OIM 11.1.1.3 - Active Directory ADGroup question

All,
I have used MSFT_AD_Base_9.1.1.7.0 to install active directory connector and synchronized (provision and reconciliation) oim users with the AD. I can't seem to find documentation on how to sync oim roles with with AD groups. Can you provide me some pointers for this. the deployment documetnation (MS_ActiveDirectory_Guide.pdf) indicates that i cannot run ADGroupRecon if i am on 11.1.1... version (bug Bug 9799541).
It also appears that a resource cannot be assigned at the role level in oim 11.1.1. is there something missing from our environment, i was able to add AD User reosource to user profiles.
Basically i cannot provision or recon group at this time.
any help with this is much appreciated. Please let me know if you need additional information.
Best Regards,
Prasad.
Edited by: Prasad on Aug 5, 2011 6:12 AM

I don't believe there has ever been code to create OIM Groups based on AD Groups and then add the OIM Users to those groups accordingly. You would need to create a custom scheduled task that creates for a group for every entry in the lookup for the AD Groups. Then you would also need to read every user's child table entry for their AD Groups and adds the user to each one of those groups. You could also have code the runs on every Add User to Group event, that adds the user to the OIM group as well as in AD. And you can do the same for removal.
There are lots of options, but this is not part of the OOTB Connector. This would be your own customization.
-Kevin

Similar Messages

  • Active Directory Connector Questions in 11.1.2.1

    Hello All.  I am new to this version of IDM and I am trying to get through the setup and config.  I just installed a single instance of 11.1.2.1 with OUD, OAM, OIM.  I installed the Active Directory connector for User Management and I believe I have it configured. 
    I followed the post at Weblogic Corner: Oracle Identity Manager: The Active Directory Connector Tutorial and got a lot of questions answered with that.  First, note that I was able to follow the guide and run the lookup recon jobs as well as the user and group recon in trusted mode, then target mode to create all of the users and groups.  I am also able to create a user in OIM, add an account and have that provisioned to AD. 
    Here are my questions if you would be so kind:
    1) When I create a user in AD and I run the user recon(target), the event says "No User Match Found".  I was kind of expecting it to create a new user for me.  I was also expecting to schedule the recon job in target mode and not have to ever switch back to trusted mode after the first full sync.  What did I miss here?
    2) When I add an account to the user in OIM, the AD User form comes up with all the fields empty.  Is that the way it should work?  I was hoping that it would prepopulate some of the stuff from the OIM profile.
    3) When I modify a field in OIM, say middle name, will that sync in the next recon run, or will the admin need to open the account, update the AD form also and submit the middle name in two places?
    Thanks in advance!

    1. Identity gets created in Oracle Identity Manager from an authoritative source. in case of target recon, it will just sync with the matched account in oim.
    please have a look in the below link seccion 12.1.12
    Managing Reconciliation - 11g Release 2 (11.1.2)
    2.u can very well prepopulate filed in the process definition, even u can automate the provisioning process using  role based when provissioning process.
    3.there should be some tasks available for each field. no need run the recon task or modify the account in AD. it will be updated in AD using the tasks. check the connector process definition.

  • Integrating OIM 9.1.0.2 - Active Directory NT 4.0

    Hi,
    I need to make the integration between:
    - Oracle Identity Manager 9.1.0.2
    - Active Directory NT 4.0,
    I found that connector according to the certification of Microsoft Active Directory User Management 9.1.1.7. The NT version of Active Directory is not supported than alternatives can be taken in this case.
    Very grateful for the support

    You should still be able to communicate with it via java ldap libaries so long as it is version "Windows NT 4.0 PDC release (the Windows 2000 alpha release)" or later.
    I would suggest you download the Sun Java System Directory connector. Go through the configuration lookups and change them to match the ldap values of Active Directory. Give that a shot. If it doesn't work, you'll most likely need to write your own connector using ldap libraries.
    -Kevin

