OIM 11gR2 - AD Organizational Unit provisioning

hi,
i can provision OIM organization to AD Organizational Unit. Its work fine with "Provision Resource to Organization" forms but i can't find any simple way (without six steps form) to add AD organizational unit to OIM organization.
Have you any suggestion or hint?
a.

Hi IDM Newbie,
Please find the link of Developer Guide:-
http://docs.oracle.com/cd/E27559_01/dev.1112/e27150/toc.htm
And following link is for Application Instances:-
http://docs.oracle.com/cd/E27559_01/dev.1112/e27150/resmgt.htm#CBBFAIEC

Similar Messages

OIM 11gR2 user not provisioning to Active Directory (11.1.1.5 connector)

Hello all,
I'm trying to set up an OIM 11gR2 instance to work with Active Directory with the Active Directory 11.1.1.5.0 connector. I've full installed both OIM and AD on separate servers, and I've installed the AD 11.1.1.5 connector on OIM. I have configured Active Directory properly (connector on OIM and the connector server on the AD server-side), and have set up the two IT Resources on OIM. I can run, for example, the Active Directory Organization Lookup Recon job and have it return results in the Lookup window.
My problem is that I cannot get it to provision to a user. I've created an Application Instance and Form for Active Directory, attached the Form, associated them with the appropriate resources (AD User), and added them to the Catalog, and then gone through the process of adding an account to the user, selecting the Application Instance, adding it to the cart, checking out, filling out the fields (Password, User ID, UPN, First Name, Last Name, Common Name, and Organization Name), and then submitting the request. This is all done as the xelsysadm admin user, but it still results with the account stuck on "Provisioning" because the "Create User" task failed due to a Connector Error (the reason stated is just a repeat of "Create Object" failed).
Anyone know what I'm missing here?
Thank you!
Edited by: 939908 on Nov 12, 2012 6:36 AM

Hey 833249, thanks for your reply
The organization field attribute is filled in correctly, in that the OU I selected exists in AD.
These are the errors listed in the connector server log:
+11/9/2012 9:07:07 PM <ERROR>: Class-> ActiveDirectoryUtils Method -> GetDirectoryEntry, Message -> Exception occured during the creation of directory entry.+
+11/9/2012 9:07:07 PM <ERROR>: Class-> ActiveDirectoryUtils Method -> GetDirectoryEntry, Message -> Exception Message : Logon failure: unknown user name or bad password.+
+11/9/2012 9:07:08 PM <ERROR>: Class-> ActiveDirectoryUtils Method -> GetDirectoryEntry, Message -> Exception Stack Trace : at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)+
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.get_NativeObject()
at Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryUtils.GetDirectoryEntry(String path, ActiveDirectoryConfiguration configuration) in c:\ADE\aime_oimcp\idc\bundles\dotnet\ActiveDirectory\ActiveDirectoryConnector\ActiveDirectoryUtils.cs:line 1423
+11/9/2012 9:07:08 PM <ERROR>: Class-> ActiveDirectoryConnector Method -> Create, Message -> Encountered Excetion: Unable to get the Directory Entry+
+11/9/2012 9:07:08 PM <ERROR>: Class-> ActiveDirectoryConnector Method -> Create, Message -> Stack Trace: at Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryUtils.GetDirectoryEntry(String path, ActiveDirectoryConfiguration configuration) in c:\ADE\aime_oimcp\idc\bundles\dotnet\ActiveDirectory\ActiveDirectoryConnector\ActiveDirectoryUtils.cs:line 1456+
at Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryUtils.DirectoryEntryExists(String path) in c:\ADE\aime_oimcp\idc\bundles\dotnet\ActiveDirectory\ActiveDirectoryConnector\ActiveDirectoryUtils.cs:line 1512
at Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector.Create(ObjectClass oclass, ICollection`1 attributes, OperationOptions options) in c:\ADE\aime_oimcp\idc\bundles\dotnet\ActiveDirectory\ActiveDirectoryConnector\ActiveDirectoryConnector.cs:line 219
ConnectorServer.exe Error: 0 : Org.IdentityConnectors.Framework.Common.Exceptions.ConnectorException: Unable to get the Directory Entry
at Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector.Create(ObjectClass oclass, ICollection`1 attributes, OperationOptions options) in c:\ADE\aime_oimcp\idc\bundles\dotnet\ActiveDirectory\ActiveDirectoryConnector\ActiveDirectoryConnector.cs:line 368
at Org.IdentityConnectors.Framework.Impl.Api.Local.Operations.CreateImpl.Create(ObjectClass oclass, ICollection`1 attributes, OperationOptions options) in c:\ADE\aime_icf\icf\framework\dotnet\FrameworkInternal\ApiLocalOperations.cs:line 388
at Org.IdentityConnectors.Framework.Impl.Api.Local.Operations.ConnectorAPIOperationRunnerProxy.Invoke(Object proxy, MethodInfo method, Object[] args) in c:\ADE\aime_icf\icf\framework\dotnet\FrameworkInternal\ApiLocalOperations.cs:line 244
at ___proxy1.Create(ObjectClass , ICollection`1 , OperationOptions )
at Org.IdentityConnectors.Framework.Impl.Server.ConnectionProcessor.ProcessOperationRequest(OperationRequest request) in c:\ADE\aime_icf\icf\framework\dotnet\FrameworkInternal\Server.cs:line 609
I'm not sure why the username/password error could be occurring, as those fields in the AD IT Resource are correct (I've run AD recon jobs that have connected properly). Is there something I'm missing?

