Part VIII (Optional) Configure LDAP Sync with OIM 11g (OIM 11g Integration with OVD/OID)

This is part VIII of the step-by-step installation of Oracle Identity Management (OAM, OIM, OAAM, OAPM & OIN), which covers configuring LDAP Sync with OIM 11g.

LDAP Sync with OIM 11g: OIM syncs users to LDAP (OID in this case). OIM LDAP Synchronization uses OVD/OID to synchronize users from OIM to OID. LDAP Sync is mandatory for integration of Oracle Identity Manager (OIM) with Oracle Access Manager (OAM).

  • For Part I Download Software and create Schema click here
  • For Part II Install WebLogic Server 10.3.3 click here
  • For Part III Install SOA Server and Upgrade to 11.1.1.3 click here
  • For Part IV Install IDAM 11.1.1.3 click here
  • For Part V Create Domain for OIM, OAM, OAAM, OAPM & OIN click here
  • For Part VI Configure Identity Manager click here
  • For Part VII Configure OIM Design Console click here

Requirement: OIM (11g R1) LDAP Sync requires Oracle Virtual Directory (OVD) and Oracle Internet Directory (OID). (In this release of OIM, LDAP sync is limited to OID server.)

What happens when you configure LDAP Sync in OIM 11g? The configuration process creates schema (objectclass) in OID for OIM & OAM. It also creates an IT Resource in OIM, which automatically synchronizes users to OID when you create/modify/delete a user in OIM.

High Level steps for LDAP Sync configuration with OIM

1. Run LDAP Pre Configuration Setup (on OIM Server)
2. Create two adapters in OVD (on OVD via ODSM)
3. Run LDAP Post Configuration Setup (on OIM Server)

OIM LDAP Sync configuration

1. Run LDAP Preconfiguration Utility

1.1 Edit $OIM_ORACLE_HOME/server/ldap_config_util/ldapconfig.props and add OIMProviderURL, OIDURL, OIDAdminUsername, OIDSearchBase, UserContainerName, RoleContainerName, ReservationContainerName

ReservationContainerName is the container in OID that holds users who have been created but not yet approved in OIM (once they are approved, they are moved to the container represented by UserContainerName).

1.2 Set WL_HOME & JAVA_HOME

1.3 Run $ORACLE_HOME/server/ldap_config_util/LDAPConfigPreSetup.sh (when prompted enter password of orcladmin)

The above command will:
a) Extend the OID schema using
i) oimadminuser.ldif, oimcontainers.ldif from $ORACLE_HOME/server/ldap_config_util
ii) OID_oblix_schema_add.ldif, OID_oblix_schema_index_add.ldif, OID_oblix_pwd_schema_add.ldif from $ORACLE_HOME/oam/server/oim-intg/schema/ (the Oblix schema extension is required for OIM integration with OAM)

b) Create user oimadmin under cn=oim,cn=products,cn=oracleContext
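A pre-flight check for steps 1.1 and 1.2, to run before LDAPConfigPreSetup.sh. This is an added example, not part of the original post or of Oracle's tooling: the function names and the format of the sample values (t3://, ldap://, cn=Users and so on) are assumptions, while the key names, host, port and realm are the ones used in this post.

```shell
#!/bin/sh
# Added example: verify ldapconfig.props and the environment before step 1.3.

# Keys that step 1.1 says must be present in ldapconfig.props.
REQUIRED_KEYS="OIMProviderURL OIDURL OIDAdminUsername OIDSearchBase UserContainerName RoleContainerName ReservationContainerName"

# prop_value FILE KEY
# Print the value of KEY from a Java-style properties file. Handles
# "key=value" and "key : value", skips # and ! comment lines, strips a
# trailing CR, and lets the last definition of a key win.
prop_value() {
    awk -v key="$2" '
        /^[ \t]*[#!]/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            pos = match(line, /[ \t]*[=:][ \t]*/)   # first separator only
            if (pos == 0) next
            k = substr(line, 1, pos - 1)
            v = substr(line, pos + RLENGTH)
            sub(/[ \t\r]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }
    ' "$1"
}

# missing_props FILE
# Print the required keys that are absent or empty, space separated.
missing_props() {
    missing=""
    for key in $REQUIRED_KEYS; do
        if [ -z "$(prop_value "$1" "$key")" ]; then
            missing="${missing:+$missing }$key"
        fi
    done
    printf '%s\n' "$missing"
}

# preflight FILE
# Return 0 only if WL_HOME and JAVA_HOME point at directories (step 1.2)
# and every required key has a value (step 1.1).
preflight() {
    props=$1
    rc=0
    for var in WL_HOME JAVA_HOME; do
        eval "dir=\${$var:-}"
        if [ -z "$dir" ] || [ ! -d "$dir" ]; then
            echo "step 1.2: $var is unset or not a directory" >&2
            rc=1
        fi
    done
    if [ ! -r "$props" ]; then
        echo "step 1.1: cannot read $props" >&2
        return 1
    fi
    absent=$(missing_props "$props")
    if [ -n "$absent" ]; then
        echo "step 1.1: missing or empty in $props: $absent" >&2
        rc=1
    fi
    return $rc
}

# Demo on a constructed sample; ReservationContainerName is left empty on purpose.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# ldapconfig.props (constructed sample, value formats assumed)
OIMProviderURL=t3://oimserver:14000
OIDURL=ldap://192.168.1.75:3060
OIDAdminUsername=cn=orcladmin
OIDSearchBase=dc=com
UserContainerName=cn=Users
RoleContainerName=cn=Groups
ReservationContainerName=
EOF
preflight "$sample" || echo "fix the items above before running LDAPConfigPreSetup.sh"
rm -f "$sample"
```

On a real system, call `preflight "$OIM_ORACLE_HOME/server/ldap_config_util/ldapconfig.props"` in the same shell session that will run LDAPConfigPreSetup.sh, so the environment variables being checked are the ones the script will see.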

____________

2. Create two LDAP adapters in OVD

To know more about adapters in OVD click here

2.2 Create adapter of type user_OID

2.2.1 Login to ODSM to connect to OVD (If you have installed OVD with default settings then use SSL port 8899 for OVD). More on ODSM here
2.2.2 Select Adapter tab in ODSM
2.2.3 Click Create Adapter button
2.2.4 In new Adapter Wizard select
Adapter Type : LDAP
Adapter Name : userOID
Adapter Template : user_OID

Add OID details under connection details (3060 is the OID port and 192.168.1.75 is the OID server IP)

Naming Space : dc=com (the realm name, aka OID domain, is com in my case; change this as per your OID settings)

2.3 Create Adapter of type changelog_OID
2.3.1 Select Adapter tab in ODSM
2.3.2 Click Create Adapter button


2.3 Change plug-in value (oamEnabled) of userOID adapter from false to true

2.3.1 From ODSM login to OVD -> Select Adapter -> select userOID -> Select tab Plug-ins -> Select UserManagement -> Select Edit Plug-in/Mapping -> Change value of oamEnabled from false to true -> click OK -> Click Apply

2.4 Add/Modify plug-in parameter for changelogOID adapter

2.4.1 From ODSM login to OVD -> Select Adapter -> select changelogOID -> Select tab Plug-ins -> Select UserManagement -> Select Edit Plug-in/Mapping -> Change/Add value of parameter as shown below -> click OK -> Click Apply

directoryType – oid
mapAttribute – targetGUID=orclGUID
requiredAttribute – orclGUID
addAttribute – orclContainerOC,changelogSupported=1
modifierDNFilter – cn=oimadmin,cn=users,cn=OIM,cn=Products,cn=OracleContext
sizeLimit – 1000
targetDNFilter – dc=com   (Change this value as per your OID realm/domain)
mapUserState – true
oamEnabled – true

___________
3. Configure OIM for LDAP Synch
3.1 Run $ORACLE_HOME/bin/config.sh
3.2 Select OIM Server, follow post here  with exception of step 6 of 9

6501 is OVD’s non-SSL LDAP port.

The realm/domain for OID in my case is dc=com (change this value as per your OID realm).
_________________

4. Run LDAP Post-Configuration Utility

4.1 Set WL_HOME & JAVA_HOME
4.2 Run $ORACLE_HOME/server/ldap_config_util/LDAPConfigPostSetup.sh (when prompted enter password of orcladmin & OIM Administrator i.e. XELSYSADM – OIM Managed Server oim_server1 should be running)

You should see message like “Succesfully Update Changelog based schedule jobs with change number : XXXX”
________________

5. Test LDAP Sync configuration
5.1 Login to OIM Administration Console (http://oimserver:14000/oim) and create a user
5.2 Login to OID via ODSM and check if this user is synchronized to OID

I encountered two issues while running LDAPConfigPostSetup.sh

Error 1 :

____________
javax.security.auth.login.LoginException: unable to find LoginModule class: weblogic.security.auth.login.UsernamePasswordLoginModule
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:808)
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java
_____________

Fix 1 : Create wlfullclient.jar. More information here

Error 2:
__________
java.lang.NullPointerException
at oracle.iam.platformservice.utils.LDAPConfigPostSetup.updateLDAPSyncScheduleJobs(LDAPConfigPostSetup.java:168)
at oracle.iam.platformservice.utils.LDAPConfigPostSetup.main(LDAPConfigPostSetup.java:95)
__________

Fix 2 : Make sure that OIM is configured with LDAP Sync option (Follow step 3) before running LDAPConfigPostSetup.sh


About the Author Masroof Ahmad

128 comments
Kishore Rout says January 4, 2011

Hi Atul,
During the OIM configuration step using the above procedure I got an error (LDAP Error-21, for attribute userPassword has no value-uid:xelsysadm). Do you have any idea about this error?

Reply
Atul Kumar says January 4, 2011

@ Kishore,
At which stage in the above post are you hitting this error?

Reply
Kishore Rout says January 4, 2011

Hi Atul,
Thanks for your reply. I have already done the OIM configuration without LDAP sync. Now I am trying again to do LDAP sync. In the last step (last screen shot of the above post), when I am pressing the configure button, after some time I am getting the above error.

Reply
Atul Kumar says January 4, 2011

@ Kishore,
Did you supply the xelsysadm password while reconfiguring OIM, as mentioned in the post below?

http://onlineappsdba.com/index.php/2010/08/23/part-vi-configure-identity-manager-oim-oracleidm-11g-step-by-step-installation-of-oam-oim-oaam-oapm-oin/

Enter XELSYSADM password same as password used during first configuration.

Reply
Kishore Rout says January 5, 2011

Hi Atul,
The step I am doing for LDAP SYNC:
1. Run $ORACLE_HOME/bin/config.sh
2. Select OIM Server
But in step 5, it’s not asking me for the OIM Administrator password and Confirm password. Those two fields are not coming on the screen; only three fields are coming (OIM URL, keystore password and confirm password). I think during the second execution of the config.sh file, it’s checking the OIM admin password from some file, that’s why it’s not showing the password field on the screen. Can I remove ../config/fmwconfig/.xldatabasekey before starting config.sh the second time?
Please advise.

Reply
Atul Kumar says January 5, 2011

@ Kishore Rout,
I don’t think removing .xldatabasekey is going to help.

Try restarting admin Server and make sure OIM_server1 is down.

The XELSYSADM user is stored in the USR table under column usr_login in the OIM schema.

Reply
Kishore Rout says January 5, 2011

Hi Atul,
As suggested by you (restarting the Admin server with OIM_server1 down), I have done the reconfiguration. But no luck, it’s not asking for the OIM Administrator’s password in step 5. I have checked the backed log file; reconfiguring the OIM server is upgrading the previous configuration, so it’s not asking for the password. Anyhow, thanks for your suggestion. I think the issue is with encryption of the OIM schema.

Reply
jaffadog says January 24, 2011

Hello Atul – I’m puzzling over what options I have to get passwords into OIM when doing a new OIM deployment and reconciling existing/mature AD and OID directories into OIM. I have not tried it yet, but I gather passwords can’t be reconciled into OIM because they are stored one-way-hashed in the source directories. I gather there are two choices here: 1. administratively assign default new passwords to all accounts imported into OIM (and communicate these new passwords to the users); or 2. harvest the change password events using the AD pw-sync adapter and some custom change password screen for OID. Does the sync you describe above improve on these choices and provide a native solution to sync OID passwords into OIM? Are there any other approaches?

Reply
Atul Kumar says January 24, 2011

@ jaffadog,
What is the version of your OID? In 10g, OID passwords were encrypted (possible to decrypt), whereas in OID 11g they are one-way hashed.

For AD did you look at AD password Synchronization connector at http://download.oracle.com/docs/cd/E11223_01/doc.910/e11218/overview.htm

How is OIM configured with both OID & AD – Reconciliation (Target resource reconciliation or Trusted Source Target resource reconciliation) or Provisioning ?

Reply
jaffadog says January 24, 2011

Hello Atul,

It’s OID 10.1.2 – so reversible encryption? Is there a utility? or java class? published api? standard passphrase?

I’ve looked at the AD password sync connector and plan to deploy it. The downsides here are: 1. that it’ll take 90 days (the AD password expiry policy) to harvest passwords for all the active accounts; and, 2. it has to be installed on the domain controllers (>40) and they each need to be restarted – which may well take a couple weeks in planning, change control, communication, etc… But I think I need it for the long-run.

I gather the OIM self-service “change password” facility will be non-functional until OIM gets the user passwords, right? This facility authenticates the current password against OIM, right? This is one of the drivers, as it appears this introduces an artificial wait period in the deployment schedule: we can’t deploy OIM change-password until OIM has account passwords, and OIM passwords take 90 days to harvest from AD.

The intent is to initially reconcile OIM with AD and OID – to import all the existing accounts. Then switch to having OIM provision OID and AD as targets. Accounts would then be created manually (using OID), or by self-registration (using OID), or by trusted source reconciliation (HR database).

Reply
alexm says January 27, 2011

Hello Atul!

I have faced a problem like this:
http://forums.oracle.com/forums/thread.jspa?messageID=9317673

The user user12107187 could solve a problem, but I can’t get file LDAPContainerRules.xml with WSLT and exportMetadata. I don’t know parameters for this. Help me, please!

Reply
Atul Kumar says January 27, 2011

@ alexm,
This file is stored in database under MDS

First go through these two links

http://download.oracle.com/docs/cd/E14571_01/doc.1111/e14309/cust_ldap.htm LDAP Container Rules

http://download.oracle.com/docs/cd/E14571_01/doc.1111/e14309/utils.htm – MDS Utilities and User Modifiable Metadata Files

and then revert back if you still have doubts (read second link carefully)

Reply
alexm says January 27, 2011

Thank you, Atul!

I have checked up file LDAPContainerRules.xml – it’s valid. And I still have a problem. I have uploaded log file here: http://www.megaupload.com/?d=P6GQW8NV

I think that the problem is similar to the one described in the Metalink Note ID 1094593.1, because I have found these strings at the end of the Java error stack:

Caused by: java.lang.IllegalArgumentException: Null input buffer
at javax.crypto.Cipher.doFinal(DashoA13*..)
at com.thortech.xl.crypto.tcDefaultDBEncryptionImpl.decrypt(tcDefaultDBEncryptionImpl.java:219)
at com.thortech.xl.crypto.tcCryptoUtil.decrypt(tcCryptoUtil.java:100)
at com.thortech.xl.crypto.tcCryptoUtil.decrypt(tcCryptoUtil.java:127)
at com.oracle.oim.gcp.pool.ConnectionServiceUtility.getITResourceDetails(ConnectionServiceUtility.java:654)
at com.oracle.oim.gcp.pool.ConnectionServiceUtility.getITResourcePoolConfig(ConnectionServiceUtility.java:413)
at com.oracle.oim.gcp.pool.ConnectionServiceUtility.getPoolConfiguration(ConnectionServiceUtility.java:65)
at com.oracle.oim.gcp.pool.ConnectionService.getConnection(ConnectionService.java:38)
at com.oracle.oim.gcp.pool.ConnectionService.getConnection(ConnectionService.java:176)
at oracle.iam.ldapsync.impl.repository.ITResourceRepository.getConnection(ITResourceRepository.java:34)

In schema DEV_OIM in table SVP some values for column SVP_FIELD_VALUE are secured, some are not.

Reply
Atul Kumar says January 28, 2011

@ alexm

In my view your issue is different from 1094593.1.

Check Note 1272682.1 How to Setup LDAP Sync After Install in OIM 11g and go to step 5 i.e. 5. Seed LDAP reconciliation scheduled Jobs to OIM Database.

Though this step is not required as we want provisioning and reconciliation, give it a try and see if this fixes your issue.

Raise a Service Request with the OIM team in parallel.

Reply
mregoeng says February 25, 2011

I have a query regarding this LDAP sync.

In the configuration you are asked to provide a container for where the users will be stored in OID after being approved in OIM, say Cn=Users, but what if you have cn=Finance,cn=Users, dc=com and cn=HR,cn=Users,dc=com and you want to dynamically place users in either of these OUs based on their attributes propagated from OIM.

I saw somewhere in the documentation where it talks about rules in OIM to allow you to do this, if I’m not mistaken. Is it possible to dynamically determine users’ OUs leveraging this LDAP sync mechanism?

Cheers

Reply
Atul Kumar says February 25, 2011

@mregoeng,

Oracle Identity Manager calls a plug-in that implements the oracle.iam.ldapsync.LDAPContainerMapper interface. All the attributes of the user/role are passed to the plug-in, and plug-in returns the Domain Name (DN) of the LDAP container in which user/role is created.

To achieve your requirement
1. Export /db/LDAPContainerRules.xml from MDS
2. Add expression based on user attribute under container rules as mentioned in link below
3. Import /db/LDAPContainerRules.xml to MDS

check link http://download.oracle.com/docs/cd/E14571_01/doc.1111/e14309/cust_ldap.htm#

Reply
mregoeng says February 25, 2011

Fantastic…Thanks for the enlightenment.

I will let you know how my mini development goes.

Reply
TCarlson says March 4, 2011

Well… you have helped us get to this point, thank you.

We have in the past installed IDM 11.1.1.2 with OAM 10.1.4.3. Within that installation process, OID, OVD, etc were installed within the IDM installation (ofm_idm_linux_11.1.1.2.0_64_disk1_1of1.zip) and then OAM was installed separately.

Within this install, IDM and OAM are installed using the same zip — ofm_iam_generic_11.1.1.3.0_disk1_1of1.zip. When do OID and OVD get installed when creating a new install? I think I missed a step somewhere….

Reply
Atul Kumar says March 4, 2011

@ TCarlson,

In Oracle Identity Management 11g there are two softwares

1. Identity Management (covers OID, OIF, OVD) – This is 11.1.1.2 as base version and 111.1.1.3 and 11.1.1.4 are patchset (patchset can be applied on top of base). You can directly go from 11.1.1.2 to 11.1.1.4

2. Identity and Access Management (covers OAM, OIM, OIN, OAAM, OPM) –
This is 11.1.1.3 as base version , I have not seen 11.1.1.4 patchset for this product yet.

Do let me know if this is what you were looking for

Reply
TCarlson says March 9, 2011

Before running the LDAPConfigPreSetup.sh, all the processes oid, ovd, ohs were starting via opmnctl. I am not sure LDAPConfigPreSetup is related or just coincidence, but ovd no longer starts which means I cannot create the OVD connection in ODSM or and OVD adapters.

The console~ovd1~1.log has the following:

——–
11/03/09 08:29:15 Start process
——–
OpmnIntegrator: Register Ping callback.
OpmnIntegrator: Register Reload callback.
OpmnIntegrator: Register Stop callback.
Exception in thread “main” java.lang.NoClassDefFoundError: oracle/security/xmlsec/util/Base64
at oracle.security.jps.internal.common.util.JpsCommonUtil.(JpsCommonUtil.java:212)
at oracle.security.jps.internal.core.runtime.JpsContextFactoryImpl.getContext(JpsContextFactoryImpl.java:155)
at oracle.security.jps.internal.core.runtime.JpsContextFactoryImpl.getContext(JpsContextFactoryImpl.java:166)
at com.octetstring.vde.util.CSFUtil$OVDPrivilegedExceptionAction.run(CSFUtil.java:362)
at com.octetstring.vde.util.CSFUtil$OVDPrivilegedExceptionAction.run(CSFUtil.java:328)
at java.security.AccessController.doPrivileged(Native Method)
at com.octetstring.vde.util.CSFUtil.refreshCredStore(CSFUtil.java:244)
at com.octetstring.vde.backend.BackendHandler.reloadDynamicConfig(BackendHandler.java:277)
at com.octetstring.vde.backend.BackendHandler.(BackendHandler.java:250)
at com.octetstring.vde.backend.BackendHandler.init(BackendHandler.java:421)
at com.octetstring.vde.VDEServer.initialize(VDEServer.java:259)
at com.octetstring.vde.VDEServer.startServer(VDEServer.java:172)
at com.octetstring.vde.VDEServer.main(VDEServer.java:334)
Caused by: java.lang.ClassNotFoundException: oracle.security.xmlsec.util.Base64
at java.net.URLClassLoader$1.run(URLClassLoader.java:200)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:188)
at java.lang.ClassLoader.loadClass(ClassLoader.java:307)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:301)
at java.lang.ClassLoader.loadClass(ClassLoader.java:252)
at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:320)
… 13 more

——–
11/03/09 08:31:16 Stop process
——–

opmnctl status returns the following:

Processes in Instance: idminst
———————————+——————–+———+———
ias-component | process-type | pid | status
———————————+——————–+———+———
ohs1 | OHS | 16119 | Alive
ovd1 | OVD | N/A | Down
oid1 | oidldapd | 16231 | Alive
oid1 | oidldapd | 16177 | Alive
oid1 | oidmon | 16117 | Alive

Reply
Atul Kumar says March 9, 2011

@ TCarlson,
During LDAPConfigPreSetup.sh, it connects to OID only and not to OVD.

Regarding your OVD startup issue, I am a little bit surprised that this worked in the past.

The last time I had this issue, Exception in thread “main” java.lang.NoClassDefFoundError: oracle/security/xmlsec/util/Base64

was during OID startup, where the WebLogic server was a higher version than OID.

What version of OVD are you using? What is the WebLogic version? Are you using the default JDK which comes with WebLogic?

Reply
TCarlson says March 9, 2011

Well… evidently I had thought I had installed the 11.1.1.3 version of OIM but only had 11.1.1.2.

Therefore, thanks anyway.

Reply
TCarlson says March 9, 2011

Well… completed the LDAPConfigPostSetup and was successful. In following the last steps

5. Test LDAP Sync configuration
5.1 Login to OIM Administration Console (http://oimserver:14000/oim) and create a user
5.2 Login to OID via ODSM and check if this user is synchronized to OID

In 5.1 when I tried to create an user, I received the following:

An error occurred while performing create user operation. Unable to get LDAP connection, and the root cause is – Failed to get connection, Incorrect IT Resource.

Ideas?

Reply
Atul Kumar says March 9, 2011

@ TCarlson,

It looks like OIM is unable to contact OVD, check following

Go to OIM advanced administration and Click on IT Resources. Search for resource type “Directory Server” and click on Edit button to see if value of OVD server is correct

If this is correct then check value of search base attribute is correct under IT resource configuration screen (mentioned above)

If search base is correct too then check LDAPContainerRules.xml in MDS schema (You will need MDS export/import script to export xml file from database / MDS)

Check Metalink Note 1275649.1

Also check logs for OIM server in weblogic domain

Reply
TCarlson says March 9, 2011

When was the “IT Resource” created? I do not remember creating it — unless it was part of the configuration.

When I go to the Advanced Admin screen and click on “Manage IT Resource” and select Search to retrieve all the resources… only one displays. It is a Directory Server resource. When I select it to edit, I get “A system error occurred. Contact the Oracle Identity Manager System Administrator”.

There is no other information.

Reply
Atul Kumar says March 10, 2011

@ TCarlson

Q: When was the “IT Resource” created ?
A: This is created when you run config.sh and select LDAP sync and provide OVD details.

To see root cause of issue , Go to OIM managed server log file and check logs

$DOMAIN_HOME/servers/oim_server1/logs

Reply
TCarlson says March 12, 2011

Just curious about the adapters above… are these required and are the DNs you give for the adapters
(cn=oimadmin,cn=users,cn=OIM,cn=Products,cn=OracleContext)
required as listed or do we use our own DN values that are reflected in the name space?

Reply
TCarlson says March 14, 2011

Also, after installing everything and all the servers (oim, oam, oaam,…) are up and running –the EM console displays all green — when I try to access the OAM console (http://localhost:14100/oam) I receive the following:

Action Failed. Please try again.

I do not get the login screen and the screen that is displayed is the Oracle Access Manager background screen.

There are no options to even close or “ok” to accept… just the error display box.

Ideas?

Reply
TCarlson says March 14, 2011

Today seems to be the day for questions… I also have had an issue when trying to create a user with the “Null input buffer” error. I backed up my existing LDAPContainerRules.xml and weblogic.properties files and ran weblogicExportMetadata.sh and received:

Successfully connected to Admin Server ‘AdminServer’ that belongs to domain ‘IDMDomain’.

Warning: An insecure protocol was used to connect to the
server. To ensure on-the-wire security, the SSL port or
Admin port should be used instead.

Location changed to domainRuntime tree. This is a read-only tree with DomainMBean as the root.
For more help, use help(domainRuntime)

Problem invoking WLST – Traceback (innermost last):
File “/opt/oracle/product/fmw/idam/server/bin/weblogicExportMetadata.py”, line 22, in ?
File “/opt/oracle/product/fmw/oracle_common/common/wlst/mdsWLSTCommands.py”, line 134, in exportMetadata
File “/opt/oracle/product/fmw/oracle_common/common/wlst/mdsWLSTCommands.py”, line 568, in executeAppRuntimeMBeanOperation
File “/opt/oracle/product/fmw/oracle_common/common/wlst/mdsWLSTCommands.py”, line 538, in getMDSAppRuntimeMBean
UserWarning: MDS-91002: MDS Application runtime MBean for “OIMMetadata” is not available. “exportMetadata” operation failure.

Reply
Atul Kumar says March 14, 2011

@ TCarlson,

Q1: Just curious about the adapters above… are these required and are the DNs you give for the adapters
(cn=oimadmin,cn=users,cn=OIM,cn=Products,cn=OracleContext)
required as listed or do we use our own DN values that are reflected in the name space?

A1: Adapters are mandatory as they define mapping from OVD to OID.

Regarding namespace , use DN mentioned above as this DN should be available in OIDs (this is namespace independent) . This DN is created as part of LDAPConfigPreSetup.sh

Q2: when I try to access the OAM console (http://localhost:14100/oam) I receive the following: Action Failed. Please try again.

A2: Check OAM logs in weblogic domain as $DOMAIN_HOME/servers/oam_server1/logs

Even if a managed server is running , there could be issues starting an OAM application on that managed server.

Reply
TCarlson says March 14, 2011

The following is in the oam_server1.log file and was triggered when I tried to open the oam console. There were several lines of this nature and then several lines of stack trace which follows afterward:

#### <> <Watch ‘UncheckedException’ with severity ‘Notice’ on server ‘oam_server1’ has triggered at Mar 14, 2011 11:07:18 AM EDT. Notification details:
WatchRuleType: Log
WatchRule: (SEVERITY = ‘Error’) AND ((MSGID = ‘BEA-101020’) OR (MSGID = ‘BEA-101017’) OR (MSGID = ‘BEA-000802’))
WatchData: DATE = Mar 14, 2011 11:07:18 AM EDT SERVER = oam_server1 MESSAGE = [ServletContext@1803965313[app:oam_server module:oam path:/oam spec-version:2.5]] Root cause of ServletException.
weblogic.servlet.jsp.CompilationException: Failed to compile JSP /index.jsp
index.jsp:2:4: No tag library could be found with this URI. Possible causes could be that the URI is incorrect, or that there were errors during parsing of the .tld file.
^M
^—-^

Stack trace:
at weblogic.servlet.jsp.JavelinxJSPStub.reportCompilationErrorIfNeccessary(JavelinxJSPStub.java:226)
at weblogic.servlet.jsp.JavelinxJSPStub.compilePage(JavelinxJSPStub.java:162)
at weblogic.servlet.jsp.JspStub.prepareServlet(JspStub.java:256)
at weblogic.servlet.jsp.JspStub.prepareServlet(JspStub.java:216)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:243)
at weblogic.servlet.internal.ServletStubImpl.onAddToMapException(ServletStubImpl.java:416)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:326)
at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.security.am.agent.wls.filters.OAMServletAuthenticationFilter.doFilter(OAMServletAuthenticationFilter.java:260)
at oracle.security.am.agent.wls.filters.OAMValidationSystemFilter.doFilter(OAMValidationSystemFilter.java:133)
at oracle.security.wls.oamagent.OAMAgentWrapperFilter.doFilter(OAMAgentWrapperFilter.java:121)

Reply
Atul Kumar says March 14, 2011

@ TCarlson,

[ServletContext@1803965313[app:oam_server module:oam path:/oam spec-version:2.5]

What URL are you using?

Did you try http://server:7001/oamconsole

or are you hitting http://server:14000/oam

Use the first URL for the console

Reply
TCarlson says March 14, 2011

I guess it was the one combination I had not tried… http://server:7001/oamconsole worked. I had thought the 14100 port and oam would be correct since that’s the requirement for oim.

Thanks again… as always…

Reply
TCarlson says March 17, 2011

Question regarding LDAP Sync… If I have already completed the install of OIM and OAM — btw it seems to work — can I still execute the LDAP Sync?

I read in a blog (http://oim-iam.blogspot.com/2010/11/configuring-ldap-sync-also-called-oim.html) that “When you are configuring OIM for the first time, you must opt to enable the LDAP sync option.This is important and a necessary step for the synchronization to work.”

Does this mean since I have already completed the install that I cannot run LDAP Sync?

Reply
tcarlson says March 17, 2011

Prior to running LDAP Sync, I was able to create users. I went ahead and ran LDAP Sync but now cannot create users again. Again receiving the “Null input buffer” error.

Reply
Atul Kumar says March 18, 2011

@ Tcarlson,

Q: If I have already completed the install of OIM and OAM — btw it seems to work — can I still execute the LDAP Sync?

A: Yes, you can – check Metalink note 1225404.1 At What Stage can OIM 11g be Integrated with Ldap Sync ,OAM and BI Publisher?

Q: Prior to running LDAP Sync, I was able to create users. I went ahead and ran LDAP Sync but now cannot create users again. Again receiving the “Null input buffer” error.

A: Check Metalink Note # 1275649.1 Unable To Create A Role or User in OIM 11g after configuring LDAP Sync.

Ensure that error message in note matches with error in your instance

Reply
TCarlson says March 18, 2011

We are duplicating our (your) efforts. I also created an OTN thread (LDAP Sync OAM 11g – user12992343) asking this question that you also responded to. Just wanted you to be aware so that you are not entering the same information twice.

Reply
MohanKumar says May 24, 2011

Hi…,
Atul Kumar
can you please tell how to install OVD 11g… and what are the prerequisites that are to be installed for OVD 11g, like WebLogic etc.

Reply
Atul Kumar says May 25, 2011

@ MohanKumar,

OVD installation is similar to OID installation (installed as the same software). Check my post http://onlineappsdba.com/index.php/2011/03/23/install-oracle-identity-management-oimidm-11114-oid-ovd-oif-high-level-steps/

At configuration step (point 6) – select OVD

http://download.oracle.com/docs/cd/E17904_01/install.1111/e12002/before001.htm#BABBGDAA

Reply
vamsi56 says June 20, 2011

Atul,

Could you please provide me the recent patch number that we should install for OIM.

Thanks,
Vamsi.

Reply
kkaushick says June 27, 2011

hi Atul,
i am not able to create a user after the LDAP sync. the error says about wrong IT resource.
the OVD details for ssl/non are correct in the directory server resource details, and the dn value in searchbase and the LDAPContainerRules are also as suggested. however the LDAPContainerRules.xml was not updated as a result of importMetadata but had to be edited, as the WeblogicImportMetadata.sh throws an error similar to the one posted earlier by tcarlson (march 14 9:17).
pls. suggest the way to desync ldap, so that i run the ldap sync again.
pls. help,
thanks,
himanshu

Reply
tcarlson says June 27, 2011

We have faced this issue too…

We have determined that the issue with not being able to modify the IT resource was due to the fact that the LDAP Sync process set the values in DEV_OIM.SVP to plain text and did not encrypt the values. We copied the table (just in case), set those plain text values to null, we were then able to modify the IT resource (which was Directory Server), reset the values, saved the values, and now they are encrypted in the db and we can access the IT resource page.

1. Use the following query to find fields with “plain text” values:
select svr.svr_name, spd.spd_field_name, svp.svp_key, svp_field_value
from svp
inner join spd on spd.spd_key = svp.spd_key
inner join svr on svr.svr_key = svp.svr_key

2. Set these plain text values in svp to null after making backup of table (just precautionary)

3. Edit the Directory Server to re-set values.
Possible expected error at this stage:
— no “System Error call admin…”, but that makes sense since the values in question pertained directly to the Directory Server —

4. Re-entered the values for the IT Resource.

5. Saving the changes and verify that svp values are now all encrypted.

With correct values and encryption, then users are able to be created.

Reply
Atul Kumar says June 28, 2011

@ tcarlson,
Thanks for sharing fix.

Reply
kkaushick says June 28, 2011

thanks tcarlson,
as suggested, the svp_field_value in the DEV_OIM.SVP table has already been edited to null earlier. the values are now encrypted, as shown as a result of the query (no idea whether the encryption is correct or not).
the problem is while creating a user in oim it throws an error
An error occurred while performing create user operation. Unable to get LDAP connection, and the root cause is – Failed to get connection , Incorrect ITResource.
the OVD details in the directory server IT resource, as well as the value for the DN for the root search in ovd adapters, are correct.
the only step which couldn’t be completed was the running of WeblogicImportMetadata.sh, step 4 of the doc.
so, i edited the LDAPContainerRules.xml file for the changes to be brought in the user and role container (my guess is that by importing the metadata to MDS some other changes also take place).
in your earlier post on the same thread you also had the problem while running the script, how did you fix it?

Reply
kkaushick says June 28, 2011

somehow I am not able to do a ldapbind on the ports for ovd and oid. i am sure it was happening right after configuring ovd and oid.
please help with a fix.
the ./opmnctl status shows all alive (have also tried startall after stopall, but to no avail)

Reply
kkaushick says June 28, 2011

a bit of correction here in the earlier post,
am able to bind at the OID non ssl port, but the bind is not happening at the OVD port

Reply
Atul Kumar says June 28, 2011

@ kkaushick,
Check if OVD is listening on port defined (For unix “netstat -an | grep “) , also check OVD logs and see if there are any errors in logs

Reply
kkaushick says June 29, 2011

here are the details
[oracle@lab-im ovd1]$ netstat -an |grep 6501
tcp 0 0 :::6501 :::* LISTEN
to add to this the bind is happening successfully.
in the diagnostic log for ovd there is nothing except a few warnings about the oid being down
[octetstring] [WARNING] [OVD-40067] [com.octetstring.vde.backend.jndi.changelogOID.HeartBeatThread] [tid: 11] [ecid: 0000J2SWxNdFo2WFLziOOA1DykBP000003,0] [arg: IP Address] [arg: 3060] Server 192.168.0.41:3,060 is down. But it is the only server configured, thus keep it alive.
there is nothing in access log.
-what entries need to be there in the Directory Server IT Resource?
-what about the changes which i made to the LDAPContainerRules.xml file rather than running the weblogicimportmetadata.sh , is the approach right?

Reply
kkaushick says June 30, 2011

to add these are entries from the console~ovd1~1.log
Exception in thread “pool-1-thread-2” java.lang.NullPointerException
at com.octetstring.vde.DoSManager.registerConnection(DoSManager.java:315)
at com.octetstring.vde.ConnectionHandler.run(ConnectionHandler.java:213)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
at java.lang.Thread.run(Thread.java:619)
Exception in thread “pool-1-thread-4” java.lang.NullPointerException
at com.octetstring.vde.DoSManager.registerConnection(DoSManager.java:315)
at com.octetstring.vde.ConnectionHandler.run(ConnectionHandler.java:213)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
at java.lang.Thread.run(Thread.java:619)

the version details are:
OVD-11.1.1.2.0
ODSM-11.1.1.3.0
OID-11.1.1.3.0
has it got something to with the OVD version?

Reply
sagarthe1 says July 6, 2011

Hello Atul,
I am facing this issue during OVD to AD adapter configuration.
It is giving me invalid credentials error as soon as I click next after entering “Connection details for AD host port and server proxy bind DN & proxy password.”
I tried it with two different credentials present in AD with admin privileges and also read only.
Will you please suggest what might be wrong ?

Sorry if I am in wrong section.But I saw adapter settings and hence put it here.

Thanks,
PS

Reply
aengineer says July 13, 2011

Hi,

Do you have an article on how to configure LDAP sync with OIM 11.1.1.5.0 using ODSEE and also integrate it with OAM?

I have been following the docs and they are not-so-good.

Thanks
Aspi

Reply
Atul Kumar says July 15, 2011

@ aengineer,
This is in chapter 12 on my book but using OID/OVD.

Book is available at https://www.packtpub.com/oracle-identity-and-access-manager-11g-for-administrators/book

Reply
srivatsa says July 18, 2011

Hi atul,

We configured LDAP synch. Now when we create a user in OIM it is created in OID and we are also able to update the values of OOTB fields. But we are not able to provision the UDF fields and update them, so please help us: what needs to be done to achieve the requirement?

Thank you

Reply
kkaushick says July 28, 2011

hi,
i have a problem exact to the first post in this thread by kishore raut. this has happened while i was trying to configure the OIM server(for third time(first for configuring the server, then for LDAP synch)) for OAM integration.@Kishore – on your third post you say something about the issue being with encryption of OIM schema.So, how did you fix it..?
thanks anyway for this thread, it has been very supportive..

Reply
Kishore Rout says July 28, 2011

kkaushick,
You can do LDAP synchronisation at any time after OIM server configuration as Atul mentioned above. But in my case it was not working. Password in OIM schema encrypted. I contacted oracle regarding this. As per them steps are here:
1. Install OID &OVD and configure it.
2. Install OIM and extend weblogic domain, create managed server for OIM.
3. Prepare OID for LDAP sync(adapter creation in OVD)
4. do the OIM configure and Ldap sync in one go..

Reply
kkaushick says July 29, 2011

thanks a ton Kishore Raut,
for sharing this. a little clarification would be more helpful.
2. how do i create managed server without running OIM_home/bin/config.sh ?
and @ atul – please post a solution for this situation. I tried config. thrice yesterday under various scenarios, but on the passwd. screen it’s only asking for the keystore passwd., not for the xelsysadm passwd.
when i queried the user table for the passwd field of USER_LOGIN=’XELSYSADM’, it shows some encrypted value.
I have had earlier problem while doing LDAP synch., and had to redo the whole thing , so redo again would be a pain in the neck..
thanks again.

Reply
Kishore Rout says July 29, 2011

kkaushick,
There should be two config.sh in your OIM home directory. Use $OIM_HOME/common/bin/config.sh for OIM managed server configuration and $OIM_HOME/bin/config.sh for OIM server configuration.

Reply
kkaushick says July 29, 2011

thanks again,
so your suggestion is to do the whole thing again.
as far as my understanding goes $OIM_HOME/common/bin/config.sh would not create OIM_server, right ?
and,$OIM_HOME/bin/config.sh has to be run only once after doing all synch steps (ldap & OAM). right?
waiting..

Reply
RajeevSingh says August 24, 2011

Atul,

Is it possible to configure a LDAP adaptor without using ODSM? If yes, please provide some information

Rajeev

Reply
Raj says September 14, 2011

Atul,

Thanks for sharing the oim11g installation and configuration steps.
Couple of questions :
1. How to modify the ldapcontainer to place the user records in a particular OU in OID
2. I want to sync the OIM USERS to different user containers in OID based on OIM USER attributes.

Please advise.

Thanks,
Raj

Reply
bvuong says September 19, 2011

Hi Atul,

From my understanding, OIM PS1 is shipped with an embedded ovd called “libovd” which allows you to enable ldapsynch. My questions are:

1- If I want to use ODSEE as my identity store for OAM and use ldapsynch, do I still need to install a full OVD package? Documentation on line is not helpful.

2- If the answer is no, Do I need to create an ldap adapter using the wlst command line or is it done automatically when ldapsynch is enabled during the install? Again, this is not clear in the doc

3- I just built a clean vm oim-ldapsynch-odsee. I can create/modify user, however creating role gives me an error in OIM. Did you encounter this issue in your experience?

Thanks for your help.
Bruno

Reply
Shilpa says September 23, 2011

tcarlson, your trick to update the plain text entries in the DB to get the ‘Manage IT Resource’ page to edit Directory Server is brilliant!!

We spent 3 days on figuring out this issue 🙂 Thanks much!!

Shilpa Sathya Nair

Reply
kkaushick says November 24, 2011

Hi All,
I have performed first time reconciliation using the eBusiness HRMS trusted reconciliation for CurrentPersons, the users are populated in oim(as shown in the console) but not in OID whereas, the user/s which i create manually through the oim console are getting populated in OID. I have been looking for anything relevant but to no avail so returned to this post where i got various earlier problems fixed.
So , guys please help me ,this POST is making a repo which can’t be false,
thanks again.

Reply
Atul Kumar says November 24, 2011

@ kkaushick,
Just to confirm your issue, You have configured OIM LDAP sync and expecting users in OID to sync with OIM and vice versa (please confirm).

which version of OIM is this ?

What user is used for LDAP sync (orcladmin or oimadmin) ?

Did you run full recon job to start with ?

Reply
kkaushick says November 25, 2011

Hi ,
thank you for the reply,
Yes , shouldn’t OIM LDAP sync be auto populating the users from OIM to OID. Not worried about reverse right now.
version is 11.1.*.3
i used a diff. user created in OCS_PORTAL_USER group( for roleSecAdmin=) in the wlst script createUserIdentityStore during OIM_OAM integration, but i think i used orcladmin for LDAP synch (help me in being sure about it )
actually previously i had problem in doing ldap sync (separately) so this configuration of OIM_server is done with LDAP sync and OAM integration in a single go.
yes this is a full-first time recon.
Note-the users being created manually using the console are still getting populated in OID.
thanks, waiting eagerly.

Reply
kkaushick says November 25, 2011

on LDAP sync and OAM screen during the server configuration I used cn=orcladmin as LDAP user.
Thanks.

Reply
Atul Kumar says November 27, 2011

@ kkaushick,

You said – shouldn’t OIM LDAP sync be auto populating the users from OIM to OID.

AK – Yes , it should. check logs in OIM manager server log file $DOMAIN_HOME/servers/oim_server1/logs

You said – version is 11.1.*.3, I used a diff. user created in OCS_PORTAL_USER group( for roleSecAdmin=) in the wlst script createUserIdentityStore during OIM_OAM integration, but i think i used orcladmin for LDAP synch (help me in being sure about it )
actually previously i had problem in doing ldap sync (separately) so this configuration of OIM_server is done with LDAP sync and OAM integration in a single go.

AK: I have seen lot of issues with LDAPSync in OIM/OAM 11.1.1.3, is there possibility of upgrading OIM/OAM/SOA to 11.1.1.5 . In OIM 11.1.1.3 there was no libOVD so do you have OVD (in 11.1.1.5 OVD is not mandatory) and did you create adapters in OVD?

You said – Yes this is a full-first time recon. Note-the users being created manually using the console are still getting populated in OID.
AK: OK so LDAPSync works if you create users in OIM but issue is only during EBS ER (employee recon). You must have received errors in OIM managed server log file.

I recently faced same error where only 5% of employees from EBS were in OID (even though every one was in OIM). In OIM logs error was related to common name generation which was bug in code that it was checking email addresses. One user had wrong email address (two @ in email) and whole thing was falling apart.

Check OIM logs to find root cause of your problem (This could be data specific issue). Also check JMS Queue via WebLogic console and ensure messages are not sitting in Queue

Reply
kkaushick says November 28, 2011

hi ,
thanks for showing the way ahead,
->surfed through the logs, but nothing there except repeated errors for the ” Exception occurred while getting connection: oracle.ucp.UniversalConnectionPoolException: All connections in the Universal Connection pool are in use ,
->yes, I am using OVD and two adapters have been created in OVD.
->the managed server log file has mainly three repeated errors,passwords not agreeing to the policy, [arg: Manager Login] The attribute Manager Login does not exist!, and others repeated for [arg: Organization Name] The attribute Organization Name does not exist!,could this be a problem?
weblogic console-summary of JMS server shows ok, not sure how to check for the sitting messages in the JMS queue .
->if upgrading it to *.5 would solve the problem, should i upgrade both the Oracle Home or only the home containing the OIM,OAM,OAAM,etc.?
thanks, again in advance.

Reply
kkaushick says November 28, 2011

the error related to the password policy is and, i guess that this is not letting the users be updated in OID.
[oracle@lab-im logs]$ more oim_server1-diagnostic-51.log | grep ERROR
[2011-11-23T17:22:20.560+05:30] [oim_server1] [ERROR] [IAM-0042002] [oracle.iam.platform.entitymgr.provider.ldap] [tid: [ACTIVE].ExecuteThread: ’18’ for queue: ‘weblogic.kernel.Default (self-tuning)’] [userId: oiminternal] [ecid: 0000JFGGsPoFo2WFLziOOA1ElXZQ0001YU,0] [APP: oim#11.1.1.3.0] [dcid: d90df5a0fd2bc5c7:610c5ef3:133b5d99a56:-7ffd-000000000000107b] [arg: javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 21 – LDAP Error 21 : [LDAP: error code 19 – Password Policy Error :9003: GSL_PWDMINLENGTH_EXCP :Your Password must be at least 5 characters long.\n]]; remaining name ‘cn=324,cn=users,*,dc=co,dc=in’] An error occurred while creating the entity in LDAP, and the corresponding error is – javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 21 – LDAP Error 21 : [LDAP: error code 19 – Password Policy Error :9003: GSL_PWDMINLENGTH_EXCP :Your Password must be at least 5 characters long.[[
these errors are repeated.thanks,

Reply
Atul Kumar says November 28, 2011

@ kkaushick,
In OID there is a default password policy on users which I suppose requires user password to have at least 5 characters.

Create a new password policy in OID (configure it same as password policy on target systems OIM/source application EBS in this case).

To define password policy in OID and assign it to users container in OID follow http://download.oracle.com/docs/cd/E21764_01/oid.1111/e10029/pwdpolicies.htm#OIDAG2470

Reply
kkaushick says November 28, 2011

thank you so much for the soln. , but i have a bit of confusion here as i could see two default pwdPolicies in OID one under the cn=default,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext
and the other one with the RDN cn=default,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext,dc=*,dc=co,dc=in.
both had the attribute orclpwdpolicyenable value as 1, i have changed the value to 0 for both the default store, so right now the OID is without any policy enabled, hopefully it will bring the users from OIM to OID,
will inform you if i succeed, anyway thank you so much for the effort,
Please do correct me if my approach is wrong.
thanks,

Reply
Atul Kumar says November 28, 2011

@ kkaushick,
You are right , by default there are two password policies but one that is applicable at cn=users,dc= is cn=default,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext,dc=* (This is controlled by attribute pwdpolicysubentry on cn=users)

Bounce OID and then try running Employee Recon Job and see if you still get this error.

Reply
kkaushick says November 29, 2011

Thanks again for the effort which you are putting here.
Good news is after rerun of the Employee Recon I got two test users in my OID.
for the rest i got this error [ERROR] [IAM-3010003] [oracle.iam.ldapsync.impl.eventhandlers.user] [tid: [ACTIVE].ExecuteThread: ’16’ for queue: ‘weblogic.kernel.Default (self-tuning)’]
[userId: oiminternal] [ecid: 0000JFihrd8Fo2WFLziOOA1ElXZQ00031J,0] [APP: oim#11.1.1.3.0]
[dcid: d90df5a0fd2bc5c7:610c5ef3:133b5d99a56:-7ffd-0000000000001077]
Failed to execute the handler.[[
oracle.iam.platform.kernel.EventFailedException: Enabling failed because user is not synchronized to the LDAP directory.
Exception Description: Could not serialize object into byte array.
Internal Exception: java.io.NotSerializableException: com.sun.jndi.ldap.LdapCtx
Mapping: org.eclipse.persistence.mappings.DirectToFieldMapping[result–>ORCHEVENTS.RESULT]
Descriptor: RelationalDescriptor(oracle.iam.platform.kernel.dao.OrchEvent –> [DatabaseTable(ORCHEVENTS)])
at oracle.iam.platform.kernel.dao.OrchestrationDao.updateEventResult(OrchestrationDao.java:594)
at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.orchestrateWithoutExecution(OrchestrationEngineImpl.java:407)
… 34 more
Caused by: org.springframework.transaction.UnexpectedRollbackException: JTA transaction unexpectedly rolled back (maybe due to a timeout); nested exception is weblogic.transaction.RollbackException: Unexpected exception in beforeCompletion: sync=org.eclipse.persistence.transaction.JTASynchronizationListener@b75157e
Now i will enable logging at a finer level to find out where exactly the problem is.
if you have figured it out pls. do let me know.
But thank you for letting me establish that this system is working .
Regards.

Reply
kkaushick says November 29, 2011

Hi ,
even after enabling the logging at the finest level i can only locate the same error ,am not able to find the reason for the error , need your help, the complete error FYA,
[2011-11-29T18:27:55.357+05:30] [oim_server1] [ERROR] [IAM-3010003] [oracle.iam.ldapsync.impl.eventhandlers.user] [tid: [ACTIVE].ExecuteThread: ‘0’ for queue: ‘weblogic.kernel.Default (self-tuning)’] [userId: oiminternal] [ecid: 0000JFjPmKXFo2WFLziOOA1EpCiH00001P,0] [APP: oim#11.1.1.3.0] [dcid: d90df5a0fd2bc5c7:-437de5de:133ef3d5f4c:-7ffd-0000000000000033] Failed to execute the handler.[[
oracle.iam.platform.kernel.EventFailedException: Modification failed because user 487 is not synchronized to the LDAP directory.
at oracle.iam.ldapsync.impl.eventhandlers.user.UserModifyLDAPPostProcessHandler.modifyUser(UserModifyLDAPPostProcessHandler.java:153)
at oracle.iam.ldapsync.impl.eventhandlers.user.UserModifyLDAPHandler.execute(UserModifyLDAPHandler.java:180)
at oracle.iam.platform.kernel.impl.OrchProcessData.runPostProcessEvents(OrchProcessData.java:1153)
at oracle.iam.platform.kernel.impl.OrchProcessData.runEvents(OrchProcessData.java:703)
at oracle.iam.platform.kernel.impl.OrchProcessData.executeEvents(OrchProcessData.java:220)
at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.resumeProcess(OrchestrationEngineImpl.java:674)
at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.resumeProcess(OrchestrationEngineImpl.java:705)
at oracle.iam.platform.kernel.impl.OrhestrationAsyncTask.execute(OrhestrationAsyncTask.java:108)
at oracle.iam.platform.async.impl.TaskExecutor.executeUnmanagedTask(TaskExecutor.java:100)
at oracle.iam.platform.async.impl.TaskExecutor.execute(TaskExecutor.java:70)
at oracle.iam.platform.async.messaging.MessageReceiver.onMessage(MessageReceiver.java:68)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
at com.bea.core.repackaged.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at com.bea.core.repackaged.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
at $Proxy329.onMessage(Unknown Source)
at weblogic.ejb.container.internal.MDListener.execute(MDListener.java:466)
at weblogic.ejb.container.internal.MDListener.transactionalOnMessage(MDListener.java:371)
at weblogic.ejb.container.internal.MDListener.onMessage(MDListener.java:327)
at weblogic.jms.client.JMSSession.onMessage(JMSSession.java:4659)
at weblogic.jms.client.JMSSession.execute(JMSSession.java:4345)
at weblogic.jms.client.JMSSession.executeMessage(JMSSession.java:3821)
at weblogic.jms.client.JMSSession.access$000(JMSSession.java:115)
at weblogic.jms.client.JMSSession$UseForRunnable.run(JMSSession.java:5170)
at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:528)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
It keeps on repeating for this user ID,

Reply
Atul Kumar says November 30, 2011

@ kkaushick,
Error message indicates that you are trying to update a user (as part of RECON) which is not in OID.

It seems like for some reason user is in OIM but not in OID.

Reply
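Added example (not part of any comment in this thread): a Python triage of OIM diagnostic-log entries like the ones quoted above. It separates records where the directory rejected a create (root cause) from the follow-on "not synchronized to the LDAP directory" records (symptom). The sample log is constructed, and the function names and the LDAP_RESULT table are this example's own.

```python
import re
from collections import Counter

# Constructed sample modelled on the ODL entries quoted in this thread;
# the DNs, user keys and thread ids are made up for the example.
SAMPLE_LOG = """\
[2011-11-23T17:22:20.560+05:30] [oim_server1] [ERROR] [IAM-0042002] [oracle.iam.platform.entitymgr.provider.ldap] [tid: 18] [userId: oiminternal] [arg: javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 21 - LDAP Error 21 : [LDAP: error code 19 - Password Policy Error :9003: GSL_PWDMINLENGTH_EXCP :Your Password must be at least 5 characters long.]]; remaining name 'cn=324,cn=users,dc=example,dc=com'] An error occurred while creating the entity in LDAP
[2011-11-23T17:22:21.102+05:30] [oim_server1] [ERROR] [IAM-0042002] [oracle.iam.platform.entitymgr.provider.ldap] [tid: 18] [userId: oiminternal] [arg: javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 21 - LDAP Error 21 : [LDAP: error code 19 - Password Policy Error :9003: GSL_PWDMINLENGTH_EXCP :Your Password must be at least 5 characters long.]]; remaining name 'cn=325,cn=users,dc=example,dc=com'] An error occurred while creating the entity in LDAP
[2011-11-23T17:22:22.000+05:30] [oim_server1] [ERROR] [IAM-0042002] [oracle.iam.platform.entitymgr.provider.ldap] [tid: 19] [userId: oiminternal] [arg: javax.naming.NameAlreadyBoundException: [LDAP: error code 68 - Object already exists]; remaining name 'cn=400,cn=users,dc=example,dc=com'] An error occurred while creating the entity in LDAP
[2011-11-23T17:22:23.000+05:30] [oim_server1] [WARNING] [] [oracle.iam.reconciliation] [tid: 20] constructed warning line, ignored by the triage
[2011-11-29T18:27:55.357+05:30] [oim_server1] [ERROR] [IAM-3010003] [oracle.iam.ldapsync.impl.eventhandlers.user] [tid: 0] [userId: oiminternal] Failed to execute the handler.[[
oracle.iam.platform.kernel.EventFailedException: Modification failed because user 487 is not synchronized to the LDAP directory.
    at oracle.iam.ldapsync.impl.eventhandlers.user.UserModifyLDAPHandler.execute(UserModifyLDAPHandler.java:180)
]]
[2011-11-29T18:28:10.000+05:30] [oim_server1] [ERROR] [IAM-3010003] [oracle.iam.ldapsync.impl.eventhandlers.user] [tid: 0] [userId: oiminternal] Failed to execute the handler.[[
oracle.iam.platform.kernel.EventFailedException: Modification failed because user 487 is not synchronized to the LDAP directory.
]]
[2011-11-29T18:29:00.000+05:30] [oim_server1] [ERROR] [IAM-3010003] [oracle.iam.ldapsync.impl.eventhandlers.user] [tid: 16] [userId: oiminternal] Failed to execute the handler.[[
oracle.iam.platform.kernel.EventFailedException: Enabling failed because user is not synchronized to the LDAP directory.
]]
"""

# First five bracketed ODL fields: timestamp, server, level, message id, module.
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}-\d\d-\d\dT[^\]]+)\] \[(?P<server>[^\]]*)\] "
    r"\[(?P<level>[A-Z_]+(?::\d+)?)\] \[(?P<msgid>[^\]]*)\] \[(?P<module>[^\]]*)\]"
)
LDAP_CODE = re.compile(r"LDAP: error code (\d+)")
POLICY = re.compile(r"Password Policy Error\s*:\s*(\d+)\s*:\s*(\w+)")
# Accept straight quotes and the curly quotes that copy/paste into a blog produces.
DN = re.compile(r"remaining name ['\u2018]([^'\u2019]+)['\u2019]")
NOT_SYNCED = re.compile(
    r"(\w+) failed because user(?: (\S+))? is not synchronized to the LDAP directory")
# Standard LDAP result-code names for the codes this example reports.
LDAP_RESULT = {19: "constraintViolation", 21: "invalidAttributeSyntax",
               32: "noSuchObject", 49: "invalidCredentials", 68: "entryAlreadyExists"}


def split_records(text):
    """Group physical lines into records; a line without a header continues the previous one."""
    records = []
    for line in text.splitlines():
        if HEADER.match(line):
            records.append([line])
        elif records:
            records[-1].append(line)
    return ["\n".join(lines) for lines in records]


def classify(record):
    """Return (kind, cause, subject) for an ERROR record, or None for any other level."""
    head = HEADER.match(record)
    if not head or head.group("level") != "ERROR":
        return None
    codes = [int(c) for c in LDAP_CODE.findall(record)]
    if codes:
        root = codes[-1]  # the last code in the record is the innermost nested one
        policy = POLICY.search(record)
        if policy:
            cause = "password policy %s %s" % policy.groups()
        else:
            cause = "LDAP %d %s" % (root, LDAP_RESULT.get(root, "unknown"))
        dn = DN.search(record)
        return ("rejected", cause, dn.group(1) if dn else None)
    symptom = NOT_SYNCED.search(record)
    if symptom:
        return ("not_synced", symptom.group(1).lower(), symptom.group(2))
    return ("other", head.group("msgid"), None)


def triage(text):
    """Summarise root causes of rejected creates and the users hit by follow-on errors."""
    causes, dns, users, no_id = Counter(), [], set(), 0
    for record in split_records(text):
        result = classify(record)
        if result is None:
            continue
        kind, cause, subject = result
        if kind == "rejected":
            causes[cause] += 1
            if subject and subject not in dns:
                dns.append(subject)
        elif kind == "not_synced":
            if subject:
                users.add(subject)
            else:
                no_id += 1
    return {"root_causes": causes, "rejected_dns": dns,
            "unsynced_users": sorted(users), "unsynced_without_id": no_id}


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for cause, count in summary["root_causes"].most_common():
        print(count, cause)
    print("rejected entries:", summary["rejected_dns"])
    print("users failing later operations:", summary["unsynced_users"])
```
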
kkaushick says November 30, 2011

so , how do i bring the users from oim to oid?
when and how does the sync b/w OIM-LDAP happen?
thanks,

Reply
kkaushick says December 1, 2011

hi ,
I tried to delete the entries from OIM using the Admin console, so that i could rerun the Recon, but the problem is for the same reason, as the users are not synced to LDAP Directory, not able to delete. Please guide me how to approach this problem.
i.e. how do i populate the users from EBS to OID?
thanks,

Reply
Atul Kumar says December 1, 2011

@ kkaushick,

There is a manual way to migrate users from EBS to OID which is http://onlineappsdba.com/index.php/2008/04/17/migrate-users-tofrom-oid-and-oracle-apps-11ir12/

But this process will not link users between OIM and OID. You need to manually link users between OIM and OID (using usr table). I am not sure if this is certified/supported solution. Please contact Oracle Support on this

Reply
kkaushick says December 1, 2011

thanks for the suggestion,
doubt is if we can migrate users from EBS to OID using AppsUserExport(converting the users data to a ldif file),then isn’t there a way to make a ldif file from the DEV_OIM.USR table so that we can use this file to populate OID with the users, how about truncating the whole USR table so that i can start the recon afresh, my line of thought is if the users will not be in OIM then Recon would not try to update the users in OID, which one do you suggest?
thanks again.

Reply
shah_harsh81 says February 22, 2012

Hi Atul

I follow all steps from Part I to VIII to install “Step by Step Installation of OAM, OIM, OAAM, OAPM, OIN (11.1.1.3.0)”

On this step VIII, it helps to Configure LDAP Sync with OIM 11g (OIM 11g Integration with OVD/OID).

I didn’t find steps to install OVD/OID thru step VIII.

Can you please help me here to install this OVD/OID in this version which you used thru steps VIII.

Thank you
Harsh Shah

Reply
Atul Kumar says February 27, 2012

@ shah_harsh81,
To install OID/OVD use steps from

http://onlineappsdba.com/index.php/2011/03/23/install-oracle-identity-management-oimidm-11114-oid-ovd-oif-high-level-steps/

Current OID/Version is 11.1.1.6 so only thing to change is use weblogic 10.3.6 (replace weblogic 10.3.4 with 10.3.6 in above doc) and replace OID/OVD patchset from 11.1.1.4 to 11.1.1.6 (latest is 11.1.1.6).

RCU you should use 11.1.1.6 RCU to create OID/OVD schema

Reply
vamsikrishna56 says March 9, 2012

Hi Atul,

My LDAP sync worked fine earlier. All of a sudden, whenever I try to create a user in OIM, LDAP sync creates the user, modifies the user and automatically calls delete user also and the user is getting deleted.

I have checked this in the audit log of OID logs and the change log ID in the console that the delete method is getting called during LDAPsync.

Any ideas on such issue ?

Thanks,
TVamsi.

Reply
Atul Kumar says March 11, 2012

@ vamsikrishna56,
Do you mean you create a user in OIM and then ldapsync automatically creates user in OID.

LDAPSync then deleted user from OID (even though user is still in OIM)

Is this the case ?

No, I have never seen issue like this. Do you have any other provisioning or reconciliation task with this OID ?

Reply
multikanth says May 3, 2012

Thank you for sharing.
I would like to share the issue I have faced and Fixes.
Issue : After doing everything as per this doc, I do get Error to User Created Sync.

Two fixes for this.

Fix 1 : in Metalink follow ID 1307549.1

Fix 2 : Got this from this thread https://forums.oracle.com/forums/thread.jspa?messageID=10311715#10311715

Parameter “Connection pooling supported” in Directory Server resource was set to true.

Reply
Jyothi says May 10, 2012

Hi Atul, I am not sure whether below exception from my OIM server should be ignored or not. I have checked OIM configuation with what you have mentioned. Everything is fine except I used port 3060 instead 6501 for the LDAP server url. But when I created users in OIM, I can see them in OID. Does this below exception may create problem somewhere else ?

<Class/Method: PooledResourceConnectionProvider/createConnection encounter some problems: ADP ClassLoader failed to load: oracle.iam.ldapsync.impl.repository.LDAPConnection
java.lang.ClassNotFoundException: ADP ClassLoader failed to load: oracle.iam.ldapsync.impl.repository.LDAPConnection
at com.thortech.xl.dataobj.tcADPClassLoader.findClass(tcADPClassLoader.java:219)
at com.oracle.oim.gcp.ucp.PooledResourceConnectionProvider.createConnection(PooledResourceConnectionProvider.java:73)
at oracle.ucp.common.UniversalConnectionPoolImpl$UniversalConnectionPoolInternal.createOnePooledConnectionInternal(UniversalConnectionPoolImpl.java:1563)
at oracle.ucp.common.UniversalConnectionPoolImpl$UniversalConnectionPoolInternal.access$600(UniversalConnectionPoolImpl.java:1399)
at oracle.ucp.common.UniversalConnectionPoolImpl.createOnePooledConnection(UniversalConnectionPoolImpl.java:477)
at oracle.ucp.common.UniversalConnectionPoolImpl.growPool(UniversalConnectionPoolImpl.java:856)
at oracle.ucp.common.UniversalConnectionPoolBase$1.run(UniversalConnectionPoolBase.java:1057)
at oracle.ucp.util.UCPTaskBase.call(UCPTaskBase.java:17)
at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
at java.util.concurrent.FutureTask.run(FutureTask.java:139)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:909)
at java.lang.Thread.run(Thread.java:662)

thank you for your valuable suggestion.

Jyothi

Reply
Jyothi says May 10, 2012

Atul, can I correct this error by providing 6501 ? If so, which file I need to modify ?

I think this could be the issue for the exception I am facing.

Can you please let me know whether I can correct it now.

Jyothi

Reply
Odesa says June 26, 2012

Atul, I installed OIM and specified all the parameters it asked for during the installation. Then I go to the browser and enter the address to access the main OIM interface, and it gives me an error:

Error 404–Not Found
From RFC 2068 Hypertext Transfer Protocol — HTTP/1.1:
10.4.5 404 Not Found
The server has not found anything matching the Request-URI. No indication is given of whether the condition is temporary or permanent.

Could you help me with this?

Thanks in advance.

Reply
Mabeliana says June 27, 2012

Atul, how are you? I need help. After I installed OIM and restarted the corresponding servers, when I go to the browser and enter the URL, with the port and everything, it gives me an error:

Error 404–Not Found
From RFC 2068 Hypertext Transfer Protocol — HTTP/1.1:
10.4.5 404 Not Found
The server has not found anything matching the Request-URI. No indication is given of whether the condition is temporary or permanent.

If the server does not wish to make this information available to the client, the status code 403 (Forbidden) can be used instead. The 410 (Gone) status code SHOULD be used if the server knows, through some internally configurable mechanism, that an old resource is permanently unavailable and has no forwarding address.

What could this be?
Can you help me with this?

Regards and thanks in advance.

Reply
avi says July 6, 2012

Atul,

I’ve followed the steps but I’m getting an error while creating users from the console : Unable to get LDAP connection,and the root cause is – Failed to get connection due to initialization error with the pool : Failed to initialize and start UCP Pool.

The Directory Server is up and running as I can do a Telnet to :
telnet LDAP_HOSTNAME ldapport

and also Ldapbind with the command :
ldapbind -h LDAP_HOSTNAME -p ldapport -D "cn=orcladmin" -q

ON OIM The Manage IT Resource section for Directory Server Type, the field was blank for Server URL. Tried adding ldap://server_name:ovdport but still facing the same issue.

Any inputs to help me over come this ??

Reply
avi says July 6, 2012

Also,while connecting to OVD from ODSM and creating the necessary adapters for LDAP Sync, it refuses to connect on default non SSL port 6501. Keeps saying not a valid connection. While it connects while I use the Admin SSL Port 8901 using which the adapters were created.

Wondering if this has got to do with the errors…

Reply
Mabeliana says August 27, 2012

Hello

1. how to add new field in administrator and user console?
2. how to add new user for enter to the console OIM?

Thanks

Reply
Sunil Unnikrishnan says September 5, 2012

Hi Atul, I just installed OIM R2. I already have OAM 11.1.1.5 configured against OVD 11.1.1.5 front-ending AD with our enterprise users. I do not have the option to extend the orcl schema on AD, so I decided to use OUD R2 and the install and base config went fine. I’m following this URL: http://docs.oracle.com/cd/E27559_01/install.1112/e27301/oim.htm#CDDGJIBJ to prep OUD and the schema went in fine. Now I’m confused with what exactly I need to do to complete OIM-OAM integration. Documentation seems to be everywhere with idmconfigtool.sh especially with R2.

I did not enable LDAP Sync during OIM config, so im following this post-install link – http://docs.oracle.com/cd/E27559_01/integration.1112/e27123/oid_oim.htm#CHDBICCC to complete that setup. And here’s where I see there is not much detail on how I need to idmconfigtool.sh and with what options. The good thing with OUD is almost all orcl schema is shipped and there is nothing much to do related to schema, except for obobjectclasses and index, which i did based on the first link posted above.

Do you have any thoughts on this, related to OIM R2?

Sunil.

Reply
Sunil Unnikrishnan says September 7, 2012

Thanks Atul. Excellent link for my requirement.
Can you please confirm the below high level steps for this integration?

1. Prepare OUD for integration
2. Configure JOIN/SHADOW adapters between AD and OUD.
3. Run ./idmconfigTool.sh with -preConfigIDStore, -prepareIDStore with mode OAM and OIM, -configOAM, -configOIM. -configPolicyStore (not sure if this is needed??). I have already run -preConfigIDStore directly against OUD and it went fine. I’ll be enabling LDAP Sync directly against OUD since R2 supports it (http://docs.oracle.com/cd/E27559_01/install.1112/e27301/oim.htm#CDDGJIBJ) and I’m confused on the need for pointing OIM to OVD. Thoughts?

Thanks,
Sunil.

Reply
mike says September 28, 2012

Hello Atul,
I have a requirement for the sync from the oid to the oim. Can this be done?
TIA

Mike

Reply
    Atul Kumar says September 29, 2012

    @ Mike,
    If OIM is 11g then this can be done via two ways
    a) LDAPSync or
    b) OIM connector for OID

    If this is OIM 10g then use OIM connector for OID

    For both ldapsync and OIM connector for OID, search on this blog

    Reply
Sean says September 29, 2012

Atul,
for the post ldapsync
LDAPConfigPostSetup.sh

it fails:
[Enter OIM admin password:]
java.lang.NullPointerException
at java.util.Hashtable.put(Hashtable.java:394)
at oracle.iam.platformservice.utils.LDAPConfigPostSetup.(LDAPConfigPostSetup.java:146)
at oracle.iam.platformservice.utils.LDAPConfigPostSetup.main(LDAPConfigPostSetup.java:106)
Unable to get either LDAP, OIM connection and reason is:null

I verified the props file, all look good. It is the oim 11.1.1.5.4, i have used OID as the directory in the OIM config and set SkipOVDValidation= true in the props file.

Any insights?

Reply
Atul Kumar says September 29, 2012

@ Sean,

You mentioned OIM 11.1.1.5.4; as per my knowledge the latest BP is 03, so 11.1.1.5.3.

For your issue, it looks like java is not set correctly. Type which java and make sure this is 1.6. Also check the JAVA_HOME environment variable.

Reply
Sean says September 29, 2012

11.1.1.5.4 has been released as BP4 14102430

I have had the JAVA set:

$ env |grep JAVA
JAVA_HOME=/u01/oracle/jdk/jdk1.6.0_30

it is a Linux 64bit

uname -a
Linux p2devwebportal.usace.army.mil 2.6.32-200.13.1.el5uek #1 SMP Wed Jul 27 21:02:33 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux

Reply
Atul Kumar says September 29, 2012

@ Sean,
Thanks for the information on BP04 for 11.1.1.5.

Which java is in the path?

which java

also paste content of $MW_HOME/iam/server/ldap_config_util/ldapconfig.props

check details are correct in this file

Reply
Sean says September 29, 2012

$which java
/u01/oracle/jdk/jdk1.6.0_30/bin/java

ldapconfig.props :

# OIMServer Type, Valid values can be WLS, JBOSS, WAS
# e.g.: OIMServerType=WLS
OIMServerType=WLS

# OIMAdmin User Login
# e.g.: OIMAdminUser=xelsysadm
OIMAdminUser=xelsysadm

# Skip Validation of OVD Schema
# e.g.: SkipOVDValidation=true|false, Default false
SkipOVDValidation=true

# OIM Provider URL
# e.g.: OIMProviderURL=t3://localhost:8003
OIMProviderURL=t3://jm100:14000
#OIMProviderURL=t3://jm100:8001
#(Note I tried the both 14000 and 8001, failed on the both)
# OID URL
# e.g.: OIDURL=ldap://localhost:389
OIDURL=ldap://jm101:3060

# Admin user name to connect to OID
# e.g.: OIDAdminUsername=cn=orcladmin
OIDAdminUsername=cn=orcladmin

# Search base
# e.g.: OIDSearchBase=dc=company,dc=com
OIDSearchBase=dc=usace,dc=XXXXXX

# Name of the user container
# e.g.: UserContainerName=cn=Users
UserContainerName=cn=Users

# Name of the role container
# e.g.: RoleContainerName=cn=Roles
RoleContainerName=cn=Groups

# Name of the reservation container
# e.g.: ReservationContainerName=cn=Reserve
ReservationContainerName=cn=reserve

Reply
Atul Kumar says September 29, 2012

@ Sean,
OIDAdminUsername=cn=orcladmin doesn’t look right. You should use cn=oimLDAP,cn=systemids,dc=****

Please confirm that you generated the wlfullclient.jar file; if not, create it and try again.

Reply
Sean says September 29, 2012

i have it in oid as:
cn=oimadmin,cn=systemids,dc=***

and tried as you suggested and failed the same.

And Yes, wlfullclient.jar had been generated.

Thanks.

Reply
» OIM User Creation : An Error occurred while performing create user operation. Unable to get LDAP connection Online Apps DBA: One Stop Shop for Apps DBA’s says October 25, 2012

[…] or later can be integrated with LDAP server using LDAPSync . More on LDAP Sync here, here, […]

Reply
» Your account is locked. You can unlock your account by going to Forgot Password Online Apps DBA: One Stop Shop for Apps DBA’s says November 20, 2012

[…] (OID in this case) using LDAPSync (OIM should be configured with LDAPSync enabled. More on LDAPSync here, here, and here). This process will also clear two attributes obLockoutTime, and obLoginTryCount […]

Reply
sampal says November 21, 2012

Hello Atul,

Can you please let me know why we need LDAP sync for OIM and OAM integration? We are trying to achieve Single Sign-On for OIM using OAM. Is it not like any other type of integration, where we protect the application with a webgate and configure policies in OAM? We don’t want to maintain another product (OID/OVD, as LDAP sync needs), so can you please let us know a feasible solution?

Reply
    Atul Kumar says November 22, 2012

    @ sampal,
    OIM stores its user repository in its own user store (USR table in OIM schema). Though OAM can authenticate against a database table, OIM for security reasons wouldn’t let anyone else connect to its USR repository. The solution for this is to SYNC users in OIM with LDAP servers. Then for locked accounts OAM should be able to see it under its own repository (like obLoginTryCount) and this lock/unlock should sync with OIM. These are just two examples for which you need OIM to sync data to the LDAP server to which OAM is integrated (for SSO).

    I hope this answers your question.

    Reply
sampal says November 26, 2012

Thanks Atul for the quick response. So if LDAP sync has to be enabled, can we use Active Directory as the data store instead of OID/OVD? Does using AD push any new attributes to the AD server?

Please let us know.

Reply
Atul Kumar says November 26, 2012

@ Sampal,
Yes you can use AD with OIM for LDAPSync but you need to extend AD schema to include attributes required for OIM-OAM integration. Schema extension scripts are included in integration guide.

Reply
sunil sharma says January 24, 2013

Hi Gurus,
I have done LDAPSync, but when I want to modify a user through the OIM console it doesn’t get modified and it shows no error in the log. Can you tell me how to fix this problem? Thanks in advance.

Reply
    Atul Kumar says January 24, 2013

    @ Sunil,
    Were these users created before LDAP sync or after LDAP sync? Try creating a new user and see if you can modify this new user.

    Reply
sunil sharma says January 25, 2013

Hi Atul,
These users were created after LDAPSync and if I tried to modify it, the modification doesn’t work. Please let me know if you require any further details; thanks for your reply. I am also trying to fix that problem. My Skype id is “sunil.sharma759”; if you want you can send me a request or else give me your details and I will send you the request. Please help me in this; I am a fresher and I have to do it.

Reply
    Atul Kumar says January 25, 2013

    @ Sunil Sharma,
    Check logs in OIM diagnostics and OIM out file. If you can’t find any errors then enable diagnostics in OIM via EM and then try again to reproduce problem and check logs

    Reply
sunil sharma says January 25, 2013

Hi,
It is giving me the error “NO_SUCH_OBJECT”, so please suggest any solution for that. Thanks in advance.

Reply
Atul Kumar says January 25, 2013

@ Sunil Sharma,
You need to provide more information; “NO_SUCH_OBJECT” will not help. Paste the full error.

Reply
sunil sharma says January 28, 2013

Hi Atul,
Here I am sending you the oim_server1-diagnostic log details. I think this is the reason due to which the user is not being modified. Please suggest a solution to this or else any other solution through which I can modify the user.
[2013-01-28T09:22:34.553+05:30] [oim_server1] [ERROR] [IAM-0042016] [oracle.iam.platform.entitymgr.provider.ldap] [tid: OIMQuartzScheduler_Worker-6] [userId: oiminternal] [ecid: 0000JlzHZAWFw0zkrw0AJz53vfE0jzYxv1H1VKv000002,0] [APP: oim#11.1.1.3.0] An error occurred while getting the change log from LDAP – {0}[[
javax.naming.NoPermissionException: Error: INSUFFICIENT_ACCESS_RIGHTS
LDAP Error 50 : [LDAP: error code 50 – Insufficient Access Rights] [Root exception is oracle.ods.virtualization.service.VirtualizationException: oracle.ods.virtualization.engine.util.DirectoryException: LDAP Error 50 : [LDAP: error code 50 – Insufficient Access Rights]]
at oracle.ods.virtualization.jndi.OVDUtil.mapErrorCode(OVDUtil.java:162)
at oracle.ods.virtualization.jndi.OVDContext.search(OVDContext.java:439)
at oracle.ods.virtualization.jndi.OVDContext.search(OVDContext.java:329)
at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:248)
at oracle.iam.platform.entitymgr.provider.ldap.LDAPUtil.search(LDAPUtil.java:1029)
at oracle.iam.platform.entitymgr.provider.ldap.LDAPDataProvider.getChangelogResults(LDAPDataProvider.java:1486)
at oracle.iam.platform.entitymgr.provider.ldap.LDAPDataProvider.deltaDetect(LDAPDataProvider.java:1443)
at oracle.iam.ldapsync.scheduletasks.hierarchy.LDAPRoleHierarchyReconTask.execute(LDAPRoleHierarchyReconTask.java:94)
at oracle.iam.scheduler.vo.TaskSupport.executeJob(TaskSupport.java:145)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at oracle.iam.scheduler.impl.quartz.QuartzJob.execute(QuartzJob.java:196)
at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:529)
Caused by: oracle.ods.virtualization.service.VirtualizationException: oracle.ods.virtualization.engine.util.DirectoryException: LDAP Error 50 : [LDAP: error code 50 – Insufficient Access Rights]
at oracle.ods.virtualization.operation.SearchOperation.process(SearchOperation.java:174)
at oracle.ods.virtualization.service.DefaultVirtualizationSession.search(DefaultVirtualizationSession.java:182)
at oracle.ods.virtualization.jndi.OVDContext.search(OVDContext.java:429)
… 14 more
Caused by: oracle.ods.virtualization.engine.util.DirectoryException: LDAP Error 50 : [LDAP: error code 50 – Insufficient Access Rights]
at oracle.ods.virtualization.engine.backend.jndi.ConnectionHandle.handleError(ConnectionHandle.java:439)
at oracle.ods.virtualization.engine.backend.jndi.ConnectionHandle.search(ConnectionHandle.java:280)
at oracle.ods.virtualization.engine.backend.jndi.JNDIEntrySet.initialize(JNDIEntrySet.java:219)
at oracle.ods.virtualization.engine.backend.jndi.BackendJNDI.get(BackendJNDI.java:727)
at oracle.ods.virtualization.engine.chain.Chain.nextGet(Chain.java:303)
at oracle.ods.virtualization.engine.chain.plugins.changelog.ChangelogPlugin.get(ChangelogPlugin.java:611)
at oracle.ods.virtualization.engine.chain.Chain.nextGet(Chain.java:314)
at oracle.ods.virtualization.engine.chain.PluginChain.runGet(PluginChain.java:211)
at oracle.ods.virtualization.engine.chain.PluginManager.runGet(PluginManager.java:351)
at oracle.ods.virtualization.engine.chain.PluginManager.runGet(PluginManager.java:316)
at oracle.ods.virtualization.engine.backend.AdapterServiceInterface.getByAdapter(AdapterServiceInterface.java:582)
at oracle.ods.virtualization.engine.backend.AdapterServiceInterface.get(AdapterServiceInterface.java:453)
at oracle.ods.virtualization.engine.backend.BackendHandler.get(BackendHandler.java:429)
at oracle.ods.virtualization.engine.chain.Chain.nextGet(Chain.java:295)
at oracle.ods.virtualization.engine.chain.BasePlugin.get(BasePlugin.java:89)
at oracle.ods.virtualization.engine.chain.plugins.uniqueentry.UniqueEntryPlugin.get(UniqueEntryPlugin.java:132)
at oracle.ods.virtualization.engine.chain.Chain.nextGet(Chain.java:314)
at oracle.ods.virtualization.engine.chain.BasePlugin.get(BasePlugin.java:89)
at oracle.ods.virtualization.engine.chain.plugins.mlsfilter.MlsFilter.get(MlsFilter.java:102)
at oracle.ods.virtualization.engine.chain.Chain.nextGet(Chain.java:314)
at oracle.ods.virtualization.engine.chain.PluginChain.runGet(PluginChain.java:211)
at oracle.ods.virtualization.engine.chain.PluginManager.runGet(PluginManager.java:351)
at oracle.ods.virtualization.engine.chain.PluginManager.runGet(PluginManager.java:316)
at oracle.ods.virtualization.engine.chain.GlobalServicesInterface.runGet(GlobalServicesInterface.java:136)
at oracle.ods.virtualization.operation.SearchOperation.process(SearchOperation.java:168)
… 16 more
Caused by: javax.naming.NoPermissionException: [LDAP: error code 50 – Insufficient Access Rights]; remaining name ‘cn=Changelog’
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3049)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2794)
at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1826)
at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1749)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:368)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:338)
at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:257)
at oracle.ods.virtualization.engine.backend.jndi.ConnectionHandle.search(ConnectionHandle.java:261)
… 39 more

*********************************************

[2013-01-28T09:22:33.972+05:30] [oim_server1] [ERROR] [IAM-0042016] [oracle.iam.platform.entitymgr.provider.ldap] [tid: OIMQuartzScheduler_Worker-4] [userId: oiminternal] [ecid: 0000JlzHZAWFw0zkrw0AJz53vfE0jzYxv1H1VKv000002,0] [APP: oim#11.1.1.3.0] An error occurred while getting the change log from LDAP – {0}[[
java.lang.NullPointerException
at java.util.concurrent.ConcurrentHashMap.get(ConcurrentHashMap.java:768)
at oracle.ods.virtualization.engine.router.RoutingHandler.getRoutingRule(RoutingHandler.java:234)
at oracle.ods.virtualization.engine.backend.AdapterServiceInterface.get(AdapterServiceInterface.java:463)
at oracle.ods.virtualization.engine.backend.BackendHandler.get(BackendHandler.java:429)
at oracle.ods.virtualization.engine.chain.Chain.nextGet(Chain.java:295)
at oracle.ods.virtualization.engine.chain.BasePlugin.get(BasePlugin.java:89)
at oracle.ods.virtualization.engine.chain.plugins.uniqueentry.UniqueEntryPlugin.get(UniqueEntryPlugin.java:132)
at oracle.ods.virtualization.engine.chain.Chain.nextGet(Chain.java:314)
at oracle.ods.virtualization.engine.chain.BasePlugin.get(BasePlugin.java:89)
at oracle.ods.virtualization.engine.chain.plugins.mlsfilter.MlsFilter.get(MlsFilter.java:102)
at oracle.ods.virtualization.engine.chain.Chain.nextGet(Chain.java:314)
at oracle.ods.virtualization.engine.chain.PluginChain.runGet(PluginChain.java:211)
at oracle.ods.virtualization.engine.chain.PluginManager.runGet(PluginManager.java:351)
at oracle.ods.virtualization.engine.chain.PluginManager.runGet(PluginManager.java:316)
at oracle.ods.virtualization.engine.chain.GlobalServicesInterface.runGet(GlobalServicesInterface.java:136)
at oracle.ods.virtualization.operation.SearchOperation.process(SearchOperation.java:168)
at oracle.ods.virtualization.service.DefaultVirtualizationSession.search(DefaultVirtualizationSession.java:182)
at oracle.ods.virtualization.jndi.OVDContext.search(OVDContext.java:429)
at oracle.ods.virtualization.jndi.OVDContext.search(OVDContext.java:329)
at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:248)
at oracle.iam.platform.entitymgr.provider.ldap.LDAPUtil.search(LDAPUtil.java:1029)
at oracle.iam.platform.entitymgr.provider.ldap.LDAPDataProvider.getChangelogResults(LDAPDataProvider.java:1486)
at oracle.iam.platform.entitymgr.provider.ldap.LDAPDataProvider.deltaDetect(LDAPDataProvider.java:1443)
at oracle.iam.ldapsync.scheduletasks.role.LDAPRoleChangesReconTask.execute(LDAPRoleChangesReconTask.java:118)
at oracle.iam.scheduler.vo.TaskSupport.executeJob(TaskSupport.java:145)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at oracle.iam.scheduler.impl.quartz.QuartzJob.execute(QuartzJob.java:196)
at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:529)

Reply
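Added example, not part of the thread or of Oracle's tooling: a small parser that reduces a diagnostic log like the one posted above to the failing scheduled job, the innermost "Caused by" exception, and the LDAP result code and entry name. The sample text is abbreviated from that log, and the function names are hypothetical.

```python
import re

# LDAP result codes (RFC 4511) that appear in this thread.
LDAP_RESULT = {32: "noSuchObject", 50: "insufficientAccessRights"}

HEADER = re.compile(r"^\[(\d{4}-\d{2}-\d{2}T[^\]]+)\] \[[^\]]+\] \[[A-Z]+\] \[([^\]]*)\]")
# The blog rendering turned "-" into an en dash and straight quotes into curly
# ones, so both spellings are accepted.
LDAP_CODE = re.compile(r"LDAP: error code (\d+)\s*[-\u2013]")
REMAINING = re.compile("remaining name ['\u2018\"]([^'\u2019\"]+)")
JOB = re.compile(r"scheduletasks\.(?:\w+\.)*(\w+)\.execute\(")
EXC = re.compile(r"^([\w.$]+(?:Exception|Error))\b")

# Abbreviated from the diagnostic log posted in the comment above.
SAMPLE_LOG = """\
[2013-01-28T09:22:34.553+05:30] [oim_server1] [ERROR] [IAM-0042016] [oracle.iam.platform.entitymgr.provider.ldap] [tid: OIMQuartzScheduler_Worker-6] An error occurred while getting the change log from LDAP – {0}[[
javax.naming.NoPermissionException: Error: INSUFFICIENT_ACCESS_RIGHTS
at oracle.ods.virtualization.jndi.OVDUtil.mapErrorCode(OVDUtil.java:162)
at oracle.iam.ldapsync.scheduletasks.hierarchy.LDAPRoleHierarchyReconTask.execute(LDAPRoleHierarchyReconTask.java:94)
Caused by: oracle.ods.virtualization.service.VirtualizationException: oracle.ods.virtualization.engine.util.DirectoryException: LDAP Error 50 : [LDAP: error code 50 – Insufficient Access Rights]
at oracle.ods.virtualization.operation.SearchOperation.process(SearchOperation.java:174)
… 14 more
Caused by: javax.naming.NoPermissionException: [LDAP: error code 50 – Insufficient Access Rights]; remaining name ‘cn=Changelog’
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3049)
[2013-01-28T09:22:33.972+05:30] [oim_server1] [ERROR] [IAM-0042016] [oracle.iam.platform.entitymgr.provider.ldap] [tid: OIMQuartzScheduler_Worker-4] An error occurred while getting the change log from LDAP – {0}[[
java.lang.NullPointerException
at java.util.concurrent.ConcurrentHashMap.get(ConcurrentHashMap.java:768)
at oracle.iam.ldapsync.scheduletasks.role.LDAPRoleChangesReconTask.execute(LDAPRoleChangesReconTask.java:118)
"""


def parse_events(text):
    """Split ODL-style log text into events and summarise each stack trace."""
    events, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        head = HEADER.match(line)
        if head:
            cur = {"time": head.group(1), "msg_id": head.group(2), "job": None,
                   "exception": None, "root_cause": None,
                   "ldap_code": None, "remaining_name": None}
            events.append(cur)
            continue
        if cur is None or not line:
            continue  # text before the first header belongs to no event
        if line.startswith("at "):
            job = JOB.search(line)
            if job:
                cur["job"] = job.group(1)
            continue
        if line.startswith("Caused by:"):
            line = line[len("Caused by:"):].strip()
            exc = EXC.match(line)
            # Each later "Caused by" overwrites the earlier one: the last is innermost.
            cur["root_cause"] = exc.group(1) if exc else line.split(":", 1)[0]
        elif cur["exception"] is None and EXC.match(line):
            cur["exception"] = cur["root_cause"] = EXC.match(line).group(1)
        code = LDAP_CODE.search(line)
        if code:
            cur["ldap_code"] = int(code.group(1))
        name = REMAINING.search(line)
        if name:
            cur["remaining_name"] = name.group(1)
    return events


def summarise(event):
    """One line per event: failing job, innermost exception, LDAP result if any."""
    parts = [event["time"], event["job"] or "unknown job",
             event["root_cause"] or "no exception"]
    code = event["ldap_code"]
    if code is not None:
        parts.append("LDAP %d %s" % (code, LDAP_RESULT.get(code, "(see RFC 4511)")))
    if event["remaining_name"]:
        parts.append("on " + event["remaining_name"])
    return " | ".join(parts)


if __name__ == "__main__":
    for ev in parse_events(SAMPLE_LOG):
        print(summarise(ev))
```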
satheeshskumar says February 4, 2013

I am preparing a test environment.
After running ./LDAPConfigPostSetup.sh i get the following error.
[Enter OIM admin password:]
java.lang.NullPointerException
at java.util.Hashtable.put(Hashtable.java:396)
at oracle.iam.platformservice.utils.LDAPConfigPostSetup.(LDAPConfigPostSetup.java:146)
at oracle.iam.platformservice.utils.LDAPConfigPostSetup.main(LDAPConfigPostSetup.java:106)
Unable to get either LDAP, OIM connection and reason is:null

JAVA_HOME and WL_HOME is setup correctly.
OID is running and port is 3060 no-ssl.

Reply
    Atul Kumar says February 5, 2013

    @ satheeshskumar,
    What version of OIM are you running and what patchset (BP Bundle Patch)? If this is 11.1.1.5 BP04 then check LdapConfigPostSetup.sh Erros In OIM 11.1.1.5.4 / BP04 [ID 1508480.1]. You need three more environment variables: LDAPAdminUsername, OIMProviderURL, LDAPURL or LIBOVD_PATH_PARAM

    Check for BUG 14783790

    Reply
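Added example, not from any post in this thread or from Oracle: a pre-flight check for ldapconfig.props that uses only the key names quoted on this page. The grouping into two profiles and the reading of "LDAPURL or LIBOVD_PATH_PARAM" as "at least one of" are assumptions; the sample file is constructed from the one posted earlier in the thread.

```python
# Key names are the ones quoted on this page; the profile grouping is an
# assumption made for this example, not Oracle's specification.
PROFILES = {
    "11.1.1.3": {
        "required": ["OIMProviderURL", "OIDURL", "OIDAdminUsername", "OIDSearchBase",
                     "UserContainerName", "RoleContainerName", "ReservationContainerName"],
        "one_of": [],
    },
    "11.1.1.5-BP04": {
        "required": ["OIMProviderURL", "LDAPAdminUsername"],
        "one_of": [("LDAPURL", "LIBOVD_PATH_PARAM")],
    },
}
RENAMED = {"OIDURL": "LDAPURL", "OIDAdminUsername": "LDAPAdminUsername"}

# Constructed from the ldapconfig.props posted earlier in the thread.
SAMPLE_PROPS = """\
OIMServerType=WLS
OIMAdminUser=xelsysadm
SkipOVDValidation=true
OIMProviderURL=t3://jm100:14000
#OIMProviderURL=t3://jm100:8001
OIDURL=ldap://jm101:3060
OIDAdminUsername=cn=orcladmin
OIDSearchBase=dc=usace,dc=XXXXXX
UserContainerName=cn=Users
RoleContainerName=cn=Groups
ReservationContainerName=cn=reserve
"""


def parse_props(text):
    """Return (props, duplicated_keys); values may themselves contain '='."""
    props, dupes = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue  # blank line or comment, including commented-out settings
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key = key.strip()
        if key in props:
            dupes.append(key)
        props[key] = value.strip()
    return props, dupes


def check(text, profile):
    """Return a list of (severity, message) findings for the given profile."""
    props, dupes = parse_props(text)
    spec = PROFILES[profile]
    findings = []
    for key in spec["required"]:
        if not props.get(key):
            old = [o for o, n in RENAMED.items() if n == key and o in props]
            hint = " (file still uses %s)" % old[0] if old else ""
            findings.append(("ERROR", "missing %s%s" % (key, hint)))
    for group in spec["one_of"]:
        if not any(props.get(k) for k in group):
            findings.append(("ERROR", "need one of: " + ", ".join(group)))
    for key in dupes:
        findings.append(("WARN", "%s set more than once; the last value wins" % key))
    for key in ("OIDAdminUsername", "LDAPAdminUsername"):
        if props.get(key, "").replace(" ", "").lower() == "cn=orcladmin":
            findings.append(("WARN", "%s binds as the directory superuser cn=orcladmin; "
                             "this thread suggests an account under cn=systemids" % key))
    for key in ("OIDURL", "LDAPURL"):
        if props.get(key, "").lower().startswith("ldap://"):
            findings.append(("WARN", "%s uses ldap://, so the bind is not protected by LDAPS" % key))
    return findings


if __name__ == "__main__":
    for severity, message in check(SAMPLE_PROPS, "11.1.1.5-BP04"):
        print(severity, message)
```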
satheeshskumar says February 5, 2013

Hi Atul,

I have updated ldapconfig.props with the above-mentioned parameters. The error message below appears after updating the 3 parameters:

LIBOVD_PATH_PARAM=/u02/app/oracle/Middleware/user_projects/domains/IDMDomain/config/fmwconfig/ovd/oim

LDAPAdminUsername=cn=orcladmin
LDAPURL=ldap://testfusionmw:3060

Error message:

java.lang.NullPointerException
at oracle.iam.platformservice.utils.LDAPConfigPostSetup.updateLDAPSyncScheduleJobs (LDAPConfigPostSetup.java:191)
at oracle.iam.platformservice.utils.LDAPConfigPostSetup.main(LDAPConfigPostSetup.java:111)

Reply
    Atul Kumar says February 6, 2013

    @ Sateeshkumar,
    It looks like xmlparserv2.jar is missing from the classpath, add this in classpath and try again.

    Reply
satheeshskumar says February 5, 2013

Hi Atul,

I forgot to update the version 11.1.1.5 BP04

Regards

Reply
satheeshskumar says February 6, 2013

Hi Atul,
I have added it; the classpath values are pasted below:
=============
echo $CLASSPATH
../client/oimclient.jar:/u02/app/oracle/Middleware/wlserver_10.3/server/lib/wlfullclient.jar:../ext/jakarta-commons/commons-logging.jar:../ext/spring.jar:/u02/app/oracle/Middleware/wlserver_10.3/server/lib/webserviceclient+ssl.jar:../platform/iam-platform-utils.jar:/u02/app/oracle/Middleware/wlserver_10.3/server/lib/wlclient.jar:/u02/app/oracle/Middleware/wlserver_10.3/server/lib/weblogic.jar:../platform/iam-platform-auth-client.jar:../client/oimclient.jar:../features/iam-features-system-configuration.zip:../platform/iam-platform-authz-service.jar:../features/iam-features-identity.zip:../features/iam-features-platformservice.zip:../ext/log4j-1.2.8.jar:../ext/internal/eclipselink.jar:/u02/app/oracle/Middleware/wlserver_10.3/../oracle_common/modules/oracle.ldap_11.1.1/ldapjclnt11.jar:/u02/app/oracle/Middleware/Oracle_IAM1/oui/jlib/jlib/xmlparserv2.jar
================================

Still same error:
[oracle@bhmanapr12 ldap_config_util]$ ./LDAPConfigPostSetup.sh
[Enter LDAP admin password:]
[Enter OIM admin password:]
java.lang.NullPointerException
at oracle.iam.platformservice.utils.LDAPConfigPostSetup.updateLDAPSyncScheduleJobs(LDAPConfigPostSetup.java:191)
at oracle.iam.platformservice.utils.LDAPConfigPostSetup.main(LDAPConfigPostSetup.java:111)

Reply
Mounika says March 15, 2014

Hi Atul,

I am trying to configure LDAP Sync with OIM 11g R2 PS2(11.1.2.2) using OUD 11.1.2.2 version Post OIM installation & Configuration. My OIM is installed on Linux and OUD on Windows servers.

I have done preconfiguring OUD steps by following the document at http://docs.oracle.com/cd/E27559_01/install.1112/e27301/preconfigoud.htm#CHDCEJKD

Then following document from http://docs.oracle.com/cd/E27559_01/integration.1112/e27123/oid_oim.htm#IDMIG4357

In 3.1 Enabling Postinstallation LDAP Synchronization –> Step 6 For reconciliation jobs,

I am not able to find the following 2 files patch_weblogic.sh MDS utility available in OIM_HOME/bin/ and $OIM_ORACLE_HOME/server/bin/weblogic.profile

Are these files available in OIM installed location by default or generate after doing some kind of configurations?

Could you please help me in this regard.

Thanks in advance,
Mounika

Reply
Anu says March 1, 2017

We have configured LDAP sync (OIM-OUD) manually after OIM installation. Now while creating a user in OIM we are facing the below error. Could you please provide pointers?
<oracle.iam.platform.kernel.EventFailedException: IAM-3010004:An error occurred while deleting LDAP user in the compensate stage.:
oracle.iam.request.exception.RequestServiceException: oracle.iam.platform.kernel.EventFailedException: IAM-3010004:An error occurred while deleting LDAP user in the compensate stage.:
at oracle.iam.request.impl.RequestEngine.startOrchestrationFromPreProcess(RequestEngine.java:5091)
at oracle.iam.request.impl.RequestEngine.triggerOperation(RequestEngine.java:4966)
at oracle.iam.request.impl.RequestEngine.doOperation(RequestEngine.java:4598)
at oracle.iam.impl.OIMServiceImpl.doOperation(OIMServiceImpl.java:43)

Reply