  • Users not synced from OID to OIM : Debug Scheduled Job

    Posted by "" in "identity_manager, troubleshooting, Uncategorized" on 2012-06-13

    This post covers steps to debug reconciliation issues for Users/Roles from LDAP server to OIM 11g.

    Users between OIM 11g and OID (or other LDAP servers) can be synchronised either using LDAPSync (for LDAPSync with OVD check here) or using OIM connectors (for the OID connector click here).

    I recently integrated OIM with OID using LDAPSync and then configured OIM to reconcile users from the identity store (OID in my case). As part of this integration I also successfully executed the scheduled job “LDAP User Create and Update Full Reconciliation” (this scheduled job needs to run once and brings all existing users from OID into OIM). As part of this job (Full Reconciliation), all users in the identity store (OID or other LDAP server) should be synchronized to OIM.

    In my case even after full user reconciliation (LDAP User Create and Update Full Reconciliation), some users like weblogic_idm, oamADMIN, or oamLDAP created as part of OIM/OAM integration were missing in OIM. (more on OIM/OAM integration here and here)

    There were no errors in the OIM managed server logs, and the scheduled job LDAP User Create and Update Full Reconciliation completed with success.

    How to troubleshoot a User/Role synchronization issue in OIM?

    If you hit this or a similar problem, then configure logging in OIM. There are two types of logging in OIM: ODL (Oracle Diagnostic Logging) and log4j.

    Configure ODL for logger xellerate.scheduler and xellerate.scheduler.task in logging.xml

    1. Open file $DOMAIN_HOME/config/fmwconfig/servers/<OIM SERVER>/logging.xml

    and add an entry like

    <logger name='XELLERATE.SCHEDULER' level='TRACE:32' useParentHandlers='false'>
      <handler name='odl-handler'/>
      <handler name='console-handler'/>
    </logger>
    <logger name='XELLERATE.SCHEDULER.TASK' level='TRACE:32' useParentHandlers='false'>
      <handler name='odl-handler'/>
      <handler name='console-handler'/>
    </logger>

    2. Restart OIM Managed Server

    3. Run scheduled job LDAP User Create and Update Full Reconciliation

    4. Check log file $DOMAIN_HOME/servers/<oim_server1>/logs/oim-server1-diagnostic.log

    In my case the error message looks like:

    ____

    [2012-06-08T13:03:18.370+00:00] [oim_server1] [NOTIFICATION] [IAM-5010000] [oracle.iam.reconciliation.impl] [tid: OIMQuartzScheduler_Worker-7] [userId: oiminternal] [ecid: 34eea5fc76281eb7:-4d17507:137cc2d7dca:-8000-0000000000000002,0] [APP: oim#11.1.1.3.0] Generic Information: createEvent Input Data : {uid=weblogic_idm, mail=weblogic_idm, sn=weblogic_idm, cn=weblogic_idm, orclguid=C1CCB6F162029494E0408E51846D40A9, Organization Name=Xellerate Users, OIM User Type=End-User, givenname=weblogic_idm, dn=cn=weblogic_idm, cn=Users,dc=focusthread, dc=com, employeetype=Full-Time}[[
    eventAttribs : serialVersionUID:1357809523267688155 dateFormat:yyyy/MM/dd HH:mm:ss z changeType:REGULAR eventFinished:true actionDate:null
    ]]

    [2012-06-12T16:14:27.312+00:00] [oim_server1] [NOTIFICATION] [IAM-0080006] [oracle.iam.platform.kernel.impl] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: oiminternal] [ecid: 34eea5fc76281eb7:-7b86137:137cce34de8:-8000-0000000000000002,0] [APP: oim#11.1.1.3.0] Orchestration process moved to failed stage, and the corresponding error is – {0}[[
    oracle.iam.platform.kernel.EventFailedException: IAM-3051103: The create operation on user entity failed in action stage.:
    at oracle.iam.identity.usermgmt.utils.UserManagerUtils.createEventFailedException(UserManagerUtils.java:650)
    at oracle.iam.identity.usermgmt.utils.UserManagerUtils.createEventFailedException(UserManagerUtils.java:675)
    at oracle.iam.identity.usermgmt.impl.handlers.create.CreateUserActionHandler.execute(CreateUserActionHandler.java:184)
    at oracle.iam.identity.usermgmt.impl.handlers.create.CreateUserActionHandler.execute(CreateUserActionHandler.java:68)

    [2012-06-12T16:14:27.553+00:00] [oim_server1] [NOTIFICATION] [IAM-5010006] [oracle.iam.reconciliation.impl] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: oiminternal] [ecid: 34eea5fc76281eb7:-7b86137:137cce34de8:-8000-0000000000000002,0] [APP: oim#11.1.1.3.0] The following exception occurred: {0}[[
    oracle.iam.reconciliation.exception.CreateUserException: oracle.iam.platform.kernel.EventFailedException: IAM-3051103:The create operation on user entity failed in action stage.:
    at oracle.iam.reconciliation.impl.UserHandler.create(UserHandler.java:155)
    at oracle.iam.reconciliation.impl.UserHandler.applyRule(UserHandler.java:91)
    at oracle.iam.reconciliation.impl.UserHandler.process(UserHandler.java:66)
    at oracle.iam.reconciliation.impl.ActionEngine.processEvent(ActionEngine.java:19

    ______

    Root Cause: This issue could be for a number of reasons. In my case the difference between users synchronized to OIM and those not synchronized with OIM is that some users had attribute email in OID as without . and

    Fix: Update Attribute email in OID to a valid email address or remove value from attribute email and run Full Reconciliation Job again.
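
    The check in step 4 can be scripted. The following is an added example, not part of the original post: it scans diagnostic-log text for createEvent input records, flags users whose mail value is not address-shaped, and counts create failures. The record layout is taken from the excerpt above; the sample log is constructed, the function names are hypothetical, and the e-mail pattern is an assumption standing in for OIM's own validation, which the post does not specify.

```python
import re

# Constructed sample in the ODL layout shown above (values shortened, example DNs).
SAMPLE_LOG = """\
[2012-06-08T13:03:18.370+00:00] [oim_server1] [NOTIFICATION] [IAM-5010000] [oracle.iam.reconciliation.impl] [userId: oiminternal] Generic Information: createEvent Input Data : {uid=weblogic_idm, mail=weblogic_idm, sn=weblogic_idm, dn=cn=weblogic_idm, cn=Users,dc=example, dc=com}[[
[2012-06-08T13:03:18.400+00:00] [oim_server1] [NOTIFICATION] [IAM-5010000] [oracle.iam.reconciliation.impl] [userId: oiminternal] Generic Information: createEvent Input Data : {uid=jdoe, mail=jdoe@example.com, sn=Doe, dn=cn=jdoe, cn=Users,dc=example, dc=com}[[
[2012-06-08T13:03:18.450+00:00] [oim_server1] [NOTIFICATION] [IAM-5010000] [oracle.iam.reconciliation.impl] [userId: oiminternal] Generic Information: createEvent Input Data : {uid=svc_nomail, sn=svc, dn=cn=svc_nomail, cn=Users,dc=example, dc=com}[[
[2012-06-12T16:14:27.553+00:00] [oim_server1] [NOTIFICATION] [IAM-5010006] [oracle.iam.reconciliation.impl] [userId: oiminternal] The following exception occurred: {0}[[oracle.iam.reconciliation.exception.CreateUserException: oracle.iam.platform.kernel.EventFailedException: IAM-3051103:The create operation on user entity failed in action stage.:
"""

# Body of the attribute map logged with message id IAM-5010000.
INPUT_RE = re.compile(r"\[IAM-5010000\].*?createEvent Input Data : \{(.*)\}")
# Assumption: a minimal "looks like an address" test, not OIM's real rule.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def attr(body, name):
    """Return one attribute value from the logged map, or None if absent.

    The dn value contains commas itself, so the map cannot simply be split
    on ", "; each attribute is extracted by name instead."""
    m = re.search(r"(?:^|, )%s=([^,}]*)" % re.escape(name), body)
    return m.group(1).strip() if m else None


def suspect_users(log_text):
    """List (uid, mail) pairs whose mail value is present but not address-shaped."""
    suspects = []
    for line in log_text.splitlines():
        m = INPUT_RE.search(line)
        if not m:
            continue
        uid, mail = attr(m.group(1), "uid"), attr(m.group(1), "mail")
        # A missing or empty mail is accepted: the fix above allows removing it.
        if mail and not EMAIL_RE.match(mail):
            suspects.append((uid, mail))
    return suspects


def create_failures(log_text):
    """Count reconciliation create failures (CreateUserException with IAM-3051103)."""
    return sum(1 for line in log_text.splitlines()
               if "CreateUserException" in line and "IAM-3051103" in line)


if __name__ == "__main__":
    print(suspect_users(SAMPLE_LOG), create_failures(SAMPLE_LOG))
```

    To run it against a real log, pass the contents of the diagnostic log from step 4 to both functions in place of SAMPLE_LOG.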

     

     

    (Image: after updating email address)



    14 Responses to “Users not synced from OID to OIM : Debug Scheduled Job”

    1. chandra says:

      Hi Atul,

      Recently I have integrated the OID 11.1.1.6 with the AD 2008. Can you let me know what is the user/purpose of OIM (Oracle Identity Manager) which is part of OAM (Oracle Access Manager)?

    2. chandra says:

      Hi Atul,

      Thanks for your reply. I have used DIP as it comes by default once you install OID. Can you provide me with the steps to integrate Identity Manager and OID?

    3. samita mishra says:

      I am planning to join. @ 2012/06/14 16:59:50

    4. samita mishra says:

      I am planning to join. @ 2012/06/14 17:03:03

    5. gadba says:

      Hello,
      I wonder whether you have had success with the incremental job "LDAP User Create and Update Reconciliation". It does not work on both of my OIM 11.1.1.5.0 and 11.1.1.5.4 instances. There is the note: Recon Job "LDAP User Create And Update Reconciliation" Not Working (Doc ID 1455989.1) and the patch 12974293 for it. But after having the patch applied on both, the job still does not work.
      The full version job works fine on both.

    6. abhinay_a says:

      Hi Atul,

      I am not able to find the scheduled job “LDAP User Create and Update Full Reconciliation” in OIM 11g R2. I am enabling LDAP sync post installation.

      I am facing errors while executing
      For reconciliation jobs, seed the LDAP Reconciliation jobs or Load LDAP Recon jobs into Quartz tables, which are part of Oracle Identity Manager schema. To do so:

      Seed the LDAP Recon jobs by using the patch_weblogic.sh MDS utility available in OIM_HOME/bin/.

      Note:
      In a text editor, open the $OIM_ORACLE_HOME/server/bin/weblogic.profile file, and enter values for the properties before executing the patch_weblogic.sh script.

      Set ANT_HOME and JAVA_HOME accordingly.

      Create a backup of a $OIM_ORACLE_HOME/server/setup/deploy-files/setup.xml.

      In a text editor, open the $OIM_ORACLE_HOME/server/setup/deploy-files/setup.xml file.

      If the target for seeding Recon jobs is commented by default, then uncomment the following and have only that target in that file to seed the reconciliation jobs:

      == Uncomment this line.

      Regards
      A Abhinay

    7. abhinay_a says:

      @Atul

      No
      I am going for Post installation of LDAP sync

    8. abhinay_a says:

      @Atul

      I have seeded the recon jobs into OIM. Provisioning is working fine.
      When I execute the scheduled job for recon I get
      [2013-02-10T21:54:54.583+11:00] [oim_server1] [ERROR] [] [oracle.iam.platform.entitymgr.provider.ldap] [tid: OIMQuartzScheduler_Worker-4] [userId: oiminternal] [ecid: 0000Jl74JO7F^6r_GHFg6f1Gxt46000002,1:27814] [APP: oim#11.1.2.0.0] An error occurred while searching the entity in LDAP, and the corresponding error is – {0}[[
      javax.naming.NameNotFoundException: [LDAP: error code 32 – LDAP Error 32 : No Such Object]; remaining name 'cn=users,dc=External,dc=randl,dc=com'
      at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3092)
      at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3013)
      at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2820)
      at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1829)
      at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1752)
      at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:368)
      at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:338)
      at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:321)
      at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:248)
      at oracle.iam.platform.entitymgr.provider.ldap.LDAPUtil.search(LDAPUtil.java:1091)
      at oracle.iam.platform.entitymgr.provider.ldap.LDAPDataProvider.list(LDAPDataProvider.java:2736)
      at oracle.iam.ldapsync.scheduletasks.user.LDAPUserFullReconTask.execute(LDAPUserFullReconTask.java:87)
      at oracle.iam.scheduler.vo.TaskSupport$1.processWithoutResult(TaskSupport.java:135)
      at oracle.iam.platform.tx.OIMTransactionCallbackWithoutResult.process(OIMTransactionCallbackWithoutResult.java:9)
      at oracle.iam.platform.tx.OIMTransactionCallback.doInTransaction(OIMTransactionCallback.java:13)
      at oracle.iam.platform.tx.OIMTransactionCallback.doInTransaction(OIMTransactionCallback.java:6)
      at org.springframework.transaction.support.TransactionTemplate.execute(TransactionTemplate.java:128)
      at oracle.iam.platform.tx.OIMTransactionManager.execute(OIMTransactionManager.java:22)
      at oracle.iam.scheduler.vo.TaskSupport.executeJob(TaskSupport.java:116)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:597)
      at oracle.iam.scheduler.impl.quartz.QuartzJob$TaskExecutionAction.run(QuartzJob.java:266)
      at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
      at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
      at weblogic.security.Security.runAs(Security.java:41)
      at Thor.API.Security.LoginHandler.weblogicLoginSession.runAs(weblogicLoginSession.java:52)
      at oracle.iam.scheduler.impl.quartz.QuartzJob.execute(QuartzJob.java:75)
      at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
      at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:529)

    9. abhinay_a says:

      @Atul
      I am running full recon
      LDAP User Create and Update Full Reconciliation
