9 Replies Latest reply on Feb 4, 2014 2:29 AM by Abhishek Singh 'J_IDM'

    how to change LDAP sync Username?

    user12049102

      Hello,

      I am running on OIM 11gR2 PS1.

      The LDAP sync currently creates the OID account and sets the OID username to be "FirstName" + space + "LastName". I would like to change the OID username to match the OIM user login. How can I change this?

      I also need to make the same change such that when LDAP sync reconciliation is run, it will reconcile the OID username to the OIM user login for a match.

      Thanks

      Khanh

        • 1. Re: how to change LDAP sync Username?
          user12049102

          I figured it out.

          If I populate the USR_COMMON_NAME column (Attribute=Common Name) with the USR_LOGIN, then the cn of the corresponding OID account now matches the OIM user login.

          Khanh

          • 2. Re: how to change LDAP sync Username?
            Kevin Pinsky

            You can create a common name generation plugin. Here is a sample blog post.

            http://venkatanunna.blogspot.com/2013/03/custom-common-name-generation-policy.html

            -Kevin

            • 3. Re: how to change LDAP sync Username?
              Abhishek Singh 'J_IDM'

              It's always better to have a first name and last name combination for the common name, which OOTB OIM provides, including a uniqueness check.

              If you just need the User Login in OID to be the same as the OIM user login, then can you please check the mappings of attributes in LDAPUser.xml?

              You can map it directly in this XML; no other activities are needed.

              ~J

              • 4. Re: how to change LDAP sync Username?
                Kevin Pinsky

                A user first and last name combination will quickly cause conflict errors because you will most likely have two users with the same first and last name. The CN must be unique (the full DN is actually what is unique, but if your users are all in the same OU, then the CN must be unique). I would suggest changing this and having code that will check for conflicts and provide a unique value.

                -Kevin

                • 5. Re: how to change LDAP sync Username?
                  Abhishek Singh 'J_IDM'

                  Hi Kevin,

                  The OOTB common name generation generates "LastName, FirstName", "LastName1, FirstName", ... It follows a series and does not generate conflicting common names.

                  ~J
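The series discussed in the two replies above, written out as an added example. This is not OIM's own common-name plugin and not the code from the linked blog post; it is a stand-alone illustration that generates "LastName, FirstName", "LastName1, FirstName", "LastName2, FirstName", ... until a caller-supplied `exists` check reports a free value. The directory back end is an in-memory stand-in with constructed entries (assumed, for the example); in a real deployment `exists` would wrap an LDAP search under the users container. Two details a practitioner would want are included: the existence check is case-insensitive, because an LDAP server compares `cn` with `caseIgnoreMatch` by default, and any value put into a search filter is escaped per RFC 4515 so a name containing `(`, `)`, `*` or `\` cannot change the meaning of the filter.

```python
# Added example (not OIM's plugin): unique common-name generation in the
# "Last, First", "Last1, First", "Last2, First", ... series, with a
# case-insensitive existence check and RFC 4515 escaping for the LDAP filter.
from typing import Callable, Iterable, Iterator

# RFC 4515 escapes for values embedded in a search filter assertion.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def ldap_filter_escape(value: str) -> str:
    """Escape a value so it can be embedded in an LDAP filter safely."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def cn_filter(common_name: str) -> str:
    """Filter matching an entry with exactly this cn (server applies caseIgnoreMatch)."""
    return f"(cn={ldap_filter_escape(common_name)})"


def candidate_common_names(first_name: str, last_name: str) -> Iterator[str]:
    """Yield "Last, First", then "Last1, First", "Last2, First", ... without end."""
    first, last = first_name.strip(), last_name.strip()
    if not first or not last:
        raise ValueError("first and last name are both required")
    yield f"{last}, {first}"
    n = 1
    while True:
        yield f"{last}{n}, {first}"
        n += 1


def generate_unique_common_name(
    first_name: str,
    last_name: str,
    exists: Callable[[str], bool],
    max_attempts: int = 1000,
) -> str:
    """Return the first candidate for which exists() is False.

    exists() is the conflict check; max_attempts bounds the search so a
    directory that answers True for everything cannot cause an endless loop.
    """
    for attempt, cn in enumerate(candidate_common_names(first_name, last_name)):
        if attempt >= max_attempts:
            raise RuntimeError(
                f"no free common name for {last_name}, {first_name} after {max_attempts} tries"
            )
        if not exists(cn):
            return cn
    raise AssertionError("unreachable: candidate generator never ends")


class InMemoryDirectory:
    """Stand-in for the users OU (constructed, for the example).

    cn values are compared case-insensitively, as an LDAP server using the
    default caseIgnoreMatch equality rule on cn would.
    """

    def __init__(self, existing: Iterable[str] = ()) -> None:
        self._cns = {cn.casefold() for cn in existing}

    def exists(self, common_name: str) -> bool:
        return common_name.casefold() in self._cns

    def add(self, common_name: str) -> None:
        if self.exists(common_name):
            raise ValueError(f"cn already present: {common_name}")
        self._cns.add(common_name.casefold())


def provision_user(directory: InMemoryDirectory, first_name: str, last_name: str) -> str:
    """Pick a free cn and reserve it; return the cn that was created."""
    cn = generate_unique_common_name(first_name, last_name, directory.exists)
    directory.add(cn)
    return cn


if __name__ == "__main__":
    # Constructed sample: two John Smiths already exist in the OU.
    ou = InMemoryDirectory(["Smith, John", "Smith1, John"])
    print(provision_user(ou, "John", "Smith"))  # Smith2, John
    print(provision_user(ou, "john", "smith"))  # smith3, john
    print(cn_filter("O'Brien (Jr)"))            # (cn=O'Brien \28Jr\29)
```

Note that the check-then-add in `provision_user` is only atomic inside this in-memory stand-in; against a real directory two concurrent provisioning runs can still race, so the add should also be prepared to handle an "entry already exists" result and retry with the next candidate.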

                  • 6. Re: how to change LDAP sync Username?
                    user12049102

                    Thank you for your input.

                    I checked the Oracle documentation and found there are two LDAPUser.xml files in which I need to map the attribute.

                    For Provisioning: /metadata/iam-features-ldap-sync/LDAPUser.xml

                    Change FROM:

                    <attribute-map>
                    <entity-attribute>Common Name</entity-attribute>
                    <target-field>cn</target-field>
                