Integrating OIM 9.1.0.2 - Active Directory NT 4.0

Similar Messages

• Best way to integrating mac os x client with Active Directory

  Hi hello
  What is the best way to integrating mac os x client with Active Directory ? i have one Lion Server
  For the Mac client i want Mac use Active Directory for authentification and Lion Server for manage preference.
  Tell me in lion server the magic triangle is it good for what i want do ?? 

  If you have a need now and that need will remain serviceable long enough to justifying the investment, then go with Lion Server and do the Magic Triangle.  This is nothing more than Binding OS X Server to your AD domain and kerberizing services.  Then bind your workstations to AD first, then OD.  Make sure you download Server Admin Tools for Lion.  This gives access to Workgroup Manager.  That is were you will manage your OS X Settings.
  If you are managing more than 50 Macs that need a lot of continued management, then look at JAMF. 

• OIM 11.1.1.3 - Active Directory ADGroup question

  All,
  I have used MSFT_AD_Base_9.1.1.7.0 to install active directory connector and synchronized (provision and reconciliation) oim users with the AD. I can't seem to find documentation on how to sync oim roles with with AD groups. Can you provide me some pointers for this. the deployment documetnation (MS_ActiveDirectory_Guide.pdf) indicates that i cannot run ADGroupRecon if i am on 11.1.1... version (bug Bug 9799541).
  It also appears that a resource cannot be assigned at the role level in oim 11.1.1. is there something missing from our environment, i was able to add AD User reosource to user profiles.
  Basically i cannot provision or recon group at this time.
  any help with this is much appreciated. Please let me know if you need additional information.
  Best Regards,
  Prasad.
  Edited by: Prasad on Aug 5, 2011 6:12 AM

  I don't believe there has ever been code to create OIM Groups based on AD Groups and then add the OIM Users to those groups accordingly. You would need to create a custom scheduled task that creates for a group for every entry in the lookup for the AD Groups. Then you would also need to read every user's child table entry for their AD Groups and adds the user to each one of those groups. You could also have code the runs on every Add User to Group event, that adds the user to the OIM group as well as in AD. And you can do the same for removal.
  There are lots of options, but this is not part of the OOTB Connector. This would be your own customization.
  -Kevin

• Integration Of Cisco ACS and MS Active Directory !!!

  Hi all,
  We have and Cisco ACS v4.2 on a Cisco Appliance, and we need to integrate it with Active Directory. Can you help me??
  Thanks for your help
  Regards!!!
  Rafael Turriago

  Hi,
  If you have ACS SE and you want to integrate with MS AD, then you need to install Cisco ACS Remote Agent on a PC that belongs to the domain.
  The ACS SE does not "speak" directly to the DCs, but rather to the ACS Remote Agent.
  The Remote Agent is the application responsible to exchange data with the DCs.
  You can find detailed information in the config guide:
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/UsrDb.html#wp353636.
  HTH,
  Tiago
  If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

• OIM 9.1.0 Integration with Active Directory 2008 R2

  Hi,
  My customer is running Root/Child AD structure based on windows 2003 w/SP2, OIM 9.1.0 deployed under one of the child domains, and integrated with child domains controllers which runs windows server 2003 as well.
  My customer has decided to upgrade his AD to Windows Server 2008 R2 domain controllers across the entire AD Forest and still wants to integrate the current OIM v9.1.0 with AD for all of his Users provisioning and password synchronizations.
  Am not sure if current OIM version of OIM 9.1.0 is compatible and supported by OIM v9.1.0 under active directory version 2008 / R2, and not sure if it can be integrated with such AD version.
  Any guidance is really appreciated.
  Also I was thinking of such scenario but also not sure of its support ability and if OIM will keep working on such scenario, the scenario is to upgrade only the AD root domain to Windows 2008 R2 while keeping the child domain holding the OIM 9.1.0 at Windows 2003 version.
  Is this a working and supported scenario by OIM v9.1.0 ?

  I believe you question should be if the connector supports this architecture. Check out the versions supported for the connector you are using and you should be good.
  -Bikash

• OIM Integration with Active Directory Federation Services (ADFS)

  Hello friends
  I have a question about the integration of Oracle Identity Manager with Active Directory which is federated with another external directory for ADFS. My question is:
  What considerations should be to contemplate if I have an active directory federated environment when carrying out the integration with Identity Manager?
  I use version 9.1.0.2 of Oracle Identity Manager with Microsoft Active Directory Connector User Management 9.1.1.7
  Thanks for the support.

