RSA adapter parameters belongs to the same group that owns /opt/ace/utils/tcl/bin/tcl-sd.
  Is there anything else I need to do? Has anybody out there faced a similar issue and found a resolution?
  SecurIdUnixResourceAdapter#getFeatures() Entryno args
  SecurIdUnixResourceAdapter#getFeatures() Exit void
  SecurIdUnixResourceAdapter#getFeatures() Entry no args
  SecurIdUnixResourceAdapter#getFeatures() Exit void
  SecurIdUnixResourceAdapter#getFeatures() Entry no args
  SecurIdUnixResourceAdapter#getFeatures() Exit void
  SecurIdUnixResourceAdapter#getLoginScript() Entry no args
  SecurIdUnixResourceAdapter#getTclshPath() Entry no args
  SecurIdUnixResourceAdapter#getTclshPath() Exit returned= /opt/ace/utils/tcl/bin/tcl-sd
  SecurIdUnixResourceAdapter#getResourceAttributeValue() Entry no args
  SecurIdUnixResourceAdapter#getResourceAttributeValue() Exit returned= 24
  SecurIdUnixResourceAdapter#getResourceAttributeValue() Entry no args
  SecurIdUnixResourceAdapter#getResourceAttributeValue() Exit returned= 2
  SecurIdUnixResourceAdapter#getResourceAttributeValue() Entry no args
  SecurIdUnixResourceAdapter#getResourceAttributeValue() Exit returned= 6
  SecurIdUnixResourceAdapter#getUserExtensionMapNames() Entry no args
  SecurIdUnixResourceAdapter#getUserExtensionMapNames() Exit void
  SecurIdUnixResourceAdapter#getLoginScript() Exit void
  SecurIdUnixResourceAdapter#getAccountIteratorscript() Entry no args
  SecurIdUnixResourceAdapter#procSetup() Entry no args
  SecurIdUnixResourceAdapter#procSetup() Exit void
  SecurIdUnixResourceAdapter#procTearDown() Entry no args
  SecurIdUnixResourceAdapter#procTearDown() Exit void
  SecurIdUnixResourceAdapter#getAccountIteratorscript() Exit void
  SecurIdUnixResourceAdapter#getAccountIteratorResult() Entry no args
  SecurIdUnixResourceAdapter#getAccountIteratorResult() Exit void
  SecurIdUnixResourceAdapter#constructUser() Entry no args
  SecurIdUnixResourceAdapter#constructUser() Info Database connection is not established!
  SecurIdUnixResourceAdapter#getFeatures() Entry no args
  SecurIdUnixResourceAdapter#getFeatures() Exit void

  Anybody out there who has configured SUN IDM to provision into RSA SecureID Ace/Server UNIX? Any help on this is greatly appreciated!