How to pass Nested Organization Units (ou) for the provisioning purposes

I have defiend an Entity Adapter which would check the input string and create the Organization Units (such as ou=accounting, ou=finance, o=mycompany) tree and then update the Orgainzation name of Novell Edir User with this new value. The input string is from the Peoplesoft as trusted resource (we use some complext business logic to map to the proper ou tree structure in the Novell Edirectory).
But, I got the cACT/eventPreUpdate Error :Dataobject contains invalid characters
when OIM trying to create the user before provisioning to Novell Edirectory.
Since the ou tree sturcture is used by the pSearchbase during Novell Edir provisioning process, and it should be in the form of ou=accounting, ou=finance, o=mycompany, I am wondering if you know how to solve this problem.
Thanks
Ken Huang

ILovePlSql wrote:
V_bom_header_tbl.assembly_item_name:= l_bom_header_tbl(i).assembly_item_name ;
v_bom_header_tabl is a record type and l_bom_header_tbl is a table type .So is the above statement ok?I asked you for type definition. Please provide definition of BOM_BO_PUB.BOM_HEADER_TBL_TYPE and Bom_Bo_Pub.Bom_Head_Rec_Type. If BOM_BO_PUB.BOM_HEADER_TBL_TYPE is table of Bom_Bo_Pub.Bom_Head_Rec_Type then your statment is OK. For example:
SQL> declare
2      type BOM_HEADER_TBL_TYPE is table of emp%rowtype index by binary_integer;
3      l_bom_header_tbl BOM_HEADER_TBL_TYPE;
4      V_bom_header_tbl emp%rowtype;
5 begin
6      select * bulk collect into l_bom_header_tbl from emp;
7      for i in 1 .. l_bom_header_tbl.count loop
8        V_bom_header_tbl.ename := l_bom_header_tbl(i).ename;
9      end loop;
10 end;
11 /
PL/SQL procedure successfully completed.
SQL> SY.

Pre-populate Organization to the self registration request in OIM 11gR2 PS1

Hi All
I want to know if there is a way to pre-populate Organization to the self registration request in OIM 11gR2 PS1.
I am trying to configure auto approval and for that I need to add org to the request.
Thanks

Hi,
you can look into the following post : https://forums.oracle.com/message/10830661
Thanks

Organization Admin control in OIM 11gR2

Hi,
I was trying to configure Organization Admin control in OIM 11gR2. Our requirement is to configure roles having read access of organization (members of this role can only see the members of the organization but cannot update it), roles having admin control on organization (where members of this roles can read/write/execute member access). There should be different set of roles having access on different organization where members from one role cannot access the members of the other organization. I tried to configure these security models but the only thing i could find in organization is Admin Roles which also i couldn't able to configure very well :(. Can someone point me to the correct documentation or procedure/tool which we should use to achieve such functionality (These functionalities are very easily available in OIM 10g but couldn't find in 11gR2 :( )

