OVD/OID group reconciliation in OIM 11g with LDAP sync

Hi All!
Is it possible to reconcile OID groups to OIM using LDAP sync? How can I achieve such a configuration?
I have OIM with LDAP sync, and user and role provisioning to OVD is working.
Best,
mp

Hi,
I want to integrate OIM and OID. Can you guide me in doing so? The platform I will use is Windows 2003 Server, and the OIM version is 9.1. Also, please tell me which version of OID I should use.
Note: I am new to OID and OIM.
Thanks in advance.
Regards,
Kazmi

Similar Messages

  • Transformation during LDAP Sync reconciliation in OIM 11g

    Does anyone know if the use of transformations is supported in LDAP Sync reconciliation in OIM 11g?
    The reconciliation of LDAP User records is defined in /db/LDAPUser in the OIM metadata. The default version of this file has entries to specify OneToOne transformations, e.g.
    <Transformation name="OneToOne">
    <Parameter name="givenname" fieldname="givenname"/>
    </Transformation>
    For one of my attributes I wish to perform a custom transformation, and have implemented a transformation method as a GC provider (i.e. developed a Java class implementing the TransformationProvider interface and defined this Transformation in an xml file in the metadata path /db/GTC/ProviderDefinitions). I have uploaded a new version of LDAPUser that references my custom transformation provider for one of the LDAP attributes.
    When I try to perform an LDAP Sync user reconciliation, my custom class does not seem to be getting called when I generate a reconciliation event for the affected attribute. I also do not see any logs indicating a failure to load my provider. I have also turned up all the relevant log levels I can identify, and can see no record of OIM doing anything related to transformation at all (e.g. even calling the standard OneToOne transformation provider).
    I am suspicious that although LDAPUser has transformation entries, this may be misleading and transformation is not being performed at all for LDAP Sync.
    Does anyone else have experience of using transformation providers during LDAP Sync reconciliation?

    Thanks for your reply Nishith
    I need a suggestion from you. I have installed OID 11.1.1.6.0 and OIAM 11G R2 (not configured).
    While performing the OIM configuration, can I use Enable LDAP Sync, or do I need to finish the OIM configuration first and then do the LDAP sync?
    Regards
    sri

  • Bulk load in OIM 11g enabled with LDAP sync

    Has anyone performed a bulk load of more than 100,000 users using the bulk load utility in OIM 11g?
    The challenge here is that we have an OIM 11.1.1.5.0 environment enabled with LDAP sync.
    We are trying to figure out some performance factors and the best way to achieve our requirement.
    1. Have you performed any timings around use of the Bulk Load tool? Any idea how long it will take to LDAP sync more than 100,000 users into OID? What are the problems that we could encounter during this flow?
    2. Is it possible to migrate users into another environment and then swap this database for the OIM database? Also, is there any effective way to load into OID directly?
    3. We also have a custom scheduled task to modify a couple of user attributes (using the update API) from a flat file. Have you tried such a scenario after the bulk load? And did you face any problems while doing so?
    Thanks
    DK

  • How to update UDF in OID11g(OIM 11g configured with LDAP SYNC)

    Hi All,
    I have configured OIM11g with LDAP SYNC and it is working fine. I have added some UDFs on the user creation form and the same attributes have been created on OID as well. Now, when I create users on OIM with these custom attributes, the values are not getting updated on the OID resource. Can anyone please let me know how to update these attributes on OID?
    Thanks in advance,

    To update a UDF you must assign a copy value adapter in Lookup.USR_PROCESS_TRIGGERS (Design Console / lookup definition),
    e.g.
    CODE               DECODE
    USR_UDF_MYATTR1    Change MYATTR1
    USR_UDF_MYATTR2    Change MYATTR2
    Edited by: Lighting Cui on 2011-8-3 12:25 AM

  • Trusted Reconciliation in OIM 11g

    Hi
    I have written a custom scheduler task in OIM 11g which will retrieve values from a database and call the recon APIs to create users in OIM.
    Database Table contains the following sample values
    FIRSTNAME:RECON
    LASTNAME:USER1
    USERLOGIN:RUSER1
    ORGANIZATION:Xellerate Users
    EMPLOYEE-TYPE:Full-Time
    I created Resource Object with the above recon attributes and mapped these attributes to OIM User Attributes and made userlogin as key attribute.
    I created Recon Rule as USER LOGIN equals userlogin and action rule as No Matches Found -> Create User
    Now I ran the job from the UI and the status is showing as Data Received only. It is not creating users.
    Below are the logs for the same.
    <Jul 20, 2011 7:47:55 AM EDT> <Error> <oracle.iam.reconciliation.impl> <IAM-5010000> <Generic Error/Information: {0}
    oracle.iam.platform.utils.SuperRuntimeException: java.sql.SQLIntegrityConstraintViolationException: ORA-02291: integrity constraint (OIM11GDB.FK_RECON_EVENTS_USR) violated - parent key not found
    ORA-06512: at "OIM11GDB.OIM_SP_RECONBLKUSERCRUD", line 759
    ORA-06512: at "OIM11GDB.OIM_SP_RECONBLKUSRMLSWRAPPER", line 71
    ORA-06512: at line 1
         at oracle.iam.reconciliation.dao.DBCall.execute(DBCall.java:24)
         at oracle.iam.reconciliation.dao.ReconActionDao.processSPCall(ReconActionDao.java:1316)
         at oracle.iam.reconciliation.dao.ReconActionDao.executeBulkUserMatchCRUD(ReconActionDao.java:686)
         at oracle.iam.reconciliation.impl.UserHandler.executeBulkCUD(UserHandler.java:568)
         at oracle.iam.reconciliation.impl.BaseEntityTypeHandler.process(BaseEntityTypeHandler.java:34)
         at oracle.iam.reconciliation.impl.ActionEngine.processBatch(ActionEngine.java:129)
         at oracle.iam.reconciliation.impl.ActionEngine.execute(ActionEngine.java:90)
         at oracle.iam.reconciliation.impl.ActionTask.execute(ActionTask.java:73)
         at oracle.iam.platform.async.impl.TaskExecutor.executeUnmanagedTask(TaskExecutor.java:100)
         at oracle.iam.platform.async.impl.TaskExecutor.execute(TaskExecutor.java:70)
         at oracle.iam.platform.async.messaging.MessageReceiver.onMessage(MessageReceiver.java:68)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
         at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
         at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
         at com.bea.core.repackaged.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
         at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
         at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
         at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
         at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
         at com.bea.core.repackaged.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
         at $Proxy364.onMessage(Unknown Source)
         at weblogic.ejb.container.internal.MDListener.execute(MDListener.java:466)
         at weblogic.ejb.container.internal.MDListener.transactionalOnMessage(MDListener.java:371)
         at weblogic.ejb.container.internal.MDListener.onMessage(MDListener.java:328)
         at weblogic.jms.client.JMSSession.onMessage(JMSSession.java:4659)
         at weblogic.jms.client.JMSSession.execute(JMSSession.java:4345)
         at weblogic.jms.client.JMSSession.executeMessage(JMSSession.java:3822)
         at weblogic.jms.client.JMSSession.access$000(JMSSession.java:115)
         at weblogic.jms.client.JMSSession$UseForRunnable.run(JMSSession.java:5170)
         at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:528)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
    Please help.

    Hi Rajiv,
    Please see my comments below.
    Where is Design Console Access attributes? I think there is no need to set a value for this attribute, as the default value will be End-User only. Correct me if I am wrong.
    Have you created Recon Rule properly? Yes.
    Have you created Reconciliation Profile? Yes.
    Call the API processReconciliationEvent after createReconciliationEvent API. Is it mandatory to call processReconciliationEvent after createReconciliationEvent? The reason I am asking is that when I wrote a scheduler for target recon I didn't use processReconciliationEvent.
    Thanks

  • Request OID group access in OIM

    Hi All,
    I have OIM (11.1.1.5.2) and the OID Connector (9.0.4.14) installed. Is it possible for a user to request access to a specific group in OID using the OIM Self Service Console?
    Regards,
    user10233157

    Yes, this is possible. You need to create a request dataset with the Group details and import it to MDS.
    Sample dataset for the AD resource:
    <?xml version="1.0" encoding="UTF-8"?>
    <request-data-set xmlns="http://www.oracle.com/schema/oim/request" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.oracle.com/schema/oim/request" name="ModifyResourceAD User" entity="AD User" operation="MODIFYRESOURCE">
      <AttributeReference name="City" attr-ref="City" available-in-bulk="true" type="String" length="20" widget="text"/>
      <AttributeReference name="Pager" attr-ref="Pager" available-in-bulk="true" type="String" length="20" widget="text"/>
      <AttributeReference name="Group" attr-ref="UD_ADUSRC" available-in-bulk="true" type="String" length="500" widget="text">
        <AttributeReference name="Group Name" attr-ref="Group Name" available-in-bulk="true" type="String" length="500" widget="lookup" lookup-code="Lookup.ADReconciliation.GroupLookup" entitlement="true">
        </AttributeReference>
      </AttributeReference>
    </request-data-set>
    Then in OIM Self Service console select Self Modify Provisioned Resource request type and you will see the OID Groups in the list of available groups to request.

  • Problem while reconfiguring OIM 11g with existing Database

    Hello,
    I had some issues with my OIM 11g instance, so I reconfigured it by deleting the user_projects folder. Before deleting, I took a backup of the config folder as I wanted to configure with the existing database.
    Following steps were performed for reconfiguring OIM11g:-
    1)Ran config.sh from <Middleware>/Oracle_IDM1/common/bin
    2) Copied .xldatabasekey file to newly created domain
    3)Ran config.sh from <Middleware>/Oracle_IDM1/bin
    Then tried to start AdminServer, it showed status as running but with errors like
    java.lang.NoClassDefFoundError: Could not initialize class oracle.dfw.impl.common.TempFileManager
    at oracle.dfw.spi.portable.PortableDiagnosticsFrameworkProvider.init(PortableDiagnosticsFrameworkProvider.java:120)
    Then tried to start OIM server , it showed status as running but with error as
    oracle.iam.platform.utils.OIMAppInitializationException:
    OIM application intialization failed because of the following reasons:
    Password for .xldatabasekey is not seeded in CSF.
    Then I tried to configure the domain again, and this time I didn't select Oracle Identity Manager from Select domain source and checked AdminServer, and it was running without any errors. But when I select Oracle Identity Manager from Select domain source, I get the above problems.
    Can anyone provide pointers about how to resolve this issue .
    Thank-You
    Rahul Shah

    Dear Rahul,
    I got the same errors:
    ./admin/IDMDomain/mserver/IDMDomain/servers/wls_oim1/logs/wls_oim1.log
    ####<Jan 27, 2013 10:58:09 PM CET> <Error> <Deployer> <server02> <wls_oim1> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <aa66ef4907f1903f:4c6a3b0:13c7e03232f:-8000-0000000000000003> <1359323889050> <BEA-149205> <Failed to initialize the application 'oim [Version=11.1.1.3.0]' due to error oracle.iam.platform.utils.OIMAppInitializationException:
    OIM application intialization failed because of the following reasons:
    oim-config.xml was not found in MDS Repository.
    oracle.iam.platform.utils.OIMAppInitializationException:
    OIM application intialization failed because of the following reasons:
    oim-config.xml was not found in MDS Repository.
    Could you explain how you sorted it out, please? For example, for point 2, did you create one more domain?
    Best regards,
    Lain

  • OIM 11g Installation: LDAP Sync Problem

    I am trying to configure LDAP sync with an OID/OVD on a separate machine than OIM. I have 4 VMs. The first has the Oracle database. The second has OIM and SOA. The third has OAM and the admin server. OAM/OIM/SOA/admin are all in the same domain. The fourth has OID/OVD in a separate WebLogic domain. I have installed the database and created all necessary schema. I installed and configured OID/OVD. I have also installed OIM/OAM/SOA/admin but am getting an error when running LDAPConfigPostSetup.bat
    [Enter OID admin password:]
    [Enter password for xelsysadm:]
    javax.security.auth.login.LoginException: unable to find LoginModule class: weblogic.security.auth.login.UsernamePasswordLoginModule
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:808)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
    at Thor.API.Security.LoginHandler.weblogicLoginHandler.login(weblogicLoginHandler.java:61)
    at oracle.iam.platform.OIMClient.login(OIMClient.java:134)
    at oracle.iam.platform.OIMClient.login(OIMClient.java:129)
    at oracle.iam.platformservice.utils.LDAPConfigPostSetup.<init>(LDAPConfigPostSetup.java:130)
    at oracle.iam.platformservice.utils.LDAPConfigPostSetup.main(LDAPConfigPostSetup.java:91)
    Unable to get either LDAP, OIM connection and reason is:unable to find LoginModule class: weblogic.security.auth.login.UsernamePasswordLoginModule
    The main thing I do not understand is how I'm supposed to start the OIM and OAM servers before running the pre and post configurations if I have not yet configured the OIM server, which it does not state to do. I tried to configure and run OIM without LDAP sync and I still get the same error.
    Any help would be greatly appreciated thanks in advance.
    Edited by: 792714 on Sep 3, 2010 10:12 AM

    dn: cn=OIM,cn=Products,cn=OracleContext
    changetype: add
    objectclass: orclContainer
    objectclass: top
    cn: OIM

    dn: cn=users,cn=oim,cn=Products,cn=OracleContext
    changetype: add
    objectclass: orclContainer
    objectclass: top
    cn: users

    dn: cn=groups,cn=oim,cn=Products,cn=OracleContext
    changetype: add
    objectclass: orclContainer
    objectclass: top
    cn: groups

    dn: cn=oimadmin,cn=users,cn=oim,cn=products,cn=oraclecontext
    changetype: add
    cn: oimadmin
    sn: Administrator
    givenname: Administrator
    objectclass: top
    objectclass: person
    objectclass: organizationalperson
    objectclass: inetorgperson
    userPassword: %adminpwd%

    dn: cn=oimadmins,cn=groups,cn=oim,cn=products,cn=oraclecontext
    changetype: add
    objectclass: groupOfUniqueNames
    objectclass: orclPrivilegeGroup
    objectclass: top
    cn: oimadmins
    description: OIM administrator role
    uniquemember: cn=oimadmin,cn=users,cn=oim,cn=products,cn=oraclecontext

    dn: %searchbase%
    changetype: modify
    add: orclaci
    orclaci: access to entry by group="cn=oimadmins,cn=groups,cn=oim,cn=products,cn=oraclecontext" (add,browse,delete)
    orclaci: access to attr=(*) by group="cn=oimadmins,cn=groups,cn=oim,cn=products,cn=oraclecontext" (read,search,write,compare)

    dn: cn=changelog
    changetype: modify
    add: orclaci
    orclaci: access to entry by group="cn=oimadmins,cn=groups,cn=oim,cn=products,cn=oraclecontext" (browse)
    orclaci: access to attr=(*) by group="cn=oimadmins,cn=groups,cn=oim,cn=products,cn=oraclecontext" (read,search,compare)

    Did you try oimadmin and the password you set when you ran LDAPConfigPreSetup? That might work.

  • Role creation in OIM 11.1.1.5.0 fails with LDAP Sync Enabled

    I am in the process of configuring LDAP sync for OIM 11.1.1.5.0 with ODSEE.
    At this time, when I add a user in OIM, I can see that the user gets created in LDAP under the LDAP dn that I supplied when configuring OIM (Configuration process screen name = "LDAP Server Continued", field name = "LDAP User Container")
    However when I try to add a role in OIM, the call fails. OIM server logs have the following exception message:
    <Jul 14, 2011 1:21:52 PM EDT> <Warning> <oracle.iam.callbacks.common> <IAM-2030146> <[CALLBACKMSG] Are applicable policies present for this async eventhandler ? : false>
    <Jul 14, 2011 1:21:53 PM EDT> <Error> <oracle.iam.platform.entitymgr.provider.ldap> <IAM-0042002> <An error occurred while creating the entity in LDAP, and the corresponding error is - {0}
    javax.naming.NameNotFoundException: Error: NO_SUCH_OBJECT
    null [Root exception is oracle.ods.virtualization.service.VirtualizationException]
    at oracle.ods.virtualization.jndi.OVDUtil.mapErrorCode(OVDUtil.java:151)
    at oracle.ods.virtualization.jndi.OVDContext.createSubcontext(OVDContext.java:512)
    at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:183)
    at oracle.iam.platform.entitymgr.provider.ldap.LDAPUtil.createSubcontext(LDAPUtil.java:1045)
    at oracle.iam.platform.entitymgr.provider.ldap.LDAPDataProvider.create(LDAPDataProvider.java:487)
    at oracle.iam.platform.entitymgr.impl.EntityManagerImpl.createEntity(EntityManagerImpl.java:291)
    at oracle.iam.platform.entitymgr.impl.EntityManagerImpl.createEntity(EntityManagerImpl.java:239)
    at oracle.iam.ldapsync.impl.eventhandlers.role.RoleCreateLDAPHandler.create(RoleCreateLDAPHandler.java:128)
    at oracle.iam.ldapsync.impl.eventhandlers.role.RoleCreateLDAPHandler.execute(RoleCreateLDAPHandler.java:46)
    at oracle.iam.platform.kernel.impl.OrchProcessData.runPreProcessEvents(OrchProcessData.java:898)
    at oracle.iam.platform.kernel.impl.OrchProcessData.runEvents(OrchProcessData.java:634)
    at oracle.iam.platform.kernel.impl.OrchProcessData.executeEvents(OrchProcessData.java:227)
    at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.resumeProcess(OrchestrationEngineImpl.java:664)
    at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.process(OrchestrationEngineImpl.java:435)
    at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.orchestrate(OrchestrationEngineImpl.java:381)
    at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.orchestrate(OrchestrationEngineImpl.java:334)
    at oracle.iam.identity.rolemgmt.impl.RoleManagerImpl.create(RoleManagerImpl.java:188)
    at oracle.iam.identity.rolemgmt.api.RoleManagerEJB.createx(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
    at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
    at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
    Any idea what's going on?
    When configuring OIM, I provided a value for the "LDAP Role Container" as "ou=Groups,dc=mycompany,dc=com". The docs show an example of "cn=groups, dc=mycountry, dc=com" (see http://download.oracle.com/docs/cd/E21764_01/install.1111/e12002/oidonly.htm#CDDDIAIC, step 18). Could this difference in container type be causing this problem?
    Any idea where OIM stores this container information if I wanted to test ldap sync with the different roles container?
    Thanks
    Aspi Engineer
    Putnam Investments

    Aspi,
    OIM keeps its ldap config under "$IDM_HOME/server/ldap_config_util" as "ldapconfig.props"
    Thanks,
    Sandeep Gupta

  • OIM server - Enable LDAP sync

    Hi everyone,
    I'm currently working with OIM 11.1.1.5.0, and I have to integrate an Active Directory which is on a different machine. Problem is that I saw in the installation guide I had to enable LDAP Sync when I configured my oim server, but I didn't.
    So I would like to know if it's still possible to enable this option without deleting my current oim server and reinstall everything.
    Thanks,
    Thibault

    I found the solution ... http://docs.oracle.com/cd/E25054_01/doc.1111/e14308/ldapsync.htm
    Sorry for the post

  • Where does OIM store the LDAP Sync URL

    Where does OIM store the LDAP URL which was specified when ldap sync is configured? Is it possible to change this URL?
    Thanks
    Aspi

    iTunes places the backup files in the following places:
    Mac: ~/Library/Application Support/MobileSync/Backup/
    Windows XP: \Documents and Settings\(username)\Application Data\Apple Computer\MobileSync\Backup\
    Windows Vista: \Users\(username)\AppData\Roaming\Apple Computer\MobileSync\Backup\

  • OIM 11g R1 LDAP Synch with OID.

    Hi,
    We are doing an LDAP Synch with OID directly. The users from various organisations in OIM need to be synched to different OUs in OID, instead of a single container. How do we achieve this? Would it be easier if we involve OVD also?

    Here is some sample code configuration which may give you a start - hope it helps.
    Sample code that can be called in a pre-process event handler to copy the user's organisation to the LDAP Organization Unit
    HashMap<String, Serializable> parameters = orchestration.getParameters();
    Serializable param = parameters.get("act_key");
    String act_key = null;
    // act_key may arrive wrapped in a ContextAware object or as a plain value
    if (param instanceof ContextAware) {
        act_key = ((ContextAware) param).getObjectValue().toString();
    } else if (param != null) {
        act_key = param.toString();
    }
    if (act_key != null) {
        OrganizationManager orgMgr = Platform.getService(OrganizationManager.class);
        Set<String> retAttrs = new HashSet<String>();
        retAttrs.add("Organization Name");
        Organization org = null;
        try {
            org = orgMgr.getDetails(act_key, retAttrs, false);
        } catch (OrganizationManagerException e) {
            // lookup failed: org stays null and no parameter is added
        } catch (AccessDeniedException e) {
            // caller may not read the organization: org stays null
        }
        if (org != null) {
            String orgName = (String) org.getAttribute("Organization Name");
            orchestration.addParameter("LDAP Organization Unit", orgName);
        }
    }
    Sample container mapping rule
    <rule>
    <expression>LDAP Organization Unit=Test Organization</expression>
    <container>ou=Test Organization,ou=users,o=org</container>
    <description>Add user to the Test Organization OU in LDAP if their OU is set to Test Organization</description>
    </rule>
    Sample change in /db/LDAPUser
    <!-- Two act_key entries in the <reconFields> section to set RECON_ACT_KEY. -->
    <!-- The first sets RECON_ACT_KEY to the default value from the scheduled job -->
    <!-- The second overwrites RECON_ACT_KEY with an OU value if supplied in the LDAP User data. -->
    <reconAttr>
    <oimFormDescriptiveName>act_key</oimFormDescriptiveName>
    <reconFieldName xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">Organization Name</reconFieldName>
    <reconColName>RECON_ACT_KEY</reconColName>
    <emDataType>number</emDataType>
    <formFieldType/>
    <targetattr keyfield="false" encrypted="false" required="false" type="String" name="act_key"/>
    </reconAttr>
    <reconAttr>
    <oimFormDescriptiveName>act_key</oimFormDescriptiveName>
    <reconFieldName xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">ou</reconFieldName>
    <reconColName>RECON_ACT_KEY</reconColName>
    <emDataType>number</emDataType>
    <formFieldType/>
    <targetattr keyfield="false" encrypted="false" required="false" type="String" name="act_key"/>
    </reconAttr>

  • Help needed in OIM 11g with respect to Target Recon

    Hi Experts,
    I have OIM 11.1.1.5.0 installed with the AD Connector configured. We have 3 AD instances, so we have cloned the full AD Connector to "A_AD_RO User", "B_AD_RO User" and "C_AD_RO User" resources with separate process definitions, scheduled tasks, lookups and IT resources.
    When I am doing target recon based on "emailID" as key from the respective ID, the reconciliation event gets generated and I can see the event in Recon Manager with "No Match Found", even though the user with a valid email id is present in OIM.
    Once I re-evaluate the reconciled user, the user target gets linked with the correct user.
    Problem: Every time, I need to go to Recon Manager and manually click on "Reevaluate Event"; only then does the target AD get linked to the user.
    How to set it automatically?
    Has anyone faced this kind of issue?
    Any suggestion which I can apply to skip "Reevaluate Event" manually to link user with target.
    Regards,
    J
    Edited by: J_IDM on Mar 19, 2012 6:35 AM

    A few things to check.
    On the resource object, reconciliation tab. Check the recon action rules. The Entity Match is the one that matches a user to the target data if the user does not have an instance on their profile.
    Check your reconciliation rules. Make sure that you have a rule for each resource, and that it is in an active state. Also make sure the rule is a valid matching rule.
    For each resource workflow, there are configuration lookups. You must be VERY careful when cloning a resource to go through every lookup that is duplicated and make sure the values are all for the new resources.
    It sounds like you used the same adapters for every instance. This will cause a problem because there are hard coded form values in the adapter, so you will need to change those to have an input so you can specify the value for each instance. Otherwise, every provisioning task will look for the objectguid from the original workflow.
    There are lots of updates you must perform to make sure they work correctly during a clone.
    Once you have done all these, try and run your recons again, and make sure you wait till the recon completes so it processes the events in the correct bulk amounts.
    -Kevin

  • How to provision users to different OU in OIM 11g (OIM configured with LDAPS)

    Hi All,
    We have a requirement to create users in different OUs in OID based on the type of the user.
    During user creation, if we select usertype as Employee then the user should be created under OU=EMployee,dc=domain,dc=com; if we select usertype as Contractor then the user should be created under OU=Contractors,dc=domain,dc=com. How do I configure this? I tried modifying LDAP container rules, but it didn't work. Can you please help me on this?
    Thanks

    In addition to setting LDAP container rules, I had to create an event handler and use another field (Locality Name, for example) to make this work. If you have more than one LDAP container there is a bug in OIM code because of which some containers don't get set. Meaning if you have one user type mapped to a unique LDAP container you will be fine with the suggestion above. If you have multiple user types mapped to one LDAP container, and you have many such combinations, some LDAP containers don't get set. The following code worked for me:
         // Collapse the many role values into one of three user types
         if (userRole != null) {
              if (userRole.equalsIgnoreCase("Full-Time Employee") ||
                        userRole.equalsIgnoreCase("Part-Time Employee") ||
                        userRole.equalsIgnoreCase("Consultant") ||
                        userRole.equalsIgnoreCase("Internal System Accounts")) {
                   userType = "Internal";
              } else if (userRole.equalsIgnoreCase("OIM System Accounts")) {
                   userType = "System";
              } else {
                   userType = "External";
              }
         }
         // The container rules match on this field
         orchestration.addParameter("Locality Name", userType);
    Hope this helps,
    Prasad.
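
The container mapping described in the reply above and in the earlier OID sync reply (an event handler sets one attribute, and one container rule exists per attribute value), as an added example that is not OIM's code and not part of either post. It parses a rule set in the `<rule>` format quoted on this page and shows which container each role ends up in, so a role that silently falls through to the fallback container is visible before users are provisioned. The class name, the `<rules>` wrapper, the placeholder DNs and the matching semantics (exact attribute=value match with a `Default` fallback rule) are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class ContainerRuleCheck {

    // Constructed rule set in the <rule> format quoted on this page.
    // The DNs and the <rules> wrapper element are placeholders.
    static final String RULES = "<rules>"
        + "<rule><expression>Locality Name=Internal</expression>"
        + "<container>ou=Internal,dc=example,dc=com</container></rule>"
        + "<rule><expression>Locality Name=System</expression>"
        + "<container>ou=System,dc=example,dc=com</container></rule>"
        + "<rule><expression>Default</expression>"
        + "<container>ou=External,dc=example,dc=com</container></rule>"
        + "</rules>";

    // Same grouping as the handler fragment in the post: many role values, one userType.
    static String classify(String userRole) {
        if (userRole == null) {
            return null;
        }
        switch (userRole.toLowerCase(Locale.ROOT)) {
            case "full-time employee":
            case "part-time employee":
            case "consultant":
            case "internal system accounts":
                return "Internal";
            case "oim system accounts":
                return "System";
            default:
                return "External";
        }
    }

    // Parses the rules into an ordered expression -> container map.
    static Map<String, String> parseRules(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Rule files are configuration input: refuse DTDs so entities cannot be expanded.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        NodeList rules = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
            .getElementsByTagName("rule");
        Map<String, String> out = new LinkedHashMap<>();
        for (int i = 0; i < rules.getLength(); i++) {
            Element rule = (Element) rules.item(i);
            String expr = childText(rule, "expression");
            String container = childText(rule, "container");
            if (expr.isEmpty() || container.isEmpty()) {
                throw new IllegalArgumentException("rule " + i + " lacks expression or container");
            }
            // Two rules with the same expression make the target container ambiguous.
            if (out.putIfAbsent(expr, container) != null) {
                throw new IllegalArgumentException("duplicate expression: " + expr);
            }
        }
        return out;
    }

    static String childText(Element parent, String tag) {
        NodeList n = parent.getElementsByTagName(tag);
        return n.getLength() == 0 ? "" : n.item(0).getTextContent().trim();
    }

    // Assumed semantics: exact "attribute=value" match, otherwise the Default rule.
    static String resolve(Map<String, String> rules, String attribute, String value) {
        String hit = value == null ? null : rules.get(attribute + "=" + value);
        return hit != null ? hit : rules.get("Default");
    }

    public static void main(String[] args) throws Exception {
        Map<String, String> rules = parseRules(RULES);
        String[] roles = {"Full-Time Employee", "Consultant", "OIM System Accounts", "Contractor", null};
        for (String role : roles) {
            String userType = classify(role);
            String dn = resolve(rules, "Locality Name", userType);
            boolean explicit = userType != null && rules.containsKey("Locality Name=" + userType);
            // A null DN means no matching rule and no Default: the entry has no container.
            System.out.printf("%-22s -> %-9s -> %s%s%n", role, userType,
                dn == null ? "NO CONTAINER" : dn, explicit ? "" : " (via Default)");
        }
    }
}
```

Roles reported as "(via Default)" are the ones to review, since the fallback container's ACLs then apply to them.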

  • OID Provisioning issue on OIM 11g

    Hi,
    I have run the target user recon for OID and noticed from the events that users are not linked. I tried assigning the OID User resource from the provisioning workflow on the admin console but I am seeing the following issue:
    DOBJ.ORC_NO_ORDER
    An error occurred while retrieving process information null : null
    Please help.

    Hi
    Can you verify that on your OID resource object in Design Console 'Order For User' is chosen?
    Regards
    user12841694