  • Active Directory Structure Questions

    I recently started working for a company that offers cloud services for our clients where we host our software as a service and we also migrate any other applications the client is using onto the servers that we host for them.
    My concern is that every client we have is in our domain. The structure of our servers is that our domain is the top of the organization and each client has their own dc and that dc is listed as an organizational unit in our AD. I have never seen anything
    like it. Most of the clients have their own domains and web sites but we do not migrate that portion of their IT into our cloud. We do however bring everything else over and we offer O365 to many of them.
    Imagine if you will opening ad users and computers and under the root all the OU's are named after clients and actually represent their servers all of which are dc's.
    I was wondering what if any precedent would support this type of configuration? I am just asking.
    Thanks
    Richard Tamboli

    No Special hardware is required for Active Directory
    Active Directory is builtin feature for most of the Windows Servers such as Windows Server 2003, 2008,2008R2,2012.
    It is a feature and part of Windows Server.
    Hope this may answer your questions.
    http://en.wikipedia.org/wiki/Active_Directory

  • Active directory change question regarding affects on exchange 2013

    Good day,
      I have some universal security groups that are meant to be distribution groups in a 2008 R2 active directory forest.  These groups are being utilized by exchange 2013, I plan on turning these groups into global distribution groups in active
    directory (all changes will be made in active directory only, not in exchange).
      Question is; What will happen to the mail boxes using this group? Will it break the mailbox? How will users be affected?
     I plan on doing testing of my own but if someone else has already done this and has ran into issues this will help me out greatly.

    Hi ,
    Mail enabled security groups can be used for two purposes.
    1.Used to distribute emails to its members.
    2.Unlike mail enabled Distribution groups , Mail enabled security groups will have SID value , so it can be mapped on any resources (for eg : share folder ) to get the access permissions to it members.
    In your case ,You would like to change the scopes for the mail enabled security groups ,Before changing the group scopes just have a look in to the following link which states clearly about the group scopes and its usage.
    http://technet.microsoft.com/en-us/library/cc755692(v=ws.10).aspx
    Please feel to reply me if you have any queries.
    Thanks & Regards S.Nithyanandham

  • OIM 9.1.0 Integration with Active Directory 2008 R2

    Hi,
    My customer is running Root/Child AD structure based on windows 2003 w/SP2, OIM 9.1.0 deployed under one of the child domains, and integrated with child domains controllers which runs windows server 2003 as well.
    My customer has decided to upgrade his AD to Windows Server 2008 R2 domain controllers across the entire AD Forest and still wants to integrate the current OIM v9.1.0 with AD for all of his Users provisioning and password synchronizations.
    Am not sure if current OIM version of OIM 9.1.0 is compatible and supported by OIM v9.1.0 under active directory version 2008 / R2, and not sure if it can be integrated with such AD version.
    Any guidance is really appreciated.
    Also I was thinking of such scenario but also not sure of its support ability and if OIM will keep working on such scenario, the scenario is to upgrade only the AD root domain to Windows 2008 R2 while keeping the child domain holding the OIM 9.1.0 at Windows 2003 version.
    Is this a working and supported scenario by OIM v9.1.0 ?

    I believe you question should be if the connector supports this architecture. Check out the versions supported for the connector you are using and you should be good.
    -Bikash

