Lookup.ADReconciliation.GroupLookup
Hi,
Lookup.ADReconciliation.GroupLookup displays the lookup like below,
Code Key: <IT_RESOURCE_KEY>~<DISTINGUISHED_NAME>
Decode: <IT_RESOURCE_NAME>~<DISTINGUISHED_NAME>
"<DISTINGUISHED_NAME>" is a big bunch of words concatenated into a single line. I have mapped this lookup in one of the child forms for the user to select the group. When the user clicks on the search button, it is difficult to tell which group the user is selecting. The code and decode look like the example below,
Code : 161~CN=Financial Accounting,OU=_US Distribution Lists,OU=_US Groups,OU=Groups,OU=xxxxx,DC=corp,DC=xxxxx,DC=com
Decode: ADITResource~CN=Financial Accounting,OU=_US Distribution Lists,OU=_US Groups,OU=Groups,OU=xxxxx,DC=corp,DC=xxxxx,DC=com
In the search window, can I display the CN name (Financial Accounting from the above example) alone instead of everything? Kindly help, and let me know in case of clarifications.
Thanks
The "strange string" is the DN of the Group. The leftmost part is pointing towards the IT resource that contains this group.
A rather nifty/strange (pick your choice) way to support multiple IT resources.
You can make the original lookup invisible and add an additional, more user-friendly lookup. Then in your pre-pop code you magically switch things around so the process form gets properly populated (I am assuming that this question is about the object/resource form).
If you do need to support multiple domains with their associated multiple IT resources, then you do need to put something in front of the group name, i.e. the domain name.
You probably also want to add some new recon jobs that keep your new lookup in sync with AD.
Good luck
/Martin
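The approach Martin describes, as an added example that is not part of the original thread and is not connector code: a Python script that builds the friendlier lookup from exported Code Key/Decode pairs, labels each group by domain and CN, and disambiguates groups that share a CN so a user cannot pick the wrong one. The function names, the `domain: CN` label format and the sample entries other than the two quoted on this page are assumptions; multi-valued RDNs (`+`) are not handled.

```python
import string
from collections import Counter


def split_code_key(value):
    """Split '<prefix>~<DN>' at the first '~' (prefix is the IT resource key or name)."""
    prefix, sep, dn = value.partition("~")
    if not (sep and prefix and dn):
        raise ValueError(f"not in <prefix>~<DN> form: {value!r}")
    return prefix, dn


def split_rdns(dn):
    """Split a DN on commas, leaving backslash-escaped commas inside the value."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])
            i += 2
        elif dn[i] == ",":
            parts.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(dn[i])
            i += 1
    parts.append("".join(buf))
    return [p.lstrip() for p in parts if p.strip()]


def unescape(value):
    """Undo RFC 4514 escapes: backslash + hex pair, or backslash + literal character."""
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in string.hexdigits for c in pair):
                out.append(int(pair, 16))
                i += 3
            else:
                out += value[i + 1].encode("utf-8")
                i += 2
        else:
            out += value[i].encode("utf-8")
            i += 1
    return out.decode("utf-8")


def describe(dn):
    """Return (domain, leaf name, parent containers) for one DN."""
    rdns = []
    for rdn in split_rdns(dn):
        attr, sep, val = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        rdns.append((attr.strip().upper(), unescape(val)))
    if not rdns:
        raise ValueError("empty DN")
    domain = ".".join(v for a, v in rdns if a == "DC")
    parent = "/".join(v for a, v in rdns[1:] if a != "DC")
    return domain, rdns[0][1], parent


def build_friendly_lookup(entries):
    """Map a readable label to the untouched connector code key."""
    rows = []
    for code_key, decode in entries:
        _, dn = split_code_key(code_key)
        _, decode_dn = split_code_key(decode)
        if dn != decode_dn:
            raise ValueError(f"code key and decode disagree for {code_key!r}")
        domain, name, parent = describe(dn)
        rows.append((code_key, f"{domain}: {name}", parent))
    seen = Counter(label for _, label, _ in rows)
    lookup = {}
    for code_key, label, parent in rows:
        if seen[label] > 1:  # same CN twice in one domain: show the container too
            label = f"{label} ({parent})"
        if label in lookup:
            raise ValueError(f"label still ambiguous: {label!r}")
        lookup[label] = code_key
    return lookup


def entry(key, resource, dn):
    return (f"{key}~{dn}", f"{resource}~{dn}")


# The first two DNs are quoted on this page; the rest are constructed samples.
SAMPLE_ENTRIES = [
    entry("161", "ADITResource", "CN=Financial Accounting,OU=_US Distribution Lists,"
          "OU=_US Groups,OU=Groups,OU=xxxxx,DC=corp,DC=xxxxx,DC=com"),
    entry("2", "ADITResource", "CN=TelnetClients,CN=Users,DC=adtest,DC=com"),
    entry("161", "ADITResource", r"CN=Sales\, EMEA,OU=Groups,DC=corp,DC=xxxxx,DC=com"),
    entry("161", "ADITResource", "CN=Admins,OU=Site A,DC=corp,DC=xxxxx,DC=com"),
    entry("161", "ADITResource", "CN=Admins,OU=Site B,DC=corp,DC=xxxxx,DC=com"),
]

if __name__ == "__main__":
    for label, code_key in sorted(build_friendly_lookup(SAMPLE_ENTRIES).items()):
        print(f"{label:45} -> {code_key}")
```

Because the friendly label maps back to the unmodified code key, the value written to the process form is still exactly what the connector expects.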
Similar Messages
-
Weird data obtained when running Task: AD Group Lookup Recon
Hi,
I'm running the scheduled task named: AD Group Lookup Recon
It works, and populates the lookup named Lookup.ADReconciliation.GroupLookup
but when looking in the Design Console, the Code Key and the Decode values have weird data, i.e.:
code key: 2~CN=TelnetClients,CN=Users,DC=adtest,DC=com
Decode: ADITResource~CN=TelnetClients,CN=Users,DC=adtest,DC=com
In the code key there is an extra 2~
In the Decode there is an extra ADITResource~
I may think that it is some kind of coding for connector commands used in provision tasks. When I'm trying to provision an OIM user to Active Directory (in the Organization Lookup field) I get this data
this is just one line:
Value: 2~CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=adtest,DC=com
Description: ADITResource~CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=adtest,DC=com
Any Ideas?
Thank You.

Yes, you are right, the code key and decode key are because of the coding in the connector to distinguish lookup values coming from multiple IT resources.
If you want to get rid of this [IT Resource~] you will have to modify the connector.
One more thing: it looks like the base DN you have specified for lookup reconciliation is DC=adtest,DC=com with a generic filter; that's why you are getting entries like 2~CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=adtest,DC=com, which may not be a group you want.
Hope this helps,
Sagar
-
I am trying to set up OIM to provision to two different AD domains. I am trying to avoid the process of cloning the entire connector. So for now I just created two IT Resources and duplicated the Lookup.ADReconciliation.GroupLookup and Lookup.ADReconciliation.Organization objects. The Group Lookup is part of the IT Resource and hence didn't cause any problems.
The Organization Lookup is however defined at the form level. I need the list of Organizations to be specific to the AD Domain. I have done the following:
1. Created two IT Resources of type AD Server:
-- AD Server 1
-- AD Server 2
2. Created new lookup called Lookup.AD.OrganizationLookupITResourceMapping with the following values:
-- AD Server 1 == Lookup.ADReconciliaiton.Organization
-- AD Server 2 == Lookup.AD2Reconciliation.Organization
3. I then changed the "Organization Name" column to the following:
Lookup Query == select lkv_decoded, lkv_encoded from lku, lkv where lku.lku_key = lkv.lku_key and lku.lku_type_string_key = (select lkv.lkv_decoded from lku, lkv where lku. lku_type_string_key = 'Lookup.AD.OrganizationLookupITResourceMapping' and lku.lku_key = lkv.lku_key and lkv_encoded = '$Form data.UD_ADUSER_AD$');
Column Names == lkv_decoded
Lookup Column Names == lkv_decoded
Column Captions == Organization Name
Column Widths == 100
When I run the Preview Form I get the error message "Query Failed. Error: Dataset is not open". In the server logs I get "invalid character" exception from SQL. If I use SQL Plus and run this query, substituting for '$Form data.UD_ADUSER_AD$', I get the correct response. My guess is that the form data is not being returned as expected. What should I use here in order to receive the name of the IT Resource?
Thanks,
Pete

More information from the log files:
[2011-02-23T16:30:45.441-05:00] [oim_server1] [ERROR] [] [XELLERATE.DATABASE] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: xelsysadm] [ecid: 0000ItKRa^jC^qQSaauHOq1DPIEM0002nl,0] [APP: oim#11.1.1.3.0] [dcid: dc05021680aa4152:3b03b6fb:12e53163b22:-7ffd-0000000000002d5a] SELECT sdc.sdc_name, sdk.sdk_name from sdc, sdk where sdc.sdk_key=sdk.sdk_key and sdc.sdc_name = 'UD_ADUSER_AD' and sdk.sdk_active_version=sdc.sdc_version and sdk.sdk_key=(SELECT sdk_key FROM TOS WHERE pkg_key = )[[
java.sql.SQLSyntaxErrorException: ORA-00936: missing expression
2011-02-23T16:30:54.309-05:00] [oim_server1] [ERROR] [] [XELLERATE.DATABASE] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: xelsysadm] [ecid: 0000ItKRcjKC^qQSaauHOq1DPIEM0002nw,0] [APP: oim#11.1.1.3.0] [dcid: dc05021680aa4152:3b03b6fb:12e53163b22:-7ffd-0000000000002d65] select lkv_decoded, lkv_encoded from lku, lkv where lku.lku_key = lkv.lku_key and lku.lku_type_string_key = (select lkv.lkv_decoded from lku, lkv where lku. lku_type_string_key = 'Lookup.AD.OrganizationLookupITResourceMapping' and lku.lku_key = lkv.lku_key and lkv_encoded = 'BAD QUERY or BAD FORM DATA'); and 1=2[[
java.sql.SQLSyntaxErrorException: ORA-00911: invalid character
So obviously my query is bad. How do I fix it?
Thanks,
Pete
-
OIM-AD connector Issues in OIM 11g
Hi
We are trying to provision user from OIM 11G to AD using Administration Tab of Admin Console.
As part of the ADITResource configuration, the following fields are included. In the Enterprise Manager OIM server log, we are getting the below error message.
Error Message In Enterprise manager OIM server log -
Module OIMCP.ADCS
Thread ID [ACTIVE].ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'
Message com.thortech.xl.integration.ActiveDirectory.tcUtilADTasks : createUser : Wrong Value Specified in Root Context of IT ResourceOr Organization DN
However, in Admin console Selfservice-->Task-->Provisioning -->Shows error as
Response:Connection Error encountered
Response Description: Error encountered while connecting to target system
We have successfully tested the connection using Diagnostic Dashboard (XIMDD) & LDAP Browser.
IT Resource Details-
Parameter Value
AD Sync installed (yes/no) no
ADAM LockoutThreshold Value 5
ADDisableAttr Lookup Definition Lookup.ADProvisioning.DisableAttrLookup
ADGroup LookUp Definition Lookup.ADReconciliation.GroupLookup
Abandoned connection timeout 600
Admin FQDN cn=administrator,cn=Users,dc=example,dc=com
Admin Login administrator
Admin Password ********
Allow Password Provisioning yes
AtMap ADGroup AtMap.ADGroup
AtMap ADUser AtMap.AD
AtMap Group AtMap.ADGroup
Atmap ADOrg AtMap.ADOrg
Backup Server URL [NONE]
Connection pooling supported false
Connection wait timeout 100
Custom Attribute Name
CustomizedReconQuery
Inactive connection timeout 600
Initial pool size 1
Invert Display Name no
LDAP Connection Timeout 30000
Last Modified Time Stamp 0
Last Modified Time Stamp Group 0
Max pool size 30
Min pool size 2
Native connection pool class definition
OIM User UDF
Pool excluded fields
Pool preference Default
Port Number 389
Remote Manager Prov Lookup AtMap.AD.RemoteScriptlookUp
Remote Manager Prov Script Path
ResourceConnection class definition com.thortech.xl.integration.ActiveDirectory.ADResourceConnectionImpl
Root Context dc=example,dc=com
SSL Port Number 636
Server Address WIN-PEUB23TMMT4.example.com
Target Locale: Country US
Target Locale: Language en
Target Locale: TimeZone GMT
Target supports only one connection false
Timeout check interval 100
UPN Domain example.com
Use Disable Attr false
Use SSL false
Validate connection on borrow true
isADAM no
isUserDeleteLeafNode no
For Organization we have selected ou=Test,dc=example,dc=com in our lookup definition
Please suggest....
Thanks

It's not Key, it's the Scheduled Task attribute "IT Resource Name"
Documentation: http://download.oracle.com/docs/cd/E11223_01/doc.910/e11197/using_conn.htm#CHDFBAAC
Here is the documentation on the lookup format: http://download.oracle.com/docs/cd/E11223_01/doc.910/e11197/intro.htm#CHDHCCJD
-Kevin
-
Hi all,
I get the following error in the server log when trying to provision a user from OIM to AD using the Administration tab of the Admin console:
createUser : Wrong Value Specified in Root Context of IT ResourceOr Organization DN
Any suggestions?
The ITResource information is as follows
ADAM LockoutThreshold Value 5
ADGroup LookUp Definition Lookup.ADReconciliation.GroupLookup
Abandoned connection timeout 600
Admin FQDN cn=Administrator,cn=Users,dc=vc,dc=iam
Admin Password *********
Allow Password Provisioning yes
AtMap ADGroup AtMap.ADGroup
AtMap ADUser AtMap.AD
Atmap ADOrg AtMap.ADOrg
Backup Server URL [NONE]
Connection pooling supported false
Connection wait timeout 60
Inactive connection timeout 600
Initial pool size 1
Invert Display Name no
LDAP Connection Timeout 3000
Max pool size 30
Min pool size 2
Native connection pool class definition
Pool excluded fields
Pool preference Default
Port Number 636
Remote Manager Prov Lookup AtMap.AD.RemoteScriptlookUp
Remote Manager Prov Script Path
ResourceConnection class definition com.thortech.xl.integration.ActiveDirectory.ADResourceConnectionImpl
Root Context dc=vc,dc=iam
Server Address zactn06101.vodacom.corp
Target Locale: TimeZone GMT+02:00
Target supports only one connection false
Timeout check interval 30
UPN Domain vc.iam
Use SSL yes
Validate connection on borrow true
isADAM no
isUserDeleteLeafNode no
The process form information is as follows
AD Server ADITResource
AD Remote Manager ITResource
Password ********
User ID AAGASSI
User Principal Name [email protected]
First Name Andre
Middle Name
Last Name Agassi
Common Name Andre Agassi
Full Name Andre Agassi
Password never expires check box ticked
User must change password at next logon
Organization Name
Account is Locked out
Telephone Number
Account Expiration Date
E Mail
Post Office Box
City
State
Zip
Home Phone
Mobile
Pager
Fax
IP Phone
Title
Department
Company
Manager Name
Office
Country
Street
Terminal Profile Path
Terminal Home Directory
Terminal Allow Login
Redirection Mail ID

Hi guys.
Thanks for your prompt response. When I try to run the "AD Organization Recon" task, I get the error below. Any suggestions?
2012-05-08T11:22:12.869+02:00] [oim_server1] [NOTIFICATION] [IAM-5010000] [oracle.iam.reconciliation.impl] [tid: [ACTIVE].ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: oiminternal] [ecid: 0000JSfZ4m92rI05Vzk3yc1FeDWR000002,0] [APP: oim#11.1.1.3.0] Generic Information: {0}[[
oracle.iam.platform.utils.SuperRuntimeException: oracle.iam.platform.utils.SuperRuntimeException: java.sql.SQLSyntaxErrorException: ORA-00936: missing expression
at oracle.iam.reconciliation.impl.ActionEngine.processEvent(ActionEngine.java:239)
at oracle.iam.reconciliation.impl.BaseEntityTypeHandler.executeBatchPerEvent(BaseEntityTypeHandler.java:305)
at oracle.iam.reconciliation.impl.OrganizationHandler.executeBulkCUD(OrganizationHandler.java:118)
at oracle.iam.reconciliation.impl.BaseEntityTypeHandler.process(BaseEntityTypeHandler.java:42)
at oracle.iam.reconciliation.impl.ActionEngine.processBatch(ActionEngine.java:134)
at oracle.iam.reconciliation.impl.ActionEngine.execute(ActionEngine.java:92)
at oracle.iam.reconciliation.impl.ActionTask.execute(ActionTask.java:72)
at oracle.iam.platform.async.impl.TaskExecutor.executeUnmanagedTask(TaskExecutor.java:100)
at oracle.iam.platform.async.impl.TaskExecutor.execute(TaskExecutor.java:70)
at oracle.iam.platform.async.messaging.MessageReceiver.onMessage(MessageReceiver.java:68)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
at com.bea.core.repackaged.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at com.bea.core.repackaged.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
at $Proxy343.onMessage(Unknown Source)
at weblogic.ejb.container.internal.MDListener.execute(MDListener.java:574)
at weblogic.ejb.container.internal.MDListener.transactionalOnMessage(MDListener.java:477)
at weblogic.ejb.container.internal.MDListener.onMessage(MDListener.java:379)
at weblogic.jms.client.JMSSession.onMessage(JMSSession.java:4659)
at weblogic.jms.client.JMSSession.execute(JMSSession.java:4345)
at weblogic.jms.client.JMSSession.executeMessage(JMSSession.java:3821)
at weblogic.jms.client.JMSSession.access$000(JMSSession.java:115)
at weblogic.jms.client.JMSSession$UseForRunnable.run(JMSSession.java:5170)
at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:528)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
Caused by: oracle.iam.platform.utils.SuperRuntimeException: java.sql.SQLSyntaxErrorException: ORA-00936: missing expression
at oracle.iam.reconciliation.dao.ReconActionDao.executeOrgMatch(ReconActionDao.java:1370)
at oracle.iam.reconciliation.impl.OrganizationHandler.executeSingleEventMatch(OrganizationHandler.java:34)
at oracle.iam.reconciliation.impl.EntityTypeHandler.process(EntityTypeHandler.java:38)
at oracle.iam.reconciliation.impl.ActionEngine.processEvent(ActionEngine.java:209)
... 34 more
Caused by: java.sql.SQLSyntaxErrorException: ORA-00936: missing expression
at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:457)
at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:405)
at oracle.jdbc.driver.T4C8Oall.processError(T4C8Oall.java:889)
at oracle.jdbc.driver.T4CTTIfun.receive(T4CTTIfun.java:476)
at oracle.jdbc.driver.T4CTTIfun.doRPC(T4CTTIfun.java:204)
at oracle.jdbc.driver.T4C8Oall.doOALL(T4C8Oall.java:540)
at oracle.jdbc.driver.T4CStatement.doOall8(T4CStatement.java:202)
at oracle.jdbc.driver.T4CStatement.executeForRows(T4CStatement.java:1074)
at oracle.jdbc.driver.OracleStatement.doExecuteWithTimeout(OracleStatement.java:1466)
at oracle.jdbc.driver.OracleStatement.executeInternal(OracleStatement.java:2224)
at oracle.jdbc.driver.OracleStatement.execute(OracleStatement.java:2168)
at oracle.jdbc.driver.OracleStatementWrapper.execute(OracleStatementWrapper.java:333)
at weblogic.jdbc.wrapper.Statement.execute(Statement.java:466)
at oracle.iam.reconciliation.dao.ReconActionDao.executeOrgMatch(ReconActionDao.java:1351)
... 37 more
-
Error while trying to provision OIM user to Active Directory using SSL
Hi All,
I am able to see the users through LDAP browser using SSL but am getting the following error while trying to provision OIM users to AD using SSL.
I am using Microsoft Active Directory connector type 9.11.
Response: Connection Error encountered
Response Description: Error encountered while connecting to target system
I did some testing using "Diagnostic Dashboard" and the following are the results.
Test Name: Target System SSL Trust Verification: Passed
Test Name: Test Basic Connectivity: Failed
Exceptions:
ITResource information values are not correct. Enter the correct values.
java.lang.reflect.InvocationTargetException
javax.naming.CommunicationException: simple bind failed:
unable to find valid certification path to requested target.
Test Name: Test Provisioning: Failed
Note: Without SSL, all the above tests passed.
Can anybody help me out with this issue?
Thanks in advance.
Pradeep Kumar.

I am able to connect to AD using port number 636 from the LDAP browser, and as the following test passed I think that my certificate should be correct.
Test Name: Target System SSL Trust Verification.
Input Parameters
Target System: idm.orademo.com
Port: 636
Certificate Store Location: /usr/java/jdk1.6.0_14/jre/lib/security/cacerts
Result : Passed
ITResource Values:
ADAM LockoutThreshold Value
ADGroup LookUp Definition Lookup.ADReconciliation.GroupLookup
Admin FQDN cn=Administrator,cn=Users,dc=orademo,dc=com
Admin Password *******
Allow Password Provisioning yes
AtMap ADGroup AtMap.ADGroup
AtMap ADUser AtMap.AD
Invert Display Name no
Port Number 636
Remote Manager Prov Lookup AtMap.AD.RemoteScriptlookUp
Remote Manager Prov Script Path
Root Context dc=orademo,dc=com
Server Address idm.orademo.com
Target Locale: TimeZone GMT
UPN Domain orademo.com
Use SSL yes
isADAM no
isLookupDN no
isUserDeleteLeafNode no
Thanks & Regards,
Pradeep Kumar.
-
Problems while provisioning OIM user to AD
Hello,
My OIM version is 9.1.0.1 & AD version is 9.1.1.4
I want to provision an OIM user to AD, so before provisioning I ran AD Group Lookup Recon &
AD Organization Lookup Recon.
When I tried to provision AD User to the OIM user, status=provisioning, where System Validation was
completed & create user was rejected & there was no response description.
Following is the error which I got on the console: java.lang.reflect.InvocationTargetException
Thanks & Regards
Rahul Shah

IT Resource Parameters:
ADAM LockoutThreshold Value 5
ADGroup LookUp Definition Lookup.ADReconciliation.GroupLookup
Admin FQDN CN=Administrator,CN=Users,DC=proservdemo,DC=com
Admin Password *******
Allow Password Provisioning yes
AtMap ADGroup AtMap.ADGroup
AtMap ADUser AtMap.AD
Invert Display Name no
Port Number 389
Remote Manager Prov Lookup AtMap.AD.RemoteScriptlookUp
Remote Manager Prov Script Path
Root Context DC=proservdemo,DC=com
Server Address IP Address
Target Locale: TimeZone GMT
UPN Domain proservdemo.com
Use SSL no
isADAM no
isUserDeleteLeafNode no
& here is the exception which I see on the console:
Running GETINVERTDISPLAYNAMEVALUE
Target Class = java.lang.String
Running CONCATFIRSTANDLAST
Target Class = com.thortech.xl.util.adapters.tcUtilStringOperations
Running GETINVERTDISPLAYNAMEVALUE
Target Class = java.lang.String
Running CONCATFIRSTANDLAST
Target Class = com.thortech.xl.util.adapters.tcUtilStringOperations
Running CONCATDOMAIN
Target Class = com.thortech.xl.util.adapters.tcUtilStringOperations
Running CONCATUSERLOGINWITHDOMAIN
Target Class = com.thortech.xl.util.adapters.tcUtilStringOperations
MessageDateFieldBean, localName='messageDateField': oracle.cabo.image: Initializing image cache: D:\Oracle\OIM\xellerate\OIMApplications\WLXellerateFull.ear\xlWebApp.war\cabo\images\cache\ ...
MessageDateFieldBean, localName='messageDateField': oracle.cabo.image: Loading image 0 of 3 from image cache: D:\Oracle\OIM\xellerate\OIMApplications\WLXellerateFull.ear\xlWebApp.war\cabo\images\cache\
MessageDateFieldBean, localName='messageDateField': oracle.cabo.image: Finished initializing image cache: D:\Oracle\OIM\xellerate\OIMApplications\WLXellerateFull.ear\xlWebApp.war\cabo\images\cache\
Running ISADAM
Target Class = java.lang.String
Running Get Attribute Map
Running AD Create User
java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.thortech.xl.adapterGlue.ScheduleItemEvents.adpADCSCREATEUSER.ADCREATEUSER(adpADCSCREATEUSER.java:224)
at com.thortech.xl.adapterGlue.ScheduleItemEvents.adpADCSCREATEUSER.implementation(adpADCSCREATEUSER.java:91)
at com.thortech.xl.client.events.tcBaseEvent.run(Unknown Source)
at com.thortech.xl.dataobj.tcDataObj.runEvent(Unknown Source)
at com.thortech.xl.dataobj.tcScheduleItem.runMilestoneEvent(Unknown Source)
at com.thortech.xl.dataobj.tcScheduleItem.eventPostInsert(Unknown Source)
at com.thortech.xl.dataobj.tcDataObj.insert(Unknown Source)
at com.thortech.xl.dataobj.tcDataObj.save(Unknown Source)
at com.thortech.xl.dataobj.tcORC.insertNonConditionalMilestones(UnknownSource)
at com.thortech.xl.dataobj.tcORC.completeSystemValidationMilestone(Unknown Source)
at com.thortech.xl.dataobj.tcOrderItemInfo.completeCarrierBaseMilestone(Unknown Source)
at com.thortech.xl.dataobj.tcOrderItemInfo.eventPostInsert(Unknown Source)
at com.thortech.xl.dataobj.tcUDProcess.eventPostInsert(Unknown Source)
at com.thortech.xl.dataobj.tcDataObj.insert(Unknown Source)
at com.thortech.xl.dataobj.tcDataObj.save(Unknown Source)
at com.thortech.xl.dataobj.tcTableDataObj.save(Unknown Source)
at com.thortech.xl.ejb.beansimpl.tcFormInstanceOperationsBean.setProcessFormData(Unknown Source)
at com.thortech.xl.ejb.beansimpl.tcFormInstanceOperationsBean.setProcessFormData(Unknown Source)
at com.thortech.xl.ejb.beans.tcFormInstanceOperationsSession.setProcessFormData(Unknown Source)
at com.thortech.xl.ejb.beans.tcFormInstanceOperations_2j82mm_EOImpl.setProcessFormData(tcFormInstanceOperations_2j82mm_EOImpl.java:1245)
at Thor.API.Operations.tcFormInstanceOperationsClient.setProcessFormData(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at Thor.API.Base.SecurityInvocationHandler$1.run(Unknown Source)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
at weblogic.security.Security.runAs(Security.java:41)
at Thor.API.Security.LoginHandler.weblogicLoginSession.runAs(Unknown Source)
at Thor.API.Base.SecurityInvocationHandler.invoke(Unknown Source)
at $Proxy68.setProcessFormData(Unknown Source)
at com.thortech.xl.webclient.actions.DirectProvisionUserAction.handleVerifyProcessData(Unknown Source)
at com.thortech.xl.webclient.actions.DirectProvisionUserAction.goNext(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.struts.actions.DispatchAction.dispatchMethod(DispatchAction.java:280)
at com.thortech.xl.webclient.actions.tcLookupDispatchAction.execute(Unknown Source)
at com.thortech.xl.webclient.actions.tcActionBase.execute(Unknown Source)
at com.thortech.xl.webclient.actions.tcAction.execute(Unknown Source)
at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:484)
at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:274)
at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1482)
at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:525)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300)
at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at com.thortech.xl.webclient.security.SecurityFilter.doFilter(Unknown Source)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.doIt(WebAppServletContext.java:3684)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3650)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2268)
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2174)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1446)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
Caused by: java.lang.NullPointerException
at com.thortech.xl.integration.ActiveDirectory.tcUtilADTasks.createUser(Unknown Source)
... 68 more
com.thortech.xl.dataobj.util.tcAdapterTaskException
at com.thortech.xl.adapterGlue.ScheduleItemEvents.adpADCSCREATEUSER.ADCREATEUSER(adpADCSCREATEUSER.java:230)
at com.thortech.xl.adapterGlue.ScheduleItemEvents.adpADCSCREATEUSER.implementation(adpADCSCREATEUSER.java:91)
at com.thortech.xl.client.events.tcBaseEvent.run(Unknown Source)
at com.thortech.xl.dataobj.tcDataObj.runEvent(Unknown Source)
at com.thortech.xl.dataobj.tcScheduleItem.runMilestoneEvent(Unknown Source)
at com.thortech.xl.dataobj.tcScheduleItem.eventPostInsert(Unknown Source)
at com.thortech.xl.dataobj.tcDataObj.insert(Unknown Source)
at com.thortech.xl.dataobj.tcDataObj.save(Unknown Source)
at com.thortech.xl.dataobj.tcORC.insertNonConditionalMilestones(UnknownSource)
at com.thortech.xl.dataobj.tcORC.completeSystemValidationMilestone(Unknown Source)
at com.thortech.xl.dataobj.tcOrderItemInfo.completeCarrierBaseMilestone(Unknown Source)
at com.thortech.xl.dataobj.tcOrderItemInfo.eventPostInsert(Unknown Source)
at com.thortech.xl.dataobj.tcUDProcess.eventPostInsert(Unknown Source)
at com.thortech.xl.dataobj.tcDataObj.insert(Unknown Source)
at com.thortech.xl.dataobj.tcDataObj.save(Unknown Source)
at com.thortech.xl.dataobj.tcTableDataObj.save(Unknown Source)
at com.thortech.xl.ejb.beansimpl.tcFormInstanceOperationsBean.setProcessFormData(Unknown Source)
at com.thortech.xl.ejb.beansimpl.tcFormInstanceOperationsBean.setProcessFormData(Unknown Source)
at com.thortech.xl.ejb.beans.tcFormInstanceOperationsSession.setProcessFormData(Unknown Source)
at com.thortech.xl.ejb.beans.tcFormInstanceOperations_2j82mm_EOImpl.setProcessFormData(tcFormInstanceOperations_2j82mm_EOImpl.java:1245)
at Thor.API.Operations.tcFormInstanceOperationsClient.setProcessFormData(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at Thor.API.Base.SecurityInvocationHandler$1.run(Unknown Source)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
at weblogic.security.Security.runAs(Security.java:41)
at Thor.API.Security.LoginHandler.weblogicLoginSession.runAs(Unknown Source)
at Thor.API.Base.SecurityInvocationHandler.invoke(Unknown Source)
at $Proxy68.setProcessFormData(Unknown Source)
at com.thortech.xl.webclient.actions.DirectProvisionUserAction.handleVerifyProcessData(Unknown Source)
at com.thortech.xl.webclient.actions.DirectProvisionUserAction.goNext(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.struts.actions.DispatchAction.dispatchMethod(DispatchAction.java:280)
at com.thortech.xl.webclient.actions.tcLookupDispatchAction.execute(Unknown Source)
at com.thortech.xl.webclient.actions.tcActionBase.execute(Unknown Source)
at com.thortech.xl.webclient.actions.tcAction.execute(Unknown Source)
at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:484)
at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:274)
at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1482)
at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:525)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300)
at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at com.thortech.xl.webclient.security.SecurityFilter.doFilter(Unknown Source)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.doIt(WebAppServletContext.java:3684)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3650)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2268)
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2174)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1446)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
& is AD version 9.1.1.4 compatible with OIM 9.1.0.1?
Thanks & regards
Rahul Shah
-
Provisioning: Users from OIM to Active Directory
Dear Experts!
I am trying to setup provisionig from OIM to AD. I just want to provision Users from OIM to AD.
I am going through this documentation/tutorial:
http://download.oracle.com/docs/cd/E11223_01/doc.910/e11197/deploy.htm#insertedID0
i also read this:
http://www.oracle.com/technology/obe/fusion_middleware/im1014/oim/ad_provision/prov2ad.htm
But it just won't work. The provisioned resource get's always status rejected in the (To-Do List --> Open Tasks).
Then i tried to test the connection to AD using this documentation:
http://download.oracle.com/docs/cd/E11223_01/doc.910/e11197/testing.htm
And I get this error in the console:
http://img689.imageshack.us/img689/3190/errorq.png
The IT resource: ADITResource looks like this:
Remote Manager Prov Script Path:
Admin FQDN: [email protected]
Use SSL: no
Remote Manager Prov Lookup: AtMap.AD.RemoteScriptlookUp
Target Locale TimeZone: GMT
Port Number: 636
AtMap ADUser: AtMap.AD
ADGroup LookUp Definition: Lookup.ADReconciliation.GroupLookup
isUserDeleteLeafNode: no
Allow Password Provisioning: no
UPN Domain: domain-test.local
AtMap ADGroup: AtMap.ADGroup
ADAM LockoutThreshold Value: 5
isADAM: no
Admin Password: *********
Invert Display Name: no
Root Context: dc=domain-test,dc=local
Server Address: testing-server.domain-test.local
Could be the problem that I don't use SSL? I don't set Passwords in AD, I have read that then I don't need SSL...?
I am new to OIM, so your response is greatly appreciated!
Thank you very much in advance!
Hello again Raj!
Thank you for your answer. You have always good ideas...
1) What's the response that you are getting from AD for this operation. Check this as following:
Go to Users->UserABC->(Resource Profile from Drop down)->(Click your particular resource instance)->(Select the rejected task precisely "Create User")
I get this on the Task Name - Create User:
Status:Rejected
Response: Please Select the Organization or Container Name from Organization Name Lookup
Response Description: Please Select the Organization or Container Name from Organization Name Lookup
But I can't get to populate the Organization Name on the user form, because there are no values available.
Under Error Details there is nothing.
2) If your IT resource parameters are incorrect, you will get a connection error in logs. Your port information is correct, it has to be Port->389 and Use SSL-no
I have created a new IT resource without SSL. Just to test the connection to AD. It works because I get “Successfully established connection to the AD_Test_without_SSL.”
Below is my NEW configuration for the IT Resource.
IT Resource Name: AD_Test_without_SSL
IT Resource Type: AD Server
ADAM LockoutThreshold Value: 5
ADGroup LookUp Definition: Lookup.ADReconciliation.GroupLookup
Admin FQDN: [email protected]
Admin Password: *********
Allow Password Provisioning: no
AtMap ADGroup: AtMap.ADGroup
AtMap ADUser: AtMap.AD
Invert Display Name: no
isADAM: no
isUserDeleteLeafNode: no
Port Number: 389
Remote Manager Prov Lookup: AtMap.AD.RemoteScriptlookUp
Remote Manager Prov Script Path:
Root Context: dc=domain-test,dc=local
Server Address: testing-server.domain-test.local
Target Locale TimeZone: GMT
UPN Domain: domain-test.local
Use SSL: no -
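A consistency check for the IT resource parameters discussed in this thread, added here as an example (it is not code from the connector or from the posters). It assumes the parameters are pasted as `Name: Value` lines as in the posts; the function names, finding codes and sample values are illustrative assumptions.

```python
LDAP_PORT, LDAPS_PORT = 389, 636  # standard plain-LDAP and LDAPS ports

# Constructed samples modelled on the two parameter listings in the thread.
FIRST_ATTEMPT = """\
Admin FQDN: svc_oim@example.test
Use SSL: no
Port Number: 636
Allow Password Provisioning: no
Root Context: dc=example,dc=test
Server Address: dc01.example.test
"""
SECOND_ATTEMPT = FIRST_ATTEMPT.replace("Port Number: 636", "Port Number: 389")


def parse_it_resource(text):
    """Parse 'Name: Value' lines into a dict keyed by lower-cased name."""
    params = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if not sep:
            continue
        # Tolerate forum markup left around names and values.
        params[name.strip(" *").lower()] = value.strip(" *+")
    return params


def is_yes(params, key):
    """The listings use yes/no; the connector's debug log prints true/false."""
    return params.get(key, "").lower() in ("yes", "true")


def check_it_resource(params):
    """Return (severity, code, message) findings for SSL-related settings."""
    findings = []
    use_ssl = is_yes(params, "use ssl")
    port_text = params.get("port number", "")
    port = int(port_text) if port_text.isdigit() else None

    if port is None:
        findings.append(("error", "port-missing",
                         "Port Number is empty or not numeric"))
    elif use_ssl and port == LDAP_PORT:
        findings.append(("error", "ssl-port-mismatch",
                         "Use SSL is yes but the port is 389 (plain LDAP)"))
    elif not use_ssl and port == LDAPS_PORT:
        findings.append(("error", "ssl-port-mismatch",
                         "Use SSL is no but the port is 636 (LDAPS)"))

    # AD rejects password (unicodePwd) writes on an unencrypted connection.
    if is_yes(params, "allow password provisioning") and not use_ssl:
        findings.append(("error", "password-needs-ssl",
                         "Allow Password Provisioning requires Use SSL: yes"))

    # Without SSL, the simple bind sends the Admin Password in cleartext.
    if not use_ssl:
        findings.append(("warning", "cleartext-bind",
                         "Admin credentials cross the network unencrypted"))
    return findings


if __name__ == "__main__":
    for label, text in (("first", FIRST_ATTEMPT), ("second", SECOND_ATTEMPT)):
        for severity, code, message in check_it_resource(parse_it_resource(text)):
            print(f"{label}: {severity}: {code}: {message}")
```

The second listing connects, but the check still reports the cleartext bind, which is the trade-off of testing with Use SSL set to no.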
OIM AD Connector (AD 9.1.1.4) Error
Hi experts,
We are configuring the connector MS AD 9.1.1.4 for OIM 9.1.0.2 BP07 on WebLogic 10.3.0. BD 10g (10.2.0.4). MS AD 2003.
But when we try to execute the AD Group Recon Lookup, the following error happens :
These are the values that we are providing in the Scheduled Task.
AttrName for Code Value in Lookup distinguishedName
AttrName for Decode Value in Lookup distinguishedName
Configuration Lookup Lookup.AD.Configuration
IT Resource Name ADITResource
Lookup Code Name Lookup.ADReconciliation.GroupLookup
Lookup Search Filter (objectclass=group)
Recon Type Refresh
Search Base ou=OIM,ou=Applications,dc=redecorp,dc=br
DEBUG LOG
INFO,19 May 2010 11:47:27,711,[XELLERATE.PERFORMANCE],API Call: com.thortech.xl.ejb.beansimpl.tcITResourceInstanceOperationsBean/getITResourceInstanceParameters 41
DEBUG,19 May 2010 11:47:27,712,[OIMCP.ADCS],com.thortech.xl.schedule.tasks.ADITRes : initialize:: FINISHED
DEBUG,19 May 2010 11:47:27,789,[OIMCP.ADCS],com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController : addSecurityProvider:: STARTED
DEBUG,19 May 2010 11:47:27,789,[OIMCP.ADCS],com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController : addSecurityProvider:: FINISHED
DEBUG,19 May 2010 11:47:27,789,[OIMCP.ADCS],com.thortech.xl.schedule.tasks.ADLookupReconTask : initialize:: FINISHED
DEBUG,19 May 2010 11:47:27,790,[OIMCP.ADCS],com.thortech.xl.schedule.tasks.ADITRes : toString:: STARTED
DEBUG,19 May 2010 11:47:27,790,[OIMCP.ADCS],com.thortech.xl.schedule.tasks.ADITRes : toString:: FINISHED
DEBUG,19 May 2010 11:47:27,790,[OIMCP.ADCS],com.thortech.xl.schedule.tasks.ADLookupReconTask : execute : IT resource params are:
Admin FQDN : cn=oracle_idm,ou=Users,ou=OIM,ou=Applications,dc=redecorp,dc=br
Root Context : ou=OIM,ou=Applications,dc=redecorp,dc=br
SSL Port Number : 389
Server Address : 172.23.190.26
Use SSL : false
DEBUG,19 May 2010 11:47:27,791,[OIMCP.ADCS],com.thortech.xl.schedule.tasks.ADLookupReconTask : toString:: STARTED
DEBUG,19 May 2010 11:47:27,791,[OIMCP.ADCS],com.thortech.xl.schedule.tasks.ADLookupReconTask : toString:: FINISHED
DEBUG,19 May 2010 11:47:27,791,[OIMCP.ADCS],com.thortech.xl.schedule.tasks.ADLookupReconTask : execute : Task attributes params are: Server: ADITResource
LookupCodeName: Lookup.ADReconciliation.GroupLookup
FilterLookupRecon: (objectclass=group)
AttrNameDecodeValueLookup: distinguishedName
AttrNameCodeValueLookup: distinguishedName
UserSearchScope: ou=OIM,ou=Applications,dc=redecorp,dc=br
INFO,19 May 2010 11:47:27,792,[OIMCP.ADCS],com.thortech.xl.schedule.tasks.ADLookupReconTask : execute : Start of Active Directory Lookup Reconciliation.
DEBUG,19 May 2010 11:47:27,793,[OIMCP.ADCS],com.thortech.xl.schedule.tasks.ADLookupReconTask : performReconciliation:: STARTED
DEBUG,19 May 2010 11:47:27,793,[OIMCP.ADCS],com.thortech.xl.schedule.tasks.ADLookupReconTask : performReconciliation : query : (objectclass=group)
DEBUG,19 May 2010 11:47:27,801,[OIMCP.ADCS],com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController : searchResultPageEnum:: STARTED
DEBUG,19 May 2010 11:47:27,806,[OIMCP.ADCS],com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController : connectToAvailableAD:: STARTED
DEBUG,19 May 2010 11:47:27,810,[OIMCP.ADCS],com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController : hashTableEnvForDirContext:: STARTED
ERROR,19 May 2010 11:47:27,815,[OIMCP.ADCS],====================================================
ERROR,19 May 2010 11:47:27,815,[OIMCP.ADCS],com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController : hashTableEnvForDirContext : null
ERROR,19 May 2010 11:47:27,815,[OIMCP.ADCS],====================================================
ERROR,19 May 2010 11:47:27,822,[OIMCP.ADCS],================= Start Stack Trace =======================
ERROR,19 May 2010 11:47:27,823,[OIMCP.ADCS],com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController : hashTableEnvForDirContext
ERROR,19 May 2010 11:47:27,823,[OIMCP.ADCS],
ERROR,19 May 2010 11:47:27,823,[OIMCP.ADCS],Description : null
ERROR,19 May 2010 11:47:27,823,[OIMCP.ADCS],java.lang.NullPointerException
at com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController.hashTableEnvForDirContext(Unknown Source)
at com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController.connectToAvailableAD(Unknown Source)
at com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController.searchResultPageEnum(Unknown Source)
at com.thortech.xl.schedule.tasks.ADLookupReconTask.performReconciliation(Unknown Source)
at com.thortech.xl.schedule.tasks.ADLookupReconTask.execute(Unknown Source)
at com.thortech.xl.scheduler.tasks.SchedulerBaseTask.run(Unknown Source)
at com.thortech.xl.scheduler.core.quartz.QuartzWrapper$TaskExecutionAction.run(Unknown Source)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(Unknown Source)
at weblogic.security.Security.runAs(Security.java:41)
at Thor.API.Security.LoginHandler.weblogicLoginSession.runAs(Unknown Source)
at com.thortech.xl.scheduler.core.quartz.QuartzWrapper.execute(Unknown Source)
at org.quartz.core.JobRunShell.run(JobRunShell.java:178)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:477)
ERROR,19 May 2010 11:47:27,823,[OIMCP.ADCS],================= End Stack Trace =======================
ERROR,19 May 2010 11:47:27,823,[OIMCP.ADCS],====================================================
ERROR,19 May 2010 11:47:27,823,[OIMCP.ADCS],com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController : searchResultPageEnum : null
ERROR,19 May 2010 11:47:27,823,[OIMCP.ADCS],====================================================
DEBUG,19 May 2010 11:47:27,824,[OIMCP.ADCS],com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController : disconnect:: STARTED
DEBUG,19 May 2010 11:47:27,825,[OIMCP.ADCS],com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController : disconnect:: FINISHED
ERROR,19 May 2010 11:47:27,825,[OIMCP.ADCS],====================================================
ERROR,19 May 2010 11:47:27,825,[OIMCP.ADCS],com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController : searchResultPageEnum : The error occured in tcADUtilLDAPController::connectToAvailableAD():null
ERROR,19 May 2010 11:47:27,825,[OIMCP.ADCS],====================================================
ERROR,19 May 2010 11:47:27,825,[OIMCP.ADCS],====================================================
ERROR,19 May 2010 11:47:27,825,[OIMCP.ADCS],com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController : searchResultPageEnum : null
ERROR,19 May 2010 11:47:27,825,[OIMCP.ADCS],====================================================
ERROR,19 May 2010 11:47:27,825,[OIMCP.ADCS],================= Start Stack Trace =======================
ERROR,19 May 2010 11:47:27,825,[OIMCP.ADCS],com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController : searchResultPageEnum
ERROR,19 May 2010 11:47:27,825,[OIMCP.ADCS],
ERROR,19 May 2010 11:47:27,825,[OIMCP.ADCS],Description : null
ERROR,19 May 2010 11:47:27,825,[OIMCP.ADCS],com.thortech.xl.exception.ConnectionException
at com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController.searchResultPageEnum(Unknown Source)
at com.thortech.xl.schedule.tasks.ADLookupReconTask.performReconciliation(Unknown Source)
at com.thortech.xl.schedule.tasks.ADLookupReconTask.execute(Unknown Source)
at com.thortech.xl.scheduler.tasks.SchedulerBaseTask.run(Unknown Source)
at com.thortech.xl.scheduler.core.quartz.QuartzWrapper$TaskExecutionAction.run(Unknown Source)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(Unknown Source)
at weblogic.security.Security.runAs(Security.java:41)
at Thor.API.Security.LoginHandler.weblogicLoginSession.runAs(Unknown Source)
at com.thortech.xl.scheduler.core.quartz.QuartzWrapper.execute(Unknown Source)
at org.quartz.core.JobRunShell.run(JobRunShell.java:178)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:477)
ERROR,19 May 2010 11:47:27,826,[OIMCP.ADCS],================= End Stack Trace =======================
ERROR,19 May 2010 11:47:27,826,[OIMCP.ADCS],====================================================
ERROR,19 May 2010 11:47:27,826,[OIMCP.ADCS],com.thortech.xl.schedule.tasks.ADLookupReconTask : performReconciliation : null
ERROR,19 May 2010 11:47:27,826,[OIMCP.ADCS],====================================================
ERROR,19 May 2010 11:47:27,826,[OIMCP.ADCS],================= Start Stack Trace =======================
ERROR,19 May 2010 11:47:27,826,[OIMCP.ADCS],com.thortech.xl.schedule.tasks.ADLookupReconTask : performReconciliation
ERROR,19 May 2010 11:47:27,826,[OIMCP.ADCS],
ERROR,19 May 2010 11:47:27,826,[OIMCP.ADCS],Description : null
ERROR,19 May 2010 11:47:27,826,[OIMCP.ADCS],com.thortech.xl.exception.ConnectionException
at com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController.searchResultPageEnum(Unknown Source)
at com.thortech.xl.schedule.tasks.ADLookupReconTask.performReconciliation(Unknown Source)
at com.thortech.xl.schedule.tasks.ADLookupReconTask.execute(Unknown Source)
at com.thortech.xl.scheduler.tasks.SchedulerBaseTask.run(Unknown Source)
at com.thortech.xl.scheduler.core.quartz.QuartzWrapper$TaskExecutionAction.run(Unknown Source)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(Unknown Source)
at weblogic.security.Security.runAs(Security.java:41)
at Thor.API.Security.LoginHandler.weblogicLoginSession.runAs(Unknown Source)
at com.thortech.xl.scheduler.core.quartz.QuartzWrapper.execute(Unknown Source)
at org.quartz.core.JobRunShell.run(JobRunShell.java:178)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:477)
ERROR,19 May 2010 11:47:27,826,[OIMCP.ADCS],================= End Stack Trace =======================
DEBUG,19 May 2010 11:47:27,826,[OIMCP.ADCS],com.thortech.xl.schedule.tasks.ADLookupReconTask : performReconciliation:: FINISHED
INFO,19 May 2010 11:47:27,826,[OIMCP.ADCS],com.thortech.xl.schedule.tasks.ADLookupReconTask : execute : End of Active Directory Lookup Reconciliation.
DEBUG,19 May 2010 11:47:27,826,[OIMCP.ADCS],com.thortech.xl.schedule.tasks.ADLookupReconTask : execute:: FINISHED
DEBUG,19 May 2010 11:47:27,826,[XELLERATE.SCHEDULER.TASK],Class/Method: SchedulerBaseTask/run left.
DEBUG,19 May 2010 11:47:27,826,[XELLERATE.SCHEDULER.TASK],Class/Method: SchedulerBaseTask/isSuccess entered.
DEBUG,19 May 2010 11:47:27,826,[XELLERATE.SCHEDULER.TASK],Class/Method: SchedulerBaseTask/isSuccess left.
Thanks for any help you can provide.
Regards
Hi! Can you tell me which values have been used in the resource it, for provisioning ad.
How can I see these parameters in the log?
Thanks again
Maxi -
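A small triage script for the debug log format shown in this thread, added here as an example (it is not part of OIM or the connector). It pulls out the IT resource parameters the task logged and the first exception with its top stack frame; the sample log is constructed, with placeholder host and DN values, and all function names are assumptions.

```python
import re

# Constructed sample in the same layout as the OIMCP.ADCS debug log above.
SAMPLE_LOG = """\
DEBUG,19 May 2010 11:47:27,790,[OIMCP.ADCS],com.thortech.xl.schedule.tasks.ADLookupReconTask : execute : IT resource params are:
Admin FQDN : cn=svc_oim,ou=Users,dc=example,dc=test
Root Context : dc=example,dc=test
SSL Port Number : 389
Server Address : 192.0.2.10
Use SSL : false
DEBUG,19 May 2010 11:47:27,810,[OIMCP.ADCS],com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController : hashTableEnvForDirContext:: STARTED
ERROR,19 May 2010 11:47:27,823,[OIMCP.ADCS],Description : null
ERROR,19 May 2010 11:47:27,823,[OIMCP.ADCS],java.lang.NullPointerException
\tat com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController.hashTableEnvForDirContext(Unknown Source)
\tat com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController.connectToAvailableAD(Unknown Source)
ERROR,19 May 2010 11:47:27,825,[OIMCP.ADCS],com.thortech.xl.exception.ConnectionException
\tat com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController.searchResultPageEnum(Unknown Source)
\tat com.thortech.xl.schedule.tasks.ADLookupReconTask.performReconciliation(Unknown Source)
INFO,19 May 2010 11:47:27,826,[OIMCP.ADCS],com.thortech.xl.schedule.tasks.ADLookupReconTask : execute : End of Active Directory Lookup Reconciliation.
"""

HEADER = re.compile(
    r"^(DEBUG|INFO|WARN|ERROR),(\d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2}),(\d{3}),"
    r"\[([^\]]+)\],(.*)$"
)
EXCEPTION = re.compile(r"^([\w.$]+(?:Exception|Error))(?::\s*(.*))?$")
FRAME = re.compile(r"^\s*at\s+([\w.$<>]+)\(")


def parse_records(text):
    """Group each log header line with the continuation lines that follow it."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            level, stamp, millis, category, message = m.groups()
            records.append({"level": level, "time": f"{stamp},{millis}",
                            "category": category, "message": message,
                            "extra": []})
        elif records and line.strip():
            records[-1]["extra"].append(line.strip())
    return records


def logged_params(records):
    """Return the 'Name : Value' pairs printed after 'IT resource params are:'."""
    for rec in records:
        if rec["message"].endswith("IT resource params are:"):
            params = {}
            for line in rec["extra"]:
                name, sep, value = line.partition(" : ")
                if sep:
                    params[name.strip()] = value.strip()
            return params
    return {}


def exceptions(records):
    """Return ERROR records that carry an exception class and stack frames."""
    found = []
    for rec in records:
        m = EXCEPTION.match(rec["message"])
        frames = [f.group(1) for f in map(FRAME.match, rec["extra"]) if f]
        if rec["level"] == "ERROR" and m and frames:
            found.append({"time": rec["time"], "type": m.group(1),
                          "detail": m.group(2) or "", "frames": frames})
    return found


def first_failure(records):
    """The earliest exception and its top frame; later ones are usually wrappers."""
    excs = exceptions(records)
    return (excs[0]["type"], excs[0]["frames"][0]) if excs else None


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print(logged_params(recs))
    print(first_failure(recs))
```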
Spawning multiple approval tasks in parallel in OIM11g SOA Composite
Hi,
We are trying to implement the following scenario.
1) We are trying to develop a SOA composite for AD Group Access
2) The request dataset contains a child table for AD User Group Details which is as follows.
<AttributeReference name="AD User Group Details" attr-ref="UD_ADUSRC" type="String" length="20" widget="text" available-in-bulk="true">
<AttributeReference name="Group Name" attr-ref="Group Name" type="String" length="400" widget="lookup" available-in-bulk="true" lookup-code="Lookup.ADReconciliation.GroupLookup" primary="true"/>
</AttributeReference>
3) Consider the user is already provisioned to AD.
4) User now tries to request for AD Group Access by using a request template
5) The request dataSet for the resource "AD Group Access" will be displayed where the user would "Add" the group(s) to which (s)he wants access.
6) Once the request is submitted the associated SOA composite would be executed.
7) Now, in the SOA composite the logic should be as follows:
a. For each group selected, there is a corresponding dataApprover who should approve the request.
b. Once the dataApprover approves the request it goes to the next approver who is securityApprover.
c. Once the securityApprover approves the request, the request should go thru and the user should get the membership in the AD Group.
d. Since "AD User Group Details" is a child form in the request dataset, the user can add multiple groups in the same request.
e. If there are multiple groups selected in the same request, then the same request should spawn parallel approval tasks for all corresponding dataApprovers and securityApprovers.
f. Then the user should get membership to those AD Groups for which the corresponding dataApprover and securityApprover had approved the request.
g. If a dataApprover or securityApprover rejects the request then the user shouldn't get membership to the respective group. However, this shouldn't prevent the user from getting membership to other groups for which dataApprover-securityApprover approval was done.
The dataApprover and securityApprover for the groups are stored in a db table mapping to the corresponding group name.
We have implemented a SOA composite for which the logic is fine if we add only one group in the child table of request dataset. As per the current implementation, when a user submits the request, the dataApprover and securityApprover for the selected group are fetched from the table and the global variables in SOA composite are set with the ID of dataApprover and securityApprover using setVariableData. These are string variables. These variables are used in the approval task. The approval task has two "Single Type" participants - dataApprover and securityApprover. These participants fetch the value of dataOwner and securityOwner from the global variables set using setVariableData.
Now, as mentioned above, if multiple groups are added like group1, group 2 etc. then there should be multiple approval tasks spawned in parallel that will be approved/rejected by dataApprover1-securityApprover1, dataApprover2-securityApprover2 etc. Depending on the output (approve/reject) the user should get membership to appropriate groups.
Any inputs on how to modify the current composite to spawn multiple approval tasks in parallel depending on the number of groups added from the requestDataSet would be helpful.
Regards,
Swaroop
Single request id then you are bit safe. The way to do it would be:
1. Set the dataApprovers as a comma separated list of all the data approvers for all the groups.
2. Set the securityApprovers as a comma separated list of all the security approvers for all the groups.
3. In Human Task assign the first stage to all the dataApprovers and second stage to securityApprovers.
Cons of this approach are:
1. All the approvers would see all the data and they might be confused what they are approving.
2. securityApprovers for say group1 won't get the item until all the dataApprovers approve the request even though dataApprover has approved the request for group1.
3. Would be hard to implement the rejection cases; depending upon how you want to handle the rejections. For e.g. what if any dataApprover rejects the request? Should the whole request be rejected? If so what would happen to those which have already been approved by dataApprovers? Same case goes for securityApprovers. Again since you cannot modify the requested data once the request is submitted; thus you cannot remove the rejected groups from the request.
4. Your provisioning won't trigger until all dataApprovers and all securityApprovers have approved the request.
5. Any one approver from comma separated list of approvers would approve the request. Thus you cannot make sure that all the approvers should approve the request. The workaround would be to create parallel stages in human task and assign one group/approver to one parallel stage. This would mean that you will have to hard code the number of parallel approvals which can be generated in your BPEL human task (This would again depend upon the number of groups requested). To workaround this you could use BPEL external routing program where you can programmatically assign tasks but again since there is no entitlement based request engine in OIM, thus there would be issues there too.
As a workaround, make sure that you allow only one group to be requested per request and reject the request outright if multiple groups are requested in a single request. You will need to buy in the business on this one.
Have heard the grapevine that 12G which is in the pipeline would have entitlement based request engine and also would allow for modification of request data once the request is submitted.
HTH,
BB -
AD Connector Remote Manager Question
all,
trying to install MSFT AD BASE 91170 connector on OIM/OAM 11.1.1.3 environment. Finished the following steps thus far:
1. created OIM/OAM/AD server environments
2. Created OIMGroup and admin user account association
3. Imported the connector
4. Update ADITResource
5. Copied ldapbp.jar and ran uploadjars.sh script
6. Updated search base in Group Lookup Recon and Organization Lookup Recon jobs
7. I was able to provision a user
I have two questions:
1. section 2.2.2.1 (on page 2-14 connector indicates that I need to run installation of remote manager on the AD server). Is this step and the subsequent steps required to be configured? What else do I need to run as part of installation? If the rest of the steps are optional in what cases do they need to be created?
2. My design console Lookup.ADReconciliation.GroupLookup does not have any values, it appears recon did not work in this case. What could I be doing wrong? I can add configuration details if needed. - I have done this before but not sure what I missed this time.
Thanks in advance,
Prasad.
Edited by: Prasad on Oct 25, 2011 11:48 AM
Sagar,
I ran the group lookup recon task several times yesterday. OIM did not populate the lookup. Today I changed the recon type from Refresh to Update and changed it back to Refresh and it worked with few exceptions like the one below:
Overall now the records are there, but it is unclear why the original task executions did not pull anything. I did not see any other exception either yesterday.
<Insert failed.><Oct 26, 2011 10:56:27 AM EDT> <Error> <OIMCP.ADCS> <BEA-000000> <Description : Insert failed.>
<Oct 26, 2011 10:56:27 AM EDT> <Error> <OIMCP.ADCS> <BEA-000000> <Thor.API.Exceptions.tcAPIException: Insert failed.
at com.thortech.xl.ejb.beansimpl.tcLookupOperationsBean.addLookupValue(tcLookupOperationsBean.java:1357)
at Thor.API.Operations.tcLookupOperationsIntfEJB.addLookupValuex(Unknown Source)
at sun.reflect.GeneratedMethodAccessor1896.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethod -
ERROR: Provision a resource ADITResource
HI,
When I try to provision a resource ADITResource to a user in OIM, in the details it is showing as provisioning and not provisioned,
The error i'm getting is as follows:
Task Name - Create User Resource Name:AD User User: Jorge Parra
Status: Rejected
Response: AD Connection Error
Response Description: Error encountered while connecting to target system
Notes:
The error in JBoss is as follows:
2009-01-29 11:25:47,465 ERROR [OIMCP.ADCS] The error occured in tcADUtilLDAPController::connectToAvailableAD():simple bind failed: 162.168.1.18:636
2009-01-29 11:25:47,481 DEBUG [OIMCP.ADCS] tcADUtilLDAPController::connectToAvailableAD() Exit
2009-01-29 11:25:47,481 DEBUG [OIMCP.ADCS] tcADUtilLDAPController::connectToAvailableNextAD() Enter
2009-01-29 11:25:47,528 ERROR [OIMCP.ADCS] The error occured in tcADUtilLDAPController::connectToAvailableNextAD():Connection Error OccurCould not establish connection with target system
2009-01-29 11:25:47,543 ERROR [OIMCP.ADCS] Could not establish connection with target system:Connection Error Occur
2009-01-29 11:25:47,559 DEBUG [OIMCP.ADCS] tcADUtilLDAPController::disconnect() Enter
2009-01-29 11:25:47,559 DEBUG [OIMCP.ADCS] tcADUtilLDAPController::disconnect() Exit
2009-01-29 11:25:47,559 DEBUG [OIMCP.ADCS] tcUtilADTasks::createUser() Exit
Additional Information
I created an ITResource (ADITResource) also with the following fields
isLookupDN no
Remote Manager Prov Lookup AtMap.AD.RemoteScriptlookUp
Remote Manager Prov Script Path
ADPWSYNC ADFlag
ADPWSYNC OIMFlag
ADPWSYNC Installed no
ADAM LockoutThreshold Value 5
Invert Display Name no
Server Address 162.168.1.18
Root Context dc=ad,dc=com
Admin FQDN cn=Administrator,cn=Users,dc=ad,dc=com
Admin Password *************
Use SSL yes
Port Number 636
AtMap ADUser AtMap.AD
ADGroup LookUp Definition Lookup.ADReconciliation.GroupLookup
isUserDeleteLeafNode no
isADAM no
Please help me to resolve this issue.
Thanks,
JLK.
Edited by: JLK on Jan 29, 2009 12:10 PM
Are you referring to creating a resource object (e.g. group) on the Organization itself (as opposed to users in that Organization)? If so this can be done from a post-process event handler on the Organization object.
-
Request OID group access in OIM
Hi All,
I have OIM (11.1.1.5.2) and the OID Connector (9.0.4.14) installed. Is it possible for a user to request access to a specific group in OID using the OIM Self Service Console?
Regards,
user10233157
Yes, this is possible. You need to create request dataset with Group details and import it to MDS.
Sample Dataset for AD Resource is
<?xml version="1.0" encoding="UTF-8"?>
<request-data-set xmlns="http://www.oracle.com/schema/oim/request" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.oracle.com/schema/oim/request" name="ModifyResourceAD User" entity="AD User" operation="MODIFYRESOURCE">
  <AttributeReference name="City" attr-ref="City" available-in-bulk="true" type="String" length="20" widget="text"/>
  <AttributeReference name="Pager" attr-ref="Pager" available-in-bulk="true" type="String" length="20" widget="text"/>
  <AttributeReference name="Group" attr-ref="UD_ADUSRC" available-in-bulk="true" type="String" length="500" widget="text">
    <AttributeReference name="Group Name" attr-ref="Group Name" available-in-bulk="true" type="String" length="500" widget="lookup" lookup-code="Lookup.ADReconciliation.GroupLookup" entitlement="true">
    </AttributeReference>
  </AttributeReference>
</request-data-set>
Then in OIM Self Service console select Self Modify Provisioned Resource request type and you will see the OID Groups in the list of available groups to request. -
Please comment, below configuration are correct in OIM recon tasks (need help)
All
I am giving below recon configuration, could you please check and let me know is this configured correctly on system
AD Group Lookup Recon
AttrName for Code Value in Lookup
distinguishedName
AttrName for Decode Value in Lookup
cn
IT Resource Name
ADITResource
Lookup Code Name
Lookup.ADReconciliation.GroupLookup
Lookup Search Filter
(objectclass=group)
Recon Type
Update
Search Base
OU=Groups,OU=1199_Funds,DC=1199nbf,DC=net
AD Organization Lookup Recon
AttrName for Code Value in Lookup
distinguishedName
AttrName for Decode Value in Lookup
distinguishedName
IT Resource Name
ADITResource
Lookup Code Name
Lookup.ADReconciliation.Organization
Lookup Search Filter
(employeeid='1119697')
Recon Type
Refresh
Search Base
rebecca
Hi,
It's very difficult to understand your requirement. Request you to kindly post some sample data.
you try this..
select sum(qty_serv),sum(QTY_POS)
from prt_cal r1
where substr(filename,28,1)='1'
union
select sum(qty_serv),sum(QTY_POS)
from prt_cal r1 where
substr(filename,28,1)='2'
and TRDATE > (select max(TRDATE)from prt_cal r2 where substr(filename,28,1)='1'
group by TO_CHAR(TO_DATE(TRDATE,'DD/MM/YYYY HH24:MI:SS'),'DD/MM/YYYY'))
Also you have not mentioned what's the primary key in your table,
Regards,
Achyut -
Issues Running Target Recons againt ADAM
Hello,
I'm facing the following issue when running target recons for ADAM.....the first time I run everything works fine it links up the AD User account to the OIM user.....the second time I run I get the following error in the logs:
ERROR,25 Jan 2010 11:48:52,136,[XELLERATE.APIS],Class/Method: tcReconciliationOperationsBean/ignoreEventAttributeDataData encounter some problems: Child Table mapping Not Found
java.lang.Exception: Child Table mapping Not Found
at com.thortech.xl.dataobj.util.tcReconciliationUtil.areAccountsIdentical(Unknown Source)
at com.thortech.xl.dataobj.util.tcReconciliationUtil.ignoreEventAttributeData(Unknown Source)
at com.thortech.xl.ejb.beansimpl.tcReconciliationOperationsBean.ignoreEventAttributeDataData(Unknown Source)
at com.thortech.xl.ejb.beansimpl.tcReconciliationOperationsBean.ignoreEventAttributeData(Unknown Source)
at com.thortech.xl.ejb.beans.tcReconciliationOperationsSession.ignoreEventAttributeData(Unknown Source)
at com.thortech.xl.ejb.beans.tcReconciliationOperations_gmh3ba_EOImpl.ignoreEventAttributeData(tcReconciliationOperations_gmh3ba_EOImpl.java:1447)
at Thor.API.Operations.tcReconciliationOperationsClient.ignoreEventAttributeData(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at Thor.API.Base.SecurityInvocationHandler$1.run(Unknown Source)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
at weblogic.security.Security.runAs(Security.java:41)
at Thor.API.Security.LoginHandler.weblogicLoginSession.runAs(Unknown Source)
at Thor.API.Base.SecurityInvocationHandler.invoke(Unknown Source)
at $Proxy73.ignoreEventAttributeData(Unknown Source)
at com.thortech.xl.schedule.tasks.ActiveDirectoryReconTask.processUserChange(Unknown Source)
at com.thortech.xl.schedule.tasks.ActiveDirectoryReconTask.processBatch(Unknown Source)
at com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController.searchResultPageEnum(Unknown Source)
at com.thortech.xl.schedule.tasks.ActiveDirectoryReconTask.performReconciliation(Unknown Source)
at com.thortech.xl.schedule.tasks.ActiveDirectoryReconTask.execute(Unknown Source)
at com.thortech.xl.scheduler.tasks.SchedulerBaseTask.run(Unknown Source)
at com.thortech.xl.scheduler.core.quartz.QuartzWrapper$TaskExecutionAction.run(Unknown Source)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
at weblogic.security.Security.runAs(Security.java:41)
at Thor.API.Security.LoginHandler.weblogicLoginSession.runAs(Unknown Source)
at com.thortech.xl.scheduler.core.quartz.QuartzWrapper.execute(Unknown Source)
at org.quartz.core.JobRunShell.run(JobRunShell.java:178)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:477)
Has anyone seen this error before?
Thanks in advance for your help!
Hey Martin,
I believe I have the isADAM flag set correctly in the resource def:
AtMap ADGroup: AtMap.ADAMGroup
Remote Manager Prov Lookup: AtMap.AD.RemoteScriptlookUp
Remote Manager Prov Script Path:
ADAM LockoutThreshold Value: 5
Invert Display Name: no
Server Address: somehost
Root Context: DC=somedomain
Admin FQDN: cn=idmadminuser,ou=application users, DC=somedoman
Admin Password: ************
Use SSL: yes
Port Number: 636
AtMap ADUser: AtMap.ADAM
ADGroup LookUp Definition: Lookup.ADReconciliation.GroupLookup
isUserDeleteLeafNode: no
isADAM: yes
Target Locale: TimeZone: GMT
Allow Password Provisioning: yes
UPN Domain: somedomain.com