3 Replies Latest reply: Mar 16, 2013 11:24 AM by 918074

    OIM Provisioning to different AD domains

    918074
      Hi experts,

      OIM 11gR2.

      We have 2 different AD domains, like usa.example.com and uk.example.com. We have installed the AD 11g connector in OIM and a connector server in each domain. We have created *2 different IT Resources*, one for the usa domain and one for the uk domain, of IT Resource type AD.
      IT Resource Name | IT Resource Key
      USA AD -> 17
      UK AD -> 27
      Provisioning to these domains depends on the location field in the user profile. If the location is uk, we populate *27~<org dn>* in the organization field of the AD process form; if the location is usa, we populate *17~<org dn>*.

      But when we try to provision a user to the UK domain, OIM is not picking up the UK IT Resource details; instead it picks up the USA IT Resource details, which results in the create user task getting rejected. Provisioning works only for the usa domain (which is the default IT Resource). The problem is that it is connecting to the USA IT Resource and not the UK IT Resource, even though I specify the uk IT Resource key in the organization field (like 27~<org dn>).

      The error we are getting in the logs is:

      3/15/2013 10:52:08 AM <VERBOSE>: Class-> ActiveDirectoryUtils, Method -> GetDirectoryEntry, Message -> Using the auth type as Secure
      3/15/2013 10:52:08 AM <INFORMATION>: Class-> ActiveDirectoryUtils, Method -> GetDirectoryEntry, Message -> Creating Directory Entry with path: LDAP://OU=Users,OU=UK,OU=ABC,DC=UK,DC=example,DC=com, DirectoryAdminName = usa.example.com\labadmin, DirectoryAdminPassword = **********, authtype = Secure
      The DirectoryAdminName in the above line clearly shows that it is connecting to the USA domain instead of the UK domain.
      3/15/2013 10:52:08 AM <VERBOSE>: Class-> ActiveDirectoryUtils, Method -> getADSPathName, Message -> Method Exiting. Returning IADsPathName with path = LDAP://CN=Test User,OU=Users,OU=UK,OU=ABC,DC=UK,DC=example,DC=com
      3/15/2013 10:52:08 AM <VERBOSE>: Class-> ActiveDirectoryUtils, Method -> GetNameAsCN, Message -> Exiting the method. Return value = CN=Test User
      3/15/2013 10:52:08 AM <VERBOSE>: Class-> ActiveDirectoryUtils, Method -> GetRelativeName, Message -> Exiting the method. Return value = CN=Test User
      3/15/2013 10:52:08 AM <VERBOSE>: Class-> ActiveDirectoryConnector, Method -> TranslateObjectClass, Message -> Method Entered
      3/15/2013 10:52:08 AM <VERBOSE>: Class-> ActiveDirectoryConnector, Method -> TranslateObjectClass, Message -> Parameter objectClass: ObjectClass: __ACCOUNT__
      3/15/2013 10:52:08 AM <VERBOSE>: Class-> ActiveDirectoryConnector, Method -> TranslateObjectClass, Message -> Returning the object class: ObjectClass: __ACCOUNT__ and exiting the method
      3/15/2013 10:52:08 AM <VERBOSE>: Class-> ActiveDirectoryUtils, Method -> GetADObjectClass, Message -> Method Entered. Parameter oclass = __ACCOUNT__
      3/15/2013 10:52:08 AM <VERBOSE>: Class-> ActiveDirectoryUtils, Method -> GetADObjectClass, Message -> Exiting the method. Returning the objectClass = User
      3/15/2013 10:52:08 AM <INFORMATION>: Class-> ActiveDirectoryConnector, Method -> Create, Message -> Added the directory entry successfully.
      3/15/2013 10:52:08 AM <VERBOSE>: Class-> ActiveDirectoryConnector, Method -> TranslateObjectClass, Message -> Method Entered
      3/15/2013 10:52:08 AM <VERBOSE>: Class-> ActiveDirectoryConnector, Method -> TranslateObjectClass, Message -> Parameter objectClass: ObjectClass: __ACCOUNT__
      3/15/2013 10:52:08 AM <VERBOSE>: Class-> ActiveDirectoryConnector, Method -> TranslateObjectClass, Message -> Returning the object class: ObjectClass: __ACCOUNT__ and exiting the method
      3/15/2013 10:52:08 AM <INFORMATION>: Class-> ActiveDirectoryConnector, Method -> Create, Message -> Committing the changes and creating the directory entry.
      3/15/2013 10:52:08 AM <ERROR>: Class-> ActiveDirectoryConnector Method -> Create, Message -> Encountered Excetion: Access is denied.


      How do we tell OIM to choose a different IT resource based on the organization name in the process form?

      I even tried putting the UK IT Resource as the default value in the AD Server process form field, but provisioning still fails with the same error.

      We have the same setup in OIM 10g, and it worked with this configuration without cloning the connector. Looking for a similar way to make it work in R2 too.

      Any help is highly appreciated.

      Thanks
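Two checks a practitioner would want on exactly the symptom in this post, as an added example (not code from the thread, from the poster, or from the Oracle AD connector): first, validate the `<IT resource key>~<org DN>` value the process form carries against the domain the keyed IT resource actually binds to; second, scan the connector-server log for a create whose target DN sits in one domain while the `DirectoryAdminName` bind account belongs to another. The keys 17/27, the domain names and the mismatched log line are taken from the post; the `IT_RESOURCES` table, the consistent log line and the noise line are constructed for this example.

```python
"""Consistency checks for OIM provisioning into several AD domains.

Added example; not code from the thread or from the Oracle AD connector.
Keys 17/27 and the domain names come from the post; IT_RESOURCES and
SAMPLE_LOG are constructed here.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed lookup (assumption): IT resource key -> name and the domain
# that IT resource's connection parameters actually bind to.
IT_RESOURCES: Dict[int, Dict[str, str]] = {
    17: {"name": "USA AD", "domain": "usa.example.com"},
    27: {"name": "UK AD", "domain": "uk.example.com"},
}

ORG_FIELD = re.compile(r"^(?P<key>\d+)~(?P<dn>.+)$")

# Matches the connector's "Creating Directory Entry" line; the DN is taken
# non-greedily up to the ", DirectoryAdminName = ..." that follows it.
ENTRY_LINE = re.compile(
    r"Creating Directory Entry with path:\s*LDAP://(?P<dn>.+?),"
    r"\s*DirectoryAdminName\s*=\s*(?P<admin>[^,\s]+)"
)


def dn_domain(dn: str) -> str:
    """DNS domain encoded by the DC= components of a DN (no escaped commas assumed)."""
    parts = [p.split("=", 1)[1].strip()
             for p in dn.split(",") if p.strip().upper().startswith("DC=")]
    return ".".join(parts).lower()


def admin_domain(admin: str) -> str:
    """Domain part of DOMAIN\\user or user@domain; empty if neither form.

    Compared as a DNS name, as in the post's log; if your logs show a
    NetBIOS name (USA\\labadmin) map it to the DNS name before comparing.
    """
    if "\\" in admin:
        return admin.split("\\", 1)[0].lower()
    if "@" in admin:
        return admin.split("@", 1)[1].lower()
    return ""


def parse_org_field(value: str) -> Tuple[int, str]:
    """Split the process-form organization value '<key>~<org DN>'."""
    m = ORG_FIELD.match(value)
    if not m:
        raise ValueError(f"organization field not in <key>~<dn> form: {value!r}")
    return int(m.group("key")), m.group("dn")


def form_check(value: str) -> Optional[str]:
    """None if the keyed IT resource binds to the DN's domain, else the problem."""
    key, dn = parse_org_field(value)
    res = IT_RESOURCES.get(key)
    if res is None:
        return f"unknown IT resource key {key}"
    target = dn_domain(dn)
    if target != res["domain"]:
        return f"key {key} ({res['name']}) binds to {res['domain']} but DN is in {target}"
    return None


def log_check(lines: List[str]) -> List[str]:
    """Flag every directory-entry creation whose bind account is in another domain."""
    findings = []
    for line in lines:
        m = ENTRY_LINE.search(line)
        if not m:
            continue
        target = dn_domain(m.group("dn"))
        bind = admin_domain(m.group("admin"))
        if bind and bind != target:
            findings.append(f"bind as {m.group('admin')} but target DN is in {target}")
    return findings


# Constructed sample: the post's mismatched line, a consistent line, and noise.
SAMPLE_LOG: List[str] = [
    "3/15/2013 10:52:08 AM <INFORMATION>: Class-> ActiveDirectoryUtils, Method -> GetDirectoryEntry, "
    "Message -> Creating Directory Entry with path: LDAP://OU=Users,OU=UK,OU=ABC,DC=UK,DC=example,DC=com, "
    r"DirectoryAdminName = usa.example.com\labadmin, DirectoryAdminPassword = **********, authtype = Secure",
    "3/15/2013 10:53:01 AM <INFORMATION>: Class-> ActiveDirectoryUtils, Method -> GetDirectoryEntry, "
    "Message -> Creating Directory Entry with path: LDAP://OU=Users,OU=UK,OU=ABC,DC=UK,DC=example,DC=com, "
    r"DirectoryAdminName = uk.example.com\labadmin, DirectoryAdminPassword = **********, authtype = Secure",
    "3/15/2013 10:53:01 AM <VERBOSE>: Class-> ActiveDirectoryConnector, Method -> Create, Message -> Method Entered",
]

if __name__ == "__main__":
    for value in ("27~OU=Users,OU=UK,OU=ABC,DC=UK,DC=example,DC=com",
                  "17~OU=Users,OU=UK,OU=ABC,DC=UK,DC=example,DC=com"):
        print(value, "->", form_check(value) or "ok")
    for finding in log_check(SAMPLE_LOG):
        print("LOG:", finding)
```

The form check catches the case where the location-driven prepopulation puts the wrong key in front of the DN; the log check catches the case this thread is about, where the form value is right but the connector still binds with the default IT resource's account, so the create lands in the target OU under a foreign credential and fails with "Access is denied".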
        • 1. Re: OIM Provisioning to different AD domains
          user9212679
          Try creating 2 rules with a condition on the basis of Org Name in the Design Console, and then in the prepopulate adapter in Form Designer create the IT resource field 2 times and assign the rules to the field.

          In this way, depending on the Org name, the IT resource field will be populated automatically.

          HTH
          • 2. Re: OIM Provisioning to different AD domains
            BikashBagaria
            As already mentioned in the previous reply, you can use a prepopulate adapter to set the appropriate IT resource on the process form. But since you said that you already tried setting the default value to the UK IT Resource and it failed, my question is: what about the admin user permissions? Did the user you mentioned in the UK IT Resource have permissions to create users under the uk domain? It also looks like you have a forest architecture for us and uk, and from the logs here I can see that the user you are using for connector operations is in the US domain, so check the permissions. Another question would be about your connector server: which domain is it running in? Which user is it running the process as? The user set as 'Run As' for the connector server should have write permissions on both domains in the forest.

            -Bikash
            • 3. Re: OIM Provisioning to different AD domains
              918074
              I can provision a user to the UK domain when I create a new app instance with the AD User RO and the UK IT Resource instance. So it is not a problem with permissions or the connector server in the domain.

              The root cause of the issue is:
              The app instance created for AD is a combination of the AD User RO and the default AD IT Resource. So when a user is provisioned to this app instance, it always takes the IT Resource key used when creating the app instance and provisions the user based on the connection parameters from this IT Resource, no matter what different IT Resource you prepopulate in the AD process form. We can create new app instances for 3 different AD IT resource instances and the same AD User RO, but the customer is NOT ready to create new app instances for the same RO.

              How can this requirement be achieved?