If you add the members of a role to the Admin Roles of a given Organization (Specifically OrclOIMOrgViewer Admin Role). The users will be able to see the users in that organization.
A few things to consider:
Only xelsysadm or a users in the System Administrator Admin Role can assign users to Admin Roles within the scope of an Organization.
Here is a piece of code that you can use to programmatically add users to the Admin Role OrclOIMOrgViewer:
public List getScopedAdminRoleMemberships() { // This one gets the list of all admin roles scoped by Organization
Hashtable env = new Hashtable();
env.put(OIMClient.JAVA_NAMING_FACTORY_INITIAL,"weblogic.jndi.WLInitialContextFactory");
env.put(OIMClient.JAVA_NAMING_PROVIDER_URL, "t3://<oim server host>:<oim port>");
OIMClient oimClient = new OIMClient(env);
try {
oimClient.login("xelsysadm", "<XELSYSADM Password>".toCharArray());
} catch (LoginException e) {
throw new RuntimeException(e.getMessage(), e);
AdminRoleService adminRoleSvc = oimClient.getService(AdminRoleService.class);
return adminRoleSvc.getScopedAdminRoles();
public AdminRoleMembership addAdminRoleMembershipFor(String userId, AdminRole role, String scopeId) { // This method adds the user identified by userId (pass usr_key not usr_login) to the Admin Role in Org whose key (act_key) is
// passed as a parameter in the scopeId.
AdminRoleMembership membership = new AdminRoleMembership();
membership.setAdminRole(role);
membership.setUserId(userId);
membership.setScopeId(scopeId);
Hashtable env = new Hashtable();
env.put(OIMClient.JAVA_NAMING_FACTORY_INITIAL,"weblogic.jndi.WLInitialContextFactory");
env.put(OIMClient.JAVA_NAMING_PROVIDER_URL, "t3://<oim server host>:<oim port>");
OIMClient oimClient = new OIMClient(env);
try {
oimClient.login("xelsysadm", "<XELSYSADM Password>".toCharArray());
} catch (LoginException e) {
throw new RuntimeException(e.getMessage(), e);
AdminRoleService adminRoleSvc = oimClient.getService(AdminRoleService.class);
return adminRoleSvc.addAdminRoleMembership(membership);
This should give you what you need. Remember, the API's work with act_key and usr_key values don't use Org Names or User Logins.
Hope this helps.
Regards
Alex Lopez

Account stuck in Provisioning state in OIM 11gR2

Hello,
In OIM 11gR2, when provisioning fails, the application still shows in the accounts tab of the user, but it is stuck in the "Provisioning" state. I don't know if it's standard behavior, but it always does this for me. When this problem occurs, the only way I have found to remove the entry from the applications list is to completely delete the application instance and re-create it. Is there a cleaner way of removing the stuck account ? The "Remove Account" button does nothing for me.
Thanks,
--jtellier

Rajiv Dewan wrote:
BDW, if something goes wrong while doing provisioning then you can retry the rejected task (after fixing the issue) instead of initiating provisioning again with new instance. It will mark your existing incomplete instance as PROVISIONED.Oh, thanks, I had not realized that...
--jtellier

Provisioning users to AD groups in OIM 11gR2

I could use some advice on how to resolve this issue I am having.
Using the Active Directory connector (11.1.1.5) in our OIM 11gR2 development environment I can successfully provision OIM users to our AD resource. I have successfully run the org and group lookup recons, and provisioned users do go into the correction ou in AD.
However when I select which groups a user should be a member of in the ADUSERC child form (via the lookup), the user is not provisioned with the correct group membership in AD.
A separate issue is how to map the objectClass in AD in the ProvAttrMap; could anyone point me in the direction of how to go about that?
Thanks

The ObjectClass should be configured in this lookup Lookup.Configuration.ActiveDirectory
Check below
http://docs.oracle.com/cd/E22999_01/doc.111/e20347/extnd_func.htm#sthref221
4.6 Configuring the Connector for User-Defined Object Classes

Cannot provision Exchange 2003 account in OIM 11gR2

Hello,
I'm trying to provision Exchange 2003 accounts from OIM 11gR2 but I keep getting errors. My AD connector works and is able to reconcile and provision account and my Exchange connector is linked to it. I've understood that the only mandatory fields in the Exchange 2003 provisioning form are "mail store name" and "alias", so I've tested by only filling those. However, the provisioning does not complete and the logs show this error :
[2013-01-25T11:46:19.292-05:00] [oim_server1] [ERROR] [] [XELLERATE.ADAPTERS] [tid: [ACTIVE].ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: xelsysadm] [ecid: b70c24a5215a6ee3:-625a909b:13c6d3ae4c5:-8000-0000000000002b50,0] [APP: oim#11.1.2.0.0] Class/Method: tcAdpEvent/getITAttrVal encounter some problems: Could not find attibute value for IT Resource Key = 0 and attribute = Server Address
[2013-01-25T11:46:19.293-05:00] [oim_server1] [ERROR] [] [XELLERATE.ADAPTERS] [tid: [ACTIVE].ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: xelsysadm] [ecid: b70c24a5215a6ee3:-625a909b:13c6d3ae4c5:-8000-0000000000002b50,0] [APP: oim#11.1.2.0.0] Class/Method: tcAdpEvent/getITAttrVal encounter some problems: Could not find IT asset value for Svr_key = 0 and attribute = Server Address
[2013-01-25T11:46:19.293-05:00] [oim_server1] [ERROR] [] [XELLERATE.ADAPTERS] [tid: [ACTIVE].ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: xelsysadm] [ecid: b70c24a5215a6ee3:-625a909b:13c6d3ae4c5:-8000-0000000000002b50,0] [APP: oim#11.1.2.0.0] Class/Method: tcAdpEvent/getITAttrVal encounter some problems: DATA_ERROR[[
com.thortech.xl.dataobj.util.tcAdapterTaskException: DATA_ERROR
at com.thortech.xl.adapterfactory.events.tcAdpEvent.getITAttrVal(tcAdpEvent.java:2023)
at com.thortech.xl.adapterGlue.ScheduleItemEvents.adpMEXCCREATEMAILBOX.implementation(adpMEXCCREATEMAILBOX.java:90)
at com.thortech.xl.client.events.tcBaseEvent.run(tcBaseEvent.java:196)
That's the only error I see and I'm not really sure about what it means. Any ideas?
Thanks,
--jtellier

