See, this is a bit different from the pre-populate part. If you want a process task to get invoked if the "Change Password At Next Logon" attribute is updated, then first of all you need to add this attribute to the lookup "Lookup.USR_PROCESS_TRIGGERS". Create an entry for the following:
Code Key - Decode Key
USR_CHANGE_PWD_AT_NEXT_LOGON - Change password at next Login
Create a process task in the 'AD User provisioning' process with the name "Change password at next Login" as specified above. Map this process task to the adapter with the piece of code above to return the value as '0' or '1'. Simply return the variable from this task to the target field in AD User form.
You should be done. Also to let you know that the code you have pasted was also appearing as correct. Just put in some loggers to see where it was breaking.
Edited by: rajsunny on Nov 24, 2009 5:39 PM
Thanks Sunny !
Yes, I have the setup exactly the way you described.
For the code I wrote, it breaks at the moUserUtility.findUsers(userData) call.
Exception occured while executing returnChangePwdNextLogon.java.lang.NullPointerException
There is no issue with the input data. User does exist in OIM. As I said earlier, the same code works if I test using a scheduled task !
I suspect some integration friction while using the code in a process task adapter.
Any pointer on this error message?
Note on version details - OIM version: 18.104.22.1682.24, Application Server: Oracle Application Server 10.1.3.3
Edited by: o.r.c.l on Nov 24, 2009 2:35 PM
Thanks for the suggestion Rajiv! I did try with findAllUsers method - same result (java.lang.NullPointerException)
This particular field is missing from table 22.214.171.124 User Definition
Is it feasible to fetch the user column through OIM API ?
I've managed to develop a workaround to propagate "Change Password at next logon" from OIM to AD.
However, yet to figure out how to reset "Change Password at next logon" attribute in OIM once the user changes password in AD and hence "User must change password at next logon" gets cleared in AD: at this point AD Pwd sync connector (9.1.1) updates OIM with the new password but does not provide any explicit field to track the password change.
Here is the workaround for OIM to AD update:
Since USR_CHANGE_PWD_AT_NEXT_LOGON field is not directly available in process task adapter, you may create a UDF and use it in the process task adapter.
Please do make an entry for this UDF in USR_PROCESS_TRIGGERS.
This UDF has to be updated as follows:
Develop a custom event handler to fetch OIM user's "Users.Change Password At Next Logon" field (USR_CHANGE_PWD_AT_NEXT_LOGON);
Value would be either 0 or 1. Then, update the UDF with this value.
Attach the event handler in Post Update trigger of Users Data Object Manager Form.
Any clue on AD to OIM part ?
There is a simpler workaround for the OIM -> AD part.
1. Create a trigger and process task for the USR_CHANGE_PWD_AT_NEXT_LOGON field as normal. Since you can't select this field in the adapter mappings, pick any old field.
2. Now export the AD User process to xml.
3. Edit the exported xml of your process task, and replace the field you picked with USR_CHANGE_PWD_AT_NEXT_LOGON. Update the MAV_MAP_QUALIFIER field as well with a description. Re-import the xml.
Now when you look at your adapter mappings in the Design Console, you'll see your description in the drop-down list. This works for any OIM attribute that is missing on the Task Adapter UI.
To reset the flag in OIM, we simply made a Post-Update Event Handler on the USR table that resets the flag in OIM whenever it is set. Let AD take care of the forced password change.
Thanks a ton. Let me test this solution.
Could you please clarify - "To reset the flag in OIM, we simply made a Post-Update Event Handler on the USR table that resets the flag in OIM whenever it is set."
Do you mean to check only for 'ChangePwdNextLogon is enabled' in OIM, then reset on post update event?
If so, won't this operation trigger the process task and reset the flag in AD as well (even if user is yet to change pwd in AD)?
Edited by: o.r.c.l on Dec 4, 2009 11:48 AM
I managed to map USR_CHANGE_PWD_AT_NEXT_LOGON field in the process task (by editing configuration as xml).
Now, the open issue is the order of execution of process tasks in AD User provisioning form (detailed below).
When you change OIM user pwd with USR_CHANGE_PWD_AT_NEXT_LOGON checkbox enabled, (descending) order of execution of AD User Process Tasks:
3. Change User Password
2. User must change password at next logon Updated
1. Change Pwd At Next Logon
Since "Change User Password" task gets executed AFTER "Change With Pwd At Next Logon" task,
the corresponding user pwd gets updated BUT the user must change pwd at next logon field is not enabled in AD.
Need to ensure "Change User Password" task gets executed first and then "Change Pwd At Next Logon" task.
Tried with Task Dependency configuration between all the above four tasks but in vain.
Any suggestion?