3 Replies. Latest reply: Nov 7, 2012 11:19 AM by gbw

    Password not propagating to AD

    968992
      Hi
      I'm using OIM 11.1.1.3

      My event handler uses the setXelleratePassword method to reset the OIM user password. Ideally this should also update the password in AD. But this does not happen.

      When I manually change the OIM profile password, the Change User Password task is not triggered (it is not visible in the AD profile's Resource History).

      When I try to update the AD profile password, the Password Updated task gets rejected with a connectionException.

      Following are the AD logs for the Password Updated task:
      [2012-11-06T13:37:42.787-08:00] [oim_server1] [ERROR] [] [OIMCP.ADCS] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: xelsysadm] [ecid: 0000JfNe3uMD0j05Rzk3yd1GaNdS00003g,0] [APP: oim#11.1.1.3.0] [dcid: 38c50f781ae30cd4:2db52bb9:13ad7878293:-7ffd-0000000000000132] com.thortech.xl.integration.ActiveDirectory.tcUtilADTasks : setUserPassword : AD User Password Set Operation Failed:10.10.40.53:636
      [2012-11-06T13:37:42.789-08:00] [oim_server1] [ERROR] [] [OIMCP.ADCS] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: xelsysadm] [ecid: 0000JfNe3uMD0j05Rzk3yd1GaNdS00003g,0] [APP: oim#11.1.1.3.0] [dcid: 38c50f781ae30cd4:2db52bb9:13ad7878293:-7ffd-0000000000000132] ====================================================[[

      ]]
      [2012-11-06T13:37:42.792-08:00] [oim_server1] [ERROR] [] [OIMCP.ADCS] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: xelsysadm] [ecid: 0000JfNe3uMD0j05Rzk3yd1GaNdS00003g,0] [APP: oim#11.1.1.3.0] [dcid: 38c50f781ae30cd4:2db52bb9:13ad7878293:-7ffd-0000000000000132] ================= Start Stack Trace =======================
      [2012-11-06T13:37:42.793-08:00] [oim_server1] [ERROR] [] [OIMCP.ADCS] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: xelsysadm] [ecid: 0000JfNe3uMD0j05Rzk3yd1GaNdS00003g,0] [APP: oim#11.1.1.3.0] [dcid: 38c50f781ae30cd4:2db52bb9:13ad7878293:-7ffd-0000000000000132] com.thortech.xl.integration.ActiveDirectory.tcUtilADTasks : setUserPassword
      [2012-11-06T13:37:42.795-08:00] [oim_server1] [ERROR] [] [OIMCP.ADCS] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: xelsysadm] [ecid: 0000JfNe3uMD0j05Rzk3yd1GaNdS00003g,0] [APP: oim#11.1.1.3.0] [dcid: 38c50f781ae30cd4:2db52bb9:13ad7878293:-7ffd-0000000000000132] 10.10.40.53:636
      [2012-11-06T13:37:42.796-08:00] [oim_server1] [ERROR] [] [OIMCP.ADCS] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: xelsysadm] [ecid: 0000JfNe3uMD0j05Rzk3yd1GaNdS00003g,0] [APP: oim#11.1.1.3.0] [dcid: 38c50f781ae30cd4:2db52bb9:13ad7878293:-7ffd-0000000000000132] Description : 10.10.40.53:636
      [2012-11-06T13:37:42.798-08:00] [oim_server1] [ERROR] [] [OIMCP.ADCS] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: xelsysadm] [ecid: 0000JfNe3uMD0j05Rzk3yd1GaNdS00003g,0] [APP: oim#11.1.1.3.0] [dcid: 38c50f781ae30cd4:2db52bb9:13ad7878293:-7ffd-0000000000000132] com.thortech.xl.exception.ConnectorException: 10.10.40.53:636[[

      What is the probable cause, and how should I go about debugging it?

      Thanks
        • 1. Re: Password not propagating to AD
          Nishith Nayan
          This method won't trigger the update to AD. Use the changePassword method of UserManager:

          import oracle.iam.platform.Platform;
          import oracle.iam.identity.usermgmt.api.UserManager;

          // Inside the OIM server (e.g. from an event handler) obtain the API via Platform.
          UserManager um = Platform.getService(UserManager.class);
          // Either identify the user by key (third argument false) ...
          um.changePassword(userkey, password.toCharArray(), false);
          // ... or by login (third argument true).
          um.changePassword(userlogin, password.toCharArray(), true);

          Pass userkey and userlogin as Strings. It will be good.
          • 2. Re: Password not propagating to AD
            Dhananjay Neeraj2
            Please validate whether Lookup.USR_PROCESS_TRIGGERS has the following entry:-

            USR_PASSWORD Change User Password

            NOTE:- IT IS STRICTLY CASE SENSITIVE

            Then in the "AD User" provisioning process definition workflow, there should be one "Change User Password" process task...


            In this task, by using a simple Transfer Adapter, the password should flow from the OIM User Profile to the AD User process form...

            How to create a Transfer Adapter:-

            Adapter Name:- Transfer Adapter Process Task
            Adapter Type:- Process Task
            Description:- Transfer Adapter Process Task
            Variable:- input (of Type String) Resolve at Runtime
            Adapter Task:- Logical Task... Set Adapter Return Value --> Variable --> input
            Save... Build... Compile...
            Thus you have created your generic transfer adapter...

            In the Process Definition, in the Change User Password task... Attach Transfer Adapter Process Task...

            input --> User Definition --> Password
            Adapter Return Value --> Process Data --> Password...

            It is quite a convenient way of passing the Password from the User profile to the Process Data Password without writing any custom code...
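As an added example (not code from the thread, nor from the AD connector), the following Java class ties reply 1 and reply 2 together so both can be exercised from code that runs inside the OIM server (an event handler, scheduled task or similar): it first checks that Lookup.USR_PROCESS_TRIGGERS carries the exact, case-sensitive USR_PASSWORD / Change User Password pair, and only then resets the password through UserManager.changePassword so that the trigger can fire the Change User Password task. The class and method names and the printed messages are my own; the lookup column names are the ones tcLookupOperationsIntf.getLookupValues returns in OIM 11g. The password is passed as a char[] and wiped after use so it does not linger in an immutable String.

```java
import java.util.Arrays;

import Thor.API.Operations.tcLookupOperationsIntf;
import Thor.API.tcResultSet;
import oracle.iam.identity.usermgmt.api.UserManager;
import oracle.iam.platform.Platform;

/**
 * Added example: verify the USR_PASSWORD process trigger, then change the
 * password through the UserManager API so the trigger is honoured.
 * Must run inside the OIM server (Platform.getService is not available
 * from a remote client).
 */
public class PasswordTriggerCheck {

    static final String LOOKUP = "Lookup.USR_PROCESS_TRIGGERS";
    static final String CODE_KEY = "USR_PASSWORD";          // case sensitive
    static final String DECODE = "Change User Password";    // case sensitive

    static final String COL_CODE = "Lookup Definition.Lookup Code Information.Code Key";
    static final String COL_DECODE = "Lookup Definition.Lookup Code Information.Decode";

    /** True only if the mapping exists with exactly this case; near misses are reported. */
    public static boolean triggerMappingPresent() throws Exception {
        tcLookupOperationsIntf lookupOps = Platform.getService(tcLookupOperationsIntf.class);
        tcResultSet rows = lookupOps.getLookupValues(LOOKUP);
        for (int i = 0; i < rows.getRowCount(); i++) {
            rows.goToRow(i);
            String code = rows.getStringValue(COL_CODE);
            String decode = rows.getStringValue(COL_DECODE);
            if (CODE_KEY.equals(code) && DECODE.equals(decode)) {
                return true;
            }
            // Same text with different case will NOT fire the task; flag it.
            if (CODE_KEY.equalsIgnoreCase(code) || DECODE.equalsIgnoreCase(decode)) {
                System.out.println("Near miss in " + LOOKUP + " (case differs): '"
                        + code + "' -> '" + decode + "'");
            }
        }
        return false;
    }

    /**
     * Resets the user's OIM password via UserManager so the USR_PASSWORD trigger runs.
     * byLogin=true means userId is the User Login, false means it is the User Key.
     */
    public static void resetPassword(String userId, char[] newPassword, boolean byLogin)
            throws Exception {
        if (!triggerMappingPresent()) {
            throw new IllegalStateException(LOOKUP + " lacks '" + CODE_KEY + "' -> '"
                    + DECODE + "'; the Change User Password task will not be triggered");
        }
        UserManager um = Platform.getService(UserManager.class);
        try {
            um.changePassword(userId, newPassword, byLogin);
        } finally {
            Arrays.fill(newPassword, '\0');   // do not leave the clear-text password in memory
        }
    }
}
```

Call resetPassword(userLogin, pwd.toCharArray(), true) or resetPassword(userKey, pwd.toCharArray(), false) from your handler in place of setXelleratePassword; if the lookup entry is missing or mis-cased the method fails fast with a message instead of silently leaving AD out of date.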
            • 3. Re: Password not propagating to AD
              gbw
              The post above should solve the issue of the OIM password not propagating to the AD form, but it seems from the log that you are still having a problem getting OIM to actually set the password in AD. Make sure you have followed the steps for SSL config, namely the cert export from AD into OIM's keystore.

              http://docs.oracle.com/cd/E22999_01/doc.111/e20347/deploy.htm#autoId28
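As an added diagnostic (not part of the thread or of the connector), the following Java program makes the same kind of TLS handshake the connector makes to port 636, trusting only the keystore you pass it, and reports whether the domain controller's certificate chain is accepted by that keystore. Host, port, keystore path and password are command-line arguments (my own choice); run it with the JDK and the keystore OIM actually uses, which is the one the linked connector documentation tells you to import the AD certificate into. Because the log above addresses the DC by IP (10.10.40.53) while DC certificates are normally issued to the DC's DNS name, the program also notes when the host you passed does not appear in the certificate's subject alternative names.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example: LDAPS trust check for the AD connector endpoint.
 * Usage: java AdLdapsTrustCheck <host-or-ip> <port> <truststore> <storepass>
 * Exit code 0 = chain trusted by that keystore, 1 = not trusted, 2 = other error.
 */
public class AdLdapsTrustCheck {

    /** Builds an SSLContext that trusts only the certificates in the given keystore. */
    static SSLContext contextFrom(String keystorePath, char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()); // JKS on these JDKs
        InputStream in = new FileInputStream(keystorePath);
        try {
            ks.load(in, storePass);
        } finally {
            in.close();
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** True if a dNSName (2) or iPAddress (7) SAN on the certificate equals host. */
    static boolean sanMatches(X509Certificate cert, String host) throws Exception {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) {
            return false;
        }
        for (List<?> san : sans) {
            int type = ((Integer) san.get(0)).intValue();
            if ((type == 2 || type == 7) && host.equalsIgnoreCase(String.valueOf(san.get(1)))) {
                return true;
            }
        }
        return false;
    }

    /** Performs the handshake and prints the verdict; returns the process exit code. */
    static int check(String host, int port, String keystorePath, char[] storePass) {
        try {
            SSLContext ctx = contextFrom(keystorePath, storePass);
            SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
            try {
                sock.startHandshake(); // SSLHandshakeException if the chain is not trusted
                X509Certificate leaf =
                        (X509Certificate) sock.getSession().getPeerCertificates()[0];
                System.out.println("Trusted by " + keystorePath + ": subject="
                        + leaf.getSubjectX500Principal() + " issuer=" + leaf.getIssuerX500Principal());
                if (!sanMatches(leaf, host)) {
                    System.out.println("Note: '" + host + "' is not among the certificate's SANs;"
                            + " configure the connector with the DC name the certificate was issued for.");
                }
                return 0;
            } finally {
                sock.close();
            }
        } catch (SSLHandshakeException e) {
            System.out.println("NOT trusted by " + keystorePath + ": " + e.getMessage());
            System.out.println("Export the DC certificate (or its issuing CA) from AD and import it"
                    + " into this keystore (keytool -importcert), then restart OIM.");
            return 1;
        } catch (Exception e) {
            System.out.println("Error: " + e);
            return 2;
        }
    }

    public static void main(String[] args) {
        if (args.length != 4) {
            System.err.println("usage: java AdLdapsTrustCheck <host> <port> <truststore> <storepass>");
            System.exit(2);
        }
        System.exit(check(args[0], Integer.parseInt(args[1]), args[2], args[3].toCharArray()));
    }
}
```

A "NOT trusted" result against the keystore OIM loads is the condition that produces the setUserPassword failure on host:636 shown in the log; a "Trusted" result with the SAN note means the trust store is fine and any remaining failure lies elsewhere (connectivity, connector IT resource settings, or the DC rejecting the password set).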