  • Error running Organization Lookup Recon in OIM 11g R2 with Active Directory

    Hi all,
    I have an implementation of OIM 11g R2, with an Active Directory 11.1.1.5.0 connecting to an instance of Active Directory on Windows Server 2008. I am trying to run the "Active Directory Organization Lookup Reconciliation" scheduled task, but the job fails with this error:
    oracle.iam.connectors.icfcommon.exceptions.IntegrationException: Connector ConnectorKey( bundleName=ActiveDirectory.Connector bundleVersion=1.1.0.6380 connectorName=Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector ) not found
    This is the full stack trace from the oim_domain.log file:
    oracle.iam.connectors.icfcommon.exceptions.IntegrationException: Connector ConnectorKey( bundleName=ActiveDirectory.Connector bundleVersion=1.1.0.6380 connectorName=Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector ) not found
    at oracle.iam.connectors.icfcommon.ConnectorFactory.createConnectorFacade(ConnectorFactory.java:176)
    at oracle.iam.connectors.icfcommon.recon.AbstractReconTask.init(AbstractReconTask.java:115)
    at com.thortech.xl.scheduler.tasks.SchedulerBaseTask.execute(SchedulerBaseTask.java:382)
    at oracle.iam.scheduler.vo.TaskSupport$1.processWithoutResult(TaskSupport.java:135)
    at oracle.iam.platform.tx.OIMTransactionCallbackWithoutResult.process(OIMTransactionCallbackWithoutResult.java:9)
    at oracle.iam.platform.tx.OIMTransactionCallback.doInTransaction(OIMTransactionCallback.java:13)
    at oracle.iam.platform.tx.OIMTransactionCallback.doInTransaction(OIMTransactionCallback.java:6)
    at org.springframework.transaction.support.TransactionTemplate.execute(TransactionTemplate.java:128)
    at oracle.iam.platform.tx.OIMTransactionManager.execute(OIMTransactionManager.java:22)
    at oracle.iam.scheduler.vo.TaskSupport.executeJob(TaskSupport.java:116)
    at sun.reflect.GeneratedMethodAccessor739.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at oracle.iam.scheduler.impl.quartz.QuartzJob$TaskExecutionAction.run(QuartzJob.java:266)
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
    at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
    at weblogic.security.Security.runAs(Security.java:41)
    at Thor.API.Security.LoginHandler.weblogicLoginSession.runAs(weblogicLoginSession.java:52)
    at oracle.iam.scheduler.impl.quartz.QuartzJob.execute(QuartzJob.java:75)
    at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
    at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:529)
    The Connector Server is installed on the AD instance, and the key has been set, and used appropriately in the Active Directory Connector Server IT Resource in OIM.
    Any advice on how to resolve this error or on any possible causes would be much appreciated, thank you.

    From the installation media, copy and extract contents of the bundle/ActiveDirectory.Connector-1.1.0.6380.zip file to the CONNECTOR_SERVER_HOME directory
    Refer http://docs.oracle.com/cd/E22999_01/doc.111/e20347/deploy.htm#CHDDJGIG

  • OIM 11gR2 user not provisioning to Active Directory (11.1.1.5 connector)

    Hello all,
    I'm trying to set up an OIM 11gR2 instance to work with Active Directory with the Active Directory 11.1.1.5.0 connector. I've full installed both OIM and AD on separate servers, and I've installed the AD 11.1.1.5 connector on OIM. I have configured Active Directory properly (connector on OIM and the connector server on the AD server-side), and have set up the two IT Resources on OIM. I can run, for example, the Active Directory Organization Lookup Recon job and have it return results in the Lookup window.
    My problem is that I cannot get it to provision to a user. I've created an Application Instance and Form for Active Directory, attached the Form, associated them with the appropriate resources (AD User), and added them to the Catalog, and then gone through the process of adding an account to the user, selecting the Application Instance, adding it to the cart, checking out, filling out the fields (Password, User ID, UPN, First Name, Last Name, Common Name, and Organization Name), and then submitting the request. This is all done as the xelsysadm admin user, but it still results with the account stuck on "Provisioning" because the "Create User" task failed due to a Connector Error (the reason stated is just a repeat of "Create Object" failed).
    Anyone know what I'm missing here?
    Thank you!
    Edited by: 939908 on Nov 12, 2012 6:36 AM