• Oracle.security.idm.OperationFailureException in ucm server logs

  Hi,
  We have integrated IDM (OID and OAM) in our weblogic servers. For some specific users when they try to access, below error seems to be recorded in UCM server logs.
  Event generated by user '10819' at host 'CIS'. csJpsErrorLoadingSecurityInfo Unable to execute service method 'next'. oracle.security.idm.OperationFailureException: javax.naming.InvalidNameException: Invalid name: ldap:. javax.naming.InvalidNameException: Invalid name: ldap:. [ Details ]
  An error has occurred. The stack trace below shows more information.
  !csUserEventMessage,10819,CIS!$!$csJpsErrorLoadingSecurityInfo!csUnableToExecMethod,next!syJavaExceptionWrapper,oracle.security.idm.OperationFailureException: javax.naming.InvalidNameException: Invalid name: ldap:!syJavaExceptionWrapper,javax.naming.InvalidNameException: Invalid name: ldap:
  intradoc.common.ServiceException: csJpsErrorLoadingSecurityInfo
  at idc.provider.jps.JpsUserProvider.loadSecurityInfo(JpsUserProvider.java:601)
  at idc.provider.jps.JpsUserProvider.checkCredentials(JpsUserProvider.java:229)
  at intradoc.server.UserStorageImplementor.checkExternalProvidersForUser(UserStorageImplementor.java:653)
  at intradoc.server.UserStorageImplementor.retrieveUserDatabaseProfileDataImplement(UserStorageImplementor.java:306)
  at intradoc.server.UserStorage.retrieveUserDatabaseProfileDataEx(UserStorage.java:159)
  at intradoc.server.UserStorageUtils.loadUserData(UserStorageUtils.java:88)
  at intradoc.server.ServiceSecurityImplementor.loadUserData(ServiceSecurityImplementor.java:538)
  at intradoc.server.ServiceSecurityImplementor.globalSecurityCheck(ServiceSecurityImplementor.java:221)
  at intradoc.upload.UploadSecurityImplementor.globalSecurityCheck(UploadSecurityImplementor.java:57)
  at intradoc.server.Service.globalSecurityCheck(Service.java:2671)
  at intradoc.server.ServiceRequestImplementor.doRequest(ServiceRequestImplementor.java:678)
  at intradoc.server.Service.doRequest(Service.java:1890)
  at intradoc.server.ServiceManager.processCommand(ServiceManager.java:435)
  at intradoc.server.IdcServerThread.processRequest(IdcServerThread.java:265)
  at intradoc.server.IdcServerThread.run(IdcServerThread.java:160)
  at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:528)
  at weblogic.work.ExecuteThread.execute(ExecuteThread.java:207)
  at weblogic.work.ExecuteThread.run(ExecuteThread.java:176)
  Caused by: intradoc.common.ServiceException: !csUnableToExecMethod,next
  at intradoc.common.ClassHelper.invoke(ClassHelper.java:168)
  at intradoc.common.ClassHelper.invoke(ClassHelper.java:135)
  at idc.provider.jps.JpsUserProvider.loadSecurityInfo(JpsUserProvider.java:502)
  ... 17 more
  Caused by: oracle.security.idm.OperationFailureException: javax.naming.InvalidNameException: Invalid name: ldap:
  at oracle.security.idm.providers.stdldap.util.LDAPRealm.throwException(LDAPRealm.java:758)
  at oracle.security.idm.providers.stdldap.util.LDAPRole.getName(LDAPRole.java:360)
  at oracle.security.idm.providers.stdldap.LDRole.getName(LDRole.java:65)
  at oracle.security.idm.providers.stdldap.LDRole.&#60;init&#62;(LDRole.java:60)
  at oracle.security.idm.providers.stdldap.LDIdentityStore.getNewRoleInstance(LDIdentityStore.java:742)
  at oracle.security.idm.providers.stdldap.LDSearchResponse.next(LDSearchResponse.java:111)
  at sun.reflect.GeneratedMethodAccessor274.invoke(Unknown Source)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)
  at java.lang.reflect.Method.invoke(Method.java:611)
  at intradoc.common.ClassHelper.invokeRawEx(ClassHelper.java:195)
  at intradoc.common.ClassHelper.invokeRaw(ClassHelper.java:175)
  at intradoc.common.ClassHelper.invoke(ClassHelper.java:157)
  ... 19 more
  Caused by: javax.naming.InvalidNameException: Invalid name: ldap:
  at org.apache.harmony.jndi.internal.parser.LdapRdnParser.checkTypeRestrictionsStatic(LdapRdnParser.java:243)
  at org.apache.harmony.jndi.internal.parser.LdapRdnParser.getListForRdn(LdapRdnParser.java:226)
  at javax.naming.ldap.Rdn.&#60;init&#62;(Rdn.java:111)
  at org.apache.harmony.jndi.internal.parser.LdapNameParser.getList(LdapNameParser.java:106)
  at javax.naming.ldap.LdapName.&#60;init&#62;(LdapName.java:57)
  at oracle.security.idm.providers.stdldap.util.LDAPRole.getName(LDAPRole.java:332)
  Please suggest, how to remove this error.
  Regards
  Boopathy P

  It seems that chunking is causing the issue. In the HTTP Transport Configuration Options of your business service, disable the setting "Use Chunked Streaming Mode"
  Regards,
  Anuj

• Audit log select which can be a performance problem (IDM 6.0sp3)

  HI All,
  we have in our production environment IDM 6.0sp3 with a large number of account and about 3500000 record in waveset.log table. Recently we realized through our dba that constantly idm running continue select on a table of logs, causing an excessive use of cpu in oracle and locking then the system. The select is similar to:
  SELECT log.id, name, resourceName, accountName, objectType, objectName, action, actionDateTime, actionStatus, subject, sequence from log WHERE ( name='LOG9093A82F9D7001E5:-7BF61D3C:120D0CEFEDD:-254A' )
  these select continue for days, without the system makes something special. Is a configuration problem or a know defect solved by workaround or by release upgrade?
  My Best regards
  Stefano

