OIM-OID connector group lookup recon

Hi Everyone,
I am trying to run group lookup recon using the scheduled job OID Connector Group Lookup Reconciliation. I can run the recon successfully if my base DN for OID is set to dc=com in the IT resource, and it does not work when it is "dc=example,dc=com". The error is "Failed: Error message can not be retrieved" and I cannot see any relevant information in the log files.
Also, I get an ADF error when I try to open the OID Connector OU Lookup Reconciliation.
java.lang.VirtualMachineError
ADF_FACES-60097:For more information, please see the server's error log for an entry beginning with: ADF_FACES-60096:Server Exception during PPR, #2
[2013-01-21T08:22:46.936+09:00] [oim_server1] [ERROR] [] [oracle.adfinternal.view.faces.config.rich.RegistrationConfigurator] [tid: [ACTIVE].ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: xelsysadm] [ecid: 498a5bc255145a67:-60b819ea:13c5a0de041:-8000-0000000000000470,0] [APP: oim#11.1.1.3.0] ADF_FACES-60096:Server Exception during PPR, #2[[
javax.servlet.ServletException: java.lang.InstantiationError: java.lang.VirtualMachineError
     at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:341)
     at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
     at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
     at oracle.help.web.rich.OHWFilter.doFilter(Unknown Source)
     at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
     at oracle.adf.model.servlet.ADFBindingFilter.doFilter(ADFBindingFilter.java:205)
     at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
     at oracle.adfinternal.view.faces.webapp.rich.RegistrationFilter.doFilter(RegistrationFilter.java:106)
     at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:446)
     at oracle.adfinternal.view.faces.activedata.AdsFilter.doFilter(AdsFilter.java:60)
     at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:446)
     at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl._doFilterImpl(TrinidadFilterImpl.java:271)
     at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl.doFilter(TrinidadFilterImpl.java:177)
     at org.apache.myfaces.trinidad.webapp.TrinidadFilter.doFilter(TrinidadFilter.java:92)
     at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
     at oracle.iam.platform.auth.web.PwdMgmtNavigationFilter.doFilter(PwdMgmtNavigationFilter.java:121)
     at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
     at oracle.iam.platform.auth.web.OIMAuthContextFilter.doFilter(OIMAuthContextFilter.java:107)
     at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
     at oracle.adf.library.webapp.LibraryFilter.doFilter(LibraryFilter.java:175)
     at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
     at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:111)
     at java.security.AccessController.doPrivileged(Native Method)
     at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:313)
     at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:413)
     at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:94)
     at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:161)
     at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
     at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
     at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:136)
     at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
     at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)
     at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
     at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3715)
     at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3681)
     at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
     at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
     at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2277)
     at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2183)
     at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1454)
     at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
     at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
Caused by: java.lang.InstantiationError: java.lang.VirtualMachineError
     at sun.reflect.GeneratedSerializationConstructorAccessor251.newInstance(Unknown Source)
     at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
     at java.io.ObjectStreamClass.newInstance(ObjectStreamClass.java:924)
     at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1736)
     at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1328)
     at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:1946)
     at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1870)
     at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1752)
     at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1328)
     at java.io.ObjectInputStream.readObject(ObjectInputStream.java:350)
     at oracle.iam.scheduler.vo.JobHistory.getExceptionObject(JobHistory.java:79)
     at oracle.iam.features.scheduler.agentry.operations.LookupActor.prepare(LookupActor.java:1251)
     at oracle.iam.consoles.faces.utils.CanonicUtils.prepareOperation(CanonicUtils.java:169)
     at oracle.iam.consoles.faces.utils.CanonicUtils.prepareOperation(CanonicUtils.java:179)
     at oracle.iam.consoles.faces.render.canonic.UICursor$TableActionListener.processAction(UICursor.java:855)
     at javax.faces.event.ActionEvent.processListener(ActionEvent.java:88)
     at org.apache.myfaces.trinidad.component.UIXComponentBase.broadcast(UIXComponentBase.java:675)
     at org.apache.myfaces.trinidad.component.UIXCommand.broadcast(UIXCommand.java:179)
     at org.apache.myfaces.trinidad.component.UIXCollection.broadcast(UIXCollection.java:148)
     at org.apache.myfaces.trinidad.component.UIXTable.broadcast(UIXTable.java:271)
     at oracle.adf.view.rich.component.UIXTable.broadcast(UIXTable.java:145)
     at oracle.adf.view.rich.component.rich.data.RichTable.broadcast(RichTable.java:402)
     at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent$1.run(ContextSwitchingComponent.java:92)
     at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent._processPhase(ContextSwitchingComponent.java:361)
     at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent.broadcast(ContextSwitchingComponent.java:96)
     at oracle.adf.view.rich.component.fragment.UIXInclude.broadcast(UIXInclude.java:102)
     at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent$1.run(ContextSwitchingComponent.java:92)
     at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent._processPhase(ContextSwitchingComponent.java:361)
     at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent.broadcast(ContextSwitchingComponent.java:96)
     at oracle.adf.view.rich.component.fragment.UIXInclude.broadcast(UIXInclude.java:96)
     at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl.broadcastEvents(LifecycleImpl.java:902)
     at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl._executePhase(LifecycleImpl.java:313)
     at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:186)
     at javax.faces.webapp.FacesServlet.service(FacesServlet.java:265)
     at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
     at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
     at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300)
     ... 41 more
Can anyone help me in resolving these problems?
Thanks,
Bob
Edited by: user10104431 on Jan 21, 2013 5:04 AM

Any ideas please..

Similar Messages

  • Weird data obtained when running Task: AD Group Lookup Recon

    Hi,
    I'm running the scheduled task named: AD Group Lookup Recon
    It works and populates the lookup named Lookup.ADReconciliation.GroupLookup
    but when looking in the design console, the Code Key and the Decode values have weird data, i.e.:
    code key: 2~CN=TelnetClients,CN=Users,DC=adtest,DC=com     
    Decode: ADITResource~CN=TelnetClients,CN=Users,DC=adtest,DC=com
    in the code key there is an extra 2~
    in the Decode there is an extra ADITResource~
    I think it may be some kind of coding for connector commands used in provision tasks. When I'm trying to provision an OIM user to Active Directory (in the Organization Lookup field) I get this data
    this is just one line:
    Value: 2~CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=adtest,DC=com      
    Description: ADITResource~CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=adtest,DC=com
    Any Ideas?
    Thank You.

    Yes, you are right, the code key and decode key are because of the coding in the connector to distinguish lookup values coming from multiple IT resources.
    If you want to get rid of this [IT Resource~] you will have to modify the connector.
    One more thing: it looks like the base DN you have specified for lookup reconciliation is DC=adtest,DC=com with a generic filter; that's why you are getting entries like 2~CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=adtest,DC=com, which may not be a group you want.
    Hope this helps,
    Sagar
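The encoding described in this reply, as an added example that is not connector or Oracle code: it splits the `<prefix>~<DN>` Code Key and Decode values shown in the question and lists the entries whose DN does not sit under an intended groups container, which is what a base DN of DC=adtest,DC=com with a generic filter lets through. The container `CN=Users,DC=adtest,DC=com`, the third (constructed) row and all function names are assumptions.

```python
"""Added example: decode '<prefix>~<DN>' lookup rows and check their scope."""
from typing import Iterable, List, NamedTuple, Tuple


class LookupEntry(NamedTuple):
    resource_key: str   # prefix of the Code Key, e.g. "2"
    resource_name: str  # prefix of the Decode, e.g. "ADITResource"
    dn: str             # DN carried by both columns


# First two rows are the values quoted in the question; the third is
# constructed to exercise an escaped comma inside an RDN value.
SAMPLE_ROWS = [
    ("2~CN=TelnetClients,CN=Users,DC=adtest,DC=com",
     "ADITResource~CN=TelnetClients,CN=Users,DC=adtest,DC=com"),
    ("2~CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=adtest,DC=com",
     "ADITResource~CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=adtest,DC=com"),
    ("2~CN=Ops\\, Tier1,CN=Users,DC=adtest,DC=com",
     "ADITResource~CN=Ops\\, Tier1,CN=Users,DC=adtest,DC=com"),
]

# Assumed container that is supposed to hold the groups.
GROUP_CONTAINER = "CN=Users,DC=adtest,DC=com"


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDNs on unescaped commas (backslash escapes kept)."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).lstrip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).lstrip())
    return rdns


def normalize(dn: str) -> Tuple[str, ...]:
    """Case-insensitive RDN tuple, good enough for comparing directory DNs."""
    return tuple(rdn.lower() for rdn in split_dn(dn))


def is_under(dn: str, container: str) -> bool:
    """True when dn is a strict descendant of container."""
    child, parent = normalize(dn), normalize(container)
    return len(child) > len(parent) and child[-len(parent):] == parent


def parse_entry(code_key: str, decode: str) -> LookupEntry:
    """Split both columns on the first '~' and require that the DNs agree."""
    key, sep_code, dn_code = code_key.partition("~")
    name, sep_decode, dn_decode = decode.partition("~")
    if not sep_code or not sep_decode:
        raise ValueError("missing '~' separator in lookup row")
    if normalize(dn_code) != normalize(dn_decode):
        raise ValueError("Code Key and Decode carry different DNs")
    return LookupEntry(key, name, dn_code)


def out_of_scope(entries: Iterable[LookupEntry], container: str) -> List[LookupEntry]:
    """Entries that a narrower search base would not have returned."""
    return [e for e in entries if not is_under(e.dn, container)]


if __name__ == "__main__":
    parsed = [parse_entry(code, decode) for code, decode in SAMPLE_ROWS]
    for entry in out_of_scope(parsed, GROUP_CONTAINER):
        print("outside", GROUP_CONTAINER, "->", entry.dn)
```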

  • OIM-OID Connector: OID Group Recon Task and organizations

    Hi,
    I'm evaluating OIM and its OID Connector.
    We have groups in our existing OID. We thought that we could use the OID Connector OID Group Recon Task to import those groups into OIM and make them Groups in OIM.
    However, when we run the task, it appears to import our groups from OID as organizations, not as groups. It's not clear to me from the OID Connector documentation what exactly the OID Group Recon task is supposed to do. That's why we assumed it was an OOTB method for reconciling OID groups into OIM groups.
    What are we doing wrong? Why do we end up with our OID Groups becoming OIM Organizations after running the task?
    We are using version 9.4.11 of the OID Connector.
    Also, a side issue: how can we delete unwanted organizations from OIM? There's a delete option but it just seems to mark the organizations as deleted but they are still there.
    Thanks
    Eric
    Edited by: PeachEye on 17/03/2010 11:49

    Hi,
    I am also facing the similar issue. I want to reconcile OID groups into OIM User Groups menu item. Please suggest how to proceed.
    I ran the schedule task- OID Group Recon Task, but it throws error-
    ERROR,12 Mar 2010 09:16:44,265,[XL_INTG.OID],OID:tcTskOIDGrouporRoleReconTask:performReconciliation():com.thortech.xl.integration.OID.util.tcUtilLDAPOperations:NamingException :Unable to search LDAP. Check the following values and try again: Base Search detail: cn=abc,ou=Q System1,dc=xoserve-apps,dc=com, filter expression is (&(objectClass=groupOfUniqueNames)(modifytimestamp>=19000101010001Z)), Attributes : DN, modifytimestamp, Organization Name, orclguid, cn,]
    ERROR,12 Mar 2010 09:16:44,281,[XL_INTG.OID],===================================
    I want to bring OID groups into OIM so that I can manage those OID groups from OIM. Is there any other way to do this? Do I have to make changes in the OID object class or in the OID field mappings? I have not done any changes in Lookup OID configuration or LookUp Field map parameters.
    Please help.

  • OIM: OID Connector Issue

    Hey all,
    I downloaded and installed the new 11g version of the OID 11.1.1.5 connector without the connector server on OIM 11g BPO5. While trying to run the group lookup reconciliation scheduled task, it fails with below error:
    <Oct 30, 2012 8:51:01 PM PDT> <Error> <ORACLE.IAM.CONNECTORS.ICFCOMMON.RECON.LOOKUPRECONTASK> <BEA-000000> <oracle.iam.connectors.icfcommon.recon.LookupReconTask : execute : Error during execution
    org.identityconnectors.framework.common.exceptions.ConnectorException: javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; Remaining name: *'dc=mycompanydc=statedc=*type'
    at org.identityconnectors.ldap.search.LdapInternalSearch.execute(LdapInternalSearch.java:71)
    at org.identityconnectors.ldap.search.LdapInternalSearch.execute(LdapInternalSearch.java:59)
    at org.identityconnectors.ldap.search.LdapSearch.execute(LdapSearch.java:131)
    at org.identityconnectors.ldap.LdapConnector.executeQuery(LdapConnector.java:115)
    at org.identityconnectors.ldap.LdapConnector.executeQuery(LdapConnector.java:59)
    at org.identityconnectors.framework.impl.api.local.operations.SearchImpl.rawSearch(SearchImpl.java:105)
    at org.identityconnectors.framework.impl.api.local.operations.SearchImpl.search(SearchImpl.java:82)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:48)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:600)
    at org.identityconnectors.framework.impl.api.local.operations.ConnectorAPIOperationRunnerProxy.invoke(ConnectorAPIOperationRunnerProxy.java:93)
    at $Proxy336.search(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:48)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:600)
    at org.identityconnectors.framework.impl.api.local.operations.ThreadClassLoaderManagerProxy.invoke(ThreadClassLoaderManagerProxy.java:107)
    at $Proxy336.search(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:48)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:600)
    at org.identityconnectors.framework.impl.api.BufferedResultsProxy$BufferedResultsHandler.run(BufferedResultsProxy.java:162)
    Caused By: javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; Remaining name: *'dc=mycompanydc=statedc=*type'
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3092)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3013)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2820)
    at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1829)
    at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1752)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:368)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:338)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:321)
    at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:245)
    at org.identityconnectors.ldap.search.DefaultSearchStrategy.doSearch(DefaultSearchStrategy.java:60)
    at org.identityconnectors.ldap.search.LdapInternalSearch.execute(LdapInternalSearch.java:66)
    at org.identityconnectors.ldap.search.LdapInternalSearch.execute(LdapInternalSearch.java:59)
    at org.identityconnectors.ldap.search.LdapSearch.execute(LdapSearch.java:131)
    at org.identityconnectors.ldap.LdapConnector.executeQuery(LdapConnector.java:115)
    at org.identityconnectors.ldap.LdapConnector.executeQuery(LdapConnector.java:59)
    at org.identityconnectors.framework.impl.api.local.operations.SearchImpl.rawSearch(SearchImpl.java:105)
    at org.identityconnectors.framework.impl.api.local.operations.SearchImpl.search(SearchImpl.java:82)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:48)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:600)
    at org.identityconnectors.framework.impl.api.local.operations.ConnectorAPIOperationRunnerProxy.invoke(ConnectorAPIOperationRunnerProxy.java:93)
    at $Proxy336.search(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:48)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:600)
    at org.identityconnectors.framework.impl.api.local.operations.ThreadClassLoaderManagerProxy.invoke(ThreadClassLoaderManagerProxy.java:107)
    at $Proxy336.search(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:48)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:600)
    at org.identityconnectors.framework.impl.api.BufferedResultsProxy$BufferedResultsHandler.run(BufferedResultsProxy.java:162)
    >
    <Oct 30, 2012 8:51:01 PM PDT> <Warning> <oracle.iam.scheduler.vo> <IAM-1020035> <Error in exception object for job {0}
    java.io.NotSerializableException: com.sun.jndi.ldap.LdapCtx
    at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1173)
    at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1527)
    at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1492)
    at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1409)
    at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1167)
    at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1527)
    at java.io.ObjectOutputStream.defaultWriteObject(ObjectOutputStream.java:428)
    at java.lang.Throwable.writeObject(Throwable.java:293)
    at sun.reflect.GeneratedMethodAccessor94.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:600)
    at java.io.ObjectStreamClass.invokeWriteObject(ObjectStreamClass.java:1001)
    at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1478)
    at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1409)
    at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1167)
    at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1527)
    at java.io.ObjectOutputStream.defaultWriteObject(ObjectOutputStream.java:428)
    at java.lang.Throwable.writeObject(Throwable.java:293)
    at sun.reflect.GeneratedMethodAccessor94.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:600)
    at java.io.ObjectStreamClass.invokeWriteObject(ObjectStreamClass.java:1001)
    at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1478)
    at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1409)
    at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1167)
    at java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java:336)
    at oracle.iam.scheduler.vo.TaskSupport.populateJobHIstory(TaskSupport.java:321)
    at oracle.iam.scheduler.vo.TaskSupport.logJobExecution(TaskSupport.java:206)
    at oracle.iam.scheduler.vo.TaskSupport.executeJob(TaskSupport.java:153)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:48)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:600)
    at oracle.iam.scheduler.impl.quartz.QuartzJob.execute(QuartzJob.java:196)
    at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
    at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:529)
    Another thing is, the logs are not showing the base context properly, i.e., *'dc=mycompanydc=statedc=*type' instead of *'dc=mycompany,dc=state,dc=*type'. The ',' seems to be missing in the logs.
    Please help.
    Regards,
    Sunny

    What is the value of the SearchContext attribute in the scheduled task?
    It should be dc=mycompany,dc=state,dc=type
    And it should be present in your OID.

  • OIM AD connector- Groups added natively in AD getting deleted

    We are facing this issue with the OIM AD connector 11.1.1.5.0. The scenario is:
    1. OIM user get created
    2. OIM provisions user to AD and adds user to 2 groups ( 1 and 2)
    3. AD Administrator logs into the AD directly and adds 3 groups to the user ( Group3,Group4 and Group5)
    4. OIM admin goes to the resources tab and adds Group6 to the user from within OIM AD resource
    Shouldn't we see that the user account on AD be a member of group1,group2,group3,group4,group5 and group6. This is the expected behavior
    What we are seeing on the account is that only group1,group2 and group6 are visible.
    I understand that the groups Group3, Group4 and Group5 will not be visible on the resource form unless we do a recon, but OIM should not be DELETING groups added natively on AD
    Any help on this issue will be appreciated

    Thanks everyone. I do agree that the behavior should be such that all 6 groups should be visible on the user on the target (AD) system. However, we are seeing that the groups added natively within AD are getting deleted and OIM is "truing up" the user account with the groups that are added within the process form , i.e. the scenario described above. OIM is actually deleting the groups that were added manually on AD.
    If I do trigger a target recon, then I can see that all the groups are reflected on the user within OIM. However, running this task every hour, or rather every time I need to add an entitlement on a user, is not a feasible solution, would you agree? Also this is a limitation that cannot be placed on a helpdesk person. Rather, if this is the only solution, it should be a functionality of the connector.
    Please note that the connector deployed is v11.1.1.5.0 and NOT the 9.1.1.7. The 9.x connector did behave as expected , i.e it did not delete any groups. However the new ICF based connector is deleting groups. Is there a setting within the connector configuration to turn on/off this functionality?
    This is what I see in the connector server logs
    <VERBOSE>: Class-> ActiveDirectoryUtils, Method -> GetDnFromPath, Message -> Exiting the method. Returning the value = CN=TEST6,CN=Users,DC=OIM,DC=Test,DC=com
    <VERBOSE>: Class-> CustomAttributeHandlers, Method -> UpdateDeFromCa_OpAtt_Groups, Message -> DirectoryEntry path = LDAP://xx.xx.xx.xxx/CN=Print,DC=OIM,DC=Test,DC=com. Removing: CN=TEST6,CN=Users,DC=OIM,DC=Test,DC=com from the property: member
    "PRINT" is the group that was added natively on AD.

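A detection check for the behaviour described in this post, as an added example (not connector or Oracle code): it scans connector server log lines in the format quoted above for group-membership removals and reports those that nobody revoked in OIM. Only the first two sample lines come from the post; the others are constructed in the same format, and `requested` (revocations exported from OIM) and the function names are assumptions.

```python
"""Added example: find unrequested group removals in connector server logs."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Matches the removal message quoted in the post and captures both DNs.
REMOVAL = re.compile(
    r"Method -> UpdateDeFromCa_OpAtt_Groups, Message -> "
    r"DirectoryEntry path = LDAP://(?P<host>[^/]+)/(?P<group>.+?)\. "
    r"Removing: (?P<member>.+?) from the property: member\s*$"
)

PREFIX = "<VERBOSE>: Class-> CustomAttributeHandlers, Method -> UpdateDeFromCa_OpAtt_Groups, Message -> "

SAMPLE_LOG = [
    # Quoted in the post: not a removal, must be ignored.
    "<VERBOSE>: Class-> ActiveDirectoryUtils, Method -> GetDnFromPath, Message -> "
    "Exiting the method. Returning the value = CN=TEST6,CN=Users,DC=OIM,DC=Test,DC=com",
    # Quoted in the post: the natively added group "Print" loses the user.
    PREFIX + "DirectoryEntry path = LDAP://xx.xx.xx.xxx/CN=Print,DC=OIM,DC=Test,DC=com. "
    "Removing: CN=TEST6,CN=Users,DC=OIM,DC=Test,DC=com from the property: member",
    # Constructed: a second natively added group is trimmed.
    PREFIX + "DirectoryEntry path = LDAP://xx.xx.xx.xxx/CN=Group3,DC=OIM,DC=Test,DC=com. "
    "Removing: CN=TEST6,CN=Users,DC=OIM,DC=Test,DC=com from the property: member",
    # Constructed: a removal that an administrator did request in OIM.
    PREFIX + "DirectoryEntry path = LDAP://xx.xx.xx.xxx/CN=Group2,DC=OIM,DC=Test,DC=com. "
    "Removing: CN=TEST7,CN=Users,DC=OIM,DC=Test,DC=com from the property: member",
]


def parse_removals(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (member DN, group DN) for every removal line, in log order."""
    found = []
    for line in lines:
        match = REMOVAL.search(line)
        if match:
            found.append((match.group("member"), match.group("group")))
    return found


def unrequested_removals(
    lines: Iterable[str], requested: Set[Tuple[str, str]]
) -> Dict[str, List[str]]:
    """Map each member DN to the groups it lost without a matching request.

    `requested` holds (member DN, group DN) pairs revoked through OIM;
    DNs are compared case-insensitively.
    """
    wanted = {(member.lower(), group.lower()) for member, group in requested}
    findings: Dict[str, List[str]] = defaultdict(list)
    for member, group in parse_removals(lines):
        if (member.lower(), group.lower()) not in wanted:
            findings[member].append(group)
    return dict(findings)


if __name__ == "__main__":
    requested = {("CN=TEST7,CN=Users,DC=OIM,DC=Test,DC=com",
                  "CN=Group2,DC=OIM,DC=Test,DC=com")}
    for member, groups in unrequested_removals(SAMPLE_LOG, requested).items():
        print(member, "lost without request:", groups)
```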
  • OIM - OID Connector 9.0.4 - Incremental User Recon?

    I can't see how incremental user recon is implemented in this connector. Can anyone tell me if incremental user recon is possible with this connector and if so how to configure it to perform incremental user recon? There is no documented or default scheduled task property that seems to enable / disable this. The IT Resource has a Last Recon TimeStamp that is updated on each recon, but ALL users are reconciled each time the task is run even though there are no changes to the objects. I have also looked at the "Object Initial Reconciliation Date" field in RO and setting this date to a date in the past doesn't seem to have any impact.
    My OID install is 10.1.4.2 and my OIM install is 9.1.

    Although the documentation does not make any mention of it AT ALL, you need to add modifytimestamp to the ldapTargetResourceTimeStampField in the recon lookup attribute map. The modifytimestamp attribute in OID then needs to be indexed so that it can be used in the LDAP search the connector makes.

  • OIM OID CONNECTOR

    I interfaced OIM with an Oracle 10g database instance using the database connector. I installed the connector using a database user account by giving it some privileges (sysadmin, which is the admin account of that database instance, was not able to install the connector, so I created a new database user and gave him the privileges by running the OIM.bat file).
    Now I'm trying to interface OIM with OID. It says that the system admin or any user with certain privileges can install a connector.
    The required permissions are the following:
    Form Designer (Allow Insert, Write Access, Delete Access)
    Structure Utility.Additional Column (Allow Insert, Write Access, Delete Access)
    Meta-Table Hierarchy (Allow Insert, Write Access, Delete Access)
    In that case, which user can I use? May I use the admin credentials of OIM (xelsysadm), or do I need to create a new user with the relevant privileges?
    How can this be materialised?
    I'm constantly getting INVALID_NAMING_ERROR while I try to provision the OID IT Resource to the users in OIM.
    What can be the reason?
    Edited by: user12240044 on Jan 12, 2010 8:43 PM
    I configured the target system by modifying the custom.bat file as follows:
    ldapmodify -h hostname -p 4389 -D "cn=orcladmin" -w "adminpassword" -c -f customRoleOccupant.ldif
    ldapadd -h hostname -p 4389 -D "cn=orcladmin" -w "adminpassword" -c -f customIndex.ldif
    ldapmodify -h hostname -p 4389 -D "cn=orcladmin" -w "adminpassword" -c -f customOrganizationalRole.ldif
    Then I run the custom.bat file.
    Is it a must to make modifytimestamp a searchable attribute? Why is it needed?
    Edited by: user12240044 on Jan 12, 2010 9:02 PM
    Admin Id     cn=orcladmin,cn=Users,dc=ad,dc=infosys,dc=com
    Admin Password     ******
    CustomizedReconQuery     
    Last Target Delete Recon TimeStamp     
    Last Target Recon TimeStamp     
    Last Trusted Delete Recon TimeStamp     
    Last Trusted Recon TimeStamp     
    Port     389
    Prov Attribute Lookup Code     AttrName.Prov.Map.OID
    Recon Attribute Lookup Code     AttrName.Recon.Map.OID
    Root DN     dc=ad,dc=infosys,dc=com
    SSL     false
    Server Address     given
    Use XL Org Structure     true
    Edited by: user12240044 on Jan 12, 2010 9:39 PM

    Although the documentation does not make any mention of it AT ALL, you need to add modifytimestamp to the ldapTargetResourceTimeStampField in the recon lookup attribute map. The modifytimestamp attribute in OID then needs to be indexed so that it can be used in the LDAP search the connector makes.

  • Queuing/Retrying 'Rejected' status OID Process Tasks: OIM-OID provisioning

    Hello Gurus,
    I have already up and running environment with OIM, OID connector pack and OID as the target system. So when a user data (for e.g. a UDF) is being provisioned from OIM to OID target system; if a process task comes back with 'rejected' status due to target unavailability/OID down; then is there any settings that we can configure within OIM design console that queues up and retries these 'rejected' tasks related to each individual user?
    Is there any setting within any of the OID lookups such that we can set a retry count for such process tasks?
    The goal is without human intervention all these 'rejected' process tasks should run successfully and be set to 'completed' status. If the target system is unavailable then there should be a way to run all these failed tasks - is my assumption.
    Is it by anyway related to 'Offline Provisioning'?
    Please provide some guidelines.
    Thanks,
    - oidm.
    Edited by: oidm on Mar 16, 2010 10:34 PM

    But it'll only allow us to 'retry' those specific tasks for a limited number of times and limited period of time. And will this task be retried only if its 'rejected' or it'll be retried for whatever number of times we specified?
    What if the target system doesn't come up for the whole day? Can we specify some value for the same in 'Duration' fields?
    So all in all if we talk about retrying the failed/rejected tasks we just have these options in hand as far as task 'status' is concerned?
    Thanks,
    - oidm.

  • OIM - OID11g Connector Logging

    Hi All,
    I have updated the logging.xml as below to enable the logging for OIM -OID Connector 11.1.1.5.0 but I can't see anything in the file (File is created but it has no logs):
    <log_handler name='oid-handler' level='TRACE:32' class='oracle.core.ojdl.logging.ODLHandlerFactory'>
    <property name='logreader:' value='off'/>
    <property name='path' value='/u01/oracle/iam_middleware/user_projects/domains/IAMdomain/oidconnector.log'/>
    <property name='format' value='ODL-Text'/>
    <property name='useThreadName' value='true'/>
    <property name='locale' value='en'/>
    <property name='maxFileSize' value='5242880'/>
    <property name='maxLogSize' value='52428800'/>
    <property name='encoding' value='UTF-8'/>
    </log_handler>
    <logger name="OIMCP.OID" level="TRACE:32" useParentHandlers="false">
    <handler name="oid-handler"/>
    <handler name="console-handler"/>
    </logger>
    Please help.
    Thanks
    Sunny

    Firstly I would normally manage OIM 11g logging through Oracle Enterprise Manager rather than directly in a logging.xml file, with log information appearing in the OIM server diagnostic log rather than a dedicated log file as you have done. That is not to say what you are doing is wrong (I cannot comment as I have never managed OIM 11g logging in this way.)
    The other thing that may be wrong is the logger you are using. You have logger OIMCP.OID. For my OIM11g OID connector logging I am using the standard logger of XL_INTG.OID.

  • OIM 11gR2 and AD Connector 11.1.1 Lookup Recon Tasks

    Hi All,
    I wonder how can I limit groups during Group and OU Lookup Recon tasks based on their distinguishedName? I tried to put a string "contains('distinguishedName','OU=xxxx')" in filter parameter for GroupLookupReconTask but it filtered everything out
    We have all of our groups in a separate OU so a better solution would be to set a base dn to go and look for groups but I can't do it in LookupReconTasks as there is no such a field during lookup recon tasks.
    I would appreciate any ideas how to achieve my goal.
    Thank you!

    Yes, I have tried that, but that didn't work, as in AD you just have the name of an element in CN. Besides that, an OU doesn't have a CN.

  • OIM-OID Provisioning - OID Group PrePopulate Approach :

    Hi,
    I am working on OID Connector 9.0.1.14 with OIM 11.1.1.5.
    I have reconciled all the Roles and Groups from OID to OIM and can successfully provision users to the OID along with membership to these specific Roles and Groups.
    I want to prepopulate the OID Group based on certain attribute from the OIM User form. My Approach so far is :
    1) Created an Entity Adapter with a variable : say Org and GroupName.
    2) Set the Logic as if Org = XYZ (XYZ does exist on OIM) set GroupName as = "OID Group 1" else set GroupName as = "OID Group 2"
    3) Attached this adapter to the "OID User Group" form on the "Data Object Manager" at the pre-insert stage.
    4) Mapped the Adapter variable as :
    a) Org Maps to "Organization Definition" with the qualifier "Organization Name"
    b) GroupName maps to the "Entity Field" with the qualifier "UD_OID_GRP_GROUP_NAME"
    However nothing seems to happen when I create/modify a user with Organization Name as XYZ and manually Provision the OID Resource. I can see the form but nothing is populated in the Group Field. Upon completing the request, I get the user provisioned to OID but without any Group information.
    Is my approach right ? Am I missing something ?

    Here is what I have done for a client. My requirement was that for a given department, a user must have a list of groups provisioned to them. So here is what I've done:
    1. Create a lookup that has Code Key = Department, Decode = CN of the groups in a delimited format.
    2. Create a provisioning task that will look at the department code from the user form, reference the lookup and find the decode values. Split them based on a delimiter. Then using each value, look up the code key value from the real lookup that contains the full distinguished name of the group in the OID Group lookup. I even appended the IT Resource Key and ~ so that my search would be Decode or Code = "IT Resource Name~CN=<CN VALUE>%". This would return only the single group code key value. And then I add it to the child table. Repeat this for all the values in the delimited field.
    3. Create a provisioning task that removes the values from the child table based on the delimited value. You'll need to search through the existing child table values.
    Once you have the 2 tasks, you'll want to add a value to your Lookup.USR_PROCESS_TRIGGERS that is your group determining field. Create your task name in this lookup. On your provisioning workflow, for the Adding of the groups task, make this unconditional, and have a preceding task of the Create User. Give it the name from your Lookup.USR_PROCESS_TRIGGERS and append " - Add Groups" to the task name. Create another task called the same, but append " - Delete Groups" to the task name. On the Add Groups task, make the preceding task the Delete Groups. When you map your inputs to the adapters, on the delete, select the old value check box from the User Form so that you get the old value. Now, when the value changes on the user form, it will first remove the old groups, then add the new ones. All this will be done using the child table APIs, so that the existing Insert and Delete task triggers for your child table will run.
    -Kevin
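
The lookup resolution and delete-then-add ordering described in the reply above, as an added example that is not part of the original post or of any OIM connector code. It models the two lookups and the child table with in-memory Python data; all names, keys and DNs are constructed, and the trailing comma in the match plus the exactly-one-match check are assumptions added here so that a CN prefix cannot pull in a similarly named group.

```python
DELIM = "|"  # assumed delimiter for the department lookup's Decode values

# Constructed stand-in for the step 1 lookup: Code Key = department, Decode = CNs.
DEPT_GROUPS = {
    "Finance": "fin-users|fin-approvers",
    "HR": "hr-users",
    "Legal": "legal-users",  # deliberately has no entry in the group lookup
}
# Constructed stand-in for the reconciled group lookup code keys:
# "<IT resource key>~<group DN>".
GROUP_LOOKUP_KEYS = [
    "21~cn=fin-users,cn=Groups,dc=example,dc=com",
    "21~cn=fin-users-admin,cn=Groups,dc=example,dc=com",
    "21~cn=fin-approvers,cn=Groups,dc=example,dc=com",
    "21~cn=hr-users,cn=Groups,dc=example,dc=com",
    "34~cn=hr-users,cn=Groups,dc=example,dc=com",
]

def resolve_group_keys(department, it_resource_key):
    """Map a department to the group lookup code keys for one IT resource."""
    decode = DEPT_GROUPS.get(department, "")
    resolved = set()
    for cn in filter(None, (part.strip() for part in decode.split(DELIM))):
        # Include the comma after the CN so "fin-users" never matches
        # "fin-users-admin", which a bare "CN=<value>%" prefix would.
        prefix = f"{it_resource_key}~cn={cn},".lower()
        matches = [k for k in GROUP_LOOKUP_KEYS if k.lower().startswith(prefix)]
        if len(matches) != 1:
            # Fail closed: never guess which group a user should receive.
            raise LookupError(f"{cn!r}: expected 1 group entry, found {len(matches)}")
        resolved.add(matches[0])
    return resolved

def plan_changes(old_dept, new_dept, child_rows, it_resource_key):
    """Return (rows to delete, rows to add), in the delete-then-add order."""
    current = set(child_rows)
    # Delete only rows derived from the old department; manually assigned
    # groups stay in the child table.
    to_remove = resolve_group_keys(old_dept, it_resource_key) & current
    remaining = current - to_remove
    to_add = resolve_group_keys(new_dept, it_resource_key) - remaining
    return sorted(to_remove), sorted(to_add)
```
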

  • OIM-OID! provisioning users to OID groups-QUICK HELP NEEDED

    hi,
    I've installed OIM connected to OID.
    I've been assigned some tasks:
    1) Creating an access policy such that when a user is created in OIM, he is provisioned to two groups in OID, i.e. in cn=users and cn=employees (where cn=employees is the group I create under cn=Groups,dc=ad,dc=company,dc=com)
    2) Creating an access policy such that when a user is created in OIM, he is provisioned to two additional groups in OID. Say I've created two custom groups in OIM and attached membership rules to them. Now when I create a user satisfying the two membership rules, he is assigned to those two OIM groups and provisioned to cn=users,dc=ad,dc=company,dc=com and cn=group1,cn=Groups,dc=ad,dc=company,dc=com and cn=group2,dc=ad,dc=company,dc=com.
    Also I want to populate those OID groups into a child table and create their lookups in the Process form.
    Please help me materialise and understand these concepts.
    The OID Lookup Recon task for group is running fine, lookup.oid.group is populated with values.
    How can those groups be populated in the process form child table (OID user group table)?
    Edited by: Chhavi Saluja on Feb 12, 2010 12:51 AM

    As mentioned in my other post you can put these groups in access policy form and all the users assigned by this policy will get these groups. Any issue revert back.

  • OIM 11g R1: LDAPsync or OID Connector or both?

    Hello,
    at the moment we have ldapsync configured for user/roles provisioning/recon to OID.
    We have the requirement to manage two OIDs (test and prod) with one OIM system. Both OIDs have the same users and roles! LDAPsync is a 1:1 mapping and it is not possible to manage two destinations.
    Now we are thinking about OID connectors.
    Here are my questions:
    1. Is it possible to use ldapsync and OID connector together? Does this make sense?
    2. If using OID connector for role assignment and provisioning, is it possible to use the same role name for an application in both systems (e.g. role: xyz in prod and role: xyz in test?)
    3. We have OAM-OID-OIM integration. Here ldapsync is required, isn't it?
    4. Can I use the OID connector alone without ldapsync? How does the user lifecycle (provisioning, reconciliation of user password) work?
    Many thanks in advance!

    any ideas?

  • OIM-OID Recon

    Hi,
    I'm currently trying to reconcile users (target recon) from OID and when I try to do that, I get the following error:
    Note: It's a fresh installation and I've made the necessary changes in the IT Resource and the Schedule Task.
    DEBUG QuartzWorkerThread-0 XELLERATE.ACCOUNTMANAGEMENT - Class/Method: tcUtilityFactory/getRemoteUtility - Data: moUtil - Value: Thor.API.Operations.tcObjectOperationsClient
    DEBUG QuartzWorkerThread-0 XELLERATE.ADAPTERS - Class/Method: tcADPClassLoader/findClass entered.
    ERROR QuartzWorkerThread-0 XL_INTG.OID - ====================================================
    ERROR QuartzWorkerThread-0 XL_INTG.OID - com.thortech.xl.integration.OID.schedule.tasks.tcTskOIDUserReconciliationparseOrganizationUnit() error parsing the Organizational Unit. Returning as it is - ,dc=ad,dc=XYZ,dc=com
    ERROR QuartzWorkerThread-0 XL_INTG.OID - ====================================================
    ERROR QuartzWorkerThread-0 XL_INTG.OID - ====================================================
    ERROR QuartzWorkerThread-0 XL_INTG.OID - Exception in OID:tcTskOIDUserReconciliation:parseOrganizationUnit()String index out of range: -1
    ERROR QuartzWorkerThread-0 XL_INTG.OID - ====================================================
    DEBUG QuartzWorkerThread-0 XELLERATE.SERVER - Class/Method: tcDataBase/eventPreInsert entered.
    DEBUG QuartzWorkerThread-0 XELLERATE.SERVER - Class/Method: tcDataBase/tcDataBase left.
    DEBUG QuartzWorkerThread-0 XELLERATE.AUDITOR - Class/Method: AuditEngine/getAuditEngine entered.
    DEBUG QuartzWorkerThread-0 XELLERATE.SERVER - Class/Method: tcDataBase/eventPreInsert entered.
    DEBUG QuartzWorkerThread-0 XELLERATE.SERVER - Class/Method: tcDataBase/tcDataBase left.
    DEBUG QuartzWorkerThread-0 XELLERATE.DATABASE - select usr_key from usr where USR_LOGIN=? and USR_STATUS!='Deleted'
    INFO QuartzWorkerThread-0 XELLERATE.PERFORMANCE - Query: DB: 0, LOAD: 0, TOTAL: 0
    DEBUG QuartzWorkerThread-0 XELLERATE.RESOURCEMANAGEMENT - Class/Method: tcObjectOperationsBean/findObjects entered.
    DEBUG QuartzWorkerThread-0 XELLERATE.SERVER - Class/Method: tcDataBase/eventPreInsert entered.
    What I'm not able to figure out is: where did this "," come from before dc=ad,dc=XYZ,dc=com? I've checked and re-checked all the mentioned values but couldn't figure this out.
    Also, I'm using the latest OID Connector, with the following parameters given in the schedule task :
    ConfigurationLookup : Lookup.OID.Configuration
    ITResourceName : OID IT Resource
    PageSize : 100
    Recon Attribute Lookup Code : AttrName.Recon.Map.OID
    SearchBase : dc=ad,dc=XYZ,dc=com
    SearchFilter : (objectclass=top)
    SearchScope : Subtree
    TargetResourceObjectName : OID User
    Regards

    I didn't find any Organization Unit mapping in any of the look up tables shipped in with the OID connector (Configuration, Recon, Prov, etc). So I manually entered a lookup value in the AttrName.Recon.Map.OID. (Code Key : Organization Unit, Decode Key : o) to map it to OID.
    Still, I'm getting the same error !! :(:(
    I'm able to successfully provision a user to OID though..
    Kindly help !!!!!!!!
    P.S. I wasn't facing any issue when I was using the old connector for OID. Things were going fine there, but facing issues with the latest version of OID connector.. :(
    Regards

  • OIM: New OID Connector Problem

    Hey all,
    I downloaded and installed the new 11g version of the OID connector without the connector server. While trying to run the group lookup reconciliation scheduled task, it fails.
    The following occurs in the .out file.
    Thread Id: 109     Time: 2012-08-14 13:24:42.339     Class: org.identityconnectors.framework.api.operations.SearchApiOp     Method: search     Level: OK     Message: Exception:
    org.identityconnectors.framework.common.exceptions.ConnectorException: javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name 'dc=company'
    My base DN is dc=company,dc=com

    I have typed it in by hand, both with and without quotes. When I use quotes I get the following error:
    org.identityconnectors.framework.common.exceptions.ConnectorException: javax.naming.InvalidNameException: "dc=company: no close quote
    .. and yes, the quote is closed. This was in my IT resource.