Are you using the version 9 or 11 of the connector? I've done more investigations with version 9 and realized that the DB is not correctly updated by the connector. I've reported the problem with Oracle and a bug has been open. Here are the details :
When reconciling or provisioning a mailbox, a new row is added in the OIU table. This row has "null" as its APP_INSTANCE_KEY. Manually setting the Exchange's app instance key as the value of this column solves the problem.
Hope this helps!
--jtellier

Uninstall AD Connector in oim 11gR2

Hi,
I want to uninstall AD connector (.NET version 11.1.1.5.0) from oim 11gR2. For this, i run uninstallConnector.sh but i got this error . Do you have any idea ?
Thanks.
DEBUG,27 Nov 2012 11:32:07,475,[ConnectorUninstall.log],Executing the Prepared Statement for the ResourceObject: AD Group
DEBUG,27 Nov 2012 11:32:07,476,[ConnectorUninstall.log],Successfully executed the Prepared Statement for the ResourceObject: AD Group
DEBUG,27 Nov 2012 11:32:07,476,[ConnectorUninstall.log],Executing the Prepared Statement for the ResourceObject: AD Organizational Unit
DEBUG,27 Nov 2012 11:32:07,477,[ConnectorUninstall.log],Successfully executed the Prepared Statement for the ResourceObject: AD Organizational Unit
DEBUG,27 Nov 2012 11:32:07,477,[ConnectorUninstall.log],Executing the Prepared Statement for the ResourceObject: AD User
DEBUG,27 Nov 2012 11:32:07,478,[ConnectorUninstall.log],Successfully executed the Prepared Statement for the ResourceObject: AD User
DEBUG,27 Nov 2012 11:32:07,478,[ConnectorUninstall.log],Executing the Prepared Statement for the ResourceObject: AD User Trusted
DEBUG,27 Nov 2012 11:32:07,478,[ConnectorUninstall.log],Successfully executed the Prepared Statement for the ResourceObject: AD User Trusted
DEBUG,27 Nov 2012 11:32:07,479,[ConnectorUninstall.log],Exiting Method: checkAndPrintAttestationTask of Class: UninstallUtility
DEBUG,27 Nov 2012 11:32:07,479,[ConnectorUninstall.log],Entering Method: deleteReconciliationData of Class: UninstallUtility
DEBUG,27 Nov 2012 11:32:07,479,[ConnectorUninstall.log],Getting ReconConfigService instance.
DEBUG,27 Nov 2012 11:32:07,500,[ConnectorUninstall.log],Successful in getting ReconConfigService instance.
*DEBUG,27 Nov 2012 11:32:07,501,[ConnectorUninstall.log],Deleting the reconciliation profile for the resource object: AD Group*
Exception in thread "main" oracle.iam.reconciliation.exception.ConfigException: oracle.mds.core.MetadataNotFoundException: MDS-00013: no metadata found for metadata object "/db/AD Group"
at oracle.iam.reconciliation.impl.config.CoreProfileManagerImpl.getProfileFromMDS(CoreProfileManagerImpl.java:395)
at oracle.iam.reconciliation.impl.config.CoreProfileManagerImpl.getProfile(CoreProfileManagerImpl.java:381)
at oracle.iam.reconciliation.impl.config.ProfileManagerImpl.getProfile(ProfileManagerImpl.java:163)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
at oracle.iam.platform.utils.DMSMethodInterceptor.invoke(DMSMethodInterceptor.java:25)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
at $Proxy439.getProfile(Unknown Source)
at oracle.iam.reconciliation.impl.ReconConfigServiceImpl.deleteProfile(ReconConfigServiceImpl.java:54)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
at oracle.iam.platform.utils.DMSMethodInterceptor.invoke(DMSMethodInterceptor.java:25)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
at $Proxy438.deleteProfile(Unknown Source)
at oracle.iam.reconciliation.api.ReconConfigServiceEJB.deleteProfilex(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at com.oracle.pitchfork.spi.MethodInvocationVisitorImpl.visit(MethodInvocationVisitorImpl.java:34)
at weblogic.ejb.container.injection.EnvironmentInterceptorCallbackImpl.callback(EnvironmentInterceptorCallbackImpl.java:54)
at com.oracle.pitchfork.spi.EnvironmentInterceptor.invoke(EnvironmentInterceptor.java:42)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at com.bea.core.repackaged.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at com.bea.core.repackaged.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
at $Proxy437.deleteProfilex(Unknown Source)
at oracle.iam.reconciliation.api.ReconConfigService_66l8sr_ReconConfigServiceRemoteImpl.__WL_invoke(Unknown Source)
at weblogic.ejb.container.internal.SessionRemoteMethodInvoker.invoke(SessionRemoteMethodInvoker.java:40)
at oracle.iam.reconciliation.api.ReconConfigService_66l8sr_ReconConfigServiceRemoteImpl.deleteProfilex(Unknown Source)
at oracle.iam.reconciliation.api.ReconConfigService_66l8sr_ReconConfigServiceRemoteImpl_WLSkel.invoke(Unknown Source)
at weblogic.rmi.internal.BasicServerRef.invoke(BasicServerRef.java:667)
at weblogic.rmi.cluster.ClusterableServerRef.invoke(ClusterableServerRef.java:230)
at weblogic.rmi.internal.BasicServerRef$1.run(BasicServerRef.java:522)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:146)
at weblogic.rmi.internal.BasicServerRef.handleRequest(BasicServerRef.java:518)
at weblogic.rmi.internal.wls.WLSExecuteRequest.run(WLSExecuteRequest.java:118)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
Caused by: oracle.mds.core.MetadataNotFoundException: MDS-00013: no metadata found for metadata object "/db/AD Group"
at oracle.mds.core.MetadataObject.getBaseMO(MetadataObject.java:1331)
at oracle.mds.core.MDSSession.getBaseMO(MDSSession.java:3200)
at oracle.mds.core.MDSSession.getMetadataObject(MDSSession.java:1190)
at oracle.mds.core.MDSSession.getMetadataObject(MDSSession.java:1136)
at oracle.iam.reconciliation.impl.config.CoreProfileManagerImpl.getProfileFromMDS(CoreProfileManagerImpl.java:390)
... 60 more