  First consideration is that the OIM's target ADFS - in the federated scenario, will that participate as a Service provider or identity provider. I would think identity provider.
  Next consideration: What all attributes are required to be played in the SAML assertion to the other end-point? All these attributes must be present and should be provisioned to the AD in this case.
  So, OIM should be set up (UDF etc) to provision all those attributes needed in the SAML.
  Next consideration: What all scenario to support? IdP initiated or SP initiated? If SP initiated, then process will hv to be defined if a user id does not exist in the AD of the OIM target. Will the request be failed or a in-time provisioning should happen.
  Hope this helps.

• Error running Organization Lookup Recon in OIM 11g R2 with Active Directory

  Hi all,
  I have an implementation of OIM 11g R2, with an Active Directory 11.1.1.5.0 connecting to an instance of Active Directory on Windows Server 2008. I am trying to run the "Active Directory Organization Lookup Reconciliation" scheduled task, but the job fails with this error:
  oracle.iam.connectors.icfcommon.exceptions.IntegrationException: Connector ConnectorKey( bundleName=ActiveDirectory.Connector bundleVersion=1.1.0.6380 connectorName=Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector ) not found
  This is the full stack trace from the oim_domain.log file:
  oracle.iam.connectors.icfcommon.exceptions.IntegrationException: Connector ConnectorKey( bundleName=ActiveDirectory.Connector bundleVersion=1.1.0.6380 connectorName=Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector ) not found
  at oracle.iam.connectors.icfcommon.ConnectorFactory.createConnectorFacade(ConnectorFactory.java:176)
  at oracle.iam.connectors.icfcommon.recon.AbstractReconTask.init(AbstractReconTask.java:115)
  at com.thortech.xl.scheduler.tasks.SchedulerBaseTask.execute(SchedulerBaseTask.java:382)
  at oracle.iam.scheduler.vo.TaskSupport$1.processWithoutResult(TaskSupport.java:135)
  at oracle.iam.platform.tx.OIMTransactionCallbackWithoutResult.process(OIMTransactionCallbackWithoutResult.java:9)
  at oracle.iam.platform.tx.OIMTransactionCallback.doInTransaction(OIMTransactionCallback.java:13)
  at oracle.iam.platform.tx.OIMTransactionCallback.doInTransaction(OIMTransactionCallback.java:6)
  at org.springframework.transaction.support.TransactionTemplate.execute(TransactionTemplate.java:128)
  at oracle.iam.platform.tx.OIMTransactionManager.execute(OIMTransactionManager.java:22)
  at oracle.iam.scheduler.vo.TaskSupport.executeJob(TaskSupport.java:116)
  at sun.reflect.GeneratedMethodAccessor739.invoke(Unknown Source)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at java.lang.reflect.Method.invoke(Method.java:597)
  at oracle.iam.scheduler.impl.quartz.QuartzJob$TaskExecutionAction.run(QuartzJob.java:266)
  at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
  at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
  at weblogic.security.Security.runAs(Security.java:41)
  at Thor.API.Security.LoginHandler.weblogicLoginSession.runAs(weblogicLoginSession.java:52)
  at oracle.iam.scheduler.impl.quartz.QuartzJob.execute(QuartzJob.java:75)
  at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
  at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:529)
  The Connector Server is installed on the AD instance, and the key has been set, and used appropriately in the Active Directory Connector Server IT Resource in OIM.
  Any advice on how to resolve this error or on any possible causes would be much appreciated, thank you.

  From the installation media, copy and extract contents of the bundle/ActiveDirectory.Connector-1.1.0.6380.zip file to the CONNECTOR_SERVER_HOME directory
  Refer http://docs.oracle.com/cd/E22999_01/doc.111/e20347/deploy.htm#CHDDJGIG

• OIM 11gR2 user not provisioning to Active Directory (11.1.1.5 connector)

