User not synced from OID (LDAP) to OIM (LDAPsync) : Account Locked in OAM is not locked in OIM

When you enable LDAPSync (more on LDAPSync here, here, and here) in OIM 11g (LDAPSync is mandatory to integrate OIM with OAM for SSO), users updated in LDAP (OID) are synced to OIM by the scheduled task “LDAP User Create and Update Reconciliation”.


When a user types the wrong password 5 times on the OAM or OAAM login screen (for the OAAM login flow when integrated with OAM using TAP, click here), the user's account is locked in OAM (more on account lockout here and here) by updating the attributes obLoginTryCount and obLockOutTime. Locking the account in OAM should in turn update the Account Lock/Unlock button in OIM: if you see the Unlock Account button, the account is locked in OIM.


If you see that in OIM the account lock is not working or the user is not synced, check “Last Change Number” for the job “LDAP User Create and Update Reconciliation”. If the value is 999 and it does not change with the next run of the job (the job is scheduled to run every 5 minutes), check the last change log number in LDAP (OID):


  • For steps on how to find the latest change number from OID, click here, then update this number in the scheduled task.
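As an added example (not code from the original post), a small shell check that reads lastchangenumber from an OID root-DSE ldapsearch result and tells you whether the job's Last Change Number is stale or has started moving again. The ldapsearch host, port and bind DN are placeholders, and the ahead-of-changelog verdict (job counter above OID's) is my generalization of the steps above.

```shell
#!/bin/sh
# Added check (not from the original post). Assumes OID's root DSE exposes
# "lastchangenumber" and that the job's "Last Change Number" is read by hand
# from the OIM scheduler page. Host, port and bind DN below are placeholders.

# Read lastchangenumber from root-DSE search output on stdin. Live input:
#   ldapsearch -h OID_HOST -p 3060 -D cn=orcladmin -w PASSWORD \
#     -b "" -s base "(objectclass=*)" lastchangenumber
oid_last_change_number() {
    awk 'tolower($1) == "lastchangenumber:" { print $2; exit }'
}

# Verdict for "LDAP User Create and Update Reconciliation".
#   $1 = job Last Change Number before its last run
#   $2 = job Last Change Number after its last run
#   $3 = OID lastchangenumber
# Prints: caught-up | advancing | stale | ahead-of-changelog | invalid
recon_job_status() {
    before=$1; after=$2; oid=$3
    for v in "$before" "$after" "$oid"; do
        case "$v" in ''|*[!0-9]*) echo "invalid"; return 1 ;; esac
    done
    if [ "$after" -gt "$oid" ]; then
        echo "ahead-of-changelog"   # job counter above OID's: changelog was rebuilt
    elif [ "$after" -eq "$oid" ]; then
        echo "caught-up"            # job has consumed every change
    elif [ "$after" -gt "$before" ]; then
        echo "advancing"            # job is still working through the changelog
    else
        echo "stale"                # stuck (e.g. at 999): set job number to OID's value
    fi
}

# Constructed sample of root-DSE output, as ldapsearch prints it.
SAMPLE_ROOT_DSE='dn:
lastchangenumber: 15342'

# Worked run: job stuck at 999 across two runs while OID is at 15342.
demo() {
    oid=$(printf '%s\n' "$SAMPLE_ROOT_DSE" | oid_last_change_number)
    recon_job_status 999 999 "$oid"
}
```

A "stale" verdict is the situation the post describes: copy OID's lastchangenumber into the job's Last Change Number and let the next 5-minute run pick up the pending lock/unlock changes.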

From now on, every account locked in OAM (via the attribute obLoginTryCount) should also be locked in OIM. When an administrator clicks the Unlock button in OIM, it should unlock the account in OAM (reset obLoginTryCount and obLockOutTime to null in LDAP/OID).


About the Author Masroof Ahmad
