OIM LDAP Sync : Overview and Key Points

OIM LDAP synchronisation (LDAP sync) is process to integrate OIM with LDAP server (OID, AD, ODSEE ..) so that users/groups/roles created in OIM are synchronised automatically with LDAP server.

  • LDAP sync can be configured during OIM configuration phase or later.
  • In OIM 11.1.1.3,  OVD (Oracle Virtual Directory) is mandatory to integrate OIM ldap synchronisation where as from OIM 11.1.1.5 onwards OVD is optional component for OIM LDAP sync. If you don’t want to use OVD then from version 11.1.1.5, OIM comes with identity virtualization Library (libOVD). If libOVD is not used then OIM should use an instance of OVD for LDAP synchronisation.
  • When LDAP sync is enabled in OIM, four default jobs are enabled
    a) LDAPSync Post Enable Provision Users to LDAP
    b) LDAPSync Post Enable Provision Roles to LDAP
    c) LDAPSync Post Enable Provision Role Membership to LDAP
    d) LDAPSync Post Enable Provision Role Hierarchy to LDAP
  • To enable LDAP Sync post OIM configuration use steps mentioned here
  • To disable LDAP Sync in OIM, delete EventHandlers.xml from MDS and disable Jobs (mentioned above). For steps click here
  • OIM LDAP Sync creates OIM users in LDAP server under default user container configured during LDAP Sync configuration. If you wish to change user container based on user/role attributes (for example users with attribute value country=US should go to container cn=US,cn=User,dc=domain and users with attribute value country=UK should go to cn=UK,cn=User,dc=domain ) then modify /db/ldapContainerRules.xml in MDS. More information here
  • OIM calls plug-in that implements interface oracle.iam.ldapsync.LDAPContainerMapper . This plug-in is defined by OIM system property LDAPContainerMapperPlugin. The plug-in reads user/group container value (location where it needs to sync data in LDAP server) from XML file stored on MDS schema in OIM database (/db/LDAPContainerRules.xml) .
  • You can enable logging for LDAP using logger “oracle.iam.ldap-sync” from Fusion Middleware Enterprise Manager Console. More on Logging & Auditing in OIM in chapter 13 of my book Oracle Identity and Access Manager 11g for Administrators at Amazon  or Packtpub

About the Author Masroof Ahmad

Leave a Comment:

13 comments
» How to find latest changelog number (or changes) in OID ? Online Apps DBA: One Stop Shop for Apps DBA’s says November 15, 2011

[…] Identity Manager (OIM) configured with LDAPSych also uses change log to reconcile data from […]

Reply
» Fusion Applications 11.1.1.5.1 Installation Part III - Configure Policy and Identity Store Online Apps DBA: One Stop Shop for Apps DBA’s says November 28, 2011

[…] oimadmin user is used to synchronise users from OIM to OID ( LDAPSync ) Note: xelsysadmin created here is used to logon to OIM as […]

Reply
» Users not synced from OID to OIM : Debug Scheduled Job Online Apps DBA: One Stop Shop for Apps DBA’s says June 13, 2012

[…] between OIM 11g and OID (or other LDAP Servers) can be synchronised either using LDAPSync  (For LDAPsync with OVD check here ) or using OIM connectors (For OID connector click […]

Reply
vin says August 10, 2012

hi,

I am trying to modify LDAPContainerrules.xml according to the organizations i.e using act_key . When organization=org1 (i.e act_key=21) provision the user in “l=amer,dc=oracle,dc=com” container.
We have mapped OID attribute “o” to OIM act_key and this mapping works. When we create a user, the “o” in OID gets updated to 21.

act_key=21 l=amer,dc=oracle,dc=com

act_key=21 l=apac,dc=oracle,dc=com

Default l=users,dc=oracle,dc=com

Default
Default l=roles,dc=oracle,dc=com

Also when we do it using attribute “First Name” it worked as shown below.
But it is not working for act_key.
Can you suggest how can we provision users based on organization using LDAPcontainerrules.xml

First Name=user1 l=amer,dc=oracle,dc=com

First Name=user2 l=apac,dc=oracle,dc=com

Default l=users,dc=oracle,dc=com

Default
Default l=roles,dc=oracle,dc=com

Reply
vin says August 10, 2012

Sorry, the act_key rule is as below –

act_key=21 l=amer,dc=oracle,dc=com

act_key=22 l=apac,dc=oracle,dc=com

act_key=23 l=ajac,dc=oracle,dc=com

Default l=users,dc=oracle,dc=com

Default
Default l=roles,dc=oracle,dc=com

Reply
vin says August 10, 2012

Sorry, the act_key rule is as below –

act_key=21 l=amer,dc=oracle,dc=com

act_key=22 l=apac,dc=oracle,dc=com

act_key=23 l=ajac,dc=oracle,dc=com

Default l=users,dc=oracle,dc=com

Default
Default l=roles,dc=oracle,dc=com

Reply
» Account Lock in OIM OAM OAAM, OID & WebLogic 11g because of Failed Login Attempts Online Apps DBA: One Stop Shop for Apps DBA’s says October 9, 2012

[…] OAM & OAAM. Users between OIM & OID are synced using libOVD or OVD . More on libOVD in OIM here and here d) OIM is used for password reset and account unlock More on How lock/unlock should […]

Reply
» OIM User Creation : An Error occurred while performing create user operation. Unable to get LDAP connection Online Apps DBA: One Stop Shop for Apps DBA’s says October 25, 2012

[…] installation or later can be integrated with LDAP server using LDAPSync . More on LDAP Sync here, here, […]

Reply
» Your account is locked. You can unlock your account by going to Forgot Password Online Apps DBA: One Stop Shop for Apps DBA’s says November 20, 2012

[…] this case) using LDAPSync (OIM should be configured with LDAPSync enabled. More on LDAPSync here, here, and here). This process will also clear two attributes obLockoutTime, and obLoginTryCount (OAM […]

Reply
» User not synced from OID (LDAP) to OIM (LDAPsync) : Account Locked in OAM are not locked in OIM Online Apps DBA: One Stop Shop for Apps DBA’s says December 5, 2012

[…] 5th, 2012 byAtul Kumar in oam, oid, OIM When you enable LDAPSync (More on LDAPSYnc here, here, and here ) in OIM 11g (LDAPSync is mandatory to integrate OIM with OAM for SSO), users […]

Reply
» OIM 11g : How to find User and Manager details : USR table Online Apps DBA: One Stop Shop for Apps DBA’s says December 30, 2012

[…] LDAP Server (If OIM is configured with LDAP SYNC) to know more about LDAP SYNC with OIM 11g click here, here, […]

Reply
» OIM integrated with OAM (SSO) showing OIM login screen : User Soft Locked Online Apps DBA: One Stop Shop for Apps DBA’s says April 28, 2013

[…] will see error in OIM logs as ‘<user> No Such User‘): Make sure LDAPSync (more here and here) is enabled between OIM and LDAP (configured as Identity Store in OAM) . More on […]

Reply
Add Your Reply