5 Replies Latest reply: Jan 23, 2013 12:08 AM by User236522 RSS

    OIM 11gR2 user not provisioning to Active Directory (11.1.1.5 connector)

    942911
      Hello all,

      I'm trying to set up an OIM 11gR2 instance to work with Active Directory with the Active Directory 11.1.1.5.0 connector. I've full installed both OIM and AD on separate servers, and I've installed the AD 11.1.1.5 connector on OIM. I have configured Active Directory properly (connector on OIM and the connector server on the AD server-side), and have set up the two IT Resources on OIM. I can run, for example, the Active Directory Organization Lookup Recon job and have it return results in the Lookup window.

      My problem is that I cannot get it to provision to a user. I've created an Application Instance and Form for Active Directory, attached the Form, associated them with the appropriate resources (AD User), and added them to the Catalog, and then gone through the process of adding an account to the user, selecting the Application Instance, adding it to the cart, checking out, filling out the fields (Password, User ID, UPN, First Name, Last Name, Common Name, and Organization Name), and then submitting the request. This is all done as the xelsysadm admin user, but it still results with the account stuck on "Provisioning" because the "Create User" task failed due to a Connector Error (the reason stated is just a repeat of "Create Object" failed).

      Anyone know what I'm missing here?

      Thank you!

      Edited by: 939908 on Nov 12, 2012 6:36 AM
        • 1. Re: OIM 11g R2 user provisioning to Active Directory (11.1.1.5 connector)
          836252
          Check your Connector Logs for more details
          Task Response won't show much details about actual logs
          Also see your Process Form if all the required fields are populated correctly including Organization Field.
          • 2. Re: OIM 11g R2 user provisioning to Active Directory (11.1.1.5 connector)
            942911
            Hey 833249, thanks for your reply

            The organization field attribute is filled in correctly, in that the OU I selected exists in AD.

            These are the errors listed in the connector server log:

            +11/9/2012 9:07:07 PM <ERROR>: Class-> ActiveDirectoryUtils Method -> GetDirectoryEntry, Message -> Exception occured during the creation of directory entry.+
            +11/9/2012 9:07:07 PM <ERROR>: Class-> ActiveDirectoryUtils Method -> GetDirectoryEntry, Message -> Exception Message : Logon failure: unknown user name or bad password.+

            +11/9/2012 9:07:08 PM <ERROR>: Class-> ActiveDirectoryUtils Method -> GetDirectoryEntry, Message -> Exception Stack Trace : at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)+
            at System.DirectoryServices.DirectoryEntry.Bind()
            at System.DirectoryServices.DirectoryEntry.get_NativeObject()
            at Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryUtils.GetDirectoryEntry(String path, ActiveDirectoryConfiguration configuration) in c:\ADE\aime_oimcp\idc\bundles\dotnet\ActiveDirectory\ActiveDirectoryConnector\ActiveDirectoryUtils.cs:line 1423
            +11/9/2012 9:07:08 PM <ERROR>: Class-> ActiveDirectoryConnector Method -> Create, Message -> Encountered Excetion: Unable to get the Directory Entry+
            +11/9/2012 9:07:08 PM <ERROR>: Class-> ActiveDirectoryConnector Method -> Create, Message -> Stack Trace: at Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryUtils.GetDirectoryEntry(String path, ActiveDirectoryConfiguration configuration) in c:\ADE\aime_oimcp\idc\bundles\dotnet\ActiveDirectory\ActiveDirectoryConnector\ActiveDirectoryUtils.cs:line 1456+
            at Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryUtils.DirectoryEntryExists(String path) in c:\ADE\aime_oimcp\idc\bundles\dotnet\ActiveDirectory\ActiveDirectoryConnector\ActiveDirectoryUtils.cs:line 1512
            at Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector.Create(ObjectClass oclass, ICollection`1 attributes, OperationOptions options) in c:\ADE\aime_oimcp\idc\bundles\dotnet\ActiveDirectory\ActiveDirectoryConnector\ActiveDirectoryConnector.cs:line 219
            ConnectorServer.exe Error: 0 : Org.IdentityConnectors.Framework.Common.Exceptions.ConnectorException: Unable to get the Directory Entry
            at Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector.Create(ObjectClass oclass, ICollection`1 attributes, OperationOptions options) in c:\ADE\aime_oimcp\idc\bundles\dotnet\ActiveDirectory\ActiveDirectoryConnector\ActiveDirectoryConnector.cs:line 368
            at Org.IdentityConnectors.Framework.Impl.Api.Local.Operations.CreateImpl.Create(ObjectClass oclass, ICollection`1 attributes, OperationOptions options) in c:\ADE\aime_icf\icf\framework\dotnet\FrameworkInternal\ApiLocalOperations.cs:line 388
            at Org.IdentityConnectors.Framework.Impl.Api.Local.Operations.ConnectorAPIOperationRunnerProxy.Invoke(Object proxy, MethodInfo method, Object[] args) in c:\ADE\aime_icf\icf\framework\dotnet\FrameworkInternal\ApiLocalOperations.cs:line 244
            at ___proxy1.Create(ObjectClass , ICollection`1 , OperationOptions )
            at Org.IdentityConnectors.Framework.Impl.Server.ConnectionProcessor.ProcessOperationRequest(OperationRequest request) in c:\ADE\aime_icf\icf\framework\dotnet\FrameworkInternal\Server.cs:line 609

            I'm not sure why the username/password error could be occurring, as those fields in the AD IT Resource are correct (I've run AD recon jobs that have connected properly). Is there something I'm missing?
            • 3. Re: OIM 11g R2 user provisioning to Active Directory (11.1.1.5 connector)
              NaveenThoddil
              The AD credentials provided in Acttive Directory IT resource is incorrect. The error says its unable to loginto the domain controller with the credentials provided.

              Thanks
              • 4. Re: OIM 11g R2 user provisioning to Active Directory (11.1.1.5 connector)
                user12116683
                I also see the same issue. 939908, were you able to resolve this?

                Thanks,
                • 5. Re: OIM 11g R2 user provisioning to Active Directory (11.1.1.5 connector)
                  User236522
                  hi check 3 things,

                  1-The user that you are using in AD connector is having rights to create the user in AD, i.e it is an Administrator user?
                  2- Don't provide anything for other fields in the AD User Process form while provisioning, only provide the OU rest of the things are populated automatically.
                  3- Check the password policy on the AD, may be the password that you are providing for the user while provisioning is not allowed one at AD. i.e may be your AD requires complex password of certain length and you are trying to provision with simple or short password.

                  I hope it helps....