Yes, i did.
I created profile from design console for AD Resource objects. Then i am getting this error;
ey = atr.apd_key AND atr.atr_key = apt.atr_key AND apt.apt_key = atd.apt_key AND atd.oiu_key = oiu.oiu_key AND oiu.obi_key = obi.obi_key AND obi.obj_key = obj.obj_key AND obj.obj_name = ?
DEBUG,27 Nov 2012 13:08:07,589,[ConnectorUninstall.log],Executing the Prepared Statement for the ResourceObject: AD Group
DEBUG,27 Nov 2012 13:08:07,590,[ConnectorUninstall.log],Successfully executed the Prepared Statement for the ResourceObject: AD Group
DEBUG,27 Nov 2012 13:08:07,590,[ConnectorUninstall.log],Executing the Prepared Statement for the ResourceObject: AD Organizational Unit
DEBUG,27 Nov 2012 13:08:07,591,[ConnectorUninstall.log],Successfully executed the Prepared Statement for the ResourceObject: AD Organizational Unit
DEBUG,27 Nov 2012 13:08:07,591,[ConnectorUninstall.log],Executing the Prepared Statement for the ResourceObject: AD User
DEBUG,27 Nov 2012 13:08:07,592,[ConnectorUninstall.log],Successfully executed the Prepared Statement for the ResourceObject: AD User
DEBUG,27 Nov 2012 13:08:07,593,[ConnectorUninstall.log],Executing the Prepared Statement for the ResourceObject: AD User Trusted
DEBUG,27 Nov 2012 13:08:07,594,[ConnectorUninstall.log],Successfully executed the Prepared Statement for the ResourceObject: AD User Trusted
DEBUG,27 Nov 2012 13:08:07,594,[ConnectorUninstall.log],Exiting Method: checkAndPrintAttestationTask of Class: UninstallUtility
DEBUG,27 Nov 2012 13:08:07,594,[ConnectorUninstall.log],Entering Method: deleteReconciliationData of Class: UninstallUtility
DEBUG,27 Nov 2012 13:08:07,594,[ConnectorUninstall.log],Getting ReconConfigService instance.
DEBUG,27 Nov 2012 13:08:07,622,[ConnectorUninstall.log],Successful in getting ReconConfigService instance.
*DEBUG,27 Nov 2012 13:08:07,622,[ConnectorUninstall.log],Deleting the reconciliation profile for the resource object: AD Group*
Exception in thread "main" oracle.iam.reconciliation.exception.ConfigException: Path :: /db/RA_ADGROUPA80D3C22.xml
at oracle.iam.reconciliation.impl.config.CoreProfileManagerImpl.removeFromMDS(CoreProfileManagerImpl.java:364)
at oracle.iam.reconciliation.impl.config.CoreProfileManagerImpl.removeStagingEntityDef(CoreProfileManagerImpl.java:346)
at oracle.iam.reconciliation.impl.config.CoreProfileManagerImpl.remove(CoreProfileManagerImpl.java:314)
at oracle.iam.reconciliation.impl.config.ProfileManagerImpl.remove(ProfileManagerImpl.java:154)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
Thanks.

