6 Replies Latest reply: Apr 10, 2013 6:44 AM by lloberg

    Groups Entitlements

    User236522
      Hi All,

      I am using OIM 11gR2 BP01 (on WebLogic 10.3.6 2 node cluster) and activedirectory-11.1.1.5.0 with patch (p14190610) Connector for AD.

      I have a weird issue,

      All my groups are reconciled properly in the IDM,
      All my users are reconciled (Trusted + Target) perfectly in IDM.

      PROBLEM:

      1- The Groups in the Child form are not being displayed; it is showing empty rows for the groups assigned to the user, i.e. if the user is assigned 3 groups it is showing 3 empty rows, if 5 groups it is showing 5 empty rows. Nothing is shown in the Entitlements Tab. I have checked in the backend database, in the UD_ADUSRC table, and the data is present properly.

      2- From the IDM web console at the Identity URL, I can perform a modification to the AD account of a user and add a new group for him. Now it is being shown in the Child form along with the other empty rows for already existing groups, and it is also shown in the Entitlements Tab.

      3- Now if I make changes from the Domain Controller AD server to this user and add/remove a group (and some other attribute to change the timestamp) and run AD Target Reconciliation, then check the Child form of the same user, all the rows (including the latest added) are again shown empty and the data from the Entitlements Tab is also removed.

      All the above test cases are working fine in my identical test environment (single node WebLogic), so I know that whatever test I am doing is valid. I don't know what is missing in my production that it is having this issue. Please let me know if anyone has any idea.

      Regards
        • 1. Re: Groups Entitlements
          idamGod
          As per Oracle docs, this is an existing issue.
          Take a look on the below Oracle release note:
          http://docs.oracle.com/cd/E27559_01/relnotes.1112/e35820/id_mgr.htm#CHDDGDCC

          Go through the Patch1 doc/release note and verify if it is fixed or not.
          • 2. Re: Groups Entitlements
            User236522
            Hi,

            Thanks for your reply. As I have mentioned, the same scenario is working fine in my test system, so apparently it is not the issue that you have mentioned.

            The only difference that I have noticed in the properties of the group form between my test system and production is that

            -in test the lookup field is having no value it is blank

            http://i1250.photobucket.com/albums/hh523/zaffariqbal/Snapshots/Test_zps6df3ec4f.png

            -whereas in the production system it is having a value

            http://i1250.photobucket.com/albums/hh523/zaffariqbal/Snapshots/Production_zps0fc9a212.png

            In the Design Console there is no difference; all is the same for both.


            Any comments?

            Regards
            • 3. Re: Groups Entitlements
              User236522
              Hi All,

              I have noticed the following,

              If I assign the Entitlement or assign a Group from Modify Account, it is assigned properly with the proper name defined in the AD (upper + lower case, i.e. “IDMGroup”) and shown under the Entitlements Tab and in the Groups Form.

              http://i1250.photobucket.com/albums/hh523/zaffariqbal/Snapshots/beforeTargetRecon-LowerCase_zps8c4cd005.png


              During AD User Target Reconciliation the “Group Name” attribute value changes to all UPPER case, i.e. IDMGROUP, along with the complete DN (see screenshots).

              http://i1250.photobucket.com/albums/hh523/zaffariqbal/Snapshots/AD_USRC-changed-to-Uppercase-after-targer-Recon_zps73816a76.png

              http://i1250.photobucket.com/albums/hh523/zaffariqbal/Snapshots/targetRecon-inUppercase_zps29d8e209.png





              Since there is a trigger defined in the UD_ADUSRC table that checks and compares the Group Name value to be placed in the Entitlements table, I believe it fails to make the comparison with the existing value that is in mixed characters.

              Following is the trigger

              CREATE OR REPLACE TRIGGER UD_ADUSRC_ENT_TRG
                AFTER INSERT
                OR DELETE
                OR UPDATE OF UD_ADUSRC_GROUPNAME
                ON UD_ADUSRC
                FOR EACH ROW
              BEGIN
                CASE
                  WHEN INSERTING THEN
                    OIM_SP_MANAGEENTITLEMENT('UD_ADUSRC', :NEW.UD_ADUSRC_GROUPNAME, NULL,
                                             :NEW.UD_ADUSRC_KEY, :NEW.ORC_KEY, NULL, NULL, NULL,
                                             NULL, NULL, 'INSERT');
                  WHEN UPDATING THEN
                    IF :NEW.UD_ADUSRC_GROUPNAME != :OLD.UD_ADUSRC_GROUPNAME
                    THEN
                      OIM_SP_MANAGEENTITLEMENT('UD_ADUSRC', :NEW.UD_ADUSRC_GROUPNAME,
                                               :OLD.UD_ADUSRC_GROUPNAME, :NEW.UD_ADUSRC_KEY, :NEW.ORC_KEY, NULL,
                                               NULL, NULL,
                                               NULL, NULL, 'UPDATE');
                    END IF;
                  WHEN DELETING THEN
                    OIM_SP_MANAGEENTITLEMENT('UD_ADUSRC', :OLD.UD_ADUSRC_GROUPNAME,
                                             NULL, NULL, :OLD.ORC_KEY, NULL, NULL, NULL,
                                             NULL, NULL, 'DELETE');
                END CASE;
              END;
              /

              I believe that if we can identify why the Group Name is being reconciled in uppercase during the reconciliation, it can solve the issue.
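
The case mismatch suspected in the post above can be checked by comparing each child-form value with the lookup codes twice, once exactly and once ignoring case. This is an added example, not code from the thread or from Oracle: it runs against an in-memory SQLite database with constructed rows, and the `GROUP_LOOKUP` table and its `CODE` column are hypothetical stand-ins for wherever the group lookup codes are stored.

```python
import sqlite3

# Constructed sample data. UD_ADUSRC, UD_ADUSRC_GROUPNAME and ORC_KEY are names
# from the thread; GROUP_LOOKUP and CODE are hypothetical stand-ins.
DN = "CN=IDMGroup,OU=Groups,DC=example,DC=com"
SAMPLE_LOOKUP = [DN, "CN=HelpDesk,OU=Groups,DC=example,DC=com"]
SAMPLE_CHILD = [
    (101, DN),                                        # assigned from the console
    (102, DN.upper()),                                # rewritten by target recon
    (103, "CN=Retired,OU=Groups,DC=example,DC=com"),  # no lookup entry at all
]

# 'exact'     : value equals a lookup code byte for byte
# 'case-only' : value equals a lookup code only when case is ignored
# 'missing'   : no lookup code matches even ignoring case
CLASSIFY_SQL = """
SELECT c.ORC_KEY, c.UD_ADUSRC_GROUPNAME,
       CASE
         WHEN EXISTS (SELECT 1 FROM GROUP_LOOKUP l
                      WHERE l.CODE = c.UD_ADUSRC_GROUPNAME) THEN 'exact'
         WHEN EXISTS (SELECT 1 FROM GROUP_LOOKUP l
                      WHERE UPPER(l.CODE) = UPPER(c.UD_ADUSRC_GROUPNAME)) THEN 'case-only'
         ELSE 'missing'
       END AS status
FROM UD_ADUSRC c
ORDER BY c.ORC_KEY
"""

def build_sample_db():
    """Create the in-memory tables and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE GROUP_LOOKUP (CODE TEXT PRIMARY KEY)")
    conn.execute("CREATE TABLE UD_ADUSRC (ORC_KEY INTEGER, UD_ADUSRC_GROUPNAME TEXT)")
    conn.executemany("INSERT INTO GROUP_LOOKUP VALUES (?)", [(c,) for c in SAMPLE_LOOKUP])
    conn.executemany("INSERT INTO UD_ADUSRC VALUES (?, ?)", SAMPLE_CHILD)
    return conn

def classify_child_rows(conn):
    """Return (ORC_KEY, stored value, status) for every child-table row."""
    return conn.execute(CLASSIFY_SQL).fetchall()

def case_only_rows(conn):
    """Rows that would resolve if the comparison ignored case."""
    return [(k, v) for k, v, s in classify_child_rows(conn) if s == "case-only"]

if __name__ == "__main__":
    for key, value, status in classify_child_rows(build_sample_db()):
        print(f"{key}  {status:<9}  {value}")
```

Rows reported as `case-only` are the ones consistent with the uppercase rewrite described in the post; `missing` rows point to a different cause, such as a lookup that was never reconciled.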
              • 4. Re: Groups Entitlements
                User236522
                OK, I have got it fixed.
                • 5. Re: Groups Entitlements
                  lloberg
                  Hi

                  Could you explain how you solved this? I'm experiencing the same issue now.

                  Thanks
                  • 6. Re: Groups Entitlements
                    lloberg
                    Problem solved with patch 14190610.