    Hey 833249, thanks for your reply
    The organization field attribute is filled in correctly, in that the OU I selected exists in AD.
    These are the errors listed in the connector server log:
    +11/9/2012 9:07:07 PM <ERROR>: Class-> ActiveDirectoryUtils Method -> GetDirectoryEntry, Message -> Exception occured during the creation of directory entry.+
    +11/9/2012 9:07:07 PM <ERROR>: Class-> ActiveDirectoryUtils Method -> GetDirectoryEntry, Message -> Exception Message : Logon failure: unknown user name or bad password.+
    +11/9/2012 9:07:08 PM <ERROR>: Class-> ActiveDirectoryUtils Method -> GetDirectoryEntry, Message -> Exception Stack Trace : at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)+
    at System.DirectoryServices.DirectoryEntry.Bind()
    at System.DirectoryServices.DirectoryEntry.get_NativeObject()
    at Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryUtils.GetDirectoryEntry(String path, ActiveDirectoryConfiguration configuration) in c:\ADE\aime_oimcp\idc\bundles\dotnet\ActiveDirectory\ActiveDirectoryConnector\ActiveDirectoryUtils.cs:line 1423
    +11/9/2012 9:07:08 PM <ERROR>: Class-> ActiveDirectoryConnector Method -> Create, Message -> Encountered Excetion: Unable to get the Directory Entry+
    +11/9/2012 9:07:08 PM <ERROR>: Class-> ActiveDirectoryConnector Method -> Create, Message -> Stack Trace: at Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryUtils.GetDirectoryEntry(String path, ActiveDirectoryConfiguration configuration) in c:\ADE\aime_oimcp\idc\bundles\dotnet\ActiveDirectory\ActiveDirectoryConnector\ActiveDirectoryUtils.cs:line 1456+
    at Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryUtils.DirectoryEntryExists(String path) in c:\ADE\aime_oimcp\idc\bundles\dotnet\ActiveDirectory\ActiveDirectoryConnector\ActiveDirectoryUtils.cs:line 1512
    at Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector.Create(ObjectClass oclass, ICollection`1 attributes, OperationOptions options) in c:\ADE\aime_oimcp\idc\bundles\dotnet\ActiveDirectory\ActiveDirectoryConnector\ActiveDirectoryConnector.cs:line 219
    ConnectorServer.exe Error: 0 : Org.IdentityConnectors.Framework.Common.Exceptions.ConnectorException: Unable to get the Directory Entry
    at Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector.Create(ObjectClass oclass, ICollection`1 attributes, OperationOptions options) in c:\ADE\aime_oimcp\idc\bundles\dotnet\ActiveDirectory\ActiveDirectoryConnector\ActiveDirectoryConnector.cs:line 368
    at Org.IdentityConnectors.Framework.Impl.Api.Local.Operations.CreateImpl.Create(ObjectClass oclass, ICollection`1 attributes, OperationOptions options) in c:\ADE\aime_icf\icf\framework\dotnet\FrameworkInternal\ApiLocalOperations.cs:line 388
    at Org.IdentityConnectors.Framework.Impl.Api.Local.Operations.ConnectorAPIOperationRunnerProxy.Invoke(Object proxy, MethodInfo method, Object[] args) in c:\ADE\aime_icf\icf\framework\dotnet\FrameworkInternal\ApiLocalOperations.cs:line 244
    at ___proxy1.Create(ObjectClass , ICollection`1 , OperationOptions )
    at Org.IdentityConnectors.Framework.Impl.Server.ConnectionProcessor.ProcessOperationRequest(OperationRequest request) in c:\ADE\aime_icf\icf\framework\dotnet\FrameworkInternal\Server.cs:line 609
    I'm not sure why the username/password error could be occurring, as those fields in the AD IT Resource are correct (I've run AD recon jobs that have connected properly). Is there something I'm missing?