  Hello all,
  I'm trying to set up an OIM 11gR2 instance to work with Active Directory with the Active Directory 11.1.1.5.0 connector. I've full installed both OIM and AD on separate servers, and I've installed the AD 11.1.1.5 connector on OIM. I have configured Active Directory properly (connector on OIM and the connector server on the AD server-side), and have set up the two IT Resources on OIM. I can run, for example, the Active Directory Organization Lookup Recon job and have it return results in the Lookup window.
  My problem is that I cannot get it to provision to a user. I've created an Application Instance and Form for Active Directory, attached the Form, associated them with the appropriate resources (AD User), and added them to the Catalog, and then gone through the process of adding an account to the user, selecting the Application Instance, adding it to the cart, checking out, filling out the fields (Password, User ID, UPN, First Name, Last Name, Common Name, and Organization Name), and then submitting the request. This is all done as the xelsysadm admin user, but it still results with the account stuck on "Provisioning" because the "Create User" task failed due to a Connector Error (the reason stated is just a repeat of "Create Object" failed).
  Anyone know what I'm missing here?
  Thank you!
  Edited by: 939908 on Nov 12, 2012 6:36 AM

  Hey 833249, thanks for your reply
  The organization field attribute is filled in correctly, in that the OU I selected exists in AD.
  These are the errors listed in the connector server log:
  +11/9/2012 9:07:07 PM <ERROR>: Class-> ActiveDirectoryUtils Method -> GetDirectoryEntry, Message -> Exception occured during the creation of directory entry.+
  +11/9/2012 9:07:07 PM <ERROR>: Class-> ActiveDirectoryUtils Method -> GetDirectoryEntry, Message -> Exception Message : Logon failure: unknown user name or bad password.+
  +11/9/2012 9:07:08 PM <ERROR>: Class-> ActiveDirectoryUtils Method -> GetDirectoryEntry, Message -> Exception Stack Trace : at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)+
  at System.DirectoryServices.DirectoryEntry.Bind()
  at System.DirectoryServices.DirectoryEntry.get_NativeObject()
  at Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryUtils.GetDirectoryEntry(String path, ActiveDirectoryConfiguration configuration) in c:\ADE\aime_oimcp\idc\bundles\dotnet\ActiveDirectory\ActiveDirectoryConnector\ActiveDirectoryUtils.cs:line 1423
  +11/9/2012 9:07:08 PM <ERROR>: Class-> ActiveDirectoryConnector Method -> Create, Message -> Encountered Excetion: Unable to get the Directory Entry+
  +11/9/2012 9:07:08 PM <ERROR>: Class-> ActiveDirectoryConnector Method -> Create, Message -> Stack Trace: at Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryUtils.GetDirectoryEntry(String path, ActiveDirectoryConfiguration configuration) in c:\ADE\aime_oimcp\idc\bundles\dotnet\ActiveDirectory\ActiveDirectoryConnector\ActiveDirectoryUtils.cs:line 1456+
  at Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryUtils.DirectoryEntryExists(String path) in c:\ADE\aime_oimcp\idc\bundles\dotnet\ActiveDirectory\ActiveDirectoryConnector\ActiveDirectoryUtils.cs:line 1512
  at Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector.Create(ObjectClass oclass, ICollection`1 attributes, OperationOptions options) in c:\ADE\aime_oimcp\idc\bundles\dotnet\ActiveDirectory\ActiveDirectoryConnector\ActiveDirectoryConnector.cs:line 219
  ConnectorServer.exe Error: 0 : Org.IdentityConnectors.Framework.Common.Exceptions.ConnectorException: Unable to get the Directory Entry
  at Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector.Create(ObjectClass oclass, ICollection`1 attributes, OperationOptions options) in c:\ADE\aime_oimcp\idc\bundles\dotnet\ActiveDirectory\ActiveDirectoryConnector\ActiveDirectoryConnector.cs:line 368
  at Org.IdentityConnectors.Framework.Impl.Api.Local.Operations.CreateImpl.Create(ObjectClass oclass, ICollection`1 attributes, OperationOptions options) in c:\ADE\aime_icf\icf\framework\dotnet\FrameworkInternal\ApiLocalOperations.cs:line 388
  at Org.IdentityConnectors.Framework.Impl.Api.Local.Operations.ConnectorAPIOperationRunnerProxy.Invoke(Object proxy, MethodInfo method, Object[] args) in c:\ADE\aime_icf\icf\framework\dotnet\FrameworkInternal\ApiLocalOperations.cs:line 244
  at ___proxy1.Create(ObjectClass , ICollection`1 , OperationOptions )
  at Org.IdentityConnectors.Framework.Impl.Server.ConnectionProcessor.ProcessOperationRequest(OperationRequest request) in c:\ADE\aime_icf\icf\framework\dotnet\FrameworkInternal\Server.cs:line 609
  I'm not sure why the username/password error could be occurring, as those fields in the AD IT Resource are correct (I've run AD recon jobs that have connected properly). Is there something I'm missing?

