LDAP Sync Question

I have configured OUD as LDAP Sync with OIM 11gR2. I am able to push users from OIM to OUD. But we have some users that existed in OUD before LDAP Sync was configured. As LDAP Sync is bidirectional, we need to pull all those users from OUD to OIM.
But I don't see any scheduler tasks which can pull data from OUD to OIM. I would like to know if there is any scheduler task available to pull users from OUD to OIM.
Can anyone throw some pointers?

See Step 6 here: http://docs.oracle.com/cd/E27559_01/integration.1112/e27123/oid_oim.htm#CHDGEGHJ
For reconciliation jobs, seed the LDAP Reconciliation jobs or Load LDAP Recon jobs into Quartz tables, which are part of Oracle Identity Manager schema. To do so:
Seed the LDAP Recon jobs by using the patch_weblogic.sh MDS utility available in OIM_HOME/bin/.
Note:
In a text editor, open the $OIM_ORACLE_HOME/server/bin/weblogic.profile file, and enter values for the properties before executing the patch_weblogic.sh script.
Set ANT_HOME and JAVA_HOME accordingly.
Create a backup of a $OIM_ORACLE_HOME/server/setup/deploy-files/setup.xml.
In a text editor, open the $OIM_ORACLE_HOME/server/setup/deploy-files/setup.xml file.
If the target for seeding Recon jobs is commented by default, then uncomment the following and have only that target in that file to seed the reconciliation jobs:
<target name="patch" description="This contains the list of targets to be invoked post-patching">
<antcall target="explode-archived-apps"/>
<antcall target="seed-ootb-jobs"/>
<!--antcall target="seed-ldap-recon-jobs"/--> == Uncomment this line.
<antcall target="update-oes-ootb-policies"/>
<antcall target="seed-ootb-templates"/>
<antcall target="unzip-db-deliverables-archive"/>
<!--ant antfile="${appserver.type}/setup.xml" target="patch" inheritrefs="true" /-->
</target>
The required target to seed the Recon jobs is seed-ldap-recon-jobs.
Run the patch_weblogic.sh script.
-Kevin

Similar Messages

  • Multiple iFolder servers - LDAP sync question

    I'm in the process of expanding out my iFolder system to cover the entire enterprise. As this is about 9,000 users in all I have a question regarding how best to handle the LDAP sync. Since it seems to be configurable per server and not per installation, is it best to have the master server synchronize everything (which seems to kind of hurt it during the scheduled sync) or is it possible (or advisable) to have multiple servers each responsible for synchronizing a chunk of the eDirectory containers? The documentation is a bit sketchy on this aspect.

    It would be a good idea to have the master sync all contexts from your LDAP; you could even remove these contexts from the slave server configuration.
    Default sync time is 24 hours, based on the frequency of user addition to your LDAP you could change this.

  • LDAP design question for multiple sites

    LDAP design question for multiple sites
    I'm planning to implement the Sun Java System Directory Server 5.2 2005Q1 for replacing the NIS.
    Currently we have 3 sites with different NIS domains.
    Since the NFS over the WAN connection is very unreliable, I would like to implement as follows:
    1. 3 LDAP servers + replica for each sites.
    2. Single username and password for every end user cross those 3 sites.
    3. Different auto_master, auto_home and auto_local maps for the three sites. So when a user logs in at a different site, the password is the same but the home directory is different (local).
    So the questions are
    1. Should I need to have 3 domains for LDAP?
    2. If yes for question 1, then how can I keep the username password sync for three domains? If no for question 1, then what is the DIT (Directory Infrastructure Tree) or directory structure I should use?
    3. How to make auto map work on LDAP as well as mount local home directory?
    I would really appreciate it if some LDAP experts could enlighten me on this project.

    Thanks for your information.
    My current environment has 3 sites with 3 different NIS domain names: SiteA: A.com, SiteB: B.A.com, SiteC: C.A.com (A.com is our company domain name).
    So every time I add a new user account I need to create it on the three NIS domains separately. Also, the passwords get out of sync if a user changes the password on one site.
    I would like to migrate NIS to LDAP.
    I want to have single username and password for each user on 3 sites. However, the home directory is on local NFS filer.
    Say for userA, his home directory is /user/userA in passwd file/map. On location X, his home directory will mount FilerX:/vol/user/userA,
    On location Y, userA's home directory will mount FilerY:/vol/user/userA.
    So the mount drive is determined by auto_user map in NIS.
    In other words, there will be 3 different auto_user maps in 3 different LDAP servers.
    So userA login hostX in location X will mount home directory on local FilerX, and login hostY in location Y will mount home directory on local FilerY.
    But the username and password will be the same on three sites.
    That's my goal.
    Some LDAP experts suggested MMR (Multi-Master Replication) to me. But I'm still not quite sure how to do MMR.
    It would be appreciated if some LDAP guru can give me some guideline at start point.
    Best wishes

  • How setup LDAP Sync After Install in OIM 11g  ver, 11.1.1.5.0

    Hi guys, I'm trying to find how to setup LDAP Sync After Install in OIM 11g (ver, 11.1.1.5)....
    I found on Metalink an interesting article "*How to Setup LDAP Sync After Install in OIM 11g [ID 1272682.1]*", but inside there is a Note that says:
    Note: This article is applicable to OIM version 11.1.1.3 only. Steps for 11.1.1.5 are not the same, and product manual has documented steps to setup LDAP sync after install.
    So, that the steps for 11.1.1.5 are not the same, it's clear.....
    and I tried to look for these steps in the manual:
    Oracle® Fusion Middleware Quick Installation Guide for Oracle Identity Management
    11g Release 1 (11.1.1)
    Part Number E10033-06
    but I still didn't find anything for the specific 11.1.1.5.0 version....only for the 11.1.1.3.0 version
    Can anyone help me to find where these steps are? I need this information as soon as possible to start the development
    Thanks in advance for the help
    Alex

    If you are creating Before and After Create Operation scripts, you would be able to access all the variables in the process form. Now the obvious question: what are the names of these variables? The answer is: the name of the variable is the same as that mentioned in the "decode" column of the provisioning attribute map lookup, or in other words, the variable name is the same as the AD attribute name. In the example mentioned in the documentation, the variable "%givenName%" was used in the script. On similar lines you can use other variables like "sn", "samAccountName", etc.
    Hope the information helps.

  • LDAP Sync causes fields in DEV_OIM.SVP to be plain text

    In OAM 11g , there is the OIM console. In there you can create users, organizations, roles, etc... When a user is created in the OIM console in 11g, that user is visible in the OID directory via ODSM.
    If I create a user in OID via ODSM, the reverse in not true. That user is not visible within the OIM console whereas in OAM 10.1.4.3 a user created in OID was visible in the Identity Server.
    I realize there is no "Identity Server" in 11g, but there is OIM which seems to serve a similar purpose (i.e. creation/modification of users, etc).
    We have been told to use LDAP Sync. The problem with LDAP Sync is that when we have executed LDAP Sync steps and have tried to follow the steps outlined in Note: 1272682.1, the fields entered are no longer encrypted -- includes password, url, etc. This then causes an issue with modifying IT resources and the ability to create users in OIM.
    My question is simply if we change or add a user in our OID directory (or AD or other ldap directory), how do we make it visible in OIM? Has anyone had the issue with LDAP Sync not encrypting the values entered? If so, how did you get past this? I believe the steps in Note: 1272682.1 are probably correct but if the values entered during LDAP Sync are not encrypted, then the synchronization will not complete properly and subsequently any users created in OID will not appear in OIM.
    installed components:
    OS: RHEL 5.5 with 64bit Intel
    DBS: 11gR2 (11.2.0.1)
    RCU: 11.1.1.3.3
    IDM: 11.1.1.3
    SOA: 11.1.1.3
    WLS: 10.3.3
    IDAM: 11.1.1.3

    This has been answered in:
    Re: System error occured when trying to edit IT Resource in OIM 11g Console

  • OIM LDAP sync default attributes

    Hi,
    i am using LDAP sync to provision user/roles to LDAP (OID).
    I have found that organizations cannot be synced to LDAP using LDAP sync.
    Is there a list of all attributes which will sync between OIM and LDAP (OID)?
    Thanks in advance!

    This bit of XML just tells reconciliation to copy the "o" attribute in LDAP to a user database field usr_ldap_organization. It does not reconcile organizations as such. I hope the below is an accurate summary of handling of LDAP organizations by LDAP sync which will help.
    1) LDAP Synch does not reconcile organization objects into OIM
    2) LDAP Synch does provision organization objects to LDAP (although as pointed out perhaps you can customize something outside LDAP sync using an event handler)
    3) Users reconciled from LDAP to OIM are by default placed in one OIM organization based on the LDAP Sync scheduled job settings, irrespective of their organization in LDAP (although their LDAP organization can be reconciled to an OIM user attribute, perhaps allowing you to do some more work in an event handler)?
    4) Users provisioned from OIM to LDAP use LDAP Container mapping to choose the organisation they are written to in LDAP. This is by default a simple set of attribute based rules, however custom code can be written in a plugin. Note that I found a bug that unfortunately the information that holds an OIM user's OIM organization (ACT_KEY) is not made available to this plugin on create.
    As to your further question, you can add other mappings as you require in the MDS files (LDAPUser.xml etc.) to map other attributes, either using supplied utilities to simply add UDFs (as mentioned in a previous post) or for less simple changes by modifying the XML by hand.

  • OIM 11g LDAP Sync Features

    Folks,
    I've been researching the LDAP sync option in OIM 11g and I have some questions.
    1. Is it true that once enabled, the user does not exist in OIM DB but only in LDAP?
    2. Can we define rules such that only a certain set of users are in LDAP and some are only in OIM?
    3. Can we define rules for Roles that only certain roles in OIM exist in LDAP but not all? I'd like to keep the business roles only in OIM.
    4. I currently have 3 connectors for AD, eDir and OID with OIM 10g and I am researching the option to remove these connectors and use the LDAP sync with OVD. Can this be achieved? What would be the challenges if I were to replace the connectors with LDAP sync?
    Regards,
    AZ

    Well for the connectors in 10g I plan to export them and then import in 11g. The versions are certified.
    For LDAP sync with multiple directories, I've heard of using OVD. So the Directory Server IT Resource would point to OVD and multiple containers in OVD would be mapped to each of the individual directories. OVD adapters would define connection to these directories.
    I have to see if this is feasible keeping in mind the workflows that have been customized in 10g, I don't think every workflow customization can be done in LDAP sync as well. Plus we would lose track of which attributes are provisioned to which LDAP. This is a user-ldap entry mapping, there would be no accounts in resource profile.

  • OIM - OID (11g) auto-provision thru ldap sync

    Hi,
    I have configured ldap sync. I have following questions
    1. We have created custom attributes in OID and referred to a custom object class. Now when I try to create a user in OIM, the user is auto-provisioned to OID. But the custom attributes in OIM are not getting provisioned to OID (unable to see the custom attributes in the user object of OID, unless we refer manually to the custom object class). Can anyone let me know how to auto-provision the custom attributes into OID?
    2. When a user is auto-provisioned to OID, it is not showing any resource profile details of OID in OIM? Is it the expected behavior? But create, update, delete are happening as expected.
    Please let me know if any one know the solution.

    Hi,
    Were you able to achieve this? I have a similar requirement where I have added 5 custom attributes in both OIM and OID; when I create the users these attributes do not get updated on OID. Should I add these UDFs in any objectclass which OIM understands? Please suggest.
    Thanks in advance

  • Is it possible to have multiple LDAP Sync from OIM 11g?

    I have a requirement to set up LDAP sync to a legacy iPlanet 5.2 LDAP server and that looks pretty straightforward. Now I'm planning to integrate OAM with OIM. Our OAM is configured against OVD/AD (multiple domains), so that needs an LDAP sync to be configured against OVD/AD. I would like to know if multiple LDAP syncs are possible and a supported config? Experts please help.
    Thanks,
    Sunil.

    Thanks for the reply.
    The below link lists the LDAP's supported:
    http://docs.oracle.com/cd/E21764_01/install.1111/e12002/oidonly.htm#autoId23
    My question specifically is, can I configure multiple LDAP syncs? I already have LDAP sync configured for iPlanet/ODSEE and now I want to set up LDAP sync to AD to support OIM-OAM integration. Any thoughts?

  • [CUC] Convert Subscriber from AXL CCM User to LDAP Sync User

    I want to know if it's supported, and if so, how, to convert from AXL to LDAP when talking about subscribers in Unity Connection.
    I have found this post, which asks the question, but does not actually "convert", as it requires deleting and re-creating.
    https://supportforums.cisco.com/message/4044114#4044114
    I want to know about a true conversion.  As you do when you go from a local CUC subscriber to an LDAP Synced subscriber.
    I have tried using the stored procedure csp_subscribermodify, supplying the following params: pobjectid = the object id, palias = my AD user ID, pldapccmuserid = my AD user ID, pldaptype = 3, pccmid = null, and pccmidtype = 0.
    While the stored procedure looks like it worked, the web page for the subscriber looks a bit odd. The alias changed, and the LDAP sync status changes, but the normally greyed out fields, like alias, are still editable. Also, none of the other LDAP attributes sync. So, I'm convinced it didn't actually work.
    What am I missing to make this work?  Thanks.
    PS Jeff, if you see this, I enjoy your training videos.  "Easy Peasy!"
    Anthony Holloway

    Hi Anthony-
    Check out my answer to this thread:
    https://supportforums.cisco.com/message/3963782#3963782
    Please remember to rate helpful responses and identify helpful or correct answers.

  • CUCM 8.6.2 LDAP User Delete Pending LDAP Sync Status Inactive

    BE6K ver 8.6.2
    Client has a user who recently got married. They changed her account information in Active Directory to reflect her new last name. At that point CUCM shows her as
    Delete Pending
    LDAP Sync Status Inactive
    CUC shows
    LDAP User has been deleted.
    The user still exists in both CUC and CUCM and is actively taking and receiving calls. User has VM access.
    Short of deleting the user in AD and recreating her, is there a way to force this to re-sync?
    Thanks
    Matt

    Then that's expected to happen, for all purposes to CUCM/CUC eyes, msmith no longer exists and will be deleted, and a new user mjones now will be imported.
    Depending on when the change was done and when CUCM detected this, it might take up to 48 hours maximum to delete the user
    You'll need to associate everything to the new user, and also add that new user into CUC.
    Or switch back her userID to the old one, and just change the surname for directory purposes.
    HTH
    java
    if this helps, please rate
    www.cisco.com/go/pdihelpdesk

  • Error while importing : /metadata/iam-features-ldap-sync/LDAPUser.xml

    Hi,
    I am unable to import modified Oracle Identity Manager metadata. I am using OIM 11.1.1.5 on Windows Server 2007 EE.
    I am trying to use the import/export functionality via EM.
    I am able to export the LDAPUser.xml file from /metadata/iam-features-ldap-sync/LDAPUser.xml, have made changes to it, but when I am importing it back I am getting the error:
    Error occurred while executing operation.
    MDS-00001: exception in Metadata Services layer
    MDS-01059: document with the name /metadata/iam-features-ldap-sync/LDAPUser.xml missing in the source metadata store
    The values of the parameters in the import MDS operations are :
    fromLocation : E:/MDS/import/ (on the physical server hosting the OIM)
    docs : /metadata/iam-features-ldap-sync/LDAPUser.xml
    restrictCustTo :
    excludeAllCust : false
    excludeBaseDocs : false
    excludeExtendedMetadata : false
    cancelOnException : true
    I have tried using the command line script as well, It runs without a hitch but when I try and import back, it gives me the same old unedited document.
    Has anyone been successful with this approach ?
    Regards,

    Yes, I have. But still the same issue. It seems to run fine using weblogicImportMetadata.bat, but when I export and check the updated file, I still get back the original.
    Here's what I get on running the weblogicImportMetadata.bat file
    Initializing WebLogic Scripting Tool (WLST) ...
    Welcome to WebLogic Server Administration Scripting Shell
    Type help() for help on available commands
    Starting import metadata script ....
    Please enter your username :weblogic
    Please enter your password :
    Please enter your server URL [t3://localhost:7001] :t3://localhost:7001
    Connecting to t3://localhost:7001 with userid weblogic ...
    Successfully connected to Admin Server 'AdminServer' that belongs to domain 'OIM1'.
    Warning: An insecure protocol was used to connect to the
    server. To ensure on-the-wire security, the SSL port or
    Admin port should be used instead.
    Location changed to domainRuntime tree. This is a read-only tree with DomainMBean as the root.
    For more help, use help(domainRuntime)
    Disconnected from weblogic server: AdminServer
    End of importing metadata script ...
    Exiting WebLogic Scripting Tool.
    C:\Oracle\Middleware1\Oracle_IDAM\server\bin>
    Edited by: 810367 on Aug 21, 2012 6:45 PM

  • Error while exporting metadata file /iam-features-ldap-sync/LDAPUser.xml

    Hi All,
    i am trying to export /iam-features-ldap-sync/LDAPUser.xml metadata file with the weblogic properties mentioned below
    # Weblogic Server Name on which OIM application is running
    wls_servername=oim_server1
    # If you are importing or exporting any out of box event handlers, value is oim.
    # For rest of the out of box metadata, value is OIMMetadata.
    # If you are importing or exporting any custom data, always use application name as OIMMetadata.
    application_name=OIMMetadata
    # Directory location from which XML file should be imported.
    # Lets say I want to import User.xml and it is in the location /scratc/asmaram/temp/oim/file/User.xml,
    # I should give from location value as /scratc/asmaram/temp/oim. Make sure no other files exist
    # in this folder or in its sub folders. Import utility tries to recursively import all the files under the
    # from location folder. This property is only used by weblogicImportMetadata.sh
    metadata_from_loc=@metadata_from_loc
    # Directory location to which XML file should be exported to
    metadata_to_loc=D:/MDS
    # For example /file/User.xml to export user entity definition. You can specify multiple xml files as comma separated values.
    # This property is only used by weblogicExportMetadata.sh and weblogicDeleteMetadata.sh scripts
    metadata_files=/metadata/iam-features-ldap-sync/LDAPUser.xml
    # Application version
    application_version=11.1.1.3.0
    i get the following error
    Initializing WebLogic Scripting Tool (WLST) ...
    Welcome to WebLogic Server Administration Scripting Shell
    Type help() for help on available commands
    Starting export metadata script ....
    Please enter your username [weblogic] :weblogic
    Please enter your password [welcome1] :
    Please enter your server URL [t3://localhost:7001] :t3://hostname:7001
    Connecting to t3://hostname:7001 with userid weblogic ...
    Successfully connected to Admin Server 'AdminServer' that belongs to domain 'OIMDOMAIN'.
    Warning: An insecure protocol was used to connect to the
    server. To ensure on-the-wire security, the SSL port or
    Admin port should be used instead.
    Location changed to domainRuntime tree. This is a read-only tree with DomainMBean as the root.
    For more help, use help(domainRuntime)
    Problem invoking WLST - Traceback (innermost last):
    File "C:\Oracle\Middleware\Oracle_IDM1\server\bin\weblogicExportMetadata.py", line 22, in ?
    File "C:\Oracle\MIDDLE~1\ORACLE~1\common\wlst\mdsWLSTCommands.py", line 134, in exportMetadata
    File "C:\Oracle\MIDDLE~1\ORACLE~1\common\wlst\mdsWLSTCommands.py", line 568, in executeAppRuntimeMBeanOperation
    File "C:\Oracle\MIDDLE~1\ORACLE~1\common\wlst\mdsWLSTCommands.py", line 538, in getMDSAppRuntimeMBean
    UserWarning: MDS-91002: MDS Application runtime MBean for "OIMMetadata" is not available. "exportMetadata" operation failure.
    I have exported these files multiple times and it never gave an error, but this time I see this error, please help.
    Thanks in advance

    Glad that worked.
    Working with MDS, another way is to use the EM console for exporting/importing data from/to MDS. This I find a lot easier than working with the OOTB script.
    Steps are:
    http://ADMINSTRATION_SERVER/em
    Navigate to Identity and Access, oim. Right-click and navigate to System MBean Browser.
    Under Application Defined MBeans, navigate to oracle.mds.lcm, Server:oim_server1, Application:oim, MDSAppRuntime.
    To export the configuration files:
    • Click the Operations tab, and then click exportMetaData.
    • In the toLocation field, enter /tmp or the name of another directory.
    • Select createSubDir as false.
    • In the docs field, enter the complete file location as the Element.
    • Also select false for excludeAllCust, excludeBaseDocs, and excludeExtendedMetadata. Then, click Invoke.
    This exports the file specified in the docs field to the directory specified in the toLocation field.
    To import the configuration files:
    • Click importMetaData.
    • In the fromLocation field, enter /tmp or the name of the directory in which you have the configuration files.
    • Select createSubDir as false.
    • In the docs field, enter the complete file location as the Element. For example, /db/oim-config.xml.
    • Also select false for excludeAllCust, excludeBaseDocs, and excludeExtendedMetadata. Then, click Invoke.
    This imports the file specified in the docs field to MDS in the toLocation field.
    HTH

  • Role creation in OIM 11.1.1.5.0 fails with LDAP Sync Enabled

    I am in the process of configuring LDAP sync for OIM 11.1.1.5.0 with ODSEE.
    At this time, when I add a user in OIM, I can see that the user gets created in LDAP under the LDAP dn that I supplied when configuring OIM (Configuration process screen name = "LDAP Server Continued", field name = "LDAP User Container")
    However when I try to add a role in OIM, the call fails. OIM server logs have the following exception message:
    <Jul 14, 2011 1:21:52 PM EDT> <Warning> <oracle.iam.callbacks.common> <IAM-2030146> <[CALLBACKMSG] Are applicable policies present for this async eventhandler ? : false>
    <Jul 14, 2011 1:21:53 PM EDT> <Error> <oracle.iam.platform.entitymgr.provider.ldap> <IAM-0042002> <An error occurred while creating the entity in LDAP, and the corresponding error is - {0}
    javax.naming.NameNotFoundException: Error: NO_SUCH_OBJECT
    null [Root exception is oracle.ods.virtualization.service.VirtualizationException]
    at oracle.ods.virtualization.jndi.OVDUtil.mapErrorCode(OVDUtil.java:151)
    at oracle.ods.virtualization.jndi.OVDContext.createSubcontext(OVDContext.java:512)
    at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:183)
    at oracle.iam.platform.entitymgr.provider.ldap.LDAPUtil.createSubcontext(LDAPUtil.java:1045)
    at oracle.iam.platform.entitymgr.provider.ldap.LDAPDataProvider.create(LDAPDataProvider.java:487)
    at oracle.iam.platform.entitymgr.impl.EntityManagerImpl.createEntity(EntityManagerImpl.java:291)
    at oracle.iam.platform.entitymgr.impl.EntityManagerImpl.createEntity(EntityManagerImpl.java:239)
    at oracle.iam.ldapsync.impl.eventhandlers.role.RoleCreateLDAPHandler.create(RoleCreateLDAPHandler.java:128)
    at oracle.iam.ldapsync.impl.eventhandlers.role.RoleCreateLDAPHandler.execute(RoleCreateLDAPHandler.java:46)
    at oracle.iam.platform.kernel.impl.OrchProcessData.runPreProcessEvents(OrchProcessData.java:898)
    at oracle.iam.platform.kernel.impl.OrchProcessData.runEvents(OrchProcessData.java:634)
    at oracle.iam.platform.kernel.impl.OrchProcessData.executeEvents(OrchProcessData.java:227)
    at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.resumeProcess(OrchestrationEngineImpl.java:664)
    at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.process(OrchestrationEngineImpl.java:435)
    at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.orchestrate(OrchestrationEngineImpl.java:381)
    at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.orchestrate(OrchestrationEngineImpl.java:334)
    at oracle.iam.identity.rolemgmt.impl.RoleManagerImpl.create(RoleManagerImpl.java:188)
    at oracle.iam.identity.rolemgmt.api.RoleManagerEJB.createx(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
    at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
    at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
    Any idea what's going on?
    When configuring OIM, I provided a value for the "LDAP Role Container" as "ou=Groups,dc=mycompany,dc=com". The docs show an example of "cn=groups, dc=mycountry, dc=com" (see http://download.oracle.com/docs/cd/E21764_01/install.1111/e12002/oidonly.htm#CDDDIAIC, step 18). Could this difference in container type be causing this problem?
    Any idea where OIM stores this container information if I wanted to test ldap sync with the different roles container?
    Thanks
    Aspi Engineer
    Putnam Investments

    Aspi,
    OIM keeps its ldap config under "$IDM_HOME/server/ldap_config_util" as "ldapconfig.props"
    Thanks,
    Sandeep Gupta

  • Error while doing the Ldap sync for UDFs

    Hi All,
    I am doing LDAP sync for UDFs,
    Created users in OID.
    assigned them to the orclIDXPerson object, modified the ldapconfig.props and created the input file.
    Now when I run ldapsyncudf.sh I get the below error.
    Exception in thread "main" java.lang.NullPointerException
    at oracle.ods.virtualization.schema.AttributeTypeDefinition.getOID(AttributeTypeDefinition.java:117)
    at oracle.ods.virtualization.jndi.OVDSchemaContext.convertAttrDefnToJNDIAttrs(OVDSchemaContext.java:655)
    at oracle.ods.virtualization.jndi.OVDSchemaContext.getAttributes(OVDSchemaContext.java:137)
    at oracle.ods.virtualization.jndi.OVDSchemaContext.getAttributes(OVDSchemaContext.java:109)
    at oracle.iam.configservice.impl.LDAPUDFSyncImpl.isAttrExistsInLDAP(LDAPUDFSyncImpl.java:555)
    at oracle.iam.configservice.impl.LDAPUDFSyncImpl.validateOVDSchema(LDAPUDFSyncImpl.java:519)
    at oracle.iam.configservice.impl.LDAPUDFSyncImpl.addUDFwithLDAP(LDAPUDFSyncImpl.java:1082)
    at oracle.iam.configservice.api.LDAPUDFSyncEJB.addUDFwithLDAPx(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
    at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
    at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
    at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
    at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
    at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
    at com.bea.core.repackaged.springframework.jee.spi.MethodInvocationVisitorImpl.visit(MethodInvocationVisitorImpl.java:37)
    at weblogic.ejb.container.injection.EnvironmentInterceptorCallbackImpl.callback(EnvironmentInterceptorCallbackImpl.java:54)
    at com.bea.core.repackaged.springframework.jee.spi.EnvironmentInterceptor.invoke(EnvironmentInterceptor.java:50)
    at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
    at com.bea.core.repackaged.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
    at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
    at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
    at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
    at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
    at com.bea.core.repackaged.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
    at $Proxy631.addUDFwithLDAPx(Unknown Source)
    can anyone please unblock me.
    Thanks,
    Valli

    Hi,
    Please see if these help (for 11gR2)
    Export the LDAPUser.xml file from MDS using weblogicExportMetadata.bat. This XML contains the attribute mapping between OIM and OID for LDAP synchronization.
    Include the entry for the OIM attribute (if an entry does not exist for the attribute in the XML) under the entity-attributes node. For example, use the following XML snippet to add the entry for ISD Code for Phone attribute:
    <entity-attributes><attribute name="ISD Code for Phone"><type>string</type><required>false</required><attribute-group>Extended</attribute-group><searchable>true</searchable></attribute></entity-attributes>
    Include the entry for the OID attribute under the target-fields node. For example, use the following XML snippet to add the entry for CountryCode:
    <target-fields><field name="CountryCode"><type>String</type><required>false</required></field></target-fields>
    Now map the OIM attribute to the OID attribute using the following XML snippet under the attribute-maps node:
    <attribute-maps><attribute-map><entity-attribute>ISD Code for Phone</entity-attribute><target-field>CountryCode</target-field></attribute-map></attribute-maps>
    Save the changes and import the file back into MDS using WebLogic import utilities.
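To catch mapping mistakes before re-importing LDAPUser.xml (the kind that surface as the schema-validation NullPointerException quoted in the question), here is an added Python example, not part of this thread or of Oracle's tooling, that cross-checks an LDAPUser.xml-style document: every attribute-map must reference a declared OIM attribute and target field, and every target field must exist as an attribute type in the directory schema. The document layout follows the snippets in the reply above; the sample XML and the schema attribute set are constructed stand-ins, not a real MDS export or a real OID schema.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the LDAPUser.xml fragments quoted above. It is
# not a real MDS export; it deliberately contains three mistakes for the checker to find.
SAMPLE_LDAPUSER_XML = """<entity-definition>
  <entity-attributes>
    <attribute name="ISD Code for Phone">
      <type>string</type>
      <required>false</required>
      <attribute-group>Extended</attribute-group>
      <searchable>true</searchable>
    </attribute>
    <attribute name="Telephone Number">
      <type>string</type>
      <required>false</required>
    </attribute>
  </entity-attributes>
  <target-fields>
    <field name="CountryCode"><type>String</type><required>false</required></field>
    <field name="telephoneNumber"><type>String</type><required>false</required></field>
    <field name="orclNotInSchema"><type>String</type><required>false</required></field>
  </target-fields>
  <attribute-maps>
    <attribute-map>
      <entity-attribute> ISD Code for Phone </entity-attribute>
      <target-field>CountryCode</target-field>
    </attribute-map>
    <attribute-map>
      <entity-attribute>Telephone Number</entity-attribute>
      <target-field>telephoneNumber</target-field>
    </attribute-map>
    <attribute-map>
      <entity-attribute>Mobile</entity-attribute>
      <target-field>orclNotInSchema</target-field>
    </attribute-map>
  </attribute-maps>
</entity-definition>
"""

# Constructed stand-in for the attribute types the directory (OID/OVD) schema defines.
SAMPLE_SCHEMA_ATTRS = {"cn", "sn", "uid", "mail", "mobile", "telephoneNumber", "CountryCode"}


def _names(root, section, child):
    """Collect the name attributes of <child> elements directly under <section>."""
    node = root.find(section)
    if node is None:
        return set()
    return {el.get("name", "").strip() for el in node.findall(child)}


def validate_ldap_mapping(xml_text, schema_attrs):
    """Cross-check an LDAPUser.xml-style mapping; returns a list of problem strings."""
    root = ET.fromstring(xml_text)
    problems = []
    entity_attrs = _names(root, "entity-attributes", "attribute")
    target_fields = _names(root, "target-fields", "field")
    # LDAP attribute type names are case-insensitive, so the schema check ignores case.
    schema_lc = {a.lower() for a in schema_attrs}

    # Every target field must exist as an attribute type in the directory schema; this
    # mirrors the validateOVDSchema / isAttrExistsInLDAP step in the stack trace above.
    for field in sorted(target_fields):
        if field.lower() not in schema_lc:
            problems.append(f"target field '{field}' is not an attribute type in the LDAP schema")

    maps = root.find("attribute-maps")
    seen = set()
    for amap in (maps.findall("attribute-map") if maps is not None else []):
        raw_ea = amap.findtext("entity-attribute") or ""
        raw_tf = amap.findtext("target-field") or ""
        ea, tf = raw_ea.strip(), raw_tf.strip()
        if raw_ea != ea or raw_tf != tf:
            problems.append(f"mapping '{ea}' -> '{tf}' has surrounding whitespace; trim it")
        if ea not in entity_attrs:
            problems.append(f"mapping references undeclared OIM attribute '{ea}'")
        if tf not in target_fields:
            problems.append(f"mapping references undeclared target field '{tf}'")
        if ea in seen:
            problems.append(f"OIM attribute '{ea}' is mapped more than once")
        seen.add(ea)
    return problems


if __name__ == "__main__":
    for problem in validate_ldap_mapping(SAMPLE_LDAPUSER_XML, SAMPLE_SCHEMA_ATTRS):
        print("PROBLEM:", problem)
```

Run it against the exported file (read from disk instead of the sample string) with the attribute types listed by your directory's schema before importing the edited document back into MDS.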