  • Recon and provisioning of user-defined object class ICF Active Directory

    I have followed the documentation instructions for reconciliation of a user-defined object class in the ICF Active Directory connector. I am using OIM 11gR2 with the ICF Active Directory 11.1.1.5 connector patched to 11.1.1.5.0A. The procedure states to create the new object class in AD and then change the objectClass value in the Lookup.Configuration.ActiveDirectory lookup. In my case I am using the existing ObjectClass of contact, rather than a new object class. Just for completeness I am using a clone of the AD User Resource Object which I call AD User Contact and so my lookup name is Lookup.Configuration.ActiveDirCon.
    When I changed the ObjectClass from User to Contact, and ran the Active DirCon User Target Recon scheduled job, with Object Type also = contact. The first issue I noticed was that the connector wanted a different set of lookups, which is not in the documentation. It is looking for a lookup in my Configuration lookup where code key=contact Configuration Lookup (which I should have expected since there are code keys for User, Group, and organizationalUnit). I added a line to the lookup where code key=contact Configuration Lookup and the Decode=Lookup.ActiveDirCon.CM.Configuration and then I created a new lookup by that name, assigning the 5 values to be the Lookup.ActiveDirCon.UM.xxx lookups. I did not see any need to create a new set of Lookup.ActiveDirCon.CM.xxx lookups with the exact same values.
    I re-ran the scheduled job and it ran successfully, but did not generate any Recon Events, even though I had objects in the OU and I have that same OU in the Lookup.ActiveDirCon.OrganizationalUnits lookup (from the Org Lookup Recon). Everything looks good but getting no results. Looked at the log file from the ConnectorServer and it is building the query properly and executing it properly with the correct syntax, getting no errors, but the SearchAndReturnObjects method is returning zero results.
    Looking to see if anyone has successfully reconciled in user-defined or other non-User objectClass objects from Active Directory, and if so, can you provide Lookup configuration and Connector Server information so I can troubleshoot.
    I resolved this issue by changing the recon lookups to a blank lookup called Lookup.ActiveDirCon.CM.ReconAttrMap and only added in the parameters that are used by a Contact object. Only populate the ReconAttrMap with parameters that exist for the custom object.
    Edited by: Keith Smith AptecLLC on Mar 27, 2013 6:31 AM

    Oracle Support answered this question via SR

  • Error while trying to provision OIM user to Active Directory using SSL

    Hi All,
    I am able to see the users through LDAP browser using SSL but am getting the following error while trying to provision OIM users to AD using SSL.
    I am using Microsoft Active Directory connector type 9.11.
    Response: Connection Error encountered
    Response Description: Error encountered while connecting to target system
    I did some testing using "Diagnostic Dashboard" and the following are the results.
    Test Name: Target System SSL Trust Verification: Passed
    Test Name: Test Basic Connectivity: Failed
    Exceptions:
    ITResource information values are not correct. Enter the correct values.
    java.lang.reflect.InvocationTargetException
    javax.naming.CommunicationException: simple bind failed:
    unable to find valid certification path to requested target.Test Name: Test Provisioning:Failed
    Note: Without SLL all the above tests got Passed.
    Can anybody help me out from this issue.
    Thanks in advance.
    Pradeep Kumar.

    I am able to connect to AD using 636 port number from LDAP browser and as the following test got Passed i think that my certificatee should be correct.
    Test Name: Target System SSL Trust Verification.
    Input Parameters
    Target System: idm.orademo.com
    Port: 636 Certificate Store
    Location: /usr/java/jdk1.6.0_14/jre/lib/security/cacerts
    Result : Passed
    ITResource Values:
    ADAM LockoutThreshold Value     
    ADGroup LookUp Definition     Lookup.ADReconciliation.GroupLookup
    Admin FQDN     cn=Administrator,cn=Users,dc=orademo,dc=com
    Admin Password     *******
    Allow Password Provisioning     yes
    AtMap ADGroup     AtMap.ADGroup
    AtMap ADUser     AtMap.AD
    Invert Display Name     no
    Port Number     636
    Remote Manager Prov Lookup     AtMap.AD.RemoteScriptlookUp
    Remote Manager Prov Script Path     
    Root Context     dc=orademo,dc=com
    Server Address     idm.orademo.com
    Target Locale: TimeZone     GMT
    UPN Domain     orademo.com
    Use SSL     yes
    isADAM     no
    isLookupDN     no
    isUserDeleteLeafNode     no
    Thansk & Regards,
    Pradeep Kumar.

