OID-OIM user reconciliation

Hi All,

 Today I would like to cover how to configure OID-OIM user reconciliation and the issues I faced while running it.

 Environment Details:

Oracle Application Server 10.1.3.3, OIM 9.1.0.3 and OID 10.1.4.3 are running on the same box. We recently imported more than 1 lakh (100,000) users into OID and then tried to reconcile the user data from OID to OIM.

 How to Configure Trusted Source Reconciliation:

The target system can be designated either as a trusted source or as a target resource. If you designate the target system as a trusted source, then during a reconciliation run:

  • For each newly created user on the target system, an OIM User is created.
  • Updates made to each user on the target system are propagated to the corresponding OIM User.

 Configuring trusted source reconciliation involves the following steps: 

  1. Import the XML file for trusted source reconciliation, oimUser.xml, by using the Deployment Manager.

Note: Only one target system can be designated as a trusted source. If you import the oimUser.xml file while another trusted source is already configured, reconciliation stops working for both connectors. If you want to designate a different source as the trusted source, first set the TrustedSource scheduled task attribute of the existing one to "false"; OIM will then accept the new trusted source configuration.

  2. To import the XML file for trusted source reconciliation:

  • Open the OIM Administrative and User Console.
  • Click the Deployment Management link on the left navigation bar.
  • Click the Import link under Deployment Management. A dialog box for opening files is displayed.
  • Locate and open the oimUser.xml file, which is in the OIM_HOME/xellerate/OID/xml directory. Details of this XML file are shown on the File Preview page.
  • Click Add File. The Substitutions page is displayed.
  • Click Next. The Confirmation page is displayed.
  • Click Import.

  3. In the message that is displayed, click Import to confirm that you want to import the XML file, and then click OK.

Note: Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change. Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value is left empty, reconciliation will not be performed.

  4. Configuring the Reconciliation Scheduled Task

  • Open the OIM Administrative and User Console.
  • Expand Resource Management.
  • Select Manage Scheduled Task.
  • Find the OID user reconciliation scheduled task, open it, and edit the attribute values according to your environment:

Scheduled task attributes (description, then default/sample value):

  • ITResourceName: name of the IT resource used to connect to Oracle Internet Directory. Default: OID Server
  • ResourceObjectName: name of the resource object into which users are reconciled. Default: OID User
  • XLDeleteUsersAllowed: if set to true, a Delete reconciliation event is raised when the scheduled task runs, and users deleted from the target system are removed from Oracle Identity Manager. This requires every user on the target system to be compared with every user in Oracle Identity Manager. Value: true or false
  • UserContainer: DN under which users are reconciled from the target system into Oracle Identity Manager. Sample: cn=users,dc=hostname,dc=com
  • Keystore: directory path to the Oracle Internet Directory keystore. Default: [None]
  • TrustedSource: whether reconciliation is performed in trusted mode. Value: True or False
  • Organization: default organization of the Xellerate User (OIM User). Default: Xellerate Users
  • Xellerate Type: default Xellerate type of the Xellerate User (OIM User). Default: End-User Administrator
  • Role: default role of the Xellerate User (OIM User). Default: Consultant
  • PageSize: used for paged reconciliation. During a run the set of records to be reconciled is split into pages, and PageSize is the number of records per page. A value between 100 and 1000 is recommended. Default: 100

  5. After you specify values for these scheduled task attributes, enable the scheduled task and run it.

The following are the issues I faced during reconciliation.

Issue 1:

 ERROR,05 Jun 2012 17:00:36,462,[XELLERATE.SERVER],Class/Method: tcUSR/validateRoleAndXellerateType Error :Role value provided by the user doesnot exist in the database.

 Cause: The role specified in the scheduled task (the Role attribute) does not exist in the Lookup.Users.Role lookup definition.

Solution: Set the Role attribute to a value that exists in Lookup.Users.Role (check the lookup's code keys in the Design Console under Administration, Lookup Definition).

 Issue 2:

 ERROR,05 Jun 2012 16:44:16,496,[XL_INTG.OID],tcUtilLDAPOperations: NamingException: Unable to search LDAP[LDAP: error code 53 - Function Not Implemented]
 ERROR,05 Jun 2012 16:44:16,496,[XL_INTG.OID],Exception at the end in OID:tcTskOIDUserReconciliation:processChange(): tcUtilLDAPOperations: NamingException : Unable to search LDAP [[LDAP: error code 53 - Function Not Implemented]]

 Cause: OIM reconciles only the entries modified after the date stored in the Last Trusted Recon TimeStamp parameter of the OID IT resource. If OID cannot service the search OIM builds from this value, the error above is returned.

Solution: Clear the value of the Last Trusted Recon TimeStamp parameter in the OID IT resource and run the reconciliation again. Note that with the timestamp cleared the next run is a full reconciliation of every user under UserContainer (and, with XLDeleteUsersAllowed set to true, a comparison of all target users against all OIM users), so with 1 lakh users expect a long run and keep PageSize within the recommended range.
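As an added example (not part of the original post, the OID connector or OIM), the following Python script pre-checks the scheduled task attributes from step 4 against the rules given on this page and triages an OIM log for the two errors above. The lookup contents, the attribute dict and the sample log lines are constructed for the example; the modifyTimestamp-based filter is a model of the incremental search the task performs, not the connector's actual filter.

```python
"""Pre-flight checks and log triage for an OID -> OIM trusted-source reconciliation run.

Added example, not part of the OID connector or of OIM. Assumptions: the scheduled task
attributes are available as a dict; the lookup contents below are constructed (read the
real ones from Lookup.Users.Role and Lookup.Users.XellerateType in the Design Console);
the modifyTimestamp filter is a model of the connector's incremental search, not its code.
"""
import re
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Tuple

# LDAP GeneralizedTime as OID stores it in modifyTimestamp, e.g. 20120605170036Z
GENERALIZED_TIME = re.compile(r"^(\d{14})(?:\.\d+)?Z$")

# Constructed lookup contents for the example.
ROLE_LOOKUP = {"Full-Time", "Part-Time", "Consultant", "Contractor"}
XELLERATE_TYPE_LOOKUP = {"End-User", "End-User Administrator"}


def validate_recon_timestamp(ts: Optional[str]) -> Optional[str]:
    """Normalise the IT resource's Last Trusted Recon TimeStamp.

    Empty means no previous run, so the search must cover every user (full
    reconciliation). Anything that is not GeneralizedTime is rejected locally
    instead of being sent to the directory inside a filter.
    """
    ts = (ts or "").strip()
    if not ts:
        return None
    m = GENERALIZED_TIME.match(ts)
    if not m:
        raise ValueError(f"Last Trusted Recon TimeStamp is not GeneralizedTime: {ts!r}")
    datetime.strptime(m.group(1), "%Y%m%d%H%M%S")  # rejects e.g. month 13
    return m.group(1) + "Z"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a value cannot change the structure of the filter."""
    return "".join(
        "\\%02x" % b if b in (0x00, 0x28, 0x29, 0x2A, 0x5C) or b > 0x7E else chr(b)
        for b in value.encode("utf-8")
    )


def build_user_search_filter(last_ts: Optional[str], object_class: str = "inetOrgPerson") -> str:
    """All users when the timestamp is empty, otherwise only entries modified since it."""
    ts = validate_recon_timestamp(last_ts)
    oc = f"(objectClass={escape_filter_value(object_class)})"
    return oc if ts is None else f"(&{oc}(modifyTimestamp>={ts}))"


def check_task_attributes(attrs: Dict[str, str]) -> List[str]:
    """Rules from the page: no empty values, Role and Xellerate Type must exist in
    their lookups (Issue 1), TrustedSource boolean, PageSize within 100..1000."""
    problems = []
    for name, value in attrs.items():
        if value is None or str(value).strip() == "":
            problems.append(f"{name}: empty value, reconciliation will not run")
    if str(attrs.get("TrustedSource", "")).lower() not in ("true", "false"):
        problems.append("TrustedSource: must be true or false")
    if attrs.get("Role") not in ROLE_LOOKUP:
        problems.append(f"Role: {attrs.get('Role')!r} not in Lookup.Users.Role")
    if attrs.get("Xellerate Type") not in XELLERATE_TYPE_LOOKUP:
        problems.append(f"Xellerate Type: {attrs.get('Xellerate Type')!r} not in Lookup.Users.XellerateType")
    try:
        page = int(attrs.get("PageSize", 0))
    except (TypeError, ValueError):
        page = 0
    if not 100 <= page <= 1000:
        problems.append("PageSize: recommended range is 100 to 1000")
    return problems


# Known error signatures from this page, each mapped to its cause.
SIGNATURES = [
    (re.compile(r"validateRoleAndXellerateType.*Role value provided by the user doesnot exist"),
     "Issue 1: Role attribute is not a code key of Lookup.Users.Role"),
    (re.compile(r"\[LDAP: error code 53 - Function Not Implemented\]"),
     "Issue 2: OID rejected the search built from Last Trusted Recon TimeStamp; "
     "clear the IT resource parameter and rerun (full reconciliation)"),
]


def triage_log(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line number, cause) for the first line matching each known signature."""
    hits, seen = [], set()
    for n, line in enumerate(lines, 1):
        for pattern, cause in SIGNATURES:
            if cause not in seen and pattern.search(line):
                seen.add(cause)
                hits.append((n, cause))
    return hits


# Constructed sample log: the three lines quoted on this page.
SAMPLE_LOG = [
    "ERROR,05 Jun 2012 17:00:36,462,[XELLERATE.SERVER],Class/Method: tcUSR/validateRoleAndXellerateType Error :Role value provided by the user doesnot exist in the database.",
    "ERROR,05 Jun 2012 16:44:16,496,[XL_INTG.OID],tcUtilLDAPOperations: NamingException: Unable to search LDAP[LDAP: error code 53 - Function Not Implemented]",
    "ERROR,05 Jun 2012 16:44:16,496,[XL_INTG.OID],Exception at the end in OID:tcTskOIDUserReconciliation:processChange(): tcUtilLDAPOperations: NamingException : Unable to search LDAP [[LDAP: error code 53 - Function Not Implemented]]",
]

if __name__ == "__main__":
    task = {"ITResourceName": "OID Server", "ResourceObjectName": "OID User",
            "XLDeleteUsersAllowed": "false", "UserContainer": "cn=users,dc=example,dc=com",
            "Keystore": "[None]", "TrustedSource": "True", "Organization": "Xellerate Users",
            "Xellerate Type": "End-User Administrator", "Role": "Consultants", "PageSize": "100"}
    for problem in check_task_attributes(task):
        print("pre-flight:", problem)
    print("search filter after clearing the timestamp:", build_user_search_filter(""))
    for n, cause in triage_log(SAMPLE_LOG):
        print(f"log line {n}: {cause}")
```

Run it before clearing Last Trusted Recon TimeStamp: an empty timestamp yields the bare objectClass filter, which is the full reconciliation the solution to Issue 2 triggers, and a Role typo such as "Consultants" is caught before it shows up as Issue 1 in the server log.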

About the Author: sarath

An Oracle Identity and Access Management professional, having worked on Oracle Access Manager Single Sign-On implementations, installation/configuration of Identity Server, Web Pass, Web Gate, Access Gate, Policy Manager, Access Server, Policy Domains, authentication/authorization schemes, Single Sign-On (single and multi-domain), OIM, OVD, OID, OAAM, OIF, and High Availability/Failover/SSL deployment.

5 comments
Priya says August 30, 2013

I am trying to integrate OIM with OID but got stuck with the following error.

I wonder if you could kindly comment on it. I appreciate the response.

While running the OID Connector Group Lookup Reconciliation task I am getting this error:
org.identityconnectors.framework.common.exceptions.ConfigurationException: Bundle oimjar://local:0ldapbp.jar is missing required attribute ‘ConnectorBundle-FrameworkVersion’.

I've done the pre- and post-installation tasks of the connector software (OID-11.1.1.6.0.zip) without any issue.

Here are the IT resource details and parameters that I configured.

Parameter: Value
Configuration Lookup: Lookup.OID.Configuration
Connector Server Name: (blank)
baseContexts: "dc=oracle,dc=com"
credentials: ********
failover: (blank)
host: idm.oracle.com
port: 3060
principal: cn=orcladmin
ssl: false

I also extracted ldap.jar and ldapbp.jar from the lib directory of ldap-1_2_4.zip, copied these two jar files to the $OIM_ORACLE_HOME/server/ThirdParty directory, and ran PurgeCache.sh all without any issue.

Also, there is no issue with the OID server, as ldapbind is successful.

Could you tell me what I am missing here?

Thanks
Priya

Arunkumar R says September 29, 2014

Hi Priya,

This issue will be because of the Manifest file present in the jar file.

If you downloaded the jar, then exploded the jar to add some files and then made the jar file again, the Manifest file will get overridden.

While creating a jar file it will overwrite the existing Manifest file and add a new one.

What is the command you are using for creating the jar file ?

Please use following command to create a jar file:

jar cmf existing-manifest jar-file input-file(s)

Also you can refer the following link for more information:

http://docs.oracle.com/javase/tutorial/deployment/jar/build.html

Let me know if you have any queries.

Regards,
Arunkumar R

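To check the point made in the reply above about the manifest, here is an added example (not the commenter's code and not Oracle's) that reads META-INF/MANIFEST.MF from a jar and reports which of the attributes the ICF bundle loader requires (ConnectorBundle-FrameworkVersion, ConnectorBundle-Name, ConnectorBundle-Version) are missing. The two jars it inspects are built in memory as constructed fixtures; the attribute values in the "shipped" manifest are illustrative, not copied from a real bundle.

```python
"""Report the ICF bundle manifest attributes missing from a connector jar.

Added example; not the commenter's or Oracle's code. A jar repacked with a plain
`jar cf` (no `m` and no existing manifest) gets a freshly generated MANIFEST.MF,
which is how the ConnectorBundle-* attributes go missing.
"""
import io
import zipfile
from typing import Dict, List, Optional

# Attributes the ICF bundle loader requires in the jar's main manifest section.
REQUIRED_BUNDLE_ATTRS = (
    "ConnectorBundle-FrameworkVersion",
    "ConnectorBundle-Name",
    "ConnectorBundle-Version",
)


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse the main section of a JAR manifest.

    Per the JAR specification a line starting with one space continues the previous
    value, and the first blank line ends the main section (per-entry sections follow).
    """
    attrs: Dict[str, str] = {}
    last: Optional[str] = None
    for line in text.splitlines():
        if line == "":
            break
        if line.startswith(" ") and last is not None:
            attrs[last] += line[1:]
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # malformed line; skip rather than guess
        last = name.strip()
        attrs[last] = value.strip()
    return attrs


def read_manifest(jar_bytes: bytes) -> Dict[str, str]:
    """Return the main manifest attributes of a jar, or {} if it has no manifest."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        try:
            data = zf.read("META-INF/MANIFEST.MF")
        except KeyError:
            return {}
    return parse_manifest(data.decode("utf-8"))


def missing_bundle_attrs(jar_bytes: bytes) -> List[str]:
    """List the required ICF bundle attributes that are absent or empty."""
    attrs = read_manifest(jar_bytes)
    return [a for a in REQUIRED_BUNDLE_ATTRS if not attrs.get(a)]


def make_jar(manifest_text: Optional[str]) -> bytes:
    """Build a minimal jar in memory (constructed fixture, not a real connector bundle)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        if manifest_text is not None:
            zf.writestr("META-INF/MANIFEST.MF", manifest_text)
        zf.writestr("org/example/Placeholder.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


# Constructed manifests: one as a bundle ships, one as `jar cf` regenerates it.
BUNDLE_MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "ConnectorBundle-FrameworkVersion: 1.1\r\n"
    "ConnectorBundle-Name: org.identityconnectors.ldap\r\n"
    "ConnectorBundle-Version: 1.0.5\r\n"
    "\r\n"
    "Name: org/identityconnectors/ldap/\r\n"
    "SHA1-Digest: 2jmj7l5rSw0yVb/vlWAYkK/YBwk=\r\n"
)
REPACKED_MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "Created-By: 1.6.0_31 (Sun Microsystems Inc.)\r\n"
)

if __name__ == "__main__":
    for label, jar in (("shipped bundle", make_jar(BUNDLE_MANIFEST)),
                       ("repacked with jar cf", make_jar(REPACKED_MANIFEST))):
        missing = missing_bundle_attrs(jar)
        print(f"{label}: {'ok' if not missing else 'missing ' + ', '.join(missing)}")
```

Point read_manifest at the bytes of the jar OIM complains about; if the list is non-empty, rebuild the jar with the original manifest using the `jar cmf` form given in the reply.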
Priya says October 6, 2014

Hi Arun,

Thanks for the response, but it's over a year late.
Never mind!

Would you mind suggesting how to implement SoD (Segregation of Duties) with OIM 11g R2 integration with EBS R12, like installing the UM & ER connectors?
I can install the ER & UM connectors, but I am not able to understand how to fully implement SoD with OIM integration with EBS & AD.

Any doc explaining it objectively in a bit more detail would be of great help.

I would be waiting to get enlightened by you on it.

Thanks
Priya

Arunkumar R says October 7, 2014

Hi Priya,

Have you gone through the following document?

http://docs.oracle.com/cd/E40329_01/dev.1112/e27150/segduties.htm#CIHBFEHB

Configuring the SoD Engine

[http://docs.oracle.com/cd/E40329_01/dev.1112/e27150/segduties.htm#CIHBGIIE]

22.5.1 Configuring Oracle Application Access Controls Governor

[http://docs.oracle.com/cd/E40329_01/dev.1112/e27150/segduties.htm#CIHIDCIF]

22.5.2 Configuring SAP GRC

[http://docs.oracle.com/cd/E40329_01/dev.1112/e27150/segduties.htm#CIHBABCE]

Regards
Arunkumar R

cbsingh says July 24, 2015

I have installed OUD and when running the "LDAP Connector OU Lookup Reconciliation" task I got the error message below:
Failed: Error Message cannot be retrieved.

Please help: why am I getting this issue?