• ### How to make integration between UCCX and Active Directory##

  Hello,
  I want to know what is the right procedure to perform a right integration between the UCCX and the Active Directory?
  Waiting Yours Reply,,,,
  Thanks a lot......

  What version?
  Assuming a current version (5.0 and higher): there is NO direct integration between CCX and Active Directory. The CCX server must not be joined to a domain.
  CCX uses UC Manager End Users for synchronized usernames and passwords. If UC Manager is synchronized with an LDAP source, such as Active Directory, then this will carry forward to CCX. CCX would pass authentication requests to CCX through AXL. UCM would perform the LDAP authentication and inform CCX of the success/failure.

• Active Directory Connector Questions in 11.1.2.1

  Hello All.  I am new to this version of IDM and I am trying to get through the setup and config.  I just installed a single instance of 11.1.2.1 with OUD, OAM, OIM.  I installed the Active Directory connector for User Management and I believe I have it configured. 
  I followed the post at Weblogic Corner: Oracle Identity Manager: The Active Directory Connector Tutorial and got a lot of questions answered with that.  First, note that I was able to follow the guide and run the lookup recon jobs as well as the user and group recon in trusted mode, then target mode to create all of the users and groups.  I am also able to create a user in OIM, add an account and have that provisioned to AD. 
  Here are my questions if you would be so kind:
  1) When I create a user in AD and I run the user recon(target), the event says "No User Match Found".  I was kind of expecting it to create a new user for me.  I was also expecting to schedule the recon job in target mode and not have to ever switch back to trusted mode after the first full sync.  What did I miss here?
  2) When I add an account to the user in OIM, the AD User form comes up with all the fields empty.  Is that the way it should work?  I was hoping that it would prepopulate some of the stuff from the OIM profile.
  3) When I modify a field in OIM, say middle name, will that sync in the next recon run, or will the admin need to open the account, update the AD form also and submit the middle name in two places?
  Thanks in advance!

  1. Identity gets created in Oracle Identity Manager from an authoritative source. in case of target recon, it will just sync with the matched account in oim.
  please have a look in the below link seccion 12.1.12
  Managing Reconciliation - 11g Release 2 (11.1.2)
  2.u can very well prepopulate filed in the process definition, even u can automate the provisioning process using  role based when provissioning process.
  3.there should be some tasks available for each field. no need run the recon task or modify the account in AD. it will be updated in AD using the tasks. check the connector process definition.

• Different privelege level for Active directory users

  Hi,
  We have integrated Acs 4.1se with windows active directory.now we need to give certain users full privige to some client devices and only show level privilege to some devices.what is the neccessary steps required in ACS and ACS clients.Also how much time the dynamic users will remain in ACSthanks in advance

  Hi,
  If you are using command authorization then privilage doesn't matter.
  Best way to set it up is to give all user priv lvl 15 and then define what all commands user can execute.
  Note : Having priv 15 does not mean that user will able to issue all commands.
  We will set up command authorization on acs to have control on users.
  This is how your config should look,
  aaa authentication login default group tacacs+ local
  aaa authorization exec default group tacacs+ if-authenticated
  aaa authorization commands 1 default group tacacs+ if-authenticated
  aaa authorization commands 15 default group tacacs+ if-authenticated
  aaa authorization config-commands
  aaa accounting commands 1 default start-stop group tacacs+
  aaa accounting commands 15 default start-stop group tacacs+
  Check out this link
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
  Regards,
  ~JG

