Recon OID password to OIM

We have the ldapsync setup on OIM 11.1.1.5.4 via libOVD, and the trusted source is OID 11.1.1.5.0.
The reconciliations for the create/update to pull users from OID work, except the password is randomly generated once the user is created in OIM, which is not the same as in OID.
We want the same password in OIM as in OID via LDAPSYNC recon. However, Oracle support told us that is not possible and pointed to the doc http://docs.oracle.com/cd/E21764_01/doc.1111/e14309/reconsched.htm#sthref431
Question: if you have had the same requirement, how have you resolved this?

Similar Messages

  • OID provisioning via OIM

    OID provisioning from OIM
    I have deployed and configured the OID connector, but users are not provisioned to OID. It gives INVALID_NAMING_ERROR. What could be the possible reason?

    Please check and reply:
    View IT Resource Details and Parameters
    IT Resource Name: OID IT Resource
    IT Resource Type: OID Server
    Port: 389
    Use XL Org Structure: false
    Last Trusted Delete Recon TimeStamp:
    CustomizedReconQuery:
    SSL: false
    Server Address: 10.76.118.72
    Recon Attribute Lookup Code: AttrName.Recon.Map.OID
    Root DN: dc=ad,dc=infosys,dc=com
    Admin Id: cn=orcladmin,cn=Users,dc=ad,dc=infosys,dc=com
    Last Target Recon TimeStamp:
    Last Target Delete Recon TimeStamp:
    Last Trusted Recon TimeStamp:
    Admin Password: *********
    Prov Attribute Lookup Code: AttrName.Prov.Map.OID

  • Getting error in trusted recon from DB in oim 11g

    Hi,
    I am getting the below error while running the trusted recon from DB in OIM 11g:
    [2013-12-25T23:27:33.033-08:00] [oim_server1] [ERROR] [] [oracle.iam.reconciliation.impl] [tid: OIMQuartzScheduler_Worker-7] [userId: oiminternal] [ecid: 0000KCGU85V2ZNK5qVCCyY1Ih5WC000002,1:21446] [APP: oim#11.1.2.0.0] Generic Information: {0}[[
    oracle.iam.reconciliation.exception.ReconciliationException: Exception occurred while inserting data into table RA_HRRECONTEMPROSS_GTC due to java.sql.SQLException: ORA-12899: value too large for column "IDAMPOC_OIM"."RA_HRRECONTEMPROSS_GTC"."RA_SERVICE_DT" (actual: 10, maximum: 7)
            at oracle.iam.reconciliation.impl.ReconOperationsServiceImpl$1.process(ReconOperationsServiceImpl.java:429)
            at oracle.iam.reconciliation.impl.ReconOperationsServiceImpl$1.process(ReconOperationsServiceImpl.java:407)
            at oracle.iam.platform.tx.OIMTransactionCallback.doInTransaction(OIMTransactionCallback.java:13)
            at oracle.iam.platform.tx.OIMTransactionCallback.doInTransaction(OIMTransactionCallback.java:6)
            at org.springframework.transaction.support.TransactionTemplate.execute(TransactionTemplate.java:128)
            at oracle.iam.platform.tx.OIMTransactionManager.execute(OIMTransactionManager.java:22)
    Caused by: oracle.iam.platform.entitymgr.ProviderException: java.sql.SQLException: ORA-12899: value too large for column "IDAMPOC_OIM"."RA_HRRECONTEMPROSS_GTC"."RA_SERVICE_DT" (actual: 10, maximum: 7)
            at oracle.iam.platform.entitymgr.impl.EntityManagerImpl.createEntity(EntityManagerImpl.java:305)
            at oracle.iam.platform.entitymgr.impl.EntityManagerImpl.createEntity(EntityManagerImpl.java:241)
    Service date is a varchar field (VARCHAR 2 BYTE) in our trusted table. It's mapped to the service date field in OIM 11g, which is of type date.
    Please let me know if I need to change the field type in our trusted table.
    Note: The same configuration is working fine in OIM 9.x.
    Regards,
    Kalpana.

    Now, I went into the IDM schema and altered the date fields to VARCHAR2(30 CHAR) for all the date type attributes. Now, when I ran the scheduled job, it worked fine and I didn't get any errors. But now the trusted recon is not creating users. I don't know why users are not getting created. Can you please let me know what should be checked to make a recon a trusted recon so that it creates users?
    Thanks,
    Kalpana.

  • Hiding Password in OIM user form

    Hi All,
    I am trying to hide the userID and Password from the OIM user (create user) form, as I am using an entity adapter to generate these and I don't want to enter vague values. I am successful in hiding the User ID field by modifying formMetaData.xml; however, I am not able to find anything for the Password/Confirm Password fields.
    Please suggest.

    For each attribute reference, you can specify whether the field is:
    Viewable—By adding the attribute reference to the relevant section
    Editable—By specifying a value of TRUE or FALSE for the editable parameter
    Optional—By specifying a value of TRUE or FALSE for the optional parameter

  • Migrating OID groups to OIM

    We have been given the task of migrating our existing identity management systems to OIM (Oracle Identity Manager).
    Part of our existing system uses OID (Oracle Internet Directory). All users have an entry in OID. Some of our systems use OID for authentication.
    We also use OID to hold users' entitlements/privileges that control access to our applications. We use OID groups (represented by entries based on groupOfUniqueNames and orclGroup objects) to do this. For example we might have an application called 'Finance' with three levels of access represented by OID groups e.g. 'finance_enquiry', 'finance_updater', 'finance_superuser'. Those groups would all belong to a parent group called 'finance_application'. To access the application the user needs to be a member of 'finance_application' group or one of its child groups. Access to features of the application are controlled by membership of the 3 child groups. We have an application that maintains groups, group membership, and user entitlements in OID.
    As part of the migration project we want to move maintenance of groups and group membership from our own application into OIM. The above scenario seems quite basic.
    My main question is how would this be done in OIM? Do our current OID groups become OIM Groups? Do they become entries in some lookup table in OIM? Are there any case studies or other documentation that describes this kind of requirement?
    I've looked at the OIM Connector for OID documentation but it doesn't describe typical scenarios. It assumes that you know what you are doing.
    We also want to give users the ability to request entitlements, and to provide an approval process. So we could have a user who approves/rejects entitlement requests to access the applications they control. But that's another topic.
    Cheers,
    Eric

    PeachEye wrote:
    > We have been given the task of migrating our existing identity management systems to OIM (Oracle Identity Manager).
    > As part of the migration project we want to move maintenance of groups and group membership from our own application into OIM. The above scenario seems quite basic.
    You're about to find out otherwise.
    > My main question is how would this be done in OIM? Do our current OID groups become OIM Groups? Do they become entries in some lookup table in OIM? Are there any case studies or other documentation that describes this kind of requirement?
    You'll need a custom connector and lots of OIM tweaks. Your groups will stay in OID, OIM will replace the current application you use to maintain them. That's one way of doing it, no impact to OID schema is the benefit of this way, there are other ways.

  • How to install OID connector using OIM API in 11g?

    Hi All,
    We are using the OID connector in an OIM 11g environment. It is a simple process to install the OID connector by unzipping the connector zip file to ConnectorDefaultDirectory, going to the Admin console and loading the connector.
    However, we are looking for API methods to simulate the "load the connector" step in the GUI.
    Please help.
    Thanks
    Mahendra.

    Hey Mahendra,
    I am not aware of an API to do the 'Deployment Manager' load task. But I'll try to help you using another way:
    1- You can use the ICF API to do this task (creating it specifically for OID). Using ICF: http://www.groenenberg.nu/Oracle_Doc/AS_11.1.1.5/doc.1111/e14309/icf.htm#BABFDJHJ
    2- And following this example that my buddy did for Open DS: http://itnaf.org/2011/12/30/developing-icf-connectors/
    Another helpful doc: http://docs.oracle.com/cd/E14571_01/doc.1111/e14309.pdf
    I hope this helps,
    Thiago Leoncio.

  • OID, OVD, OIF, OIM, OAM version

    Hey guys, I wanted to know if there are some commands that would give me the versions of OID, OVD, OIF, OIM, OAM.
    Weblogic version can be found by connecting to the console at the bottom of the page: e.g:
    "WebLogic Server Version: 10.3.3.0
    Copyright © 1996,2010, Oracle and/or its affiliates. All rights reserved."
    However, for a specific product, I'm not sure if there is a way to know the version. Is there a version.property file or a command that can help me?
    In case of OID, OVD:
    - opmnctl services version
    - odsm version
    In case of OIF:
    - opmnctl services version
    - oif version
    In case of OAM:
    - version of identity server
    - version of access server
    - version of webgate
    In case of OIM:
    - version of OIM
    Thank you for your help.

    For OID:
    Step 1 - Make sure the DB is up and running.
    Run: prompt> tnsping <connect string>
    Step 2 - Make sure the OID processes are up.
    Prompt>$ORACLE_HOME/bin/oidctl connect=<servicename from tnsnames.ora> status
    - Once you run the above command you could see the processes and version.
    For OIA - once you complete the installation, open rbacx.log for version info.
    Thanks,
    vishwa
    orcl

  • OID Passwords

    Hi
    We are planning to import our existing user data into OID including passwords. Our passwords are currently a customized version (we convert 16bit encoded MD5 hashes into a long integer). According to Oracle support, OID supports only 64bit encoded MD5 hashes. I have a utility that can convert from 16bit to 64bit hashes. But the problem is to convert the customized password into the 16bit encoded hash first, which seems to be turning into an impossible task. My question is: is there a way we can implement our customized version of hashing into the SSO login functionality so that the hash created from the login method will match the OID password?
    We also want to restrict sections of our site by defining rules in mod_osso.conf so that only certain groups of users can access them. (If they try to access those sections, they will have to be redirected to the login page.) We also have explicit login functionality on the site and we are developing a custom login.jsp page. My question is: can we make this explicit login.jsp and the login.jsp that gets invoked by SSO the same?
    Thanks a lot
    Krishna

  • Disabling OID Password Policy

    Hi,
    I had a problem of OID password expiry due to the default password policy expiry of 60 days. I resolved the issue using the oidpwd utility and Oracle Directory Manager (ODM). Now I want to change the password policy settings. Here I have a doubt: instead of changing the policy, is it possible to disable the password policy? I found one option in ODM -> 'Password Policy management' -> Cn=PWDPolicyEntry: in the General tab, Password Policy ENABLE/DISABLE in a list box.
    Could anyone please explain what would happen if I select 'DISABLE' to disable the password policy?

    Post in the OID forum... the lads there will help you.

  • Allowed set of characters for user name and password in OIM 11g

    Hi,
    Can anyone quickly tell us which characters (numbers, alphabets, special symbols) are supported for the username and password fields in OIM 11.1.1.5?
    Thanks,
    Karthik

    Read it; it is general for OIM 11g:
    http://docs.oracle.com/cd/E14571_01/relnotes.1111/e10132/oim.htm#CHDFFDGH

  • Queuing/Retrying 'Rejected' status OID Process Tasks: OIM-OID provisioning

    Hello Gurus,
    I already have an up and running environment with OIM, the OID connector pack and OID as the target system. So when user data (e.g. a UDF) is being provisioned from OIM to the OID target system, if a process task comes back with 'rejected' status due to target unavailability/OID down, are there any settings that we can configure within the OIM design console that queue up and retry these 'rejected' tasks related to each individual user?
    Is there any setting within any of the OID lookups such that we can set a retry count for such process tasks?
    The goal is without human intervention all these 'rejected' process tasks should run successfully and be set to 'completed' status. If the target system is unavailable then there should be a way to run all these failed tasks - is my assumption.
    Is it in any way related to 'Offline Provisioning'?
    Please provide some guidelines.
    Thanks,
    - oidm.
    Edited by: oidm on Mar 16, 2010 10:34 PM

    But it'll only allow us to 'retry' those specific tasks for a limited number of times and a limited period of time. And will this task be retried only if it's 'rejected', or will it be retried for whatever number of times we specified?
    What if the target system doesn't come up for the whole day? Can we specify some value for the same in 'Duration' fields?
    So all in all if we talk about retrying the failed/rejected tasks we just have these options in hand as far as task 'status' is concerned?
    Thanks,
    - oidm.

  • IFS - iPlanet to OID Password Synchronization

    Hello Everybody,
    I have a very specific requirement. Maybe somebody can help me on this. I am having iFS running with OID (Oracle Internet Directory) for my iFS users. I also have iPlanet Directory in my network, which has all my users. iPlanet users access their email from iPlanet email. I want to synchronize the iPlanet user passwords with iFS passwords. The synchronization should be one-way, i.e. from iPlanet to OID. iPlanet stores user passwords in the userPassword attribute. OID also stores user passwords in the userPassword attribute. iFS stores user passwords in the authPassword attribute, which is generated automatically from the userPassword attribute. Whenever the userPassword attribute is updated, the authPassword attribute gets updated automatically. I can take the encrypted userPassword attribute from iPlanet and update the userPassword attribute as is in OID, but this does not regenerate the authPassword. Therefore, the new password change does not take effect.
    Can anybody help me with a way by which I can synchronize user passwords from iPlanet to OID (specifically for iFS)? The technical reason why authPassword is not updated when you put a hashed password in the userPassword attribute is that you cannot generate a hash from a hash.
    Thanks in advance.

    DIP synchronizes all fields except the password. You need to have the Oracle password filter, which runs independently, to sync the password from AD to OID. Refer to the document here:
    http://www.freeoraclehelp.com/2011/09/oracle-password-filter-to-sync.html
    regards,
    GP

  • Changing the password for OIM Database User

    We need to change the password of the database user that was created and used to run the prepare_xl_db.sh. I changed the <password encrypted="true"> to "false", modified the password in the xlconfig.xml and restarted the app server, but I can't log in. I get the below error. What else is needed?
    ERROR,30 Oct 2008 09:31:56,265,[XELLERATE.SERVER],Class/Method: XLJobStoreCTM/initialize encounter some problems: Error while connecting to Database. Please check if DirectDB settings are correct in Xellerate configuration file.
    FATAL,30 Oct 2008 09:31:56,265,[XELLERATE.SCHEDULER],QuartzSchedulerImpl constructor Exception
    org.quartz.SchedulerConfigException: Failure occured during job recovery. [See nested exception: org.quartz.JobPersistenceException: Failed to obtain DB connection from data source 'noTXDS': org.apache.commons.dbcp.SQLNestedException: Cannot create PoolableConnectionFactory (ORA-01017: invalid username/password; logon denied
    ) [See nested exception: org.apache.commons.dbcp.SQLNestedException: Cannot create PoolableConnectionFactory (ORA-01017: invalid username/password; logon denied
         at org.quartz.impl.jdbcjobstore.JobStoreSupport.initialize(JobStoreSupport.java:429)
         at org.quartz.impl.jdbcjobstore.JobStoreCMT.initialize(JobStoreCMT.java:131)
         at com.thortech.xl.scheduler.core.quartz.XLJobStoreCTM.initialize(Unknown Source)
         at org.quartz.impl.StdSchedulerFactory.instantiate(StdSchedulerFactory.java:753)
         at org.quartz.impl.StdSchedulerFactory.getScheduler(StdSchedulerFactory.java:885)
         at com.thortech.xl.scheduler.core.quartz.QuartzSchedulerImpl.initialize(Unknown Source)
         at com.thortech.xl.scheduler.core.quartz.QuartzSchedulerImpl.<init>(Unknown Source)
         at com.thortech.xl.scheduler.core.quartz.QuartzSchedulerImpl.getSchedulerInstance(Unknown Source)
         at com.thortech.xl.scheduler.core.SchedulerFactory.getScheduler(Unknown Source)
         at com.thortech.xl.scheduler.deployment.webapp.SchedulerInitServlet.startScheduler(Unknown Source)
         at com.thortech.xl.scheduler.deployment.webapp.SchedulerInitServlet.init(Unknown Source)
         at com.evermind.server.http.HttpApplication.loadServlet(HttpApplication.java:2371)
         at com.evermind.server.http.HttpApplication.findServlet(HttpApplication.java:4824)
         at com.evermind.server.http.HttpApplication.findServlet(HttpApplication.java:4748)
         at com.evermind.server.http.HttpApplication.initPreloadServlets(HttpApplication.java:4936)
         at com.evermind.server.http.HttpApplication.initDynamic(HttpApplication.java:1145)
         at com.evermind.server.http.HttpApplication.<init>(HttpApplication.java:741)
         at com.evermind.server.ApplicationStateRunning.getHttpApplication(ApplicationStateRunning.java:414)
         at com.evermind.server.Application.getHttpApplication(Application.java:570)
         at com.evermind.server.http.HttpSite$HttpApplicationRunTimeReference.createHttpApplicationFromReference(HttpSite.java:1987)
         at com.evermind.server.http.HttpSite$HttpApplicationRunTimeReference.<init>(HttpSite.java:1906)
         at com.evermind.server.http.HttpSite.initApplications(HttpSite.java:643)
         at com.evermind.server.http.HttpSite.setConfig(HttpSite.java:290)
         at com.evermind.server.http.HttpServer.setSites(HttpServer.java:270)
         at com.evermind.server.http.HttpServer.setConfig(HttpServer.java:177)
         at com.evermind.server.ApplicationServer.initializeHttp(ApplicationServer.java:2493)
         at com.evermind.server.ApplicationServer.setConfig(ApplicationServer.java:1042)
         at com.evermind.server.ApplicationServerLauncher.run(ApplicationServerLauncher.java:131)
         at java.lang.Thread.run(Thread.java:595)
    * Nested Exception (Underlying Cause) ---------------
    org.quartz.JobPersistenceException: Failed to obtain DB connection from data source 'noTXDS': org.apache.commons.dbcp.SQLNestedException: Cannot create PoolableConnectionFactory (ORA-01017: invalid username/password; logon denied
    ) [See nested exception: org.apache.commons.dbcp.SQLNestedException: Cannot create PoolableConnectionFactory (ORA-01017: invalid username/password; logon denied
    )]

    During OIM installation, datasources are created to access the database.
    So when you change the password for the database user, you have to adjust the password in the datasources.

  • Unlocking OID User Through OIM

    Hi all,
    I am testing an OID User Process task in OIM which can be run on a user's OIM account and unlock a locked user in OID.
    However, I am getting the following error after executing the task:
    ERROR 11:54:51,375, RMICallHandler-113 XL_INTG.OID - ====================================================
    ERROR 11:54:51,376, RMICallHandler-113 XL_INTG.OID - ERROR in OID:com.thortech.xl.integration.OID.util.tcUtilLDAPOperations:modifyAttributesReplace(S,A) NamingExceptionUnable to add attributes of the object
    ERROR 11:54:51,376, RMICallHandler-113 XL_INTG.OID - ====================================================
    ERROR 11:54:51,376, RMICallHandler-113 XL_INTG.OID - ====================================================
    ERROR 11:54:51,376, RMICallHandler-113 XL_INTG.OID - [LDAP: error code 53 - Account Policy Error :9051: GSL_ACCOUNTUNLOCK_EXCP : Only Modify-add allowed on orclpwdaccountunlock attribute. Modify-delete and Modify-replace are not allowed.
    ERROR 11:54:51,376, RMICallHandler-113 XL_INTG.OID - ====================================================
    ERROR 11:54:51,377, RMICallHandler-113 XL_INTG.OID - ====================================================
    ERROR 11:54:51,377, RMICallHandler-113 XL_INTG.OID - ERROR in com.thortech.xl.integration.OID.tcUtilOIDUserOperations:modifyUser(S,S,S,S) NamingExceptionError while connecting to target
    ERROR 11:54:51,377, RMICallHandler-113 XL_INTG.OID - ====================================================
    ERROR 11:54:51,377, RMICallHandler-113 XL_INTG.OID - ====================================================
    ERROR 11:54:51,377, RMICallHandler-113 XL_INTG.OID - com.thortech.xl.integration.OID.util.tcUtilLDAPOperationsNamingException[LDAP: error code 53 - Account Policy Error :9051: GSL_ACCOUNTUNLOCK_EXCP : Only Modify-add allowed on orclpwdaccountunlock attribute. Modify-delete and Modify-replace are not allowed.
    ERROR 11:54:51,378, RMICallHandler-113 XL_INTG.OID - ====================================================
    ERROR 11:54:51,378, RMICallHandler-113 XL_INTG.OID - ====================================================
    ERROR 11:54:51,378, RMICallHandler-113 XL_INTG.OID - com.thortech.xl.integration.OID.util.tcUtilLDAPOperationsNamingException[LDAP: error code 53 - Account Policy Error :9051: GSL_ACCOUNTUNLOCK_EXCP : Only Modify-add allowed on orclpwdaccountunlock attribute. Modify-delete and Modify-replace are not allowed.
    ERROR 11:54:51,378, RMICallHandler-113 XL_INTG.OID - ====================================================
    DEBUG 11:54:51,378, RMICallHandler-113 XL_INTG.OID - com.thortech.xl.integration.OID.tcUtilOIDUserOperations:modifyUser(S,S,S,S) Returning with code: INVALID_NAMING_ERROR
    I am using the adapter adpOIDMODIFYUSER to update the orclpwdaccountunlock attribute to 1.
    Not sure if this is a correct method. Any ideas would be appreciated :)

    Bbagaria: OIDDAS is not enabled in our environment. However, I can unlock the user in OID using ldapmodify
    ldapmodify -p 636 -h **** -D "cn=orcladmin" -w *** -v -f /home/oracle/unlock.ldif
    dn: cn=JENZO,ou=***,dc=***,dc=***,dc=***
    changetype: modify
    add: orclpwdaccountunlock
    orclpwdaccountunlock: 1
    Rajiv: I did try that. Same results unfortunately.
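
    The LDAP error 9051 in the log above states that OID accepts only a modify-add on orclpwdaccountunlock, which is the operation the ldapmodify LDIF performs and a modify-replace call does not. The following is an added example, not code from the thread or from the OID connector, showing the two operations in JNDI; the class name, helper names and the OID_BIND_PW environment variable are hypothetical.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.ModificationItem;

// Hypothetical helper class; not part of the OID connector or the thread.
public class OidUnlockExample {
    static final String UNLOCK_ATTR = "orclpwdaccountunlock";

    // JNDI form of the LDIF "add: orclpwdaccountunlock" / "orclpwdaccountunlock: 1".
    static ModificationItem[] unlockMods() {
        return new ModificationItem[] {
            new ModificationItem(DirContext.ADD_ATTRIBUTE, new BasicAttribute(UNLOCK_ATTR, "1"))
        };
    }

    // Client-side check mirroring the rule in the logged error 9051:
    // only modify-add is accepted on orclpwdaccountunlock.
    static void requireAddOnly(ModificationItem[] mods) {
        for (ModificationItem m : mods) {
            boolean unlockAttr = UNLOCK_ATTR.equalsIgnoreCase(m.getAttribute().getID());
            if (unlockAttr && m.getModificationOp() != DirContext.ADD_ATTRIBUTE) {
                throw new IllegalArgumentException(UNLOCK_ATTR
                        + " must be sent as modify-add, not " + opName(m.getModificationOp()));
            }
        }
    }

    static String opName(int op) {
        if (op == DirContext.ADD_ATTRIBUTE) return "modify-add";
        if (op == DirContext.REPLACE_ATTRIBUTE) return "modify-replace";
        if (op == DirContext.REMOVE_ATTRIBUTE) return "modify-delete";
        return "unknown(" + op + ")";
    }

    // Sends the unlock as a modify-add on an already bound context.
    static void unlock(DirContext ctx, String userDn) throws NamingException {
        ModificationItem[] mods = unlockMods();
        requireAddOnly(mods);
        ctx.modifyAttributes(userDn, mods);
    }

    // Simple bind; pass an ldaps:// URL when the directory listens on the SSL port.
    static DirContext connect(String url, String bindDn, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }

    public static void main(String[] args) throws NamingException {
        // Offline part: the modify-replace form is caught before it reaches the server.
        ModificationItem[] replace = {
            new ModificationItem(DirContext.REPLACE_ATTRIBUTE, new BasicAttribute(UNLOCK_ATTR, "1"))
        };
        try {
            requireAddOnly(replace);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected before sending: " + e.getMessage());
        }
        requireAddOnly(unlockMods());
        System.out.println("modify-add form passes the check");

        // Online part (optional): args = <ldap url> <bind DN> <user DN>.
        String password = System.getenv("OID_BIND_PW"); // assumed variable name
        if (args.length == 3 && password != null) {
            DirContext ctx = connect(args[0], args[1], password);
            try { unlock(ctx, args[2]); } finally { ctx.close(); }
        }
    }
}
```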

  • Error While unlocking OID Password

    Hi,
    E:\ofm\infra\BIN>oidpasswd connect=orcli unlock_su_acct=TRUE
    OID DB user password:
    ERROR * gsldpuUnlockSuAccount * ORA-12154:ORA-12154: TNS:could not resolve the
    connect identifier specified encountered
    Error in unlocking OID super user account.
    I have two databases, "orcl" and "orcli". Both are working fine from the SQL prompt, but when I try to unlock the OID account, I'm prompted with "ORA-12154: TNS:could not resolve the connect identifier specified encountered".
    Please Help.
    Regards,
    - Sri

    Check E:\ofm\infra\network\admin\tnsnames.ora (or another location, if you use TNS_ADMIN) to see if it contains the orcli entry.
    If it does, check the sqlnet.ora in the same directory to see if it contains a default_domain (it will not).
    Use the fully specified orcli entry (that is, with the domain, e.g. everything "after the dots").