Pre populate adapter in OIM 11gr2 not triggered in database

Hello,
Folowing is the steps for creation of pre populated adapter in OIM
** we have created one form in OIM which is provisioned to Database**
Steps
· Installed GTC connector for Database Web App 9.*
· Created new user and Table in Database
· Created IT resource for Database
· Created Sandbox, App Instance and Form, published sandbox
· Started catalog synchronization job scheduler
· Created user and and request account to app instance.
* select application instance to catalog and checkout.
** we have created adapter as per the following link
http://idmrockstar.com/blog/2009/08/how-to-create-a-prepopulate-adapter-in-oim/
create a pre populated adapter that will populate the firstname of user in email using java class
source code:
public class AdapterClass{
public String email( String fname )
return fname;
Steps:
1) In the design console I have open the Adapter Factory and create a new adapter name :firstname
adapter type: pre-populate rule generator
click on save
2) select variable list tab:
variable name:Firstname
type:String
Map to : Resolve at runtime
click on save
3) select Adapter Task tab
* click add and select logical task
* select SET VARIABLE and click continue
* Operand Type:variable
* Operand Qualifier : FIrstname
click save and save the adapter
4) compile the java class into jar file and move the jar file into OIM_HOME\server\JavaTasks
5)Create a new Adapter with the following"
Adapter name:Email
Adapter type: Pre-populate rule Generator
click save
6) select variable list tab:
variable name: var1
Type:String
Map to:Resolve at runtime and click save
7) select Functional Task tab:"
select java click continue
select the following information:
Task name:email
Api source: JavataskJar:Adapterclass.jar( the jar file which you have create)
application api: adapteclass
click save
8) In the Application method parameters,select the first input: String
Cange Map to:Adapter variables
Set the name to:var1 and click save
9) select the output:STring
change map to:Adapter variables
set name to: return variable
10) click save and save the adapter and click on Build
Adapter is now build the next step isto join it to the form
** join the adapter to the form**
Steps:
1) click on form designer and search the related form which we have created
2) In the respective form click on create a new version and create a new version
3) and then click on Pre populate tab and click on ADD
4)select adapter field to firstname
Rule : default
Adapter : Firstname
and click on save
5) In the adapter variable field click on firstname and fill the following
map to: Process data
Qualifier : firstname
6) Repeat steps 3 to 5 to map the email adapter
7) click on save.
Now we have done with all the steps and now we have created one User submit the user
we have click on request acounts ---> search the catalog and select the application instance (select the app instance "database provisioning") ---> add to cart ---> and check out ---> fill the form leaving email field --> ready to submit ---> submit
now we have check this user in database but still pre populated fields are not reflected. since this not working so we have found the other three links
Re: OIM 11gR2 - Prepopulate Field Empty Problem
http://fusionsecurity.blogspot.in/2013/01/populating-request-attributes-in-oim.html
http://identityandaccessmanager.blogspot.in/2011/07/prepopulate-adapter-in-oim-11g.html
according to these links they mention to implements the prepopulationadapter interface into the java class and create the plugin.xml for the class which we have used in jar.
so we prepared a plugin.xml
<?xml version="1.0" encoding="UTF-8" ?>
<oimplugins xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<plugins pluginpoint="oracle.iam.request.plugins.PrePopulationAdapter">
<plugin pluginclass= "com.oracle.demo.iam.prepop.plugin.UserLoginPrePop" version="1.0" name="UserLoginPrePop">
<metadata name="PrePopulationAdapater">
<value> My_users::email</value>
</metadata>
</plugin>
</plugins>
</oimplugins>
and the java class which implements "PrePopulationAdapter".
they mention to put that jar into one directory named "lib"and paste the xml and lib folder into the OIM_HOME\server\plugin
BUt we stuck on how to configure the adapter or what is the next steps for the above process. or there is something that we have missed in the process
please do reply its urgent
Regards,
Tushar Palekar