  Ciao Daniela, come sta?
  You have a table DAT_MISURA partitioned by TEMPO_ASSOLUTO into 2357 partitions. Then you query based on a different column - N_SEQUENZA_DATO. Unless you specify a specific partition, that means all 2357 partitions must be checked (2357 * index lookup and block read), because Oracle doesn't know the relationship between TEMPO_ASSOLUTO and N_SEQUENZA_DATO (if there is a relationship, that is). And then 2357 result sets have to be merged.
  When you query from a specific partition, the difference between first execution and second may mostly be the parsing/optimization phase. There may also be some dynamic sampling going on (see http://www.oracleadvice.com/10g/10g_optimizer.htm) - that could be slow :-)
  There's a Jonathan Lewis note about local vs global indexes here: http://www.jlcomp.demon.co.uk/faq/slow_local.html
  The second time (16ms) is 4 times faster than the 9i method, it seems. Is that so bad?
  Spero che io abbia aiutato!
  Tanti saluti
  Nigel

• IDM : How to get the Resource name in Exclude Rule during Reconciliation?

  Hi
  Problem Statement => How to get the Resource name in Exclude Rule during Reconciliation.
  Problem Description => Apparently, we use exclude rule for not consider some account during reconciliation.
  I need the resource name in exculde rule during reconciliation. I tried with getResources() method which is an inbuilt method.But it gives all the resources are aviablable in the repository (IDM). I need only the current reconcilied resource name instead of fetching all the resouce.
  Can any one please help how to get the resource name in exclude rule during reconciliation?
  Thanks in advance for you help.
  Thanks,
  Chellappan

  Hi,
  Thanks for your reply.
  I have 50 resouces and these resouces using the same kind of exclude rules. In the exclude rule, i am using resource name to do some work. If i get the resouce name in exclude rule, then i can use the same exculde rule for 50 resources. This will minimise the rule count from 50 to 1. For that, i need resouce name.
  Thanks,
  Chellappan Sampath.

• How to force reconciliation of an LDAP resource to a fixed IdM org

  I have 3 IdM organizations: Top Top:Mailboxes and Top:Engineers.
  When the LDAP resource was created it is available to Top and Top:Engineers.
  Top:Mailboxes is a list of all the mailboxes in use at the company, Top:Engineers is just the IT dept.
  When I run a full reconciliation of the LDAP resource as Configurator, I get a huge number of disputes.. It seems that IdM is matching and linking all resource accounts against ALL Idm users, even those in IdM organizations that are not supposed to have access to the resource.
  Ok, if that is how recon works, thats it.. but is there a way I can force the reconciliation of a resource with specific IdM organizations?

  Can you show detail in xml of 'RuleLibrary:GetUserOrganization'
  like this...
  <invoke name='getOrganizationsDisplayNames' class='com.waveset.ui.FormUtil'>
  <ref>:display.session</ref>
  </invoke>
  Its still error...
  Failed to create a new user based on resource account uid=jsmith,ou=People,ou=Engineering,dc=abb,dc=com@LDAP: java.lang.ClassCastException at com.waveset.view.UserViewConverter.refreshAssignmentView(UserViewConverter.java:1035) at com.waveset.view.UserViewConverter.refresh(UserViewConverter.java:2873) at com.waveset.view.UserViewer.cycleView(UserViewer.java:2497) at com.waveset.recon.Response.processUserForm(Response.java:1050) at com.waveset.recon.Response.createNewUserFromAccount(Response.java:895) at com.waveset.recon.Response.performResponse(Response.java:128) at com.waveset.recon.ReconTask$WorkerThread.performResponse(ReconTask.java:2027) at com.waveset.recon.ReconTask$WorkerThread.respondOrRequeue(ReconTask.java:2180) at com.waveset.recon.ReconTask$WorkerThread.applyOrDeferResponse(ReconTask.java:1670) at com.waveset.recon.ReconTask$WorkerThread.reconcileAccount(ReconTask.java:1900) at com.waveset.recon.ReconTask$WorkerThread.run(ReconTask.java:2948) .