• Recon and provisioning of user-defined object class ICF Active Directory

  I have followed the documentation instructions for reconciliation of a user-defined object class in the ICF Active Directory connector. I am using OIM 11gR2 with the ICF Active Directory 11.1.1.5 connector patched to 11.1.1.5.0A. The procedure states to create the new object class in AD and then change the objectClass value in the Lookup.Configuration.ActiveDirectory lookup. In my case I am using the existing ObjectClass of contact, rather than a new object class. Just for completeness I am using a clone of the AD User Resource Object which I call AD User Contact and so my lookup name is Lookup.Configuration.ActiveDirCon.
  When I changed the ObjectClass from User to Contact, and ran the Active DirCon User Target Recon scheduled job, with Object Type also = contact. The first issue I noticed was that the connector wanted a different set of lookups, which is not in the documentation. It is looking for a lookup in my Configuration lookup where code key=contact Configuration Lookup (which I should have expected since there are code keys for User, Group, and organizationalUnit). I added a line to the lookup where code key=contact Configuration Lookup and the Decode=Lookup.ActiveDirCon.CM.Configuration and then I created a new lookup by that name, assigning the 5 values to be the Lookup.ActiveDirCon.UM.xxx lookups. I did not see any need to create a new set of Lookup.ActiveDirCon.CM.xxx lookups with the exact same values.
  I re-ran the scheduled job and it ran successfully, but did not generate any Recon Events, even though I had objects in the OU and I have that same OU in the Lookup.ActiveDirCon.OrganizationalUnits lookup (from the Org Lookup Recon). Everything looks good but getting no results. Looked at the log file from the ConnectorServer and it is building the query properly and executing it properly with the correct syntax, getting no errors, but the SearchAndReturnObjects method is returning zero results.
  Looking to see if anyone has successfully reconciled in user-defined or other non-User objectClass objects from Active Directory, and if so, can you provide Lookup configuration and Connector Server information so I can troubleshoot.
  I resolved this issue by changing the recon lookups to a blank lookup called Lookup.ActiveDirCon.CM.ReconAttrMap and only added in the parameters that are used by a Contact object. Only populate the ReconAttrMap with parameters that exist for the custom object.
  Edited by: Keith Smith AptecLLC on Mar 27, 2013 6:31 AM

  Oracle Support answered this question via SR

• Problems with OSX ja Active Directory (urgent!)

  Hello, I'm newbie Mac user and I have a problem with integrating OSX to our company MS Active Directory. This MacBook Pro is a only Apple here, so this is quite difficult...
  So far I have made following things:
  - I made "Bind" succesfull (it pings from others computers and I can see it from AD tools)
  - to AD account I changed my profile to include home folder (\\Adserver\user.account$). When I log on to AD via PC, home folders etc. are done with Logon script (Logon.bat) and I can see those shared folder fine.
  - then I rebooted my Mac and on logon screen there is option Other --> there I input my AD username and password. After that OSX log in normally.
  - But on Dock there is no Home folder, there is only a big question mark (?) and it says "User X X network home folder" (or something like that). And there is nothing behind this ?-mark
  - I have checked from Gerberos that I have a valid ticket to AD-server
  I have also tried to map network folder (apple + K), but there will error message that "Server couldn't reach, because user name or password is wrong"
  I have spend a couple of days to solve this problem, but nothing seems to solve it. Could someone please help me? I really need those shared folders (yes, there are at leat two I need from AD), because on those folder are documents that I need daily at my work.
  thanks,
  -zooropa
  MacBook Pro   Mac OS X (10.4.5)  

  My admin username of Mac is "firstnamesurname" and AD account is "firtsname.surname". So the "dot" is only difference. Is that enough?
  I made binding with Mac admin account and after that I used "other" on login screen of OSX. As I wrote, I can login fine with AD username and password, but the problem is that I can't map home folders from Windows Server 2003.

• OIM Active Directory 2008 integration

  Hi All,
  Has anyone integrated (or being in the process of integrating just now) OIM 9.1 with Active Directory on a Windows 2008 Server using the AD 9.1 connector or a custom connector? Any problems or other experiences with such integration?
  The 9.1.1 connector will be cerfified for AD on Windows 2008 but the current connector 9.1 (or 9.1.0.1) is only cerfified for AD on Windows 2003 or 2000.
  Thanks,
  Albin

  I believe you question should be if the connector supports this architecture. Check out the versions supported for the connector you are using and you should be good.
  -Bikash

• OIM 11gR2 Active Directory integration issue

  Hi,
  I am trying to install AD connector on OIM 11gR2 and have successfully performed all the necessary and relevant steps according to the deployment guide.
  When i am trying to test the connector though, by running the "Active Directory Organization Lookup Recon" scheduled job i am getting the following error:
  Exception Message oracle.iam.connectors.icfcommon.exceptions.Integration
  Exception: The value for a key [Host] is not defined in the provided map.
  Kindly help me out with this
  Best Regards,
  Varun

  Hi,
  i hope you are using the AD New connector(i.e. ICF based ) and your connector server key is not set properly. Most of the cases this is arises because of connector parameters. So verify the connector parameters and also have you put the AD connector jars on connector server side.
  _Saurabh