hii i have followed all your steps regarding the pre populated adapter ,but no luck.
java code :
package com.oracle.demo.iam.prepop.plugin;
import java.io.Serializable;
import oracle.iam.request.plugins.PrePopulationAdapter;
import oracle.iam.request.vo.RequestData;
public class Userfname implements PrePopulationAdapter {
public Serializable prepopulate(RequestData requestData){
String fname = "xyz";
System.out.println("Returning fname ==== " + fname );
return fname ;
2)i have create a jar for this code and paste it into lib folder.
3) i have create a plugin.xml
<?xml version="1.0" encoding="UTF-8" ?>
<oimplugins xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<*plugins pluginpoint="oracle.iam.request.plugins.PrePopulationAdapter">*
*<plugin pluginclass= "com.oracle.demo.iam.prepop.plugin.Userfname" version="1.0" name="Userfname">*
*<metadata name="PrePopulationAdapater">*
*<value>register::LAST_NAME</value>*
*</metadata>*
*</plugin>*
*</plugins>*
*</oimplugins>*
4)i register the plugin using ant -f pluginregistration.xml register
5)i have restartthe oim server and then i create a user using the same app instatnce in which i have create the form(ie.register),and
request acount-->select app instance ---> add to cart
but the last name xyz as per the java code is not reflected in the dadbase table.
please help
tushar palekar

Replicating the app functionality from OIM 10g to OIM 11gR2

Hi,
I have a resource object with an object form and a process form and approval, provisioning configured in OIM 10g design console. Provisioning is manual provisioning assigned to a particular group based on a task assignment adapter. For replicating the same in OIM 11gR2 i followed the following steps.
1. Created a Resource object in Design console.
2. Created a dummy IT Resource ( Since while creating app instance it is having IT Resource as Mandatory field. * Is there any way to skip this as i do not have any IT resource in my original app as it is going for manual provisioning?)*
3. Created a process form in Design Console with the same fields as present in my 10g app process form.
4. Now i need to Create an app instance and select the created resource object and IT resoource. Also i need to create a form associated with the app instance in which i will add the fields as present in the object form in my 10g app. ( Here i am not understanding how data will flow from object form to process form since there is no data flow mapping here)
5. Other steps like creating the SOA composite with human tasks and deploying it and after that creating approval policies is pretty much clear.
Please clarify whether the steps are correct and also the queries which i have posted in between. Thanks in advance.
Regards,
Durgaprasad
Edited by: Durgaprasad on Jan 17, 2013 3:38 AM

Thanks Gyanprakash. Wll disconnected resource trigger our custom approval process if we select the resource name properly in scope in operational level approval policy. Have you tried a disconnected resource with your custom approval process. Because i read the following lines in admin guide
Oracle Identity Manager supports provisioning of disconnected resources by using the SOA worklist for manual provisioning of disconnected resources. After the role-based provisioning decision or SOA request approval is complete and the corresponding application instance is determined to be a disconnected application instance, a new SOA workflow is started. This new SOA workflow is assigned to the manual provisioning administrator.
So i thought disconnected app instance will have its own approval process configured during the creation and it will route accordingly. So just wanted to clarify how to make disconnected app instance to trigger our approval. will approval policay take care of it as i am going to select the name of the disconnected app in the scope field.

Need information on OAM 11gR2 protecting OIM 11gR2

Hi All,
I need to implement a solution wherein I have to protect OIM 11gR2 application using OAM 11g2.
So in this case the identity store for OIM is the normal Oracle database and we have used the generic LDAP connector to provision the users to a LDAP directory which is the identity store for OAM.
I have gone through the OIM integration with OAM and it talks about a lot of steps involving extension of the identity store for both OIM and OAM,(Integrating Access Manager and Oracle Identity Manager - 11g Release 2 (11.1.2))
In my case I don't need the features like centralized password management functionality...we only want to protect the OIM application.
So is it possible to enable SSO without
1)Externalizing the identity store of OIM to the LDAP directory which is the identity store for OAM,and hence not running the LDAP sync utility
Also can you please guide me to a document that specifies the steps.
Thanks