  • Problem in provisioning user from oim to active directory using ssl

    hi,
    problem in provisioning user from oim to active directory using ssl i am getting following error while provisioning user to AD.
    15:18:12,984 ERROR [ADCS] Communication Errorsimple bind failed: 172.16.30.35:636
    15:18:12,984 ERROR [ADCS] The error occured in tcADUtilLDAPController::connectTo
    AvailableAD():simple bind failed: 172.16.30.35:636
    15:18:13,015 ERROR [SERVER] Class/Method: tcProperties/tcProperties encounter so
    me problems: Must set a query before executing
    com.thortech.xl.dataaccess.tcDataSetException: Must set a query before executing
    at com.thortech.xl.dataaccess.tcDataSet.checkExecute(Unknown Source)
    at com.thortech.xl.dataaccess.tcDataSet.executeQuery(Unknown Source)
    at com.thortech.xl.dataobj.tcDataSet.executeQuery(Unknown Source)
    at com.thortech.xl.dataaccess.tcDataSet.executeQuery(Unknown Source)
    at com.thortech.xl.dataobj.tcDataSet.executeQuery(Unknown Source)
    at com.thortech.xl.dataobj.util.tcProperties.<init>(Unknown Source)
    at com.thortech.xl.dataobj.util.tcProperties.initialize(Unknown Source)
    at Thor.API.tcUtilityFactory.getLocalUtility(Unknown Source)
    at Thor.API.tcUtilityFactory.getUtility(Unknown Source)
    at com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController.co
    nnectToAvailableNextAD(Unknown Source)
    at com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController.se
    archResultPageEnum(Unknown Source)
    at com.thortech.xl.schedule.tasks.ADLookupRecon.performReconciliation(Un
    known Source)
    at com.thortech.xl.schedule.tasks.ADLookupReconTask.execute(Unknown Sour
    ce)
    at com.thortech.xl.scheduler.tasks.SchedulerBaseTask.run(Unknown Source)
    at com.thortech.xl.scheduler.core.quartz.QuartzWrapper$TaskExecutionActi
    on.run(Unknown Source)
    at Thor.API.Security.LoginHandler.jbossLoginSession.runAs(Unknown Source
    at com.thortech.xl.scheduler.core.quartz.QuartzWrapper.execute(Unknown S
    ource)
    at org.quartz.core.JobRunShell.run(JobRunShell.java:203)
    at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.j
    ava:520)
    can any one help.
    Thanks and Regards,
    praveen,

    Are you able to connect to AD over SSL through some LDAP Browser ?
    Check the validity of Certificate ?
    Does your certificate appear in the list ?

  • Oim 9.1.0.1 to active directory using ssl

    Hi,
    I am working on OIM 9.1.0.1 and AD IS on WIN2K3 R2.
    I successfully installed CA certificate in AD Server as given in AD Connector Document 9.1.0.1 given below.
    Configuring SSL for Microsoft Active Directory
    To configure SSL communication between Oracle Identity Manager and Microsoft Active Directory, you must perform the following tasks:
    a) Installing Certificate Services
    b) Enabling LDAPS
    c) Setting Up the Target System Certificate As a Trusted Certificate
    a) Installing Certificate Services
    To install Certificate Services on the target system host computer:
    Before you begin installing Certificate Services, you must ensure that Internet Information Services (IIS) is installed on the target system host computer.
    Note:
    1. Insert the operating system installation media into the CD-ROM or DVD drive.
    2. Click Start, Settings, and Control Panel.
    3. Double-click Add/Remove Programs.
    4. Click Add/Remove Windows Components.
    5. Select Certificate Services.
    6. In the Windows Components Wizard, follow the instructions to start Certificate Services.
    I selected Enterprise root CA as the CA type as said in AD connector Doc.
    b) Enabling LDAPS
    The target system host computer must have LDAP over SSL (LDAPS) enabled. To enable LDAPS:
    1. On the Active Directory Users and Computers console, right-click the domain node, and select Properties.
    2. Click the Group Policy tab.
    3. Select Default Domain Policy.
    4. Click Edit.
    5. Click Computer Configuration, Windows Settings, Security Settings, and Public Key Policies.
    6. Right-click Automatic Certificate Request Settings, and then select New and Automatic Certificate Request. A wizard is started.
    7. Use the wizard to add a policy with the Domain Controller template.
    At the end of this procedure, the certificate is created and LDAPS is enabled on port 636. You can use an LDAP browser utility to verify that LDAPS is working.
    But my problem is i am not able to connect to AD over SSL through JExplorer LDAP Browser in AD Server itself.
    its saying Socket closed and some times binding failed.
    And Firewall is on and Telnet is happening to both 389 and 636 ports from outside AD Server and in AD Server
    Please give the solution to overcome this issue.
    regards
    Ramu

