User not synced from OID (LDAP) to OIM (LDAPsync) : Account Locked in OAM is not locked in OIM

When you enable LDAPSync (more on LDAPSync here, here, and here) in OIM 11g (LDAPSync is mandatory to integrate OIM with OAM for SSO), users created or updated in LDAP (OID) are synced to OIM by the scheduled task “LDAP User Create and Update Reconciliation”.


When a user enters a wrong password 5 times on the OAM or OAAM login screen (for the OAAM login flow when integrated with OAM using TAP, click here), the user's account is locked in OAM (more on account lockout here and here) by updating the attributes obLoginTryCount and obLockOutTime on the user's LDAP entry. Locking the account in OAM should in turn update the Account Lock/Unlock button for that user in OIM: if you see an Unlock Account button, the account is locked in OIM.

 

If you find that account lock is not reflected in OIM, or that users are not synced at all, check the “Last Change Number” parameter of the job “LDAP User Create and Update Reconciliation”. If it shows a value such as 999 and that value does not change on the next run of the job (the job is scheduled to run every 5 minutes), compare it with the last change log number in LDAP (OID):

 

  • For steps on how to find the latest change number from OID, click here; then update the job's “Last Change Number” to that value in the scheduled task.

 

From then on, every account locked in OAM (via the attribute obLoginTryCount) should also be locked in OIM, and when an administrator clicks the Unlock button in OIM it should unlock the account in OAM (resetting obLoginTryCount and obLockOutTime to null in LDAP/OID).
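As an added example (not code from the original post or from Oracle), the two checks described above as one small Python script: it reads constructed LDIF for the OID root DSE and for a user locked by OAM, derives what OIM's Account Lock/Unlock button should show from obLoginTryCount/obLockOutTime, and compares the job's “Last Change Number” against OID's change log to decide whether the job is stuck. The root DSE attribute name lastchangenumber, the “Lock Account” label for an unlocked user, and all sample values are assumptions.

```python
"""Diagnose the two symptoms in this post: an OAM-locked user whose lock
does not show in OIM, and an LDAPSync job whose "Last Change Number" is
stuck behind OID's change log.

This is an added example, not code from the original post or from Oracle.
Assumptions: OID publishes its change log high-water mark as the root DSE
attribute 'lastchangenumber', and OAM records lockout in the user's
'obLoginTryCount' / 'obLockOutTime' attributes (as the post describes).
Both LDIF samples below are constructed, not captured from a real server.
"""
import json

# Constructed: what a base-scope search of the OID root DSE for
# 'lastchangenumber' would return (attribute name is an assumption).
ROOT_DSE_LDIF = """\
dn:
lastchangenumber: 1432
"""

# Constructed: a user entry after five failed OAM logins.
USER_LDIF = """\
dn: cn=jdoe,cn=Users,dc=example,dc=com
cn: jdoe
obLoginTryCount: 5
obLockOutTime: 1355913600
"""

MAX_LOGIN_TRIES = 5  # OAM lockout threshold used in the post


def parse_ldif_entry(ldif: str) -> dict:
    """Minimal LDIF reader for one entry: {attribute_lowercase: [values]}.
    Does not handle base64 ('::') values or folded continuation lines."""
    entry = {}
    for raw in ldif.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        attr, _, value = raw.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def oam_lock_state(entry: dict) -> dict:
    """What OIM's Account Lock/Unlock button should show for this entry.
    OAM unlock clears both attributes, so a populated obLockOutTime (or a
    try count at the threshold) means the account is locked.
    The 'Lock Account' label for the unlocked case is an assumption."""
    tries = int(entry.get("oblogintrycount", ["0"])[0] or 0)
    lockout_time = entry.get("oblockouttime", [""])[0]
    locked = bool(lockout_time) or tries >= MAX_LOGIN_TRIES
    return {
        "locked": locked,
        "login_try_count": tries,
        "lockout_time": lockout_time or None,
        "expected_oim_button": "Unlock Account" if locked else "Lock Account",
    }


def recon_job_status(job_last_change_number: int, root_dse: dict,
                     runs_unchanged: int = 0) -> dict:
    """Compare the job's 'Last Change Number' with OID's change log.
    runs_unchanged: how many consecutive 5-minute runs left the job's value
    untouched; two or more while a backlog exists means the job is stuck."""
    oid_last = int(root_dse["lastchangenumber"][0])
    backlog = oid_last - job_last_change_number
    if backlog < 0:
        verdict = "job is ahead of OID; change log was purged or OID restored"
    elif backlog == 0:
        verdict = "in sync"
    elif runs_unchanged >= 2:
        verdict = ("stuck; set the job's Last Change Number to %d and rerun"
                   % oid_last)
    else:
        verdict = "catching up; check again after the next run"
    return {
        "oid_last_change_number": oid_last,
        "job_last_change_number": job_last_change_number,
        "backlog": backlog,
        "verdict": verdict,
    }


def diagnose(job_last_change_number: int, runs_unchanged: int = 0) -> dict:
    """Run both checks over the constructed sample data."""
    return {
        "user": oam_lock_state(parse_ldif_entry(USER_LDIF)),
        "recon_job": recon_job_status(job_last_change_number,
                                      parse_ldif_entry(ROOT_DSE_LDIF),
                                      runs_unchanged),
    }


if __name__ == "__main__":
    # Job shows 999 and has not moved for two runs while OID is at 1432.
    print(json.dumps(diagnose(999, runs_unchanged=2), indent=2))
```

On a live system you would replace the two constructed LDIF strings with the output of a base-scope ldapsearch against the OID root DSE for lastchangenumber and a search for the user's ob* attributes (exact command syntax depends on your OID version and is not shown here). A backlog that does not shrink across two consecutive 5-minute runs is the situation the post describes, and the remedy is the one given above: set the job's Last Change Number to OID's current value and let the job run again.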

 

About the Author Atul Kumar

Oracle ACE, Author, Speaker and Founder of K21 Technologies & K21 Academy : Specialising in Design, Implement, and Trainings.


3 comments
begr says December 19, 2012

Hi!
As I read the manuals, a stand-alone OIM allows a user (by means of self-service) to unlock an account (locked because of too many failed login attempts) by answering the KBAs.
But that is not true when integrating OIM/OAM/OAAM?
They have to call the support?

    Atul Kumar says December 19, 2012

    @ Begr,
    If OIM/OAM/OAAM is integrated properly and the user is locked by 5 failed attempts, then the user can reset the password (and unlock the locked account) by clicking the forgot password link on the OAAM login page (this is the second page in the OAAM login, after the username). OAAM will prompt for the answer to a challenge question, and if the user answers correctly then it will reset the password and unlock the account.

    If this doesn’t work for you then look into the OAAM and OIM logs and raise an SR with Oracle.

    Atul

Irfan Ahmed says May 2, 2017

Hi Atul,

I am facing a similar issue. After 5 incorrect login attempts the account gets locked in OUD but does not get synced with OIM; the change log number is not getting updated in the reconciliation job. I see a much higher change number in OUD. Restarting OUD resolves the issue, but this happened in PROD; any advice on how to find the root cause will be helpful.
