If you wish to synchronize users' passwords from Microsoft Active Directory (AD) to Oracle Identity Manager (OIM), you must install the Microsoft Active Directory Password Synchronization connector.

This post covers things you must know regarding the Microsoft Active Directory Password Synchronization connector.

  • For connector basics (Resources, Reconciliation, and Provisioning) click here
  • For more information on the types of connectors, Java vs .NET (dot net), click here
  • For OIM connectors for Microsoft (Active Directory, Exchange, and Windows) click here
  • For OIM-OID connector architecture click here
  • For OIM-Oracle eBusiness Suite connector click here
  • For the latest version of MS-AD Password Sync and its patch click here
Things you must know for Microsoft Active Directory Password Synchronization connector
  1. For the Microsoft Active Directory Password Synchronization connector, the Microsoft Active Directory User Management (UM) connector is a prerequisite (you must first install the Microsoft Active Directory User Management connector).
  2. The Microsoft Active Directory User Management connector's latest version (as of Sep 2012) is 11.1.1.5, whereas the Microsoft Active Directory Password Synchronization connector's latest version (as of Sep 2012) is 9.1.1.5.
  3. You can configure OIM 11g with Microsoft Active Directory User Management (MS-UM) 11.1.1.5 and Microsoft Active Directory Password Synchronization 9.1.1.5.
  4. The Microsoft Active Directory Password Synchronization connector must be installed on the Windows Active Directory Domain Controller machine.
  5. If the AD domain controller role is running on multiple machines (for high availability/resilience), you must install the password synchronization connector on each domain controller machine.
  6. MS-AD Password Synchronization connector configuration is stored in the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\oimpwdsync
  7. For Active Directory related configuration: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\oimpwdsync\ADConfig
  8. ADPersistentStore is an OU in Active Directory that stores data for users whose password can't be synced from AD to OIM for various reasons (OIM not available, user not present in OIM, etc.).
  9. Change the value of Log from N to Y if you wish to enable logging in password synchronization (by default logging is disabled).
  10. LogPath is the directory in which the logs are written (to enable logging, set the value of Log to Y).
  11. For OIM related configuration: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\oimpwdsync\OIMConfig
  12. OIMhost is the hostname where the OIM managed server is running (for high availability use the load balancer name here).
  13. OIMPort is the port on which the OIM managed server is listening (for high availability use the port number on which the load balancer is configured).
  14. To disable the Password Synchronization connector, set the value of Disabled to 1 (0 means password synchronization is enabled).
  15. To enable logging for OIM related events, set the value of the parameter OIMLog to Y; you will then see the file [TIME_STAMP]OIMMain.log
  16. AD communicates with the OIM server via SPML Web Service (WS) SOAP requests over HTTP(S), e.g. http(s)://OIMHost:OIMPort/spmlws/OIMProvisioning for OIM on WebLogic Server (make sure the SPML-DSML application is deployed on the OIM managed server and is in ACTIVE state).
  17. In [TIME_STAMP]OIMMain.log you should see calls like:
    Debug [2/20/2002 12:54:42 AM] The SOAP start element is 
    Debug [2/20/2002 12:54:42 AM] <processRequest xmlns=""><sOAPElement>
    Debug [2/20/2002 12:54:42 AM] The SOAP end element is 
    Debug [2/20/2002 12:54:42 AM] </sOAPElement></processRequest>
    Debug [2/20/2002 12:54:42 AM] The path is 
    Debug [2/20/2002 12:54:42 AM] /spmlws/OIMProvisioning
    Debug [2/20/2002 4:54:53 PM] <env:Envelope xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><env:Header/><env:Body env:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><m:processRequestResponse xmlns:m="http://xmlns.oracle.com/OIM/provisioning"><setPasswordResponse xmlns="urn:oasis:names:tc:SPML:2:0:password"></setPasswordResponse></m:processRequestResponse></env:Body></env:Envelope>
  18. For connector installer related configuration: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\oimpwdsync\Install
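The registry keys and values above are what an administrator checks first when passwords stop flowing from AD to OIM. The PowerShell script below is an added example for this post, not code from Oracle or from the connector: run on a domain controller, it reads the oimpwdsync\ADConfig and oimpwdsync\OIMConfig keys, reports whether synchronization and logging are switched on, builds the SPML URL from OIMhost and OIMPort, and tests that the /spmlws/OIMProvisioning endpoint answers. It assumes the value names listed in items 8-15 (Disabled, Log, LogPath, OIMLog, OIMhost, OIMPort, ADPersistentStore) sit under those two subkeys as the post groups them; the -UseHttps switch is a hypothetical parameter of this script, not a connector setting.

```powershell
# Added example (not from the original post or the Oracle connector): read the
# MS-AD Password Sync connector's registry configuration on a domain controller
# and sanity-check the OIM SPML endpoint it will call.
# Assumptions: the value names Disabled, Log, LogPath, OIMLog, OIMhost, OIMPort
# and ADPersistentStore live under the ADConfig / OIMConfig subkeys the post
# lists; -UseHttps is a hypothetical switch of this script only.
param([switch]$UseHttps)

$base      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\oimpwdsync'
$adConfig  = Join-Path $base 'ADConfig'
$oimConfig = Join-Path $base 'OIMConfig'

foreach ($key in $base, $adConfig, $oimConfig) {
    if (-not (Test-Path $key)) { Write-Error "Missing registry key: $key"; exit 1 }
}

$ad  = Get-ItemProperty -Path $adConfig
$oim = Get-ItemProperty -Path $oimConfig

# Report the switches that decide whether anything is synced or logged at all.
$disabled = [int]$oim.Disabled
Write-Host ("Password sync : " + $(if ($disabled -eq 1) { 'DISABLED (Disabled=1)' } else { 'enabled (Disabled=0)' }))
Write-Host ("AD logging    : Log={0} LogPath={1}" -f $ad.Log, $ad.LogPath)
Write-Host ("OIM logging   : OIMLog={0}" -f $oim.OIMLog)
Write-Host ("Persistent OU : {0}" -f $ad.ADPersistentStore)

# Build the SPML URL exactly as the post describes it (item 16).
$scheme = if ($UseHttps) { 'https' } else { 'http' }
$url = '{0}://{1}:{2}/spmlws/OIMProvisioning' -f $scheme, $oim.OIMhost, $oim.OIMPort
Write-Host "SPML endpoint : $url"
if ($scheme -eq 'http') {
    Write-Warning 'Endpoint is plain HTTP: password values travel to OIM unencrypted.'
}

# TCP check first (works on PowerShell 2.0, common on older domain controllers).
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($oim.OIMhost, [int]$oim.OIMPort)
    Write-Host "TCP connect   : ok"
} catch {
    Write-Error "TCP connect to $($oim.OIMhost):$($oim.OIMPort) failed: $($_.Exception.Message)"
    exit 2
} finally {
    $tcp.Close()
}

# Then an HTTP GET. A deployed SPML-DSML application answers with some HTTP
# status (200 or 405 are both fine); 404 means it is not deployed at that path.
try {
    $req = [System.Net.WebRequest]::Create($url)
    $req.Method  = 'GET'
    $req.Timeout = 10000
    $resp = $req.GetResponse()
    Write-Host ("HTTP status   : {0} (endpoint present)" -f [int]$resp.StatusCode)
    $resp.Close()
} catch [System.Net.WebException] {
    if ($_.Exception.Response) {
        $code = [int]$_.Exception.Response.StatusCode
        if ($code -eq 404) {
            Write-Error "SPML-DSML application not found at $url (HTTP 404); check it is deployed and ACTIVE."
        } else {
            Write-Host "HTTP status   : $code (endpoint present)"
        }
    } else {
        Write-Error "HTTP request failed: $($_.Exception.Message)"
    }
}
```

Run it as an administrator on each domain controller that carries the connector (item 5), since every controller has its own copy of these keys; when the managed servers sit behind a load balancer, OIMhost and OIMPort should already name the balancer (items 12 and 13), so the check exercises the same path the connector uses.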


More on Microsoft Active Directory (AD) to Oracle Identity Manager (OIM) Password Synchronization: Things you must know in Part II

Share any tips or key points related to OIM's Microsoft Active Directory Password Synchronization by leaving a comment.