    Hi
    From Apache Directory Studio i am able to connect over SSL (port 636) to AD and also imported certificate in oim.
    In Diagnostic Dashboard Test Connectivy of AD i found the below error.
    ITResource information values are not correct. Enter the correct values.
    The root cause is . . .
    java.lang.reflect.InvocationTargetException
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at com.thortech.xl.systemverification.tests.TestConnector.runInterfaceMethods(Unknown Source)
         at com.thortech.xl.systemverification.tests.TestConnector.execute(Unknown Source)
         at com.thortech.xl.systemverification.webapp.SystemVerificationServlet.doPost(Unknown Source)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:821)
         at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
         at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
         at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:292)
         at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:176)
         at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3498)
         at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
         at weblogic.security.service.SecurityManager.runAs(Unknown Source)
         at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2180)
         at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2086)
         at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1406)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
    Caused by: javax.naming.CommunicationException: simple bind failed: adr.oimad.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
         at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:197)
         at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2658)
         at com.sun.jndi.ldap.LdapCtx.(LdapCtx.java:287)
         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
         at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
         at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
         at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
         at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
         at javax.naming.InitialContext.init(InitialContext.java:223)
         at javax.naming.InitialContext.(InitialContext.java:197)
         at javax.naming.directory.InitialDirContext.(InitialDirContext.java:82)
         at com.thortech.xl.integration.ActiveDirectory.test.ADServerConnectorTest.getLDAPConnection(Unknown Source)
         at com.thortech.xl.integration.ActiveDirectory.test.ADServerConnectorTest.testBasicConnectivity(Unknown Source)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at com.thortech.xl.systemverification.tests.TestConnector.runInterfaceMethods(Unknown Source)
         at com.thortech.xl.systemverification.tests.TestConnector.execute(Unknown Source)
         at com.thortech.xl.systemverification.webapp.SystemVerificationServlet.doPost(Unknown Source)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
         at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
         at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
         at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:292)
         at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:175)
         ... 8 more
    Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
         at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1591)
         at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
         at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
         at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:975)
         at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:123)
         at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
         at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1096)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:744)
         at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:75)
         at java.io.BufferedInputStream.fill(BufferedInputStream.java:218)
         at java.io.BufferedInputStream.read1(BufferedInputStream.java:258)
         at java.io.BufferedInputStream.read(BufferedInputStream.java:317)
         at com.sun.jndi.ldap.Connection.run(Connection.java:805)
         at java.lang.Thread.run(Thread.java:619)
    Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
         at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:285)
         at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:191)
         at sun.security.validator.Validator.validate(Validator.java:218)
         at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
         at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
         at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
         at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:954)
         ... 12 more
    Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
         at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
         at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
         at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:280)
         ... 18 more
    regards
    Ramu

  • OIM Active Directory 2008 integration

    Hi All,
    Has anyone integrated (or being in the process of integrating just now) OIM 9.1 with Active Directory on a Windows 2008 Server using the AD 9.1 connector or a custom connector? Any problems or other experiences with such integration?
    The 9.1.1 connector will be cerfified for AD on Windows 2008 but the current connector 9.1 (or 9.1.0.1) is only cerfified for AD on Windows 2003 or 2000.
    Thanks,
    Albin

    I believe you question should be if the connector supports this architecture. Check out the versions supported for the connector you are using and you should be good.
    -Bikash

  • OIM Integration with Active Directory Federation Services (ADFS)

    Hello friends
    I have a question about the integration of Oracle Identity Manager with Active Directory which is federated with another external directory for ADFS. My question is:
    What considerations should be to contemplate if I have an active directory federated environment when carrying out the integration with Identity Manager?
    I use version 9.1.0.2 of Oracle Identity Manager with Microsoft Active Directory Connector User Management 9.1.1.7
    Thanks for the support.

    First consideration is that the OIM's target ADFS - in the federated scenario, will that participate as a Service provider or identity provider. I would think identity provider.
    Next consideration: What all attributes are required to be played in the SAML assertion to the other end-point? All these attributes must be present and should be provisioned to the AD in this case.
    So, OIM should be set up (UDF etc) to provision all those attributes needed in the SAML.
    Next consideration: What all scenario to support? IdP initiated or SP initiated? If SP initiated, then process will hv to be defined if a user id does not exist in the AD of the OIM target. Will the request be failed or a in-time provisioning should happen.
    Hope this helps.

  • Ldap Sync: User is not able to create in Active Directory through OIM

    Hi ,
    I have enabled the ldap sync between OIM and Active Directory.
    Option 1: with password
    While creating the new user in OIM , I am getting the below error .
    80eeb34d89d5ed80:18bc05bb:1403be9d7e6:-8000-000000000008f710,0] [APP: oim#11.1.2.0.0] Could not modify entry.[[
    javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 0000001F: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data 0
    remaining name 'cn=ADTESTLDAp10F ADTESTLDAp10LL,cn=Users,dc=cgtest,dc=adtest,dc=com'
      at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3140)
      at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3013)
      at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2820)
      at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1458)
      at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:255)
      at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:172)
      at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:153)
      at oracle.ods.virtualization.engine.backend.jndi.ConnectionHandle.modify(ConnectionHandle.java:301)
      at oracle.ods.virtualization.engine.backend.jndi.BackendJNDI.modify(BackendJNDI.java:781)
    [2013-08-04T17:06:58.840-07:00] [oim_server1] [ERROR] [OVD-60600] [oracle.ods.virtualization.engine.util.ADUtilities] [tid: [ACTIVE].ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: xelsysadm] [ecid: 80eeb34d89d5ed80:18bc05bb:1403be9d7e6:-8000-000000000008f710,0] [APP: oim#11.1.2.0.0] Cannot set password : LDAP Error 53 : [LDAP: error code 53 - 0000001F: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data 0[[
    Looks like password is not able to set properly. But I am able to create the same user in AD using the same password.
    Option 1: without password
    Another testing, I have also tried to create user without password.  There is no error coming to log file. and I am able to see the below message in log file
    oracle.iam.ldapsync.impl.eventhandlers.user.UserCreateLDAPPreProcessHandler] [APP: oim#11.1.2.0.0] [SRC_METHOD: createUser] User created in LDAP with GUID 9dc8f6f4b8564216a5d75d86f7cad0a2
    But user is not created in AD . this is another issue.
    Thanks,
    Amit

    Thanks for your reply.
    I have seen sample xml and my target looks the same
    <wlserver dir="${weblogic.domain.dir}"
                             port="${weblogic.domain.admin.server.port}"
                             servername="${weblogic.domain.admin.server.name}"
                             username="${weblogic.domain.admin.user}"
                             domainname="${weblogic.domain.name}"
                             password="${weblogic.domain.admin.password}"
                             configFile="config.xml"
                             generateConfig="true"
                             action="start"
                             beahome="${env.BEA_HOME}"/>
    my requirement is to use ant task.. otherwise I am able to create through configuration wizard
    Thanks

Maybe you are looking for

  • IMac G5 Hanging at spinning cog

    I first posted a request for help to this problem on another thread re spinng cog problems. Unfortunately no-one answered!  So I am posting it again in the hope that SOMEONE can help me or advise me as to what to do! I tried the various usggestions o

  • Business Transactions:  CRMD_ORDERADM_H

    I wanted to check whether the table CRMD_ORDERADM_H will also store the opportunity headers.  For example if I have an opportunity which is in the table CRMD_OPPORT_H can I find this same opportunity in CRMD_ORDERADM_H if I search for it and also wil

  • Field symbol has not been assigned when validate DEFAULT.LGF in BPC 75 SP10

    Hello Experts, We have upgraded our BPC 7.5 SP6 to SP10 recently and we are facking issues when validating DEFAULT.LGF in the system, here is the complete content of DEFAULT.LGF , can you help on this? we have activated the business content using UJS

  • OIM hangs at midnight ;(

    Hi. Has anybody faced the following problem with OIM 9031 at JBOSS 4.0.3 SP 1? The system scheduled task named 'Re-issue Audit Message Task' is configured to launch each midnight, and generates the following error, after which the application server

  • Black stain on the back of the camera

    What should I do?