Hi Thiago,
Thanks for your replies.
Yes, I followed certification matrix and tried to install 11.1.1.6 only on wlserver 10.3.6.
Can you please eloborate on the below points? Or If there are any urls for detailed steps, please provide them.
-What you have to do:
+2.1-On Application Server Navigator you can create types of connection:+
+2.2-Integrated WLS option+
+2.3-Standalone WLS option+
+2.4-This first option you can install a local standalone WLS 10.3.6 server on your environment, then create a separate "integrated WLS" connection to the standalone server.+
+2.5-Then go to your Application's properties through the Application menu -> Application Properties -> Run -> Bind to Integration Application Server option you can the brand new option created WLS server connection to work with your application.+
+3.0- Don't forget that you need to install the ADF Runtimes for the server to be able to work with ADF applications+

OIM 11gR2- Approved Requests remain in Operation Initiated Status

Hi,
We are using OIM 11gR2 and we are seeing the following behaviour whenver we request for Application Instance
1) End User logs in and requests for Application Instance.
2) The request is created and assigned to the manager for approval.
3) Manager logs in and approves the request.
4) The Requested resource is assigned to the user and the status of the resource is Provisioned. All the tasks in the Resource History are in Completed status.
5) If we see the status of the request, it remains in Operation Initiated status.
We expect the status of the Request to be Request Completed and not remain in Operation Initiated. We are sending a mail notification to the manager once resource is provisioned.
If we remove the notification part, the status of the Request is coming as Request Completed as expected. However with notification getting triggered we are getting problem.
Please suggest a solution.
Thanks and Regards,
Mayuri
Edited by: 943112 on Mar 11, 2013 7:09 AM

Usually after the request is approved and if there is any pending task in provisioning it goes to 'Post Operation Processing Initiated' status. If 'Task to Object Status' mapping is not done properly the request stays in the same status even though all the tasks are completed.
check this link for various request status
http://docs.oracle.com/cd/E27559_01/user.1112/e27151/req_mangmnt_user.htm#BGBGIIDH
In your case it is going to 'Operation Initiated' status when notification is attached. Can you tell where have you triggered notification? In SOA approval task or in Provisioning process? If it is in SOA check whether proper status is returned to the callback webservice after that. Else if it is in provisioning check for task object status mapping.

OIM 11gR2 : User groups not visible on UI

Hello Experts,
I have a requirement in which i need to assign the user provisioned to AD to some group(s) depending upon certain conditions like BU, Location etc. I created a Process Task adapter for the same and am able to successfully assign the users to the desired groups.
But i am able to check for this validity from the Backend only.
Ideally the groups assigned to the user must be visible after following these steps:
*1. Search for a user provisioned to AD.
2. Go the the Accounts tab.
3. Click on the AD account (to which the user has been provisioned)
4. A process form is displayed in the lower half of the webpage which also shows the information regarding the groups assigned to the User. But the groups are not getting displayed.*
Kindly Help.
Edited by: IDM_newbie on Jan 24, 2013 11:24 PM

But sir, the groups are listed under the Accounts tab. Is there any schedule job provided by OIM 11gR2 which results in the display of Groups assigned to the user as well under the Accounts tab ?
Edited by: IDM_newbie on Jan 25, 2013 1:51 AM

Request dataset in OIM 11gr2

Hi Experts,
I have integrated OIM 11gR2 with Siebel and able to provision by xelsysadm. My requirement is End User will be raising request for siebel resource and approval workflow associated with is triggered.
1. End user raising the request is able to view the process form, I need to restrict few attributes i.e. position and responsiblity should not be visible to end user
2. Position and Responsibility should be provided by approver (this is specified in request data set of provision resource)
3. As per Oracle document there is no request data set for PROVISION and MODIFY resource. What is the replacement for this?
4. After Request is raised it has been assgined to xelsysadm, how do i control the approval ?
Regards
A Abhinay

1. End user raising the request is able to view the process form, I need to restrict few attributes i.e. position and responsiblity should not be visible to end userEnd user will see Application Instance Form and you can customize the UI to hide attributes
2. Position and Responsibility should be provided by approver (this is specified in request data set of provision resource)
Make your Java Code/Beans/Expression to show/hide attributes conditionally.
3. As per Oracle document there is no request data set for PROVISION and MODIFY resource. What is the replacement for this?Application Instance Form
4. After Request is raised it has been assgined to xelsysadm, how do i control the approval ?Approval Policies

OIM 11gR2 - AD Organizational Unit provisioning

Similar Messages

Maybe you are looking for