Users not synced from OID to OIM : Debug Scheduled Job

This post covers steps to debug reconciliation issues for Users/Roles from LDAP server to OIM 11g.

Users between OIM 11g and OID (or other LDAP servers) can be synchronised either using LDAPSync (for LDAPSync with OVD check here) or using OIM connectors (for the OID connector click here).

I recently integrated OIM with OID using LDAPSync and then configured OIM to reconcile users from the identity store (OID in my case). As part of this integration I also successfully executed the scheduled job "LDAP User Create and Update Full Reconciliation" (this scheduled job needs to run once and brings all existing users from OID into OIM). As part of this job (Full Reconciliation), all users in the identity store (OID or other LDAP server) should be synchronized to OIM.

In my case, even after full user reconciliation (LDAP User Create and Update Full Reconciliation), some users like weblogic_idm, oamADMIN or oamLDAP, created as part of the OIM/OAM integration, were missing in OIM (more on OIM/OAM integration here and here).

There were no errors in the OIM managed server logs, and the scheduled job LDAP User Create and Update Full Reconciliation completed with success.

How to troubleshoot a User/Role synchronization issue in OIM?

If you hit this or a similar problem, configure logging in OIM. There are two types of logging in OIM: ODL (Oracle Diagnostic Logging) and log4j.

Configure ODL for the loggers xellerate.scheduler and xellerate.scheduler.task in logging.xml:

1. Open the file $DOMAIN_HOME/config/fmwconfig/servers/<OIM SERVER>/logging.xml

and add entries like the following (straight single quotes; the curly quotes a browser or word processor inserts are not valid XML):

<logger name='XELLERATE.SCHEDULER' level='TRACE:32' useParentHandlers='false'>
  <handler name='odl-handler'/>
  <handler name='console-handler'/>
</logger>
<logger name='XELLERATE.SCHEDULER.TASK' level='TRACE:32' useParentHandlers='false'>
  <handler name='odl-handler'/>
  <handler name='console-handler'/>
</logger>

2. Restart the OIM Managed Server.

3. Run the scheduled job LDAP User Create and Update Full Reconciliation.

4. Check the log file $DOMAIN_HOME/servers/<oim_server1>/logs/oim-server1-diagnostic.log

In my case the error message looks like this:

____

[2012-06-08T13:03:18.370+00:00] [oim_server1] [NOTIFICATION] [IAM-5010000] [oracle.iam.reconciliation.impl] [tid: OIMQuartzScheduler_Worker-7] [userId: oiminternal] [ecid: 34eea5fc76281eb7:-4d17507:137cc2d7dca:-8000-0000000000000002,0] [APP: oim#11.1.1.3.0] Generic Information: createEvent Input Data : {uid=weblogic_idm, mail=weblogic_idm, sn=weblogic_idm, cn=weblogic_idm, orclguid=C1CCB6F162029494E0408E51846D40A9, Organization Name=Xellerate Users, OIM User Type=End-User, givenname=weblogic_idm, dn=cn=weblogic_idm, cn=Users,dc=focusthread, dc=com, employeetype=Full-Time}[[
eventAttribs : serialVersionUID:1357809523267688155 dateFormat:yyyy/MM/dd HH:mm:ss z changeType:REGULAR eventFinished:true actionDate:null
]]

 

[2012-06-12T16:14:27.312+00:00] [oim_server1] [NOTIFICATION] [IAM-0080006] [oracle.iam.platform.kernel.impl] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: oiminternal] [ecid: 34eea5fc76281eb7:-7b86137:137cce34de8:-8000-0000000000000002,0] [APP: oim#11.1.1.3.0] Orchestration process moved to failed stage, and the corresponding error is - {0}[[oracle.iam.platform.kernel.EventFailedException: IAM-3051103: The create operation on user entity failed in action stage.:
at oracle.iam.identity.usermgmt.utils.UserManagerUtils.createEventFailedException(UserManagerUtils.java:650)
at oracle.iam.identity.usermgmt.utils.UserManagerUtils.createEventFailedException(UserManagerUtils.java:675)
at oracle.iam.identity.usermgmt.impl.handlers.create.CreateUserActionHandler.execute(CreateUserActionHandler.java:184)
at oracle.iam.identity.usermgmt.impl.handlers.create.CreateUserActionHandler.execute(CreateUserActionHandler.java:68)

[2012-06-12T16:14:27.553+00:00] [oim_server1] [NOTIFICATION] [IAM-5010006] [oracle.iam.reconciliation.impl] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: oiminternal] [ecid: 34eea5fc76281eb7:-7b86137:137cce34de8:-8000-0000000000000002,0] [APP: oim#11.1.1.3.0] The following exception occurred: {0}[[oracle.iam.reconciliation.exception.CreateUserException: oracle.iam.platform.kernel.EventFailedException: IAM-3051103:The create operation on user entity failed in action stage.:
at oracle.iam.reconciliation.impl.UserHandler.create(UserHandler.java:155)
at oracle.iam.reconciliation.impl.UserHandler.applyRule(UserHandler.java:91)
at oracle.iam.reconciliation.impl.UserHandler.process(UserHandler.java:66)
at oracle.iam.reconciliation.impl.ActionEngine.processEvent(ActionEngine.java:19

______

Root Cause: This issue can have a number of causes. In my case, the difference between the users synchronized to OIM and those not synchronized was that the missing users had a mail attribute in OID whose value was not a valid email address (no "." or "@" in it; compare mail=weblogic_idm in the createEvent Input Data line above), so the create operation on the user entity failed in OIM.

Fix: Update the email attribute in OID to a valid email address, or remove the value from the email attribute, and run the Full Reconciliation job again.
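As an added check (not part of the original post), the following Python finds the users that will fail for this reason, either from the createEvent Input Data lines in oim-server1-diagnostic.log or from an LDIF export of OID taken before the job is re-run, and emits the ldapmodify record that clears the bad value. The sample log and LDIF are constructed; ecid and orclguid values are placeholders.

```python
import re

# Constructed sample in the layout of oim-server1-diagnostic.log (placeholder ecid/guid).
SAMPLE_LOG = """\
[2012-06-08T13:03:18.370+00:00] [oim_server1] [NOTIFICATION] [IAM-5010000] [oracle.iam.reconciliation.impl] [tid: OIMQuartzScheduler_Worker-7] [userId: oiminternal] [ecid: ECID-PLACEHOLDER,0] [APP: oim#11.1.1.3.0] Generic Information: createEvent Input Data : {uid=weblogic_idm, mail=weblogic_idm, sn=weblogic_idm, cn=weblogic_idm, orclguid=GUID-1, Organization Name=Xellerate Users, OIM User Type=End-User, givenname=weblogic_idm, dn=cn=weblogic_idm, cn=Users,dc=example,dc=com, employeetype=Full-Time}[[
eventAttribs : changeType:REGULAR eventFinished:true actionDate:null
]]
[2012-06-08T13:03:19.002+00:00] [oim_server1] [NOTIFICATION] [IAM-5010000] [oracle.iam.reconciliation.impl] [tid: OIMQuartzScheduler_Worker-7] [userId: oiminternal] [ecid: ECID-PLACEHOLDER,0] [APP: oim#11.1.1.3.0] Generic Information: createEvent Input Data : {uid=jdoe, mail=jdoe@example.com, sn=Doe, cn=jdoe, orclguid=GUID-2, Organization Name=Xellerate Users, OIM User Type=End-User, givenname=John, dn=cn=jdoe, cn=Users,dc=example,dc=com, employeetype=Full-Time}[[
eventAttribs : changeType:REGULAR eventFinished:true actionDate:null
]]
"""

# Constructed LDIF, as an ldapsearch of OID for the uid and mail attributes would print it.
SAMPLE_LDIF = """\
dn: cn=weblogic_idm,cn=Users,dc=example,dc=com
uid: weblogic_idm
mail: weblogic_idm

dn: cn=jdoe,cn=Users,dc=example,dc=com
uid: jdoe
mail: jdoe@example.com
"""

INPUT_DATA_RE = re.compile(r"createEvent Input Data : \{(?P<data>.*?)\}\[\[")
# Only uid and mail are pulled out; the dn value contains commas, so it is not parsed.
FIELD_RE = re.compile(r"(?:^|, )(uid|mail)=([^,}]*)")
# Minimal shape check: a local part, exactly one '@' and a dotted domain.
MAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def is_valid_mail(value):
    return MAIL_RE.match(value) is not None

def bad_mail_from_log(log_text):
    """(uid, mail) pairs from createEvent lines whose mail value OIM would reject."""
    bad = []
    for m in INPUT_DATA_RE.finditer(log_text):
        fields = dict(FIELD_RE.findall(m.group("data")))
        if "mail" in fields and not is_valid_mail(fields["mail"]):
            bad.append((fields.get("uid", "?"), fields["mail"]))
    return bad

def bad_mail_from_ldif(ldif_text):
    """(dn, mail) pairs for directory entries to fix before re-running the full recon job."""
    bad = []
    for record in ldif_text.strip().split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in record.splitlines() if ": " in line)
        if "mail" in attrs and not is_valid_mail(attrs["mail"]):
            bad.append((attrs["dn"], attrs["mail"]))
    return bad

def ldif_delete_mail(dn):
    """LDIF change record that removes the bad mail value (feed to ldapmodify)."""
    return f"dn: {dn}\nchangetype: modify\ndelete: mail\n-\n"
```

Run it against the real diagnostic log and a real OID export instead of the samples; the returned dn list tells you exactly which entries to correct before the next full reconciliation.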

After updating the email address:

About the Author Atul Kumar

Oracle ACE, Author, Speaker and Founder of K21 Technologies & K21 Academy: Oracle Gold Partner specialising in Design, Implementation and Training.


18 comments
chandra says June 13, 2012

Hi Atul,

Recently I have integrated OID 11.1.1.6 with AD 2008. Can you let me know what is the use/purpose of OIM (Oracle Identity Manager) which is part of OAM (Oracle Access Manager)?

chandra says June 14, 2012

Hi Atul,

Thanks for your reply. I have used DIP as it comes by default once you install OID. Can you provide me with the steps to integrate Identity Manager and OID?

samita mishra says June 14, 2012

I am planning to join. @ 2012/06/14 16:59:50

samita mishra says June 14, 2012

I am planning to join. @ 2012/06/14 17:03:03

gadba says October 9, 2012

Hello,
I wonder whether you have had success with the incremental job "LDAP User Create and Update Reconciliation". It does not work on both my OIM 11.1.1.5.0 and 11.1.1.5.4 instances. There is the note: Recon Job "LDAP User Create And Update Reconciliation" Not Working (Doc ID 1455989.1) and the patch 12974293 for it. But after having the patch applied on both, the job still does not work.
The full version of the job works fine on both.

abhinay_a says January 23, 2013

Hi Atul,

I am not able to find the scheduled job "LDAP User Create and Update Full Reconciliation" in OIM 11g R2. I am enabling LDAP sync post installation.

I am facing errors while executing:
For reconciliation jobs, seed the LDAP Reconciliation jobs or Load LDAP Recon jobs into Quartz tables, which are part of Oracle Identity Manager schema. To do so:

Seed the LDAP Recon jobs by using the patch_weblogic.sh MDS utility available in OIM_HOME/bin/.

Note:
In a text editor, open the $OIM_ORACLE_HOME/server/bin/weblogic.profile file, and enter values for the properties before executing the patch_weblogic.sh script.

Set ANT_HOME and JAVA_HOME accordingly.

Create a backup of a $OIM_ORACLE_HOME/server/setup/deploy-files/setup.xml.

In a text editor, open the $OIM_ORACLE_HOME/server/setup/deploy-files/setup.xml file.

If the target for seeding Recon jobs is commented by default, then uncomment the following and have only that target in that file to seed the reconciliation jobs:

== Uncomment this line.

Regards
A Abhinay

    Atul Kumar says January 23, 2013

    @abhinay,
    Did you select LDAP sync during OIM configuration?

abhinay_a says January 23, 2013

@Atul

No, I am going for post-installation configuration of LDAP sync.

    Atul Kumar says January 24, 2013

    @abhinay_a,
    These LDAP sync jobs will come only when you configure LDAPSync.

abhinay_a says February 11, 2013

@Atul

I have seeded the recon jobs into OIM. Provisioning is working fine.
When I execute the scheduled job for recon I get:
[2013-02-10T21:54:54.583+11:00] [oim_server1] [ERROR] [] [oracle.iam.platform.entitymgr.provider.ldap] [tid: OIMQuartzScheduler_Worker-4] [userId: oiminternal] [ecid: 0000Jl74JO7F^6r_GHFg6f1Gxt46000002,1:27814] [APP: oim#11.1.2.0.0] An error occurred while searching the entity in LDAP, and the corresponding error is - {0}[[
javax.naming.NameNotFoundException: [LDAP: error code 32 - LDAP Error 32 : No Such Object]; remaining name 'cn=users,dc=External,dc=randl,dc=com'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3092)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3013)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2820)
at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1829)
at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1752)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:368)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:338)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:321)
at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:248)
at oracle.iam.platform.entitymgr.provider.ldap.LDAPUtil.search(LDAPUtil.java:1091)
at oracle.iam.platform.entitymgr.provider.ldap.LDAPDataProvider.list(LDAPDataProvider.java:2736)
at oracle.iam.ldapsync.scheduletasks.user.LDAPUserFullReconTask.execute(LDAPUserFullReconTask.java:87)
at oracle.iam.scheduler.vo.TaskSupport$1.processWithoutResult(TaskSupport.java:135)
at oracle.iam.platform.tx.OIMTransactionCallbackWithoutResult.process(OIMTransactionCallbackWithoutResult.java:9)
at oracle.iam.platform.tx.OIMTransactionCallback.doInTransaction(OIMTransactionCallback.java:13)
at oracle.iam.platform.tx.OIMTransactionCallback.doInTransaction(OIMTransactionCallback.java:6)
at org.springframework.transaction.support.TransactionTemplate.execute(TransactionTemplate.java:128)
at oracle.iam.platform.tx.OIMTransactionManager.execute(OIMTransactionManager.java:22)
at oracle.iam.scheduler.vo.TaskSupport.executeJob(TaskSupport.java:116)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at oracle.iam.scheduler.impl.quartz.QuartzJob$TaskExecutionAction.run(QuartzJob.java:266)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
at weblogic.security.Security.runAs(Security.java:41)
at Thor.API.Security.LoginHandler.weblogicLoginSession.runAs(weblogicLoginSession.java:52)
at oracle.iam.scheduler.impl.quartz.QuartzJob.execute(QuartzJob.java:75)
at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:529)

    Atul Kumar says February 11, 2013

    @abhinay_a,
    Did you run full recon or incremental recon?

    Did you run full recon before doing incremental recon?

abhinay_a says February 11, 2013

@Atul
I am running full recon:
LDAP User Create and Update Full Reconciliation

sujju says June 5, 2014

Hi Atul,

We see that the password does successfully get changed in LDAP when the administrator changes their password.
When the user tries to log in to OIM, we see that the LDAP BIND is successful, although OIM shows an error "Invalid Credentials".
The user can successfully log in to other applications that use the same LDAP for authentication using the password set by the administrator, confirming the password change in LDAP is successful.

However, after 15-20 mins the user is able to log in to OIM. Why is this 20 min delay happening?

anshuman says November 7, 2014

Hi Atul,

I am getting the below mentioned error while trying to start the OIM Managed Server in version 11.1.1.5.0.

<Login Exception encountered when trying to login as admin {0}
javax.security.auth.login.LoginException: javax.security.auth.login.LoginException: java.lang.SecurityException: [Security:090304]Authentication Failed: User
oiminternal javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User oiminternal denied
at weblogic.security.auth.login.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:199)

The impact of this error is as below:

After LDAP Sync, the scheduler services had run successfully.

Please help me on this.

AjayDBA says October 1, 2015

Hi Atul,

I am new to the IDAM environment and the client which I support has an integrated environment. We have EBS as the master source of truth. A user is created in EBS, then it flows to OID and then to OIM. I would like to know how I can track the user creation and flow from the backend. Which logs will indicate such a successful operation?

Many thanks in advance!!!
Regards,
AjayDBA
