Part VIII (Optional) Configure LDAP Sync with OIM 11g (OIM 11g Integration with OVD/OID)

    Posted in identity_manager, idm, im, integration, oam, oid, OIM on 2010-12-29


    This is part VIII of the step by step installation of Oracle Identity Management (OAM, OIM, OAAM, OAPM & OIN); it covers configuring LDAP Sync with OIM 11g.

    LDAP Sync with OIM 11g : OIM syncs users to LDAP (OID in this case). OIM LDAP Synchronization goes through OVD in front of OID to synchronize users from OIM to OID. LDAP Sync is mandatory for integrating Oracle Identity Manager (OIM) with Oracle Access Manager (OAM).

    • For Part I Download Software and create Schema click here
    • For Part II Install WebLogic Server 10.3.3 click here
    • For Part III Install SOA Server and Upgrade to 11.1.1.3 click here
    • For Part IV Install IDAM 11.1.1.3 click here
    • For Part V Create Domain for OIM, OAM, OAAM, OAPM & OIN click here
    • For Part VI Configure Identity Manager click here
    • For Part VII Configure OIM Design Console click here

    Requirement : OIM (11g R1) LDAP Sync requires Oracle Virtual Directory (OVD) and Oracle Internet Directory (OID). (In this release of OIM, LDAP Sync is limited to OID as the directory server.)

    What happens when you configure LDAP Sync in OIM 11g ? – The configuration process creates the schema (object classes) in OID for OIM & OAM. It also creates an IT Resource in OIM that automatically synchronizes the user to OID when you create/modify/delete a user in OIM.

    High Level steps for LDAP Sync configuration with OIM

    1. Run LDAP Pre Configuration Setup (on OIM Server)
    2. Create two adapters in OVD (on OVD via ODSM)
    3. Run LDAP Post Configuration Setup (on OIM Server)


    OIM LDAP Sync configuration

    1. Run LDAP Preconfiguration Utility

    1.1 Edit $OIM_ORACLE_HOME/server/ldap_config_util/ldapconfig.props and add OIMProviderURL, OIDURL, OIDAdminUsername, OIDSearchBase, UserContainerName, RoleContainerName and ReservationContainerName

    ReservationContainerName – the container in OID in which users stay when they have been created but not yet approved in OIM (once approved, they are moved to the container given by UserContainerName)
    1.2 Set WL_HOME & JAVA_HOME

    1.3 Run $ORACLE_HOME/server/ldap_config_util/LDAPConfigPreSetup.sh (when prompted, enter the password of orcladmin)

    The above command will
    a) Extend the OID schema using (more on OID schema here)
    i) oimadminuser.ldif and oimcontainers.ldif from $ORACLE_HOME/server/ldap_config_util
    ii) OID_oblix_schema_add.ldif, OID_oblix_schema_index_add.ldif and OID_oblix_pwd_schema_add.ldif from $ORACLE_HOME/oam/server/oim-intg/schema/ (the Oblix schema extension is required for OIM integration with OAM)

    b) Create user oimadmin under cn=oim,cn=products,cn=oracleContext
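    An added pre-flight check (not part of the original post) for the ldapconfig.props edited in step 1.1: it parses the file, confirms the seven properties listed above are set, flags a non-SSL OIDURL, rejects a plaintext password in the file (LDAPConfigPreSetup.sh prompts for it) and makes sure the reservation and user containers differ. The sample values, the t3:// form of OIMProviderURL and the DN pattern are assumptions.

```python
# Added example, not the post's own tooling: pre-flight check of ldapconfig.props
# before running LDAPConfigPreSetup.sh. Property names are the ones the post lists;
# sample values, severity scheme and the URL/DN patterns are assumptions.
import re
from urllib.parse import urlparse

REQUIRED_KEYS = (
    "OIMProviderURL", "OIDURL", "OIDAdminUsername", "OIDSearchBase",
    "UserContainerName", "RoleContainerName", "ReservationContainerName",
)

# Constructed sample mirroring the post's environment (OID on 192.168.1.75:3060,
# realm dc=com). The OIMProviderURL host/port and container names are made up.
SAMPLE_PROPS = """\
# ldapconfig.props (constructed sample)
OIMProviderURL=t3://oimserver:14000
OIDURL=ldap://192.168.1.75:3060
OIDAdminUsername=cn=orcladmin
OIDSearchBase=dc=com
UserContainerName=cn=Users
RoleContainerName=cn=Groups
ReservationContainerName=cn=Reserve
"""

# A DN fragment: one or more attr=value RDNs separated by commas.
DN_RE = re.compile(r"^[A-Za-z][\w-]*=[^,]+(,[A-Za-z][\w-]*=[^,]+)*$")


def parse_props(text):
    """Minimal Java .properties reader: key=value or key: value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def check_props(props):
    """Return a list of (severity, message); any 'error' should block the run."""
    findings = []
    for key in REQUIRED_KEYS:
        if not props.get(key):
            findings.append(("error", f"{key} is missing or empty"))

    url = props.get("OIDURL", "")
    if url:
        u = urlparse(url)
        if u.scheme not in ("ldap", "ldaps") or not u.hostname or not u.port:
            findings.append(("error", "OIDURL must be of the form ldap[s]://host:port"))
        elif u.scheme == "ldap":
            # The pre-setup binds as orcladmin and writes schema and users over this URL.
            findings.append(("warn", "OIDURL is non-SSL: the orcladmin bind and the "
                                     "schema/user writes cross the network in clear"))

    for key in ("OIDSearchBase", "UserContainerName",
                "RoleContainerName", "ReservationContainerName"):
        val = props.get(key, "")
        if val and not DN_RE.match(val):
            findings.append(("error", f"{key} is not a DN fragment: {val!r}"))

    # Unapproved users wait in the reservation container and move to the user
    # container on approval; the two must be distinct for that to mean anything.
    users = props.get("UserContainerName", "").lower()
    reserve = props.get("ReservationContainerName", "").lower()
    if users and users == reserve:
        findings.append(("error", "UserContainerName and ReservationContainerName "
                                  "are the same container"))

    # The script prompts for the orcladmin password; it should never sit in the file.
    for key, val in props.items():
        if "password" in key.lower() and val:
            findings.append(("error", f"{key} holds a plaintext secret; remove it "
                                      "and answer the prompt instead"))
    return findings


def errors(findings):
    """Only the blocking findings."""
    return [msg for sev, msg in findings if sev == "error"]


if __name__ == "__main__":
    for sev, msg in check_props(parse_props(SAMPLE_PROPS)):
        print(f"[{sev}] {msg}")
```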

    ____________

    2. Create two LDAP adapters in OVD

    To know more about adapters in OVD click here

    2.1 Create adapter of type user_OID

    2.1.1 Login to ODSM and connect to OVD (if you installed OVD with default settings, use SSL port 8899 for OVD). More on ODSM here
    2.1.2 Select the Adapter tab in ODSM
    2.1.3 Click the Create Adapter button
    2.1.4 In the new Adapter Wizard select
    Adapter Type : LDAP
    Adapter Name : userOID
    Adapter Template : user_OID

    Add the OID details under connection details (3060 is the OID port and 192.168.1.75 is the OID server IP)

    Naming Space : dc=com (the Realm Name, aka OID domain, in my case is com – change this as per your OID settings)

    2.2 Create adapter of type changelog_OID
    2.2.1 Select the Adapter tab in ODSM
    2.2.2 Click the Create Adapter button
    2.2.3 In the new Adapter Wizard select
    Adapter Type : LDAP
    Adapter Name : changelogOID
    Adapter Template : changelog_OID

    2.3 Change plug-in value (oamEnabled) of userOID adapter from false to true

    2.3.1 From ODSM login to OVD -> Select Adapter -> select userOID -> Select tab Plug-ins -> Select UserManagement -> Select Edit Plug-in/Mapping -> Change value of oamEnabled from false to true -> click OK -> Click Apply

    2.4 Add/Modify plug-in parameters for changelogOID adapter

    2.4.1 From ODSM login to OVD -> Select Adapter -> select changelogOID -> Select tab Plug-ins -> Select UserManagement -> Select Edit Plug-in/Mapping -> Change/Add the parameter values as shown below -> click OK -> Click Apply

    directoryType – oid
    mapAttribute – targetGUID=orclGUID
    requiredAttribute – orclGUID
    addAttribute – orclContainerOC,changelogSupported=1
    modifierDNFilter – cn=oimadmin,cn=users,cn=OIM,cn=Products,cn=OracleContext
    sizeLimit – 1000
    targetDNFilter – dc=com   (change this value as per your OID realm/domain)
    mapUserState – true
    oamEnabled – true

    ___________
    3. Configure OIM for LDAP Sync
    3.1 Run $ORACLE_HOME/bin/config.sh
    3.2 Select OIM Server and follow the post here, with the exception of step 6 of 9: on that screen enable LDAP Sync and supply the OVD details.

    6501 is OVD's non-SSL LDAP port.

    The realm/domain for OID in my case is dc=com (change this value as per your OID realm).

    _________________

    4. Run LDAP Post-Configuration Utility

    4.1 Set WL_HOME & JAVA_HOME
    4.2 Run $ORACLE_HOME/server/ldap_config_util/LDAPConfigPostSetup.sh (when prompted, enter the password of orcladmin and of the OIM Administrator, i.e. XELSYSADM – the OIM managed server oim_server1 should be running)

    You should see a message like “Succesfully Update Changelog based schedule jobs with change number : XXXX”
    ________________

    5. Test LDAP Sync configuration
    5.1 Login to the OIM Administration Console (http://oimserver:14000/oim) and create a user
    5.2 Login to OID via ODSM and check that this user has been synchronized to OID

    I encountered two issues while running LDAPConfigPostSetup.sh

    Error 1 :

    ____________
    javax.security.auth.login.LoginException: unable to find LoginModule class: weblogic.security.auth.login.UsernamePasswordLoginModule
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:808)
        at javax.security.auth.login.LoginContext.access%content0(LoginContext.java:186)
        at javax.security.auth.login.LoginContext.run(LoginContext.java:683)
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java
    _____________

    Fix 1 : Create wlfullclient.jar. More information here

    Error 2:
    __________
    java.lang.NullPointerException
        at oracle.iam.platformservice.utils.LDAPConfigPostSetup.updateLDAPSyncScheduleJobs(LDAPConfigPostSetup.java:168)
        at oracle.iam.platformservice.utils.LDAPConfigPostSetup.main(LDAPConfigPostSetup.java:95)
    __________

    Fix 2 : Make sure that OIM is configured with the LDAP Sync option (follow step 3) before running LDAPConfigPostSetup.sh


    126 Responses to “Part VIII (Optional) Configure LDAP Sync with OIM 11g (OIM 11g Integration with OVD/OID)”

    1. Kishore Rout says:

      Hi Atul,
      During the OIM configuration step using the above procedure I got an error (LDAP Error-21, for attribute userPassword has no value-uid:xelsysadm). Do you have any idea about this error?

    2. Atul Kumar says:

      @ Kishore,
      At which stage in above post you are hitting this error ?

    3. Kishore Rout says:

      Hi Atul,
      Thanks for your reply. I have already done OIM configuration without LDAP sync. Now again I am trying to do LDAP sync. In the last step(last screen shot of the above post), when I am pressing configure button, after some time I am getting this above error.

    4. Atul Kumar says:

      @ Kishore,
      Did you supply xelsysadm password while reconfiguring OIM as mentioned in below post

      http://onlineappsdba.com/index.php/2010/08/23/part-vi-configure-identity-manager-oim-oracleidm-11g-step-by-step-installation-of-oam-oim-oaam-oapm-oin/

      Enter XELSYSADM password same as password used during first configuration.

    5. Kishore Rout says:

      Hi Atul,
      The step I am doing for LDAP SYNC:
      1. Run $ORACLE_HOME/bin/config.sh
      2. Select OIM Server
      But in step 5, it’s not asking me for the OIM Administrator password and Confirm password. Those two fields are not coming on the screen; only three fields are coming (OIM URL, keystore password and confirm password). I think during the second execution of the config.sh file, it’s checking the OIM admin password from some file, that’s why it’s not showing the password field on the screen. Can I remove ../config/fmwconfig/.xldatabasekey before starting config.sh the 2nd time?
      Please advise.

    6. Atul Kumar says:

      @ Kishore Rout,
      I don’t think removing .xldatabasekey is going to help.

      Try restarting admin Server and make sure OIM_server1 is down.

      XELSYSADM user is stored in USR table under column usr_login in OIM schema.

    7. Kishore Rout says:

      Hi Atul,
      As suggested by you (restarting Admin server and OIM_server1 is down) I have done reconfiguration. But no luck, it’s not asking OIM Administrator’s password in step 5. I have checked the backend log file; reconfiguration of the OIM server is upgrading the previous configuration, so it’s not asking the password. Anyhow, thanks for your suggestion. I think the issue is with encryption of OIM schema.

    8. jaffadog says:

      Hello Atul – I’m puzzling over what options I have to get passwords into OIM when doing a new OIM deployment and reconciling existing/mature AD and OID directories into OIM. I have not tried it yet, but I gather passwords can’t be reconciled into OIM because they are stored one-way-hashed in the source directories. I gather there are two choices here: 1. administratively assign default new passwords to all accounts imported into OIM (and communicate these new passwords to the users); or 2. harvest the change password events using the AD pw-sync adapter and some custom change password screen for OID. Does the sync you describe above improve on these choices and provide a native solution to sync OID passwords into OIM? Are there any other approaches?

    9. Atul Kumar says:

      @ jaffadog,
      What is the version of your OID? In 10g OID passwords were encrypted (possible to decrypt) whereas in OID 11g they are one-way hashed.

      For AD did you look at AD password Synchronization connector at http://download.oracle.com/docs/cd/E11223_01/doc.910/e11218/overview.htm

      How is OIM configured with both OID & AD – Reconciliation (Target resource reconciliation or Trusted Source Target resource reconciliation) or Provisioning ?

    10. jaffadog says:

      Hello Atul,

      It’s OID 10.1.2 – so reversible encryption? Is there a utility? or java class? published api? standard passphrase?

      I’ve looked at the AD password sync connector and plan to deploy it. The downsides here are: 1. that it’ll take 90 days (the AD password expiry policy) to harvest passwords for all the active accounts; and, 2. it has to be installed on the domain controllers (>40) and they each need to be restarted – which may well take a couple weeks in planning, change control, communication, etc… But I think I need it for the long-run.

      I gather the OIM self-service “change password” facility will be non-functional until OIM gets the user passwords, right? This facility authenticates the current password against OIM, right? This is one of the drivers – as it appears this introduces an artificial wait period in the deployment schedule – we can’t deploy OIM change-password until OIM has account passwords, and OIM passwords take 90 days to harvest from AD.

      The intent is to initially reconcile OIM with AD and OID – to import all the existing accounts. Then switch to having OIM provision OID and AD as targets. Accounts would then be created manually (using OID), or by self-registration (using OID), or by trusted source reconciliation (HR database).

    11. alexm says:

      Hello Atul!

      I have faced with problem like this:
      http://forums.oracle.com/forums/thread.jspa?messageID=9317673

      The user user12107187 could solve a problem, but I can’t get file LDAPContainerRules.xml with WSLT and exportMetadata. I don’t know parameters for this. Help me, please!

    12. Atul Kumar says:

      @ alexm,
      This file is stored in database under MDS

      First go through these two links

      http://download.oracle.com/docs/cd/E14571_01/doc.1111/e14309/cust_ldap.htm LDAP Container Rules

      http://download.oracle.com/docs/cd/E14571_01/doc.1111/e14309/utils.htm – MDS Utilities and User Modifiable Metadata Files

      and then revert back if you still have doubts (read second link carefully)

    13. alexm says:

      Thank you, Atul!

      I have checked up file LDAPContainerRules.xml – it’s valid. And I still have a problem. I have uploaded log file here: http://www.megaupload.com/?d=P6GQW8NV

      I think that the problem is similar with described in the Metalink Note ID 1094593.1, because I have found this strings at the end of java errors stack:

      Caused by: java.lang.IllegalArgumentException: Null input buffer
      at javax.crypto.Cipher.doFinal(DashoA13*..)
      at com.thortech.xl.crypto.tcDefaultDBEncryptionImpl.decrypt(tcDefaultDBEncryptionImpl.java:219)
      at com.thortech.xl.crypto.tcCryptoUtil.decrypt(tcCryptoUtil.java:100)
      at com.thortech.xl.crypto.tcCryptoUtil.decrypt(tcCryptoUtil.java:127)
      at com.oracle.oim.gcp.pool.ConnectionServiceUtility.getITResourceDetails(ConnectionServiceUtility.java:654)
      at com.oracle.oim.gcp.pool.ConnectionServiceUtility.getITResourcePoolConfig(ConnectionServiceUtility.java:413)
      at com.oracle.oim.gcp.pool.ConnectionServiceUtility.getPoolConfiguration(ConnectionServiceUtility.java:65)
      at com.oracle.oim.gcp.pool.ConnectionService.getConnection(ConnectionService.java:38)
      at com.oracle.oim.gcp.pool.ConnectionService.getConnection(ConnectionService.java:176)
      at oracle.iam.ldapsync.impl.repository.ITResourceRepository.getConnection(ITResourceRepository.java:34)

      In schema DEV_OIM in table SVP some values for column SVP_FIELD_VALUE are secured, some are not.

    14. Atul Kumar says:

      @ alexm

      In my view your issue is different from 1094593.1.

      Check Note 1272682.1 How to Setup LDAP Sync After Install in OIM 11g and go to step 5 i.e. 5. Seed LDAP reconciliation scheduled Jobs to OIM Database.

      Though this step is not required, as we want provisioning and reconciliation, give it a try and see if this fixes your issue.

      Raise a Service Request with the OIM team in parallel.

    15. […] Integrate OIM 11g with OID using connector for Provisioning / Reconcilliation – Installation Posted in February 16th, 2011 byAtul Kumar in OIM, identity_manager, oid  Print This Post This post covers installation of Oracle Identity Manager (OIM) connector to provision or reconcile users to/from Oracle Internet Directory (OID). There is another way to integrate OIM 11g with OID 11g using Oracle Virtual Directory (OVD) which is LDAP Sync . […]

    16. mregoeng says:

      I have a query regarding this LDAP sync.

      In the configuration you are asked to provide a container for where the users will be stored in OID after being approved in OIM, say Cn=Users, but what if you have cn=Finance,cn=Users, dc=com and cn=HR,cn=Users,dc=com and you want to dynamically place users in either of these OUs based on their attributes propagated from OIM.

      I saw somewhere in the documentation where it talks about rules in OIM to allow you to do this, if I’m not mistaken. Is it possible to dynamically determine users’ OUs leveraging this LDAP sync mechanism?

      Cheers

    17. Atul Kumar says:

      @mregoeng,

      Oracle Identity Manager calls a plug-in that implements the oracle.iam.ldapsync.LDAPContainerMapper interface. All the attributes of the user/role are passed to the plug-in, and plug-in returns the Domain Name (DN) of the LDAP container in which user/role is created.

      To achieve your requirement
      1. Export /db/LDAPContainerRules.xml from MDS
      2. Add expression based on user attribute under container rules as mentioned in link below
      3. Import /db/LDAPContainerRules.xml to MDS

      check link http://download.oracle.com/docs/cd/E14571_01/doc.1111/e14309/cust_ldap.htm#

    18. mregoeng says:

      Fantastic…Thanks for the enlightenment.

      I will let you know how my mini development goes.

    19. TCarlson says:

      Well… you have helped us get to this point, thank you.

      We have in the past installed IDM 11.1.1.2 with OAM 10.1.4.3. Within that installation process, OID, OVD, etc were installed within the IDM installation (ofm_idm_linux_11.1.1.2.0_64_disk1_1of1.zip) and then OAM was installed separately.

      Within this install, IDM and OAM are installed using the same zip — ofm_iam_generic_11.1.1.3.0_disk1_1of1.zip. When do OID and OVD get installed when creating a new install? I think I missed a step somewhere….

    20. Atul Kumar says:

      @ TCarlson,

      In Oracle Identity Management 11g there are two softwares

      1. Identity Management (covers OID, OIF, OVD) – This is 11.1.1.2 as base version and 11.1.1.3 and 11.1.1.4 are patchsets (a patchset can be applied on top of the base). You can directly go from 11.1.1.2 to 11.1.1.4

      2. Identity and Access Management (covers OAM, OIM, OIN, OAAM, OPM) –
      This is 11.1.1.3 as base version , I have not seen 11.1.1.4 patchset for this product yet.

      Do let me know if this is what you were looking for

    21. TCarlson says:

      Before running LDAPConfigPreSetup.sh, all the processes oid, ovd, ohs were starting via opmnctl. I am not sure LDAPConfigPreSetup is related or just coincidence, but ovd no longer starts, which means I cannot create the OVD connection in ODSM or any OVD adapters.

      The console~ovd1~1.log has the following:

      ——–
      11/03/09 08:29:15 Start process
      ——–
      OpmnIntegrator: Register Ping callback.
      OpmnIntegrator: Register Reload callback.
      OpmnIntegrator: Register Stop callback.
      Exception in thread “main” java.lang.NoClassDefFoundError: oracle/security/xmlsec/util/Base64
      at oracle.security.jps.internal.common.util.JpsCommonUtil.(JpsCommonUtil.java:212)
      at oracle.security.jps.internal.core.runtime.JpsContextFactoryImpl.getContext(JpsContextFactoryImpl.java:155)
      at oracle.security.jps.internal.core.runtime.JpsContextFactoryImpl.getContext(JpsContextFactoryImpl.java:166)
      at com.octetstring.vde.util.CSFUtil$OVDPrivilegedExceptionAction.run(CSFUtil.java:362)
      at com.octetstring.vde.util.CSFUtil$OVDPrivilegedExceptionAction.run(CSFUtil.java:328)
      at java.security.AccessController.doPrivileged(Native Method)
      at com.octetstring.vde.util.CSFUtil.refreshCredStore(CSFUtil.java:244)
      at com.octetstring.vde.backend.BackendHandler.reloadDynamicConfig(BackendHandler.java:277)
      at com.octetstring.vde.backend.BackendHandler.(BackendHandler.java:250)
      at com.octetstring.vde.backend.BackendHandler.init(BackendHandler.java:421)
      at com.octetstring.vde.VDEServer.initialize(VDEServer.java:259)
      at com.octetstring.vde.VDEServer.startServer(VDEServer.java:172)
      at com.octetstring.vde.VDEServer.main(VDEServer.java:334)
      Caused by: java.lang.ClassNotFoundException: oracle.security.xmlsec.util.Base64
      at java.net.URLClassLoader$1.run(URLClassLoader.java:200)
      at java.security.AccessController.doPrivileged(Native Method)
      at java.net.URLClassLoader.findClass(URLClassLoader.java:188)
      at java.lang.ClassLoader.loadClass(ClassLoader.java:307)
      at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:301)
      at java.lang.ClassLoader.loadClass(ClassLoader.java:252)
      at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:320)
      … 13 more

      ——–
      11/03/09 08:31:16 Stop process
      ——–

      opmnctl status returns the following:

      Processes in Instance: idminst
      ———————————+——————–+———+———
      ias-component | process-type | pid | status
      ———————————+——————–+———+———
      ohs1 | OHS | 16119 | Alive
      ovd1 | OVD | N/A | Down
      oid1 | oidldapd | 16231 | Alive
      oid1 | oidldapd | 16177 | Alive
      oid1 | oidmon | 16117 | Alive

    22. Atul Kumar says:

      @ TCarlson,
      During LDAPConfigPreSetup.sh, it connects to OID only and not with OVD .

      Regarding your OVD startup issue, I am a little bit surprised that this worked in the past.

      Last time I had this issue Exception in thread “main” java.lang.NoClassDefFoundError: oracle/security/xmlsec/util/Base64

      was during OID startup where weblogic server was higher version than OID .

      What version of OVD you are using ? What is WebLogic version ? Are you using default JDK which comes with weblogic ?

    23. TCarlson says:

      Well… evidently I had thought I had installed the 11.1.1.3 version of OIM but only had 11.1.1.2.

      Therefore, thanks anyway.

    24. TCarlson says:

      Well… completed the LDAPConfigPostSetup and was successful. In following the last steps

      5. Test LDAP Sync configuration
      5.1 Login to OIM Administration Console (http://oimserver:14000/oim) and create a user
      5.2 Login to OID via ODSM and check if this user is synchronized to OID

      In 5.1 when I tried to create an user, I received the following:

      An error occurred while performing create user operation. Unable to get LDAP connection, and the root cause is – Failed to get connection, Incorrect IT Resource.

      Ideas?

    25. Atul Kumar says:

      @ TCarlson,

      It looks like OIM is unable to contact OVD, check following

      Go to OIM advanced administration and Click on IT Resources. Search for resource type “Directory Server” and click on Edit button to see if value of OVD server is correct

      If this is correct then check value of search base attribute is correct under IT resource configuration screen (mentioned above)

      If search base is correct too then check LDAPContainerRules.xml in MDS schema (You will need MDS export/import script to export xml file from database / MDS)

      Check Metalink Note 1275649.1

      Also check logs for OIM server in weblogic domain

    26. TCarlson says:

      When was the “IT Resource” created? I do not remember creating it — unless it was part of the configuration.

      When I go to the Advanced Admin screen and click on “Manage IT Resource” and select Search to retrieve all the resources… only one displays. It is a Directory Server resource. When I select it to edit, I get “A system error occurred. Contact the Oracle Identity Manager System Administrator”.

      There is no other information.

    27. Atul Kumar says:

      @ TCarlson

      Q: When was the “IT Resource” created ?
      A: This is created when you run config.sh and select LDAP sync and provide OVD details.

      To see root cause of issue , Go to OIM managed server log file and check logs

      $DOMAIN_HOME/servers/oim_server1/logs

    28. TCarlson says:

      Just curious about the adapters above… are these required and are the DNs you give for the adapters
      (cn=oimadmin,cn=users,cn=OIM,cn=Products,cn=OracleContext)
      required as listed or do we use our own DN values that are reflected in the name space?

    29. TCarlson says:

      Also, after installing everything and all the servers (oim, oam, oaam,…) are up and running – the EM console displays all green – when I try to access the OAM console (http://localhost:14100/oam) I receive the following:

      Action Failed. Please try again.

      I do not get the login screen and the screen that is displayed is the Oracle Access Manager background screen.

      There are no options to even close or “ok” to accept… just the error display box.

      Ideas?

    30. TCarlson says:

      Today seems to be the day for questions… I also have had an issue when trying to create a user with the “Null input buffer” error. I backed up my existing LDAPContainerRules.xml and weblogic.properties files and ran weblogicExportMetadata.sh and received:

      Successfully connected to Admin Server ‘AdminServer’ that belongs to domain ‘IDM Domain’.

      Warning: An insecure protocol was used to connect to the server. To ensure on-the-wire security, the SSL port or Admin port should be used instead.

      Location changed to domainRuntime tree. This is a read-only tree with DomainMBean as the root.
      For more help, use help(domainRuntime)

      Problem invoking WLST – Traceback (innermost last):
      File “/opt/oracle/product/fmw/idam/server/bin/weblogicExportMetadata.py”, line 22, in ?
      File “/opt/oracle/product/fmw/oracle_common/common/wlst/mdsWLSTCommands.py”, line 134, in exportMetadata
      File “/opt/oracle/product/fmw/oracle_common/common/wlst/mdsWLSTCommands.py”, line 568, in executeAppRuntimeMBeanOperation
      File “/opt/oracle/product/fmw/oracle_common/common/wlst/mdsWLSTCommands.py”, line 538, in getMDSAppRuntimeMBean
      UserWarning: MDS-91002: MDS Application runtime MBean for “OIMMetadata” is not available. “exportMetadata” operation failure.

    31. Atul Kumar says:

      @ TCarlson,

      Q1: Just curious about the adapters above… are these required and are the DNs you give for the adapters
      (cn=oimadmin,cn=users,cn=OIM,cn=Products,cn=OracleContext)
      required as listed or do we use our own DN values that are reflected in the name space?

      A1: Adapters are mandatory as they define mapping from OVD to OID.

      Regarding the namespace, use the DN mentioned above as this DN should be available in OID (this is namespace independent). This DN is created as part of LDAPConfigPreSetup.sh

      Q2: when I try to access the OAM console (http://localhost:14100/oam) I receive the following: Action Failed. Please try again.

      A2: Check OAM logs in weblogic domain as $DOMAIN_HOME/servers/oam_server1/logs

      Even if a managed server is running, there could be issues starting the OAM application on that managed server.

    32. TCarlson says:

      The following is in the oam_server1.log file and was triggered when I tried to open the oam console. There were several lines of this nature and then several lines of stack trace which follows afterward:

      #### <> <Watch ‘UncheckedException’ with severity ‘Notice’ on server ‘oam_server1′ has triggered at Mar 14, 2011 11:07:18 AM EDT. Notification details:
      WatchRuleType: Log
      WatchRule: (SEVERITY = ‘Error’) AND ((MSGID = ‘BEA-101020′) OR (MSGID = ‘BEA-101017′) OR (MSGID = ‘BEA-000802′))
      WatchData: DATE = Mar 14, 2011 11:07:18 AM EDT SERVER = oam_server1 MESSAGE = [ServletContext@1803965313[app:oam_server module:oam path:/oam spec-version:2.5]] Root cause of ServletException.
      weblogic.servlet.jsp.CompilationException: Failed to compile JSP /index.jsp
      index.jsp:2:4: No tag library could be found with this URI. Possible causes could be that the URI is incorrect, or that there were errors during parsing of the .tld file.
      ^M
      ^—-^

      Stack trace:
      at weblogic.servlet.jsp.JavelinxJSPStub.reportCompilationErrorIfNeccessary(JavelinxJSPStub.java:226)
      at weblogic.servlet.jsp.JavelinxJSPStub.compilePage(JavelinxJSPStub.java:162)
      at weblogic.servlet.jsp.JspStub.prepareServlet(JspStub.java:256)
      at weblogic.servlet.jsp.JspStub.prepareServlet(JspStub.java:216)
      at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:243)
      at weblogic.servlet.internal.ServletStubImpl.onAddToMapException(ServletStubImpl.java:416)
      at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:326)
      at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
      at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
      at oracle.security.am.agent.wls.filters.OAMServletAuthenticationFilter.doFilter(OAMServletAuthenticationFilter.java:260)
      at oracle.security.am.agent.wls.filters.OAMValidationSystemFilter.doFilter(OAMValidationSystemFilter.java:133)
      at oracle.security.wls.oamagent.OAMAgentWrapperFilter.doFilter(OAMAgentWrapperFilter.java:121)

    33. Atul Kumar says:

      @ TCarlson,

      [ServletContext@1803965313[app:oam_server module:oam path:/oam spec-version:2.5]

      What URL are you using?

      Did you try http://server:7001/oamconsole

      or are you hitting http://server:14000/oam ?

      Use the first URL for the console.

    34. TCarlson says:

      I guess it was the one combination I had not tried… http://server:7001/oamconsole worked. I had thought port 14100 and /oam would be correct, since that’s the requirement for OIM.

      Thanks again… as always…

    35. TCarlson says:

      Question regarding LDAP Sync… If I have already completed the install of OIM and OAM (btw, it seems to work), can I still execute the LDAP Sync?

      I read in a blog (http://oim-iam.blogspot.com/2010/11/configuring-ldap-sync-also-called-oim.html) that “When you are configuring OIM for the first time, you must opt to enable the LDAP sync option. This is important and a necessary step for the synchronization to work.”

      Does this mean that, since I have already completed the install, I cannot run LDAP Sync?

    36. tcarlson says:

      Prior to running LDAP Sync, I was able to create users. I went ahead and ran LDAP Sync, but now I cannot create users again. I am again receiving the “Null input buffer” error.

    37. Atul Kumar says:

      @ Tcarlson,

      Q: If I have already completed the install of OIM and OAM (btw, it seems to work), can I still execute the LDAP Sync?

      A: Yes, you can. Check Metalink note 1225404.1, “At What Stage can OIM 11g be Integrated with Ldap Sync, OAM and BI Publisher?”

      Q: Prior to running LDAP Sync, I was able to create users. I went ahead and ran LDAP Sync, but now I cannot create users again. I am again receiving the “Null input buffer” error.

      A: Check Metalink Note # 1275649.1, “Unable To Create A Role or User in OIM 11g after configuring LDAP Sync”.

      Ensure that the error message in the note matches the error in your instance.

    38. TCarlson says:

      We are duplicating our (your) efforts. I also created an OTN thread (LDAP Sync OAM 11g – user12992343) asking this question that you also responded to. Just wanted you to be aware so that you are not entering the same information twice.

    39. MohanKumar says:

      Hi Atul Kumar,
      Can you please tell me how to install OVD 11g, and what prerequisites need to be installed for OVD 11g (WebLogic, etc.)?

    40. Atul Kumar says:

      @ MohanKumar,

      OVD installation is similar to OID installation (they are installed from the same software). Check my post http://onlineappsdba.com/index.php/2011/03/23/install-oracle-identity-management-oimidm-11114-oid-ovd-oif-high-level-steps/

      At the configuration step (point 6), select OVD.

      http://download.oracle.com/docs/cd/E17904_01/install.1111/e12002/before001.htm#BABBGDAA

    41. vamsi56 says:

      Atul,

      Could you please provide me the most recent patch number that we should install for OIM?

      Thanks,
      Vamsi.

    42. kkaushick says:

      Hi Atul,
      I am not able to create a user after the LDAP sync. The error says something about a wrong IT resource.
      The OVD details for SSL/non-SSL are correct in the Directory Server resource details, and the DN value in the search base and the LDAPContainerRules are also as suggested. However, the LDAPContainerRules.xml was not updated as a result of importMetadata and had to be edited, as WeblogicImportMetadata.sh throws an error similar to the one posted earlier by tcarlson (March 14, 9:17).
      Please suggest a way to de-sync LDAP so that I can run the LDAP sync again.
      Please help,
      thanks,
      himanshu

    43. tcarlson says:

      We have faced this issue too…

      We have determined that the issue with not being able to modify the IT resource was due to the fact that the LDAP Sync process set the values in DEV_OIM.SVP to plain text and did not encrypt the values. We copied the table (just in case), set those plain text values to null, and were then able to modify the IT resource (which was Directory Server), reset the values and save them; now they are encrypted in the DB and we can access the IT resource page.

      1. Use the following query to find fields with “plain text” values:

      -- IT resource name, parameter name, SVP key and the stored parameter value
      select svr.svr_name, spd.spd_field_name, svp.svp_key, svp.svp_field_value
      from svp
      inner join spd on spd.spd_key = svp.spd_key
      inner join svr on svr.svr_key = svp.svr_key;

      2. Set these plain text values in svp to null after making a backup of the table (just precautionary).

      3. Edit the Directory Server IT resource to re-set the values.
      Possible expected error at this stage:
      — no “System Error call admin…”, but that makes sense since the values in question pertained directly to the Directory Server —

      4. Re-enter the values for the IT Resource.

      5. Save the changes and verify that the svp values are now all encrypted.

      With correct values and encryption, users can then be created.
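
The repair tcarlson describes above, as an added example (not code from the original thread or from Oracle): it takes rows shaped like the output of the SVP/SPD/SVR join, flags the parameters that should have been stored encrypted but hold a readable value, and emits the backup-then-null SQL, after which the values are re-entered through Manage IT Resource so OIM writes them back encrypted. The rows are constructed; the per-parameter "encrypted" flag (modelled on an SPD field-level flag), the SVP_BAK backup table name and the heuristic that an OIM-encrypted value is an opaque Base64-looking token are assumptions, not facts from the thread. If every value in your SVP is in clear, widen the check beyond the flagged parameters.

```python
"""Find IT-resource parameters stored unencrypted in OIM's SVP table.

Added example for the thread above; not OIM code. Rows, the ``encrypted``
flag and the Base64 heuristic are assumptions (see lead-in).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption: OIM-encrypted parameter values are opaque Base64 tokens.
_ENCRYPTED_TOKEN = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


@dataclass(frozen=True)
class SvpRow:
    svr_name: str          # IT resource name (SVR.SVR_NAME)
    field_name: str        # parameter name (SPD.SPD_FIELD_NAME)
    svp_key: int           # SVP.SVP_KEY
    value: Optional[str]   # SVP.SVP_FIELD_VALUE as stored
    encrypted: bool        # assumed SPD flag: OIM should encrypt this parameter


def looks_encrypted(value: str) -> bool:
    """True when the stored value looks like an OIM ciphertext token."""
    return bool(_ENCRYPTED_TOKEN.match(value))


def find_plaintext(rows: List[SvpRow]) -> List[SvpRow]:
    """Rows whose parameter is flagged for encryption but holds a readable value."""
    return [r for r in rows
            if r.encrypted and r.value is not None and not looks_encrypted(r.value)]


def remediation_sql(rows: List[SvpRow], schema: str = "DEV_OIM",
                    backup: str = "SVP_BAK") -> List[str]:
    """Back up SVP, then null only the offending keys (steps 2 of the comment).

    Re-entering the values via Manage IT Resource afterwards (steps 3-5) makes
    OIM store them encrypted; rerun find_plaintext() to verify.
    """
    keys = sorted({r.svp_key for r in find_plaintext(rows)})
    if not keys:
        return []
    key_list = ", ".join(str(k) for k in keys)
    return [
        f"CREATE TABLE {schema}.{backup} AS SELECT * FROM {schema}.SVP;",
        f"UPDATE {schema}.SVP SET SVP_FIELD_VALUE = NULL WHERE SVP_KEY IN ({key_list});",
        "COMMIT;",
    ]


# Constructed sample rows, modelled on the Directory Server IT resource in the thread.
SAMPLE_ROWS = [
    SvpRow("Directory Server", "Server URL", 101, "ldap://ovdhost.example.com:6501", False),
    SvpRow("Directory Server", "Admin Login", 102, "cn=orcladmin", False),
    SvpRow("Directory Server", "Admin Password", 103, "Welcome1", True),   # stored in clear
    SvpRow("Directory Server", "Search Base", 104, "dc=example,dc=com", False),
    SvpRow("Directory Server", "Connection pooling supported", 105, "true", False),
    SvpRow("Other Resource", "Admin Password", 201, "U2FsdGVkX1+Zm3yVx9Qk6aYb0A==", True),
]

if __name__ == "__main__":
    for row in find_plaintext(SAMPLE_ROWS):
        print(f"plaintext: {row.svr_name} / {row.field_name} (svp_key={row.svp_key})")
    print("\n".join(remediation_sql(SAMPLE_ROWS)))
```

Run it against a dump of the join's output (for example a CSV export from SQL*Plus) rather than hand-typed rows; the generated UPDATE is deliberately restricted to the flagged keys so non-secret parameters such as Server URL are left alone.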

    44. Atul Kumar says:

      @ tcarlson,
      Thanks for sharing fix.

    45. kkaushick says:

      Thanks tcarlson,
      as suggested, the svp_field_value in the DEV_OIM.SVP table had already been edited to null earlier. The values are now encrypted, as shown by the result of the query (no idea whether the encryption is correct or not).
      The problem is that while creating a user in OIM it throws an error:
      An error occurred while performing create user operation. Unable to get LDAP connection, and the root cause is – Failed to get connection, Incorrect ITResource.
      The OVD details in the Directory Server IT resource, as well as the value for the DN of the root search in the OVD adapters, are correct.
      The only step which couldn’t be completed was running WeblogicImportMetadata.sh (step 4 of the doc).
      So, I edited the LDAPContainerRules.xml file for the changes to be made to the user and role containers (my guess is that by importing the metadata to MDS some other changes also take place).
      In your earlier post on the same thread you also had a problem while running the script; how did you fix it?

    46. kkaushick says:

      Somehow I am not able to do an ldapbind on the ports for OVD and OID. I am sure it was working right after configuring OVD and OID.
      Please help with a fix.
      ./opmnctl status shows all alive (I have also tried startall after stopall, but to no avail).

    47. kkaushick says:

      A bit of a correction to the earlier post:
      I am able to bind at the OID non-SSL port, but the bind is not happening at the OVD port.

    48. Atul Kumar says:

      @ kkaushick,
      Check if OVD is listening on the port defined (for Unix, “netstat -an | grep <port>”); also check the OVD logs and see if there are any errors in them.

    49. kkaushick says:

      Here are the details:
      [oracle@lab-im ovd1]$ netstat -an |grep 6501
      tcp 0 0 :::6501 :::* LISTEN
      To add to this, the bind is now happening successfully.
      In the diagnostic log for OVD there is nothing except a few warnings about OID being down:
      [octetstring] [WARNING] [OVD-40067] [com.octetstring.vde.backend.jndi.changelogOID.HeartBeatThread] [tid: 11] [ecid: 0000J2SWxNdFo2WFLziOOA1DykBP000003,0] [arg: IP Address] [arg: 3060] Server 192.168.0.41:3,060 is down. But it is the only server configured, thus keep it alive.
      There is nothing in the access log.
      - What entries need to be there in the Directory Server IT Resource?
      - What about the changes which I made to the LDAPContainerRules.xml file rather than running weblogicimportmetadata.sh; is the approach right?

    50. kkaushick says:

      To add, these are entries from console~ovd1~1.log:
      Exception in thread "pool-1-thread-2" java.lang.NullPointerException
      at com.octetstring.vde.DoSManager.registerConnection(DoSManager.java:315)
      at com.octetstring.vde.ConnectionHandler.run(ConnectionHandler.java:213)
      at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
      at java.lang.Thread.run(Thread.java:619)
      Exception in thread "pool-1-thread-4" java.lang.NullPointerException
      at com.octetstring.vde.DoSManager.registerConnection(DoSManager.java:315)
      at com.octetstring.vde.ConnectionHandler.run(ConnectionHandler.java:213)
      at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
      at java.lang.Thread.run(Thread.java:619)

      The version details are:
      OVD-11.1.1.2.0
      ODSM-11.1.1.3.0
      OID-11.1.1.3.0
      Has it got something to do with the OVD version?

    51. sagarthe1 says:

      Hello Atul,
      I am facing this issue during the OVD to AD adapter configuration.
      It gives me an invalid credentials error as soon as I click Next after entering the “Connection details for AD host, port and server proxy bind DN & proxy password.”
      I tried it with two different credentials present in AD, one with admin privileges and one read-only.
      Could you please suggest what might be wrong?

      Sorry if I am in the wrong section, but I saw adapter settings and hence put it here.

      Thanks,
      PS

    52. aengineer says:

      Hi,

      Do you have an article on how to configure LDAP sync with OIM 11.1.1.5.0 using ODSEE, and also integrate it with OAM?

      I have been following the docs and they are not so good.

      Thanks
      Aspi

    53. Atul Kumar says:

      @ aengineer,
      This is in chapter 12 of my book, but using OID/OVD.

      Book is available at https://www.packtpub.com/oracle-identity-and-access-manager-11g-for-administrators/book

    54. srivatsa says:

      Hi atul,

      We configured LDAP sync; now when we create a user in OIM it is created in OID, and we are also able to update the values of the OOTB fields. But we are not able to provision the UDF fields and update them. So please help us; what needs to be done to achieve this requirement?

      Thank you

    55. kkaushick says:

      Hi,
      I have a problem exactly like the first post in this thread by Kishore Rout. This happened while I was trying to configure the OIM server for OAM integration (for the third time: first for configuring the server, then for LDAP sync). @Kishore – in your third post you say something about the issue being with encryption of the OIM schema. So, how did you fix it?
      Thanks anyway for this thread; it has been very helpful.

    56. Kishore Rout says:

      kkaushick,
      You can do LDAP synchronisation at any time after OIM server configuration, as Atul mentioned above. But in my case it was not working; the password in the OIM schema was encrypted. I contacted Oracle regarding this. As per them, the steps are:
      1. Install OID & OVD and configure them.
      2. Install OIM, extend the WebLogic domain, and create the managed server for OIM.
      3. Prepare OID for LDAP sync (adapter creation in OVD).
      4. Do the OIM configuration and LDAP sync in one go.

    57. kkaushick says:

      Thanks a ton, Kishore Rout,
      for sharing this. A little clarification would be more helpful:
      2. How do I create the managed server without running OIM_home/bin/config.sh?
      And @ Atul – please post a solution for this situation. I tried config.sh three times yesterday under various scenarios, but on the password screen it only asks for the keystore password, not for the xelsysadm password.
      When I queried the user table for the password field of USER_LOGIN=’XELSYSADM’, it shows some encrypted value.
      I had an earlier problem while doing LDAP sync and had to redo the whole thing, so redoing it again would be a pain in the neck.
      Thanks again.

    58. Kishore Rout says:

      kkaushick,
      There should be two config.sh files in your OIM home directory. Use $OIM_HOME/common/bin/config.sh for OIM managed server configuration and $OIM_HOME/bin/config.sh for OIM server configuration.

    59. kkaushick says:

      Thanks again,
      so your suggestion is to do the whole thing again.
      As far as my understanding goes, $OIM_HOME/common/bin/config.sh would not create the OIM server, right?
      And $OIM_HOME/bin/config.sh has to be run only once after doing all the sync steps (LDAP & OAM), right?
      Waiting.

    60. RajeevSingh says:

      Atul,

      Is it possible to configure an LDAP adapter without using ODSM? If yes, please provide some information.

      Rajeev

    61. Raj says:

      Atul,

      Thanks for sharing the OIM 11g installation and configuration steps.
      A couple of questions:
      1. How do I modify the LDAP container to place the user records in a particular OU in OID?
      2. I want to sync the OIM users to different user containers in OID based on OIM user attributes.

      Please advise.

      Thanks,
      Raj

    62. bvuong says:

      Hi Atul,

      From my understanding, OIM PS1 ships with an embedded OVD called “libovd” which allows you to enable ldapsync. My questions are:

      1. If I want to use ODSEE as my identity store for OAM and use ldapsync, do I still need to install the full OVD package? The documentation online is not helpful.

      2. If the answer is no, do I need to create an LDAP adapter using the WLST command line, or is it done automatically when ldapsync is enabled during the install? Again, this is not clear in the doc.

      3. I just built a clean VM with OIM, ldapsync and ODSEE. I can create/modify users; however, creating a role gives me an error in OIM. Did you encounter this issue in your experience?

      Thanks for your help.
      Bruno

    63. Shilpa says:

      tcarlson, your trick of updating the plain text entries in the DB to get the ‘Manage IT Resource’ page to edit Directory Server is brilliant!!

      We spent 3 days figuring out this issue :) Thanks much!!

      Shilpa Sathya Nair

    64. kkaushick says:

      Hi All,
      I have performed a first-time reconciliation using the eBusiness HRMS trusted reconciliation for CurrentPersons. The users are populated in OIM (as shown in the console) but not in OID, whereas the users which I create manually through the OIM console are getting populated in OID. I have been looking for anything relevant, but to no avail, so I returned to this post where I got various earlier problems fixed.
      So, guys, please help me; this post is building up a record that can’t be wrong.
      Thanks again.

    65. Atul Kumar says:

      @ kkaushick,
      Just to confirm your issue: you have configured OIM LDAP sync and are expecting users in OIM to sync to OID and vice versa (please confirm).

      Which version of OIM is this?

      What user is used for LDAP sync (orcladmin or oimadmin)?

      Did you run a full recon job to start with?

    66. kkaushick says:

      Hi,
      thank you for the reply.
      Yes; shouldn’t OIM LDAP sync be auto-populating the users from OIM to OID? I am not worried about the reverse right now.
      The version is 11.1.*.3.
      I used a different user created in the OCS_PORTAL_USER group (for roleSecAdmin=) in the WLST script createUserIdentityStore during OIM_OAM integration, but I think I used orcladmin for LDAP sync (help me in being sure about it).
      Actually, previously I had a problem doing LDAP sync (separately), so this configuration of OIM_server was done with LDAP sync and OAM integration in a single go.
      Yes, this is a full, first-time recon.
      Note: the users being created manually using the console are still getting populated in OID.
      Thanks, waiting eagerly.

    67. kkaushick says:

      On the LDAP sync and OAM screen during the server configuration I used cn=orcladmin as the LDAP user.
      Thanks.

    68. Atul Kumar says:

      @ kkaushick,

      You said – shouldn’t OIM LDAP sync be auto-populating the users from OIM to OID?

      AK – Yes, it should. Check the logs in the OIM managed server log file, $DOMAIN_HOME/servers/oim_server1/logs

      You said – the version is 11.1.*.3; I used a different user created in the OCS_PORTAL_USER group (for roleSecAdmin=) in the WLST script createUserIdentityStore during OIM_OAM integration, but I think I used orcladmin for LDAP sync (help me in being sure about it).
      Actually, previously I had a problem doing LDAP sync (separately), so this configuration of OIM_server was done with LDAP sync and OAM integration in a single go.

      AK: I have seen a lot of issues with LDAPSync in OIM/OAM 11.1.1.3; is there a possibility of upgrading OIM/OAM/SOA to 11.1.1.5? In OIM 11.1.1.3 there was no libOVD, so do you have OVD (in 11.1.1.5 OVD is not mandatory), and did you create adapters in OVD?

      You said – Yes, this is a full first-time recon. Note: the users being created manually using the console are still getting populated in OID.
      AK: OK, so LDAPSync works if you create users in OIM, but the issue is only during EBS ER (employee recon). You must have received errors in the OIM managed server log file.

      I recently faced the same error where only 5% of employees from EBS were in OID (even though everyone was in OIM). In the OIM logs the error was related to common name generation, which was a bug in code that was checking email addresses. One user had a wrong email address (two @ in the email) and the whole thing was falling apart.

      Check the OIM logs to find the root cause of your problem (this could be a data-specific issue). Also check the JMS queue via the WebLogic console and ensure messages are not sitting in the queue.

    69. kkaushick says:

      Hi,
      thanks for showing the way ahead.
      -> I surfed through the logs, but there is nothing there except repeated errors: “Exception occurred while getting connection: oracle.ucp.UniversalConnectionPoolException: All connections in the Universal Connection pool are in use”.
      -> Yes, I am using OVD, and two adapters have been created in OVD.
      -> The managed server log file has mainly three repeated errors: passwords not agreeing with the policy, [arg: Manager Login] The attribute Manager Login does not exist!, and others repeated for [arg: Organization Name] The attribute Organization Name does not exist! Could this be a problem?
      The WebLogic console summary of the JMS server shows OK; I am not sure how to check for messages sitting in the JMS queue.
      -> If upgrading it to *.5 would solve the problem, should I upgrade both Oracle Homes or only the home containing OIM, OAM, OAAM, etc.?
      Thanks again in advance.

    70. kkaushick says:

      The error related to the password policy is below, and I guess that this is what is not letting the users be updated in OID.
      [oracle@lab-im logs]$ more oim_server1-diagnostic-51.log | grep ERROR
      [2011-11-23T17:22:20.560+05:30] [oim_server1] [ERROR] [IAM-0042002] [oracle.iam.platform.entitymgr.provider.ldap] [tid: [ACTIVE].ExecuteThread: '18' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: oiminternal] [ecid: 0000JFGGsPoFo2WFLziOOA1ElXZQ0001YU,0] [APP: oim#11.1.1.3.0] [dcid: d90df5a0fd2bc5c7:610c5ef3:133b5d99a56:-7ffd-000000000000107b] [arg: javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 21 - LDAP Error 21 : [LDAP: error code 19 - Password Policy Error :9003: GSL_PWDMINLENGTH_EXCP :Your Password must be at least 5 characters long.\n]]; remaining name 'cn=324,cn=users,*,dc=co,dc=in'] An error occurred while creating the entity in LDAP, and the corresponding error is - javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 21 - LDAP Error 21 : [LDAP: error code 19 - Password Policy Error :9003: GSL_PWDMINLENGTH_EXCP :Your Password must be at least 5 characters long.[[
      These errors are repeated. Thanks.

    71. Atul Kumar says:

      @ kkaushick,
      In OID there is a default password policy on users which, I suppose, requires the user password to have at least 5 characters.

      Create a new password policy in OID (configure it the same as the password policy on the target system OIM / source application, EBS in this case).

      To define a password policy in OID and assign it to the users container in OID, follow http://download.oracle.com/docs/cd/E21764_01/oid.1111/e10029/pwdpolicies.htm#OIDAG2470

    72. kkaushick says:

      Thank you so much for the solution, but I have a bit of confusion here, as I could see two default pwdPolicies in OID: one under cn=default,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext
      and the other one with the DN cn=default,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext,dc=*,dc=co,dc=in.
      Both had the attribute orclpwdpolicyenable with value 1. I have changed the value to 0 for both default policies, so right now OID is without any policy enabled; hopefully it will bring the users from OIM to OID.
      I will inform you if I succeed. Anyway, thank you so much for the effort.
      Please do correct me if my approach is wrong.
      Thanks,

    73. Atul Kumar says:

      @ kkaushick,
      You are right; by default there are two password policies, but the one that applies at cn=users,dc= is cn=default,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext,dc=* (this is controlled by the attribute pwdpolicysubentry on cn=users).

      Bounce OID and then try running the Employee Recon job and see if you still get this error.

    74. kkaushick says:

      Thanks again for the effort which you are putting in here.
      The good news is that after rerunning the Employee Recon I got two test users in my OID.
      For the rest I got this error: [ERROR] [IAM-3010003] [oracle.iam.ldapsync.impl.eventhandlers.user] [tid: [ACTIVE].ExecuteThread: '16' for queue: 'weblogic.kernel.Default (self-tuning)']
      [userId: oiminternal] [ecid: 0000JFihrd8Fo2WFLziOOA1ElXZQ00031J,0] [APP: oim#11.1.1.3.0]
      [dcid: d90df5a0fd2bc5c7:610c5ef3:133b5d99a56:-7ffd-0000000000001077]
      Failed to execute the handler.[[
      oracle.iam.platform.kernel.EventFailedException: Enabling failed because user is not synchronized to the LDAP directory.
      Exception Description: Could not serialize object into byte array.
      Internal Exception: java.io.NotSerializableException: com.sun.jndi.ldap.LdapCtx
      Mapping: org.eclipse.persistence.mappings.DirectToFieldMapping[result-->ORCHEVENTS.RESULT]
      Descriptor: RelationalDescriptor(oracle.iam.platform.kernel.dao.OrchEvent --> [DatabaseTable(ORCHEVENTS)])
      at oracle.iam.platform.kernel.dao.OrchestrationDao.updateEventResult(OrchestrationDao.java:594)
      at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.orchestrateWithoutExecution(OrchestrationEngineImpl.java:407)
      … 34 more
      Caused by: org.springframework.transaction.UnexpectedRollbackException: JTA transaction unexpectedly rolled back (maybe due to a timeout); nested exception is weblogic.transaction.RollbackException: Unexpected exception in beforeCompletion: sync=org.eclipse.persistence.transaction.JTASynchronizationListener@b75157e
      Now I will enable logging at a finer level to find out where exactly the problem is.
      If you have figured it out, please do let me know.
      But thank you for letting me establish that this system is working.
      Regards.

    75. kkaushick says:

      Hi,
      even after enabling logging at the finest level I can only locate the same error, and I am not able to find the reason for it. I need your help; the complete error is below FYA:
      [2011-11-29T18:27:55.357+05:30] [oim_server1] [ERROR] [IAM-3010003] [oracle.iam.ldapsync.impl.eventhandlers.user] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: oiminternal] [ecid: 0000JFjPmKXFo2WFLziOOA1EpCiH00001P,0] [APP: oim#11.1.1.3.0] [dcid: d90df5a0fd2bc5c7:-437de5de:133ef3d5f4c:-7ffd-0000000000000033] Failed to execute the handler.[[
      oracle.iam.platform.kernel.EventFailedException: Modification failed because user 487 is not synchronized to the LDAP directory.
      at oracle.iam.ldapsync.impl.eventhandlers.user.UserModifyLDAPPostProcessHandler.modifyUser(UserModifyLDAPPostProcessHandler.java:153)
      at oracle.iam.ldapsync.impl.eventhandlers.user.UserModifyLDAPHandler.execute(UserModifyLDAPHandler.java:180)
      at oracle.iam.platform.kernel.impl.OrchProcessData.runPostProcessEvents(OrchProcessData.java:1153)
      at oracle.iam.platform.kernel.impl.OrchProcessData.runEvents(OrchProcessData.java:703)
      at oracle.iam.platform.kernel.impl.OrchProcessData.executeEvents(OrchProcessData.java:220)
      at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.resumeProcess(OrchestrationEngineImpl.java:674)
      at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.resumeProcess(OrchestrationEngineImpl.java:705)
      at oracle.iam.platform.kernel.impl.OrhestrationAsyncTask.execute(OrhestrationAsyncTask.java:108)
      at oracle.iam.platform.async.impl.TaskExecutor.executeUnmanagedTask(TaskExecutor.java:100)
      at oracle.iam.platform.async.impl.TaskExecutor.execute(TaskExecutor.java:70)
      at oracle.iam.platform.async.messaging.MessageReceiver.onMessage(MessageReceiver.java:68)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:597)
      at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
      at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
      at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
      at com.bea.core.repackaged.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
      at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
      at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
      at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
      at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
      at com.bea.core.repackaged.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
      at $Proxy329.onMessage(Unknown Source)
      at weblogic.ejb.container.internal.MDListener.execute(MDListener.java:466)
      at weblogic.ejb.container.internal.MDListener.transactionalOnMessage(MDListener.java:371)
      at weblogic.ejb.container.internal.MDListener.onMessage(MDListener.java:327)
      at weblogic.jms.client.JMSSession.onMessage(JMSSession.java:4659)
      at weblogic.jms.client.JMSSession.execute(JMSSession.java:4345)
      at weblogic.jms.client.JMSSession.executeMessage(JMSSession.java:3821)
      at weblogic.jms.client.JMSSession.access$000(JMSSession.java:115)
      at weblogic.jms.client.JMSSession$UseForRunnable.run(JMSSession.java:5170)
      at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:528)
      at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
      at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
      It keeps on repeating for this user ID.

    76. Atul Kumar says:

      @ kkaushick,
      The error message indicates that you are trying to update a user (as part of recon) which is not in OID.

      It seems that, for some reason, the user is in OIM but not in OID.
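
The two failure families discussed in this part of the thread (the OID password policy rejection with GSL_PWDMINLENGTH_EXCP quoted a few comments up, and the IAM-3010003 "user is not synchronized to the LDAP directory" error above) are easy to confuse when they scroll past in oim_server1-diagnostic-*.log. The script below is an added example, not code from the original post or from Oracle: it parses ODL-style records like the ones pasted here, joins stack-trace continuation lines onto their record, and sorts each ERROR into "fix the OID password policy" (nested LDAP error code 19, with the minimum length OID demanded) versus "user exists in OIM but has no linked OID entry" (with the OIM user key). The log records are constructed, modelled on the lines quoted above with hostnames and DNs replaced; the record layout it expects is the one visible in those lines.

```python
"""Triage OIM ldapsync failures from oim_server1-diagnostic-*.log records.

Added example for the thread above; not OIM code. The sample records below
are constructed, modelled on the lines pasted in the comments.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List

RECORD_START = re.compile(r"^\[\d{4}-\d{2}-\d{2}T")
# ODL header as seen in the pasted lines: [ts] [server] [level] [msgid] [component] text
HEADER = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<server>[^\]]+)\] \[(?P<level>[^\]]+)\] "
    r"\[(?P<msgid>[^\]]*)\] \[(?P<component>[^\]]+)\] (?P<rest>.*)$", re.S)
LDAP_CODE = re.compile(r"LDAP: error code (\d+)")
POLICY = re.compile(r"Password Policy Error :(\d+): (\w+) :([^\]\n]*)")
MIN_LEN = re.compile(r"at least (\d+) characters")
DN = re.compile(r"remaining name [‘'](.+?)[’']")
UNSYNCED = re.compile(r"user (\d+) is not synchronized to the LDAP directory")


def records(lines: Iterable[str]) -> List[str]:
    """Join continuation lines (exception text, '[[' blocks, 'at ...') onto their record."""
    out: List[str] = []
    for line in lines:
        line = line.rstrip("\n")
        if RECORD_START.match(line) or not out:
            out.append(line)
        else:
            out[-1] += "\n" + line
    return out


def triage(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Classify each ERROR record; non-error records are skipped."""
    findings: List[Dict[str, object]] = []
    for rec in records(lines):
        m = HEADER.match(rec)
        if not m or m["level"] != "ERROR":
            continue
        f: Dict[str, object] = {"ts": m["ts"], "msgid": m["msgid"], "kind": "other"}
        rest = m["rest"]
        if m["msgid"] == "IAM-0042002":            # LDAP write rejected by the directory
            f["ldap_codes"] = [int(c) for c in LDAP_CODE.findall(rest)]
            dn = DN.search(rest)
            f["dn"] = dn.group(1) if dn else None
            p = POLICY.search(rest)
            if p:                                  # nested code 19: OID password policy
                f["kind"] = "oid_password_policy"
                f["policy_code"], f["policy_name"] = int(p.group(1)), p.group(2)
                ml = MIN_LEN.search(p.group(3))
                f["min_length"] = int(ml.group(1)) if ml else None
            else:
                f["kind"] = "ldap_write_failed"
        elif m["msgid"] == "IAM-3010003":          # post-process handler failed
            u = UNSYNCED.search(rest)
            if u:                                  # OIM user with no linked OID entry
                f["kind"] = "user_not_in_ldap"
                f["usr_key"] = int(u.group(1))
        findings.append(f)
    return findings


def summary(findings: List[Dict[str, object]]) -> Counter:
    """Count findings by kind so the dominant cause stands out."""
    return Counter(str(f["kind"]) for f in findings)


# Constructed sample log, modelled on the records quoted in the thread.
SAMPLE_LOG = """\
[2011-11-23T17:22:20.000+05:30] [oim_server1] [NOTIFICATION] [] [oracle.iam.ldapsync] [tid: 1] LDAP sync started.
[2011-11-23T17:22:20.560+05:30] [oim_server1] [ERROR] [IAM-0042002] [oracle.iam.platform.entitymgr.provider.ldap] [tid: [ACTIVE].ExecuteThread: '18'] [userId: oiminternal] [APP: oim#11.1.1.3.0] [arg: javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 21 - LDAP Error 21 : [LDAP: error code 19 - Password Policy Error :9003: GSL_PWDMINLENGTH_EXCP :Your Password must be at least 5 characters long.]]; remaining name 'cn=324,cn=users,dc=example,dc=com'] An error occurred while creating the entity in LDAP.
[2011-11-29T18:27:55.357+05:30] [oim_server1] [ERROR] [IAM-3010003] [oracle.iam.ldapsync.impl.eventhandlers.user] [tid: [ACTIVE].ExecuteThread: '0'] [userId: oiminternal] [APP: oim#11.1.1.3.0] Failed to execute the handler.[[
oracle.iam.platform.kernel.EventFailedException: Modification failed because user 487 is not synchronized to the LDAP directory.
    at oracle.iam.ldapsync.impl.eventhandlers.user.UserModifyLDAPPostProcessHandler.modifyUser(UserModifyLDAPPostProcessHandler.java:153)
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG.splitlines())
    for f in found:
        print(f)
    print(summary(found))
```

Point it at the real file with `triage(open(path))`; a pile of oid_password_policy findings means the fix belongs in OID (the policy assigned via pwdpolicysubentry on cn=users), whereas user_not_in_ldap findings list the OIM user keys that recon will keep failing on until those users have an OID entry.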

    77. kkaushick says:

      So, how do I bring the users from OIM to OID?
      When and how does the sync between OIM and LDAP happen?
      Thanks,

    78. kkaushick says:

      Hi,
      I tried to delete the entries from OIM using the Admin console so that I could rerun the recon, but the problem is that, for the same reason (the users are not synced to the LDAP directory), I am not able to delete them. Please guide me on how to approach this problem,
      i.e. how do I populate the users from EBS to OID?
      Thanks,

    79. Atul Kumar says:

      @ kkaushick,

      There is a manual way to migrate users from EBS to OID, which is http://onlineappsdba.com/index.php/2008/04/17/migrate-users-tofrom-oid-and-oracle-apps-11ir12/

      But this process will not link users between OIM and OID. You need to manually link users between OIM and OID (using the usr table). I am not sure if this is a certified/supported solution. Please contact Oracle Support on this.

    80. kkaushick says:

      Thanks for the suggestion.
      My doubt is: if we can migrate users from EBS to OID using AppsUserExport (converting the user data to an LDIF file), then isn’t there a way to make an LDIF file from the DEV_OIM.USR table so that we can use this file to populate OID with the users? Or how about truncating the whole USR table so that I can start the recon afresh? My line of thought is that if the users are not in OIM, then recon would not try to update the users in OID. Which one do you suggest?
      Thanks again.

    81. shah_harsh81 says:

      Hi Atul,

      I followed all the steps from Part I to VIII to install “Step by Step Installation of OAM, OIM, OAAM, OAPM, OIN (11.1.1.3.0)”.

      This step VIII helps to configure LDAP Sync with OIM 11g (OIM 11g Integration with OVD/OID).

      I didn’t find steps to install OVD/OID through step VIII.

      Can you please help me here to install OVD/OID in the version which you used through step VIII?

      Thank you
      Harsh Shah

    82. Atul Kumar says:

      @ shah_harsh81,
      To install OID/OVD use the steps from

      http://onlineappsdba.com/index.php/2011/03/23/install-oracle-identity-management-oimidm-11114-oid-ovd-oif-high-level-steps/

      The current OID/OVD version is 11.1.1.6, so the only things to change are to use WebLogic 10.3.6 (replace WebLogic 10.3.4 with 10.3.6 in the above doc) and to replace the OID/OVD patchset 11.1.1.4 with 11.1.1.6 (the latest is 11.1.1.6).

      For RCU, you should use the 11.1.1.6 RCU to create the OID/OVD schema.

    83. vamsikrishna56 says:

      Hi Atul,

      My LDAP sync worked fine earlier. All of a sudden, whenever I try to create a user in OIM, LDAP sync creates the user, modifies the user and then automatically calls delete user as well, and the user gets deleted.

      I have checked in the audit log of OID and in the change log ID in the console that the delete method is getting called during LDAP sync.

      Any ideas on such an issue?

      Thanks,
      TVamsi.

    84. Atul Kumar says:

      @ vamsikrishna56,
      Do you mean that you create a user in OIM and ldapsync then automatically creates the user in OID,

      and LDAPSync then deletes the user from OID (even though the user is still in OIM)?

      Is this the case?

      No, I have never seen an issue like this. Do you have any other provisioning or reconciliation task against this OID?

    85. multikanth says:

      Thank you for sharing.
      I would like to share the issue I have faced and the fixes.
      Issue: After doing everything as per this doc, I get an error on user-create sync.

      Two fixes for this.

      Fix 1: In Metalink, follow ID 1307549.1

      Fix 2: Got this from this thread https://forums.oracle.com/forums/thread.jspa?messageID=10311715#10311715

      The parameter “Connection pooling supported” in the Directory Server resource was set to true.

    86. Jyothi says:

      Hi Atul, I am not sure whether the exception below from my OIM server should be ignored or not. I have checked the OIM configuration against what you have mentioned. Everything is fine, except that I used port 3060 instead of 6501 for the LDAP server URL. But when I create users in OIM, I can see them in OID. Could the exception below create a problem somewhere else?

      <Class/Method: PooledResourceConnectionProvider/createConnection encounter some problems: ADP ClassLoader failed to load: oracle.iam.ldapsync.impl.repository.LDAPConnection
      java.lang.ClassNotFoundException: ADP ClassLoader failed to load: oracle.iam.ldapsync.impl.repository.LDAPConnection
      at com.thortech.xl.dataobj.tcADPClassLoader.findClass(tcADPClassLoader.java:219)
      at com.oracle.oim.gcp.ucp.PooledResourceConnectionProvider.createConnection(PooledResourceConnectionProvider.java:73)
      at oracle.ucp.common.UniversalConnectionPoolImpl$UniversalConnectionPoolInternal.createOnePooledConnectionInternal(UniversalConnectionPoolImpl.java:1563)
      at oracle.ucp.common.UniversalConnectionPoolImpl$UniversalConnectionPoolInternal.access$600(UniversalConnectionPoolImpl.java:1399)
      at oracle.ucp.common.UniversalConnectionPoolImpl.createOnePooledConnection(UniversalConnectionPoolImpl.java:477)
      at oracle.ucp.common.UniversalConnectionPoolImpl.growPool(UniversalConnectionPoolImpl.java:856)
      at oracle.ucp.common.UniversalConnectionPoolBase$1.run(UniversalConnectionPoolBase.java:1057)
      at oracle.ucp.util.UCPTaskBase.call(UCPTaskBase.java:17)
      at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
      at java.util.concurrent.FutureTask.run(FutureTask.java:139)
      at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:909)
      at java.lang.Thread.run(Thread.java:662)

      thank you for your valuable suggestion.

      Jyothi

    87. Jyothi says:

      Atul, can I correct this error by providing 6501? If so, which file do I need to modify?

      I think this could be the cause of the exception I am facing.

      Can you please let me know whether I can correct it now.

      Jyothi

    88. […] and OID (or other LDAP Servers) can be synchronised either using LDAPSync  (For LDAPsync with OVD check here ) or using OIM connectors (For OID connector click […]

    89. Odesa says:

      Atul, I installed OIM and specified all the parameters it asked for during the installation. Then I go to the browser and enter the address to access the main OIM interface, and I get an error:

      Error 404–Not Found
      From RFC 2068 Hypertext Transfer Protocol — HTTP/1.1:
      10.4.5 404 Not Found
      The server has not found anything matching the Request-URI. No indication is given of whether the condition is temporary or permanent.

      Could you help me with this?

      Thanks in advance.

    90. Mabeliana says:

      Atul, how are you? I need help. After I installed OIM and restarted the corresponding servers, when I go to the browser and enter the URL, with the port and everything, I get an error:

      Error 404–Not Found
      From RFC 2068 Hypertext Transfer Protocol — HTTP/1.1:
      10.4.5 404 Not Found
      The server has not found anything matching the Request-URI. No indication is given of whether the condition is temporary or permanent.

      If the server does not wish to make this information available to the client, the status code 403 (Forbidden) can be used instead. The 410 (Gone) status code SHOULD be used if the server knows, through some internally configurable mechanism, that an old resource is permanently unavailable and has no forwarding address.

      What could this be?
      Can you help me with this?

      Regards, and thanks in advance.

    91. avi says:

      Atul,

      I've followed the steps, but I'm getting an error while creating users from the console: Unable to get LDAP connection, and the root cause is: Failed to get connection due to initialization error with the pool: Failed to initialize and start UCP Pool.

      The Directory Server is up and running as I can do a Telnet to :
      telnet LDAP_HOSTNAME ldapport

      and also Ldapbind with the command :
      ldapbind -h LDAP_HOSTNAME -p ldapport -D “cn=orcladmin” -q

      In OIM, in the Manage IT Resource section for the Directory Server type, the Server URL field was blank. I tried adding ldap://server_name:ovdport but am still facing the same issue.

      Any inputs to help me over come this ??

    92. avi says:

      Also, while connecting to OVD from ODSM and creating the necessary adapters for LDAP Sync, it refuses to connect on the default non-SSL port 6501. It keeps saying "not a valid connection", while it connects when I use the admin SSL port 8901, which is what the adapters were created with.

      Wondering if this has got to do with the errors…

    94. Mabeliana says:

      Hello

      1. How do I add a new field in the administrator and user console?
      2. How do I add a new user that can log in to the OIM console?

      Thanks

    95. Hi Atul, I just installed OIM R2. I already have OAM 11.1.1.5 configured against OVD 11.1.1.5 front-ending AD with our enterprise users. I do not have the option to extend the orcl schema on AD, so I decided to use OUD R2, and the install and base config went fine. I'm following this URL: http://docs.oracle.com/cd/E27559_01/install.1112/e27301/oim.htm#CDDGJIBJ to prep OUD, and the schema went in fine. Now I'm confused about what exactly I need to do to complete the OIM-OAM integration. Documentation seems to be all over the place with idmconfigtool.sh, especially with R2.

      I did not enable LDAP Sync during OIM config, so I'm following this post-install link, http://docs.oracle.com/cd/E27559_01/integration.1112/e27123/oid_oim.htm#CHDBICCC, to complete that setup. And here's where I see there is not much detail on how I need to run idmconfigtool.sh and with what options. The good thing with OUD is that almost all of the orcl schema is shipped and there is not much to do related to schema, except for obobjectclasses and the index, which I did based on the first link posted above.

      Do you have any thoughts on this, related to OIM R2?

      Sunil.

    96. Thanks Atul. Excellent link for my requirement.
      Can you please confirm the below high level steps for this integration?

      1. Prepare OUD for integration
      2. Configure JOIN/SHADOW adapters between AD and OUD.
      3. Run ./idmconfigTool.sh with -preConfigIDStore, -prepareIDStore with mode OAM and OIM, -configOAM, -configOIM. -configPolicyStore (not sure if this is needed??). I have already run -preConfigIDStore directly against OUD and it went fine. I’ll be enabling LDAP Sync directly against OUD since R2 supports it (http://docs.oracle.com/cd/E27559_01/install.1112/e27301/oim.htm#CDDGJIBJ) and I’m confused on the need for pointing OIM to OVD. Thoughts?

      Thanks,
      Sunil.

    97. mike says:

      Hello Atul,
      I have a requirement for a sync from OID to OIM. Can this be done?
      TIA

      Mike

      • Atul Kumar says:

        @ Mike,
        If OIM is 11g then this can be done in two ways:
        a) LDAPSync or
        b) OIM connector for OID

        If this is OIM 10g then use OIM connector for OID

        For both ldapsync and OIM connector for OID, search on this blog

    98. Sean says:

      Atul,
      for the post ldapsync
      LDAPConfigPostSetup.sh

      it fails:
      [Enter OIM admin password:]
      java.lang.NullPointerException
      at java.util.Hashtable.put(Hashtable.java:394)
      at oracle.iam.platformservice.utils.LDAPConfigPostSetup.(LDAPConfigPostSetup.java:146)
      at oracle.iam.platformservice.utils.LDAPConfigPostSetup.main(LDAPConfigPostSetup.java:106)
      Unable to get either LDAP, OIM connection and reason is:null

      I verified the props file; it all looks good. It is OIM 11.1.1.5.4, I have used OID as the directory in the OIM config and set SkipOVDValidation=true in the props file.

      Any insights?

    99. Atul Kumar says:

      @ Sean,

      You mentioned OIM 11.1.1.5.4; as far as I know the latest BP is 03, so 11.1.1.5.3.

      For your issue, it looks like Java is not set correctly. Run "which java" and make sure this is 1.6. Also check the JAVA_HOME environment variable.

    100. Sean says:

      11.1.1.5.4 has been released as BP4 14102430

      I have JAVA_HOME set:

      $ env |grep JAVA
      JAVA_HOME=/u01/oracle/jdk/jdk1.6.0_30

      It is 64-bit Linux:

      uname -a
      Linux p2devwebportal.usace.army.mil 2.6.32-200.13.1.el5uek #1 SMP Wed Jul 27 21:02:33 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux

    101. Atul Kumar says:

      @ Sean,
      Thanks for information on BP04 for 11.1.1.5 .

      Which java is in the path?

      which java

      also paste content of $MW_HOME/iam/server/ldap_config_util/ldapconfig.props

      check details are correct in this file

    102. Sean says:

      $which java
      /u01/oracle/jdk/jdk1.6.0_30/bin/java

      ldapconfig.props :

      # OIMServer Type, Valid values can be WLS, JBOSS, WAS
      # e.g.: OIMServerType=WLS
      OIMServerType=WLS

      # OIMAdmin User Login
      # e.g.: OIMAdminUser=xelsysadm
      OIMAdminUser=xelsysadm

      # Skip Validation of OVD Schema
      # e.g.: SkipOVDValidation=true|false, Default false
      SkipOVDValidation=true

      # OIM Provider URL
      # e.g.: OIMProviderURL=t3://localhost:8003
      OIMProviderURL=t3://jm100:14000
      #OIMProviderURL=t3://jm100:8001
      #(Note: I tried both 14000 and 8001; it failed on both)
      # OID URL
      # e.g.: OIDURL=ldap://localhost:389
      OIDURL=ldap://jm101:3060

      # Admin user name to connect to OID
      # e.g.: OIDAdminUsername=cn=orcladmin
      OIDAdminUsername=cn=orcladmin

      # Search base
      # e.g.: OIDSearchBase=dc=company,dc=com
      OIDSearchBase=dc=usace,dc=XXXXXX

      # Name of the user container
      # e.g.: UserContainerName=cn=Users
      UserContainerName=cn=Users

      # Name of the role container
      # e.g.: RoleContainerName=cn=Roles
      RoleContainerName=cn=Groups

      # Name of the reservation container
      # e.g.: ReservationContainerName=cn=Reserve
      ReservationContainerName=cn=reserve

    103. Atul Kumar says:

      @ Sean,
      OIDAdminUsername=cn=orcladmin doesn't look right. You should use cn=oimLDAP,cn=systemids,dc=****

      Please confirm that you generated the wlfullclient.jar file; if not, create it and try again.

    104. Sean says:

      I have it in OID as:
      cn=oimadmin,cn=systemids,dc=***

      and tried as you suggested and failed the same.

      And Yes, wlfullclient.jar had been generated.

      Thanks.

    105. […] (OID in this case) using LDAPSync (OIM should be configured with LDAPSync enabled. More on LDAPSync here, here, and here). This process will also clear two attributes obLockoutTime, and obLoginTryCount […]

    106. sampal says:

      Hello Atul,

      Can you please let me know why we need LDAP sync for the OIM and OAM integration? We are trying to achieve single sign-on for OIM using OAM. Is it not like any other type of integration, where we protect the application with a WebGate and configure policies in OAM? We don't want to maintain another product (OID/OVD, which LDAP sync needs), so can you please let us know the feasible solution?

      • Atul Kumar says:

        @ sampal,
        OIM stores its user repository in its own user store (the USR table in the OIM schema). Though OAM can authenticate against a database table, OIM, for security reasons, wouldn't let anyone else connect to its USR repository. The solution for this is to sync users in OIM with an LDAP server. Then, for locked accounts, OAM should be able to see the lock under its own repository (like obLoginTryCount), and this lock/unlock should sync with OIM. These are just two examples of why you need OIM to sync data to the LDAP server to which OAM is integrated (for SSO).

        I hope this answers your question.

    107. sampal says:

      Thanks Atul for the quick response. So if LDAP sync has to be enabled, can we use Active Directory as the data store instead of OID/OVD? Does using AD push any new attributes to the AD server?

      Please let us know.

    108. Atul Kumar says:

      @ Sampal,
      Yes, you can use AD with OIM for LDAPSync, but you need to extend the AD schema to include the attributes required for the OIM-OAM integration. Schema extension scripts are included in the integration guide.

    109. sunil sharma says:

      Hi Gurus,
      I have done LDAPSync, but when I want to modify a user through the OIM console it doesn't get modified, and it shows no error in the log. Can you tell me how to fix this problem? Thanks in advance.

    110. sunil sharma says:

      Hi Atul,
      These users were created after LDAPSync, and if I try to modify them, the modification doesn't work. Please let me know if you require any further details; thanks for your reply. I am also trying to fix the problem. My Skype id is "sunil.sharma759"; if you want, you can send me a request, or else give me your details and I will send you the request. Please help me with this, I am a fresher and I have to do it.

      • Atul Kumar says:

        @ Sunil Sharma,
        Check the logs in OIM diagnostics and the OIM out file. If you can't find any errors, then enable diagnostics in OIM via EM, try again to reproduce the problem, and check the logs.

    111. sunil sharma says:

      Hi,
      It is giving me the error "NO_SUCH_OBJECT". Please suggest a solution for that. Thanks in advance.

    112. Atul Kumar says:

      @ Sunil Sharma,
      You need to provide more information; "NO_SUCH_OBJECT" alone will not help. Paste the full error.

    113. sunil sharma says:

      Hi Atul,
      Here I am sending you the oim_server1-diagnostic log details. I think this is the reason the user is not being modified. Please suggest a solution for this, or any other way in which I can modify users.
      [2013-01-28T09:22:34.553+05:30] [oim_server1] [ERROR] [IAM-0042016] [oracle.iam.platform.entitymgr.provider.ldap] [tid: OIMQuartzScheduler_Worker-6] [userId: oiminternal] [ecid: 0000JlzHZAWFw0zkrw0AJz53vfE0jzYxv1H1VKv000002,0] [APP: oim#11.1.1.3.0] An error occurred while getting the change log from LDAP – {0}[[
      javax.naming.NoPermissionException: Error: INSUFFICIENT_ACCESS_RIGHTS
      LDAP Error 50 : [LDAP: error code 50 – Insufficient Access Rights] [Root exception is oracle.ods.virtualization.service.VirtualizationException: oracle.ods.virtualization.engine.util.DirectoryException: LDAP Error 50 : [LDAP: error code 50 – Insufficient Access Rights]]
      at oracle.ods.virtualization.jndi.OVDUtil.mapErrorCode(OVDUtil.java:162)
      at oracle.ods.virtualization.jndi.OVDContext.search(OVDContext.java:439)
      at oracle.ods.virtualization.jndi.OVDContext.search(OVDContext.java:329)
      at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:248)
      at oracle.iam.platform.entitymgr.provider.ldap.LDAPUtil.search(LDAPUtil.java:1029)
      at oracle.iam.platform.entitymgr.provider.ldap.LDAPDataProvider.getChangelogResults(LDAPDataProvider.java:1486)
      at oracle.iam.platform.entitymgr.provider.ldap.LDAPDataProvider.deltaDetect(LDAPDataProvider.java:1443)
      at oracle.iam.ldapsync.scheduletasks.hierarchy.LDAPRoleHierarchyReconTask.execute(LDAPRoleHierarchyReconTask.java:94)
      at oracle.iam.scheduler.vo.TaskSupport.executeJob(TaskSupport.java:145)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:597)
      at oracle.iam.scheduler.impl.quartz.QuartzJob.execute(QuartzJob.java:196)
      at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
      at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:529)
      Caused by: oracle.ods.virtualization.service.VirtualizationException: oracle.ods.virtualization.engine.util.DirectoryException: LDAP Error 50 : [LDAP: error code 50 – Insufficient Access Rights]
      at oracle.ods.virtualization.operation.SearchOperation.process(SearchOperation.java:174)
      at oracle.ods.virtualization.service.DefaultVirtualizationSession.search(DefaultVirtualizationSession.java:182)
      at oracle.ods.virtualization.jndi.OVDContext.search(OVDContext.java:429)
      … 14 more
      Caused by: oracle.ods.virtualization.engine.util.DirectoryException: LDAP Error 50 : [LDAP: error code 50 – Insufficient Access Rights]
      at oracle.ods.virtualization.engine.backend.jndi.ConnectionHandle.handleError(ConnectionHandle.java:439)
      at oracle.ods.virtualization.engine.backend.jndi.ConnectionHandle.search(ConnectionHandle.java:280)
      at oracle.ods.virtualization.engine.backend.jndi.JNDIEntrySet.initialize(JNDIEntrySet.java:219)
      at oracle.ods.virtualization.engine.backend.jndi.BackendJNDI.get(BackendJNDI.java:727)
      at oracle.ods.virtualization.engine.chain.Chain.nextGet(Chain.java:303)
      at oracle.ods.virtualization.engine.chain.plugins.changelog.ChangelogPlugin.get(ChangelogPlugin.java:611)
      at oracle.ods.virtualization.engine.chain.Chain.nextGet(Chain.java:314)
      at oracle.ods.virtualization.engine.chain.PluginChain.runGet(PluginChain.java:211)
      at oracle.ods.virtualization.engine.chain.PluginManager.runGet(PluginManager.java:351)
      at oracle.ods.virtualization.engine.chain.PluginManager.runGet(PluginManager.java:316)
      at oracle.ods.virtualization.engine.backend.AdapterServiceInterface.getByAdapter(AdapterServiceInterface.java:582)
      at oracle.ods.virtualization.engine.backend.AdapterServiceInterface.get(AdapterServiceInterface.java:453)
      at oracle.ods.virtualization.engine.backend.BackendHandler.get(BackendHandler.java:429)
      at oracle.ods.virtualization.engine.chain.Chain.nextGet(Chain.java:295)
      at oracle.ods.virtualization.engine.chain.BasePlugin.get(BasePlugin.java:89)
      at oracle.ods.virtualization.engine.chain.plugins.uniqueentry.UniqueEntryPlugin.get(UniqueEntryPlugin.java:132)
      at oracle.ods.virtualization.engine.chain.Chain.nextGet(Chain.java:314)
      at oracle.ods.virtualization.engine.chain.BasePlugin.get(BasePlugin.java:89)
      at oracle.ods.virtualization.engine.chain.plugins.mlsfilter.MlsFilter.get(MlsFilter.java:102)
      at oracle.ods.virtualization.engine.chain.Chain.nextGet(Chain.java:314)
      at oracle.ods.virtualization.engine.chain.PluginChain.runGet(PluginChain.java:211)
      at oracle.ods.virtualization.engine.chain.PluginManager.runGet(PluginManager.java:351)
      at oracle.ods.virtualization.engine.chain.PluginManager.runGet(PluginManager.java:316)
      at oracle.ods.virtualization.engine.chain.GlobalServicesInterface.runGet(GlobalServicesInterface.java:136)
      at oracle.ods.virtualization.operation.SearchOperation.process(SearchOperation.java:168)
      … 16 more
      Caused by: javax.naming.NoPermissionException: [LDAP: error code 50 – Insufficient Access Rights]; remaining name ‘cn=Changelog’
      at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3049)
      at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
      at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2794)
      at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1826)
      at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1749)
      at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:368)
      at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:338)
      at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:257)
      at oracle.ods.virtualization.engine.backend.jndi.ConnectionHandle.search(ConnectionHandle.java:261)
      … 39 more

      *********************************************

      [2013-01-28T09:22:33.972+05:30] [oim_server1] [ERROR] [IAM-0042016] [oracle.iam.platform.entitymgr.provider.ldap] [tid: OIMQuartzScheduler_Worker-4] [userId: oiminternal] [ecid: 0000JlzHZAWFw0zkrw0AJz53vfE0jzYxv1H1VKv000002,0] [APP: oim#11.1.1.3.0] An error occurred while getting the change log from LDAP – {0}[[
      java.lang.NullPointerException
      at java.util.concurrent.ConcurrentHashMap.get(ConcurrentHashMap.java:768)
      at oracle.ods.virtualization.engine.router.RoutingHandler.getRoutingRule(RoutingHandler.java:234)
      at oracle.ods.virtualization.engine.backend.AdapterServiceInterface.get(AdapterServiceInterface.java:463)
      at oracle.ods.virtualization.engine.backend.BackendHandler.get(BackendHandler.java:429)
      at oracle.ods.virtualization.engine.chain.Chain.nextGet(Chain.java:295)
      at oracle.ods.virtualization.engine.chain.BasePlugin.get(BasePlugin.java:89)
      at oracle.ods.virtualization.engine.chain.plugins.uniqueentry.UniqueEntryPlugin.get(UniqueEntryPlugin.java:132)
      at oracle.ods.virtualization.engine.chain.Chain.nextGet(Chain.java:314)
      at oracle.ods.virtualization.engine.chain.BasePlugin.get(BasePlugin.java:89)
      at oracle.ods.virtualization.engine.chain.plugins.mlsfilter.MlsFilter.get(MlsFilter.java:102)
      at oracle.ods.virtualization.engine.chain.Chain.nextGet(Chain.java:314)
      at oracle.ods.virtualization.engine.chain.PluginChain.runGet(PluginChain.java:211)
      at oracle.ods.virtualization.engine.chain.PluginManager.runGet(PluginManager.java:351)
      at oracle.ods.virtualization.engine.chain.PluginManager.runGet(PluginManager.java:316)
      at oracle.ods.virtualization.engine.chain.GlobalServicesInterface.runGet(GlobalServicesInterface.java:136)
      at oracle.ods.virtualization.operation.SearchOperation.process(SearchOperation.java:168)
      at oracle.ods.virtualization.service.DefaultVirtualizationSession.search(DefaultVirtualizationSession.java:182)
      at oracle.ods.virtualization.jndi.OVDContext.search(OVDContext.java:429)
      at oracle.ods.virtualization.jndi.OVDContext.search(OVDContext.java:329)
      at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:248)
      at oracle.iam.platform.entitymgr.provider.ldap.LDAPUtil.search(LDAPUtil.java:1029)
      at oracle.iam.platform.entitymgr.provider.ldap.LDAPDataProvider.getChangelogResults(LDAPDataProvider.java:1486)
      at oracle.iam.platform.entitymgr.provider.ldap.LDAPDataProvider.deltaDetect(LDAPDataProvider.java:1443)
      at oracle.iam.ldapsync.scheduletasks.role.LDAPRoleChangesReconTask.execute(LDAPRoleChangesReconTask.java:118)
      at oracle.iam.scheduler.vo.TaskSupport.executeJob(TaskSupport.java:145)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:597)
      at oracle.iam.scheduler.impl.quartz.QuartzJob.execute(QuartzJob.java:196)
      at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
      at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:529)
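
The trace above records two different failures from the LDAP sync scheduled tasks: LDAPRoleHierarchyReconTask got LDAP result code 50 (insufficientAccessRights) on the entry 'cn=Changelog', which means the account OIM binds with through OVD is not allowed to read the changelog, while LDAPRoleChangesReconTask failed inside OVD's routing code before any LDAP result came back. Pulling those facts out of an ODL record by hand is slow, so here is an added triage script (example code written for this page, not part of the original post or of Oracle's tooling). It parses the bracketed ODL header, walks the stack trace for the LDAP result code, the DN the directory refused, the ldapsync task that was running and the first Oracle frame, and prints a one-line diagnosis per record. The sample log is constructed from the trace in the comment above with the stack frames abbreviated; the wording of each diagnosis is the author's reading of the codes, not text from Oracle.

```python
"""Triage OIM diagnostic-log (ODL) records produced by the LDAP sync scheduled tasks.

Added example, not part of the page or of Oracle's tooling.
"""
import re

# ODL header: [ts] [server] [LEVEL] [msg-id] [component] [tid: ..] [userId: ..] [ecid: ..] [APP: ..] text[[
HEADER_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<server>[^\]]+)\] \[(?P<level>[^\]]+)\] "
    r"\[(?P<msgid>[^\]]+)\] \[(?P<component>[^\]]+)\] (?P<rest>.*)$")
FIELD_RE = re.compile(r"\[(tid|userId|ecid|APP): ([^\]]*)\]\s*")
# JNDI renders LDAP results as "[LDAP: error code 50 - Insufficient Access Rights]"
LDAP_ERR_RE = re.compile(r"LDAP: error code (\d+) [-\u2013] ([^\]]+)\]")
REMAINING_RE = re.compile(r"remaining name [\u2018'\"]([^\u2019'\"]+)")
TASK_RE = re.compile(r"at oracle\.iam\.ldapsync\.scheduletasks\.(?:\w+\.)*(\w+)\.execute\(")
EXC_RE = re.compile(r"^(?:Caused by: )?([\w.$]+(?:Exception|Error))\b")
FRAME_RE = re.compile(r"^at (oracle\.[\w.$]+)\(")


def parse_odl(text):
    """Split a log into records: one ODL header line plus its '[[ ... ]]' body."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        match = HEADER_RE.match(line)
        if match:
            current = match.groupdict()
            rest = current.pop("rest")
            current.update(FIELD_RE.findall(rest))          # tid, userId, ecid, APP
            current["message"] = FIELD_RE.sub("", rest).rstrip("[ ").strip()
            current["body"] = []
            records.append(current)
        elif current is not None and line and line != "]]":
            current["body"].append(line)
    return [enrich(r) for r in records]


def enrich(rec):
    """Extract LDAP result code, refused DN, failing task and root cause from the trace."""
    body = "\n".join(rec["body"])
    exceptions = [m.group(1) for m in (EXC_RE.match(l) for l in rec["body"]) if m]
    frames = [m.group(1) for m in (FRAME_RE.match(l) for l in rec["body"]) if m]
    rec["exception"] = exceptions[0] if exceptions else None
    rec["root_cause"] = exceptions[-1] if exceptions else None   # innermost "Caused by"
    rec["first_oracle_frame"] = frames[0] if frames else None
    m = LDAP_ERR_RE.search(body)
    rec["ldap_code"] = int(m.group(1)) if m else None
    rec["ldap_text"] = m.group(2).strip() if m else None
    m = REMAINING_RE.search(body)
    rec["target"] = m.group(1) if m else None
    m = TASK_RE.search(body)
    rec["task"] = m.group(1) if m else None
    rec["diagnosis"] = diagnose(rec)
    return rec


def diagnose(rec):
    """One-line reading of the record (author's interpretation of the result codes)."""
    task = rec["task"] or "unknown task"
    if rec["ldap_code"] == 50 and rec["target"] and "changelog" in rec["target"].lower():
        return ("%s: result 50 (insufficient access) on %s; the sync bind account needs "
                "read access to the changelog, granted by ACI, not by binding as the "
                "directory superuser" % (task, rec["target"]))
    if rec["ldap_code"] is not None:
        return "%s: LDAP result %d (%s) on %s" % (
            task, rec["ldap_code"], rec["ldap_text"], rec["target"] or "unknown DN")
    if rec["root_cause"]:
        return "%s: no LDAP result code; %s at %s" % (
            task, rec["root_cause"], rec["first_oracle_frame"] or "unknown frame")
    return "%s: unclassified" % task


# Constructed sample: the two records from the comment above, frames abbreviated.
SAMPLE_LOG = """\
[2013-01-28T09:22:34.553+05:30] [oim_server1] [ERROR] [IAM-0042016] [oracle.iam.platform.entitymgr.provider.ldap] [tid: OIMQuartzScheduler_Worker-6] [userId: oiminternal] [ecid: 0000JlzHZAWFw0zkrw0AJz53vfE0jzYxv1H1VKv000002,0] [APP: oim#11.1.1.3.0] An error occurred while getting the change log from LDAP - {0}[[
javax.naming.NoPermissionException: Error: INSUFFICIENT_ACCESS_RIGHTS
LDAP Error 50 : [LDAP: error code 50 - Insufficient Access Rights] [Root exception is oracle.ods.virtualization.service.VirtualizationException]
at oracle.ods.virtualization.jndi.OVDUtil.mapErrorCode(OVDUtil.java:162)
at oracle.iam.ldapsync.scheduletasks.hierarchy.LDAPRoleHierarchyReconTask.execute(LDAPRoleHierarchyReconTask.java:94)
Caused by: javax.naming.NoPermissionException: [LDAP: error code 50 - Insufficient Access Rights]; remaining name 'cn=Changelog'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3049)
]]
[2013-01-28T09:22:33.972+05:30] [oim_server1] [ERROR] [IAM-0042016] [oracle.iam.platform.entitymgr.provider.ldap] [tid: OIMQuartzScheduler_Worker-4] [userId: oiminternal] [ecid: 0000JlzHZAWFw0zkrw0AJz53vfE0jzYxv1H1VKv000002,0] [APP: oim#11.1.1.3.0] An error occurred while getting the change log from LDAP - {0}[[
java.lang.NullPointerException
at java.util.concurrent.ConcurrentHashMap.get(ConcurrentHashMap.java:768)
at oracle.ods.virtualization.engine.router.RoutingHandler.getRoutingRule(RoutingHandler.java:234)
at oracle.iam.ldapsync.scheduletasks.role.LDAPRoleChangesReconTask.execute(LDAPRoleChangesReconTask.java:118)
]]
"""

if __name__ == "__main__":
    for rec in parse_odl(SAMPLE_LOG):
        print(rec["ts"], rec["msgid"], rec["userId"], "->", rec["diagnosis"])
```

Run it against a real oim_server1-diagnostic.log by reading the file into parse_odl; every record whose diagnosis names the changelog points at the same fix, an ACI on the changelog container for the OIM bind DN, rather than at OIM itself.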

    114. satheeshskumar says:

      I am preparing a test environment.
      After running ./LDAPConfigPostSetup.sh I get the following error:
      [Enter OIM admin password:]
      java.lang.NullPointerException
      at java.util.Hashtable.put(Hashtable.java:396)
      at oracle.iam.platformservice.utils.LDAPConfigPostSetup.(LDAPConfigPostSetup.java:146)
      at oracle.iam.platformservice.utils.LDAPConfigPostSetup.main(LDAPConfigPostSetup.java:106)
      Unable to get either LDAP, OIM connection and reason is:null

      JAVA_HOME and WL_HOME are set up correctly.
      OID is running and the port is 3060 (non-SSL).

      • Atul Kumar says:

        @ satheeshskumar,
        What version of OIM are you running and what patchset (BP, Bundle Patch)? If this is 11.1.1.5 BP04 then check "LdapConfigPostSetup.sh Errors In OIM 11.1.1.5.4 / BP04" [ID 1508480.1]. You need three more variables: LDAPAdminUsername, OIMProviderURL, and LDAPURL or LIBOVD_PATH_PARAM.

        Check for BUG 14783790
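
The NullPointerException at java.util.Hashtable.put in comments 98 and 114 is what a Hashtable throws when it is handed a null key or value, and the reply above attributes it to keys that the BP04 build reads from ldapconfig.props but that the shipped template (pasted in comment 102) never had. Below is an added pre-flight checker (example code written for this page, not Oracle's tooling) that reads the props file the way a Java Properties loader does, reports missing keys for both the original and the BP04 key set, validates the t3:// and ldap:// URLs, and flags a bind DN of cn=orcladmin, OID's built-in superuser, because the sync account only needs rights over the user, role and reservation containers and the changelog, not the whole directory. Assumptions: that one of LDAPURL or LIBOVD_PATH_PARAM is sufficient for BP04, and that cn=oimLDAP,cn=systemids,... is the dedicated account you created; the hostnames in the constructed sample are placeholders.

```python
"""Pre-flight check for ldap_config_util/ldapconfig.props (OIM 11g).

Added example, not Oracle's tooling. Reports the gaps that make
LDAPConfigPostSetup.sh fail before it reaches OIM or the directory.
"""
from urllib.parse import urlsplit

# Keys in the shipped template (the file pasted in comment 102).
BASE_KEYS = ("OIMServerType", "OIMAdminUser", "OIMProviderURL", "OIDURL",
             "OIDAdminUsername", "OIDSearchBase", "UserContainerName",
             "RoleContainerName", "ReservationContainerName")
# Extra keys 11.1.1.5 BP04 reads (Doc ID 1508480.1, per the reply above).
# Assumption: one of LDAPURL / LIBOVD_PATH_PARAM is sufficient.
BP04_KEYS = ("LDAPAdminUsername",)
BP04_ONE_OF = ("LDAPURL", "LIBOVD_PATH_PARAM")
URL_SCHEMES = {"OIMProviderURL": ("t3", "t3s"),
               "OIDURL": ("ldap", "ldaps"),
               "LDAPURL": ("ldap", "ldaps")}
SERVER_TYPES = ("WLS", "JBOSS", "WAS")
# OID's built-in superuser: binding the sync account as it gives OIM
# unrestricted write access to the whole DIT (least-privilege violation).
SUPERUSER_DNS = ("cn=orcladmin",)


def parse_props(text):
    """Minimal java.util.Properties reader: '#'/'!' comments, first '=' splits."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()   # DN values keep their own '='
    return props


def check_props(props, bp04=False):
    """Return (kind, key) findings; an empty list means the file is usable."""
    findings = []
    required = BASE_KEYS + (BP04_KEYS if bp04 else ())
    for key in required:
        if not props.get(key):
            # A missing key reaches the tool as null, consistent with the
            # NullPointerException at Hashtable.put in comments 98 and 114.
            findings.append(("missing", key))
    if bp04 and not any(props.get(k) for k in BP04_ONE_OF):
        findings.append(("missing", "|".join(BP04_ONE_OF)))
    server_type = props.get("OIMServerType")
    if server_type and server_type not in SERVER_TYPES:
        findings.append(("bad-value", "OIMServerType"))
    for key, schemes in URL_SCHEMES.items():
        url = props.get(key)
        if not url:
            continue
        parts = urlsplit(url)
        try:
            ok = parts.scheme in schemes and bool(parts.hostname) and parts.port is not None
        except ValueError:          # non-numeric port
            ok = False
        if not ok:
            findings.append(("bad-url", key))
    for key in ("OIDAdminUsername", "LDAPAdminUsername"):
        if props.get(key, "").lower() in SUPERUSER_DNS:
            findings.append(("superuser-bind", key))
    return findings


# Constructed sample modeled on the file in comment 102 (placeholder hosts).
SAMPLE_PROPS = """\
# OIMServer Type, Valid values can be WLS, JBOSS, WAS
OIMServerType=WLS
OIMAdminUser=xelsysadm
SkipOVDValidation=true
OIMProviderURL=t3://oimhost.example.com:14000
#OIMProviderURL=t3://oimhost.example.com:8001
OIDURL=ldap://oidhost.example.com:3060
OIDAdminUsername=cn=orcladmin
OIDSearchBase=dc=example,dc=com
UserContainerName=cn=Users
RoleContainerName=cn=Groups
ReservationContainerName=cn=reserve
"""

# The same file with the BP04 keys added and a dedicated sync account (assumed DN).
FIXED_PROPS = SAMPLE_PROPS.replace(
    "cn=orcladmin", "cn=oimLDAP,cn=systemids,dc=example,dc=com") + """\
LDAPAdminUsername=cn=oimLDAP,cn=systemids,dc=example,dc=com
LDAPURL=ldap://oidhost.example.com:3060
"""

if __name__ == "__main__":
    for name, text in (("as pasted", SAMPLE_PROPS), ("fixed", FIXED_PROPS)):
        print(name, "(BP04):", check_props(parse_props(text), bp04=True) or "OK")
```

Point it at $MW_HOME/iam/server/ldap_config_util/ldapconfig.props with bp04=True on a BP04 build; an empty result does not prove the passwords or the directory ACIs are right, only that the tool will get past building its connection properties.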

    115. satheeshskumar says:

      Hi Atul,

      I have updated ldapconfig.props with the parameters mentioned above. The error message below appears after updating the 3 parameters:

      LIBOVD_PATH_PARAM=/u02/app/oracle/Middleware/user_projects/domains/IDMDomain/config/fmwconfig/ovd/oim

      LDAPAdminUsername=cn=orcladmin
      LDAPURL=ldap://testfusionmw:3060

      Error message:

      java.lang.NullPointerException
      at oracle.iam.platformservice.utils.LDAPConfigPostSetup.updateLDAPSyncScheduleJobs (LDAPConfigPostSetup.java:191)
      at oracle.iam.platformservice.utils.LDAPConfigPostSetup.main(LDAPConfigPostSetup.java:111)

    116. satheeshskumar says:

      Hi Atul,

      I forgot to mention the version: 11.1.1.5 BP04.

      Regards

    117. satheeshskumar says:

      Hi Atul,
      I have added it; the classpath values are pasted below:
      =============
      echo $CLASSPATH
      ../client/oimclient.jar:/u02/app/oracle/Middleware/wlserver_10.3/server/lib/wlfullclient.jar:../ext/jakarta-commons/commons-logging.jar:../ext/spring.jar:/u02/app/oracle/Middleware/wlserver_10.3/server/lib/webserviceclient+ssl.jar:../platform/iam-platform-utils.jar:/u02/app/oracle/Middleware/wlserver_10.3/server/lib/wlclient.jar:/u02/app/oracle/Middleware/wlserver_10.3/server/lib/weblogic.jar:../platform/iam-platform-auth-client.jar:../client/oimclient.jar:../features/iam-features-system-configuration.zip:../platform/iam-platform-authz-service.jar:../features/iam-features-identity.zip:../features/iam-features-platformservice.zip:../ext/log4j-1.2.8.jar:../ext/internal/eclipselink.jar:/u02/app/oracle/Middleware/wlserver_10.3/../oracle_common/modules/oracle.ldap_11.1.1/ldapjclnt11.jar:/u02/app/oracle/Middleware/Oracle_IAM1/oui/jlib/jlib/xmlparserv2.jar
      ================================

      Still same error:
      [oracle@bhmanapr12 ldap_config_util]$ ./LDAPConfigPostSetup.sh
      [Enter LDAP admin password:]
      [Enter OIM admin password:]
      java.lang.NullPointerException
      at oracle.iam.platformservice.utils.LDAPConfigPostSetup.updateLDAPSyncScheduleJobs(LDAPConfigPostSetup.java:191)
      at oracle.iam.platformservice.utils.LDAPConfigPostSetup.main(LDAPConfigPostSetup.java:111)

    118. Mounika says:

      Hi Atul,

      I am trying to configure LDAP Sync with OIM 11g R2 PS2(11.1.2.2) using OUD 11.1.2.2 version Post OIM installation & Configuration. My OIM is installed on Linux and OUD on Windows servers.

      I have done preconfiguring OUD steps by following the document at http://docs.oracle.com/cd/E27559_01/install.1112/e27301/preconfigoud.htm#CHDCEJKD

      Then following document from http://docs.oracle.com/cd/E27559_01/integration.1112/e27123/oid_oim.htm#IDMIG4357

      In 3.1 Enabling Postinstallation LDAP Synchronization –> Step 6 For reconciliation jobs,

      I am not able to find the following 2 files: the patch_weblogic.sh MDS utility, supposedly available in OIM_HOME/bin/, and $OIM_ORACLE_HOME/server/bin/weblogic.profile.

      Are these files available in the OIM install location by default, or are they generated after some kind of configuration?

      Could you please help me in this regard.

      Thanks in advance,
      Mounika
