Hi All,
Today I would like to cover how to configure OID-OIM user reconciliation and the issues I faced during reconciliation.
Environment Details:
Oracle Application Server 10.1.3.3, OIM 9.1.0.3 and OID 10.1.4.3 are running on the same box. Recently we imported more than 1L (one lakh, i.e. 100,000) users into OID and then tried to reconcile the user data from OID to OIM.
How to Configure Trusted Source Reconciliation:
First, the target system can be designated as either a trusted source or a target resource. If you designate the target system as a trusted source, then during a reconciliation run:
Configuring trusted source reconciliation involves the following steps:
Note: Only one target system can be designated as a trusted source. If you import the oimUser.xml file while you have another trusted source configured, then both connector reconciliations would stop working. If you want to designate another source as the trusted source, first set the existing task's TrustedSource scheduled task attribute to “false”; OIM will then accept the new trusted source configuration.
2. To import the XML file for trusted source reconciliation:
3. In the message that is displayed, click Import to confirm that you want to import the XML file and then click OK.
Note: Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change. Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value is left empty, reconciliation will not be performed.
4. Configuring the Reconciliation Scheduled Tasks
| Attribute | Description | Default/Sample Value |
|-----------|-------------|----------------------|
| ITResourceName | Name of the IT resource for setting up a connection to Oracle Internet Directory | OID Server |
| ResourceObjectName | Name of the resource object into which users are to be reconciled | OID User |
| XLDeleteUsersAllowed | If this attribute is set to true, then the Delete reconciliation event is started when the scheduled task is run. Users who are deleted from the target system are removed from Oracle Identity Manager. This requires all the users on the target system to be compared with all the users in Oracle Identity Manager. | true or false |
| UserContainer | DN value from where the users are reconciled from the target system to Oracle Identity Manager | cn=users,dc=hostname,dc=com |
| Keystore | Directory path to the Oracle Internet Directory keystore | [None] |
| TrustedSource | Specifies whether or not reconciliation is to be performed in trusted mode | True or False |
| Organization | Default organization of the Xellerate User (OIM User) | Xellerate Users |
| Xellerate Type | Default Xellerate type for the Xellerate User (OIM User) | End-User Administrator |
| Role | Default role for the Xellerate User (OIM User) | Consultant |
| PageSize | This attribute is used for paged reconciliation. During a reconciliation run, the total set of records to be reconciled is divided into pages and the PageSize attribute specifies the number of records that constitute one page. It is recommended that you set a page size between 100 and 1000. | 100 |
5. After you specify values for these scheduled task attributes, enable the scheduled task and run it.
Following are the issues I faced during reconciliation.
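Before enabling the task it is worth checking the attribute map against the rules stated above: no attribute left empty, only one trusted source at a time, Role and Xellerate Type present in their OIM lookups, and PageSize inside the recommended range. The script below is an added example and is not Oracle's or the OID connector's code. The attribute names are the ones in the table; the lookup contents, the lookup name for Xellerate Type, the other_trusted_sources input and the sample task values are assumptions constructed for illustration.

```python
"""Pre-flight check for the OID User reconciliation scheduled task attributes.

Added example, not Oracle's or the OID connector's code. Attribute names come
from the table above; lookup contents and the other_trusted_sources input are
constructed assumptions.
"""

# Every attribute in the table must carry a value (the note above: even one
# empty attribute means reconciliation is not performed). The literal "[None]"
# shown for Keystore counts as a value.
REQUIRED_ATTRIBUTES = (
    "ITResourceName", "ResourceObjectName", "XLDeleteUsersAllowed",
    "UserContainer", "Keystore", "TrustedSource", "Organization",
    "Xellerate Type", "Role", "PageSize",
)

# Constructed stand-ins for the OIM lookups that Role and Xellerate Type are
# validated against. Lookup.Users.Role is named in Issue 1 below; the Xellerate
# Type lookup name is assumed here.
LOOKUP_USERS_ROLE = {"Full-Time", "Part-Time", "Temp", "Intern", "Consultant"}
LOOKUP_USERS_XELLERATE_TYPE = {"End-User", "End-User Administrator"}


def _flag(attrs, name, problems):
    """Return True/False for a true-or-false attribute, None if it is not one."""
    value = str(attrs.get(name, "")).strip().lower()
    if value not in ("true", "false"):
        if value:  # empty values are already reported as missing
            problems.append(f"attribute '{name}' must be true or false, got {attrs[name]!r}")
        return None
    return value == "true"


def validate_recon_task(attrs, other_trusted_sources=()):
    """Check a scheduled task attribute map before the task is enabled.

    attrs: attribute name -> value, as entered in the Design Console.
    other_trusted_sources: resource object names another connector already
        reconciles in trusted mode (assumed input: OIM does not expose this as
        a list, you read it off the other connectors' scheduled tasks).
    Returns a list of problem descriptions; an empty list means go ahead.
    """
    problems = []

    for name in REQUIRED_ATTRIBUTES:
        if str(attrs.get(name, "")).strip() == "":
            problems.append(f"attribute '{name}' has no value")

    trusted = _flag(attrs, "TrustedSource", problems)
    _flag(attrs, "XLDeleteUsersAllowed", problems)

    # Only one trusted source at a time: the other task's TrustedSource must be
    # set to false before this one is switched on.
    if trusted and other_trusted_sources:
        problems.append("TrustedSource is true but another trusted source is "
                        "configured: " + ", ".join(sorted(other_trusted_sources)))

    # A Role that is not in Lookup.Users.Role is what Issue 1 below reports.
    role = str(attrs.get("Role", "")).strip()
    if role and role not in LOOKUP_USERS_ROLE:
        problems.append(f"Role '{role}' does not exist in Lookup.Users.Role")

    xtype = str(attrs.get("Xellerate Type", "")).strip()
    if xtype and xtype not in LOOKUP_USERS_XELLERATE_TYPE:
        problems.append(f"Xellerate Type '{xtype}' does not exist in the Xellerate Type lookup")

    # PageSize: the table recommends 100 to 1000 records per page.
    page_raw = str(attrs.get("PageSize", "")).strip()
    if page_raw:
        if not page_raw.isdigit() or not 100 <= int(page_raw) <= 1000:
            problems.append(f"PageSize '{page_raw}' is not an integer in the "
                            "recommended range 100-1000")

    # UserContainer is a DN; a bare hostname cannot be used as a search base.
    container = str(attrs.get("UserContainer", "")).strip()
    if container and "=" not in container:
        problems.append(f"UserContainer '{container}' is not a DN")

    return problems


# Constructed attribute map matching the defaults in the table above.
SAMPLE_TASK = {
    "ITResourceName": "OID Server",
    "ResourceObjectName": "OID User",
    "XLDeleteUsersAllowed": "false",
    "UserContainer": "cn=users,dc=example,dc=com",
    "Keystore": "[None]",
    "TrustedSource": "true",
    "Organization": "Xellerate Users",
    "Xellerate Type": "End-User Administrator",
    "Role": "Consultant",
    "PageSize": "100",
}

if __name__ == "__main__":
    for problem in validate_recon_task(dict(SAMPLE_TASK, Role="Contractor")):
        print("-", problem)
```

Running the script with a Role that is not in the lookup prints the same condition that Issue 1 below surfaces as a tcUSR error, but before the task is enabled and before a hundred thousand reconciliation events are generated.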
Issue 1:
ERROR,05 Jun 2012 17:00:36,462,[XELLERATE.SERVER],Class/Method: tcUSR/validateRoleAndXellerateType Error :Role value provided by the user doesnot exist in the database.
Cause: The role specified in the scheduled task does not exist in the lookup table (Lookup.Users.Role).
Solution: Correct the Role attribute so that it matches a value in the lookup table.
Issue 2:
ERROR,05 Jun 2012 16:44:16,496,[XL_INTG.OID],tcUtilLDAPOperations: NamingException: Unable to search LDAP[LDAP: error code 53 - Function Not Implemented]
ERROR,05 Jun 2012 16:44:16,496,[XL_INTG.OID],Exception at the end in OID:tcTskOIDUserReconciliation:processChange(): tcUtilLDAPOperations: NamingException : Unable to search LDAP [[LDAP: error code 53 - Function Not Implemented]]
Cause: OIM reconciles only the data modified after the Last Trusted Recon TimeStamp date stored in the OID IT resource. If OIM is unable to search OID using this value, the above error is returned.
Solution: Clear the value of the Last Trusted Recon TimeStamp attribute in the OID IT resource and run reconciliation again.
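To show why clearing Last Trusted Recon TimeStamp turns the next run into a full reconciliation, and how PageSize then splits the result into pages, here is an added Python model of the incremental search. It is not the OID connector's code: the filter shape, the GeneralizedTime format of the stored timestamp, the inetOrgPerson object class and the sample directory entries are assumptions made for illustration.

```python
"""Incremental, paged user pull modelled on the reconciliation behaviour
described above: only entries modified after Last Trusted Recon TimeStamp are
picked up, in pages of PageSize records.

Added example, not the OID connector's code. Filter shape, timestamp format
(LDAP GeneralizedTime, e.g. 20120605164416Z), object class and sample entries
are assumptions.
"""
from datetime import datetime, timezone

GENERALIZED_TIME = "%Y%m%d%H%M%SZ"

# Constructed stand-in for what a subtree search under UserContainer returns:
# (dn, modifyTimestamp).
SAMPLE_ENTRIES = [
    ("cn=alice,cn=users,dc=example,dc=com", "20120601090000Z"),
    ("cn=bob,cn=users,dc=example,dc=com", "20120605100000Z"),
    ("cn=carol,cn=users,dc=example,dc=com", "20120605164500Z"),
    ("cn=dave,cn=users,dc=example,dc=com", "20120606080000Z"),
]


def parse_recon_timestamp(value):
    """Parse a stored Last Trusted Recon TimeStamp.

    Empty -> None, meaning a full reconciliation. A non-empty value that is not
    in GeneralizedTime form raises ValueError: that is the situation Issue 2
    above describes, a stored timestamp the directory search cannot use, and
    the remedy is to clear the attribute in the IT resource, not to guess.
    """
    value = (value or "").strip()
    if not value:
        return None
    try:
        return datetime.strptime(value, GENERALIZED_TIME).replace(tzinfo=timezone.utc)
    except ValueError:
        raise ValueError(
            f"Last Trusted Recon TimeStamp {value!r} is not usable; clear it in "
            "the OID IT resource and run reconciliation again") from None


def build_search_filter(last_recon_ts):
    """LDAP filter for the run: everything, or only entries modified since."""
    since = parse_recon_timestamp(last_recon_ts)
    base = "(objectClass=inetOrgPerson)"
    if since is None:
        return base
    return f"(&{base}(modifyTimestamp>={since.strftime(GENERALIZED_TIME)}))"


def paginate(records, page_size):
    """Split records into pages of page_size entries (the PageSize attribute)."""
    if page_size < 1:
        raise ValueError("PageSize must be at least 1")
    return [records[i:i + page_size] for i in range(0, len(records), page_size)]


def reconcile(entries, last_recon_ts, page_size):
    """Apply the filter locally to the sample entries and page the result.

    Returns (pages, next_timestamp): the DNs to process, page by page, and the
    newest modifyTimestamp seen, which a connector would store back as the next
    Last Trusted Recon TimeStamp (unchanged if nothing was modified).
    """
    since = parse_recon_timestamp(last_recon_ts)
    changed = [(dn, ts) for dn, ts in entries
               if since is None or parse_recon_timestamp(ts) >= since]
    pages = paginate([dn for dn, _ in changed], page_size)
    # GeneralizedTime strings are fixed width, so max() orders them correctly.
    next_ts = max((ts for _, ts in changed), default=last_recon_ts)
    return pages, next_ts


if __name__ == "__main__":
    print(build_search_filter("20120605164416Z"))
    print(reconcile(SAMPLE_ENTRIES, "20120605164416Z", 100))
    print(reconcile(SAMPLE_ENTRIES, "", 3))
    try:
        reconcile(SAMPLE_ENTRIES, "05 Jun 2012 16:44:16", 100)
    except ValueError as err:
        print(err)
```

With the timestamp set, only carol and dave (modified after 16:44:16 on 5 June) come back in a single page; with the timestamp cleared, all four entries are returned and a PageSize of 3 yields two pages. A timestamp the search cannot interpret is refused outright, which is the symptom to look for before clearing the IT resource attribute as in the solution above.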
An Oracle Identity and Access Management professional, having worked on Oracle Access Manager Single Sign-On implementations, installation/configuration of Identity Server, Web Pass, Web Gate, Access Gate, Policy Manager, Access Server, Policy Domains, Authentication/Authorization schemes, Single Sign-On (single and multi-domain), OIM, OVD, OID, OAAM, OIF, High Availability/Failover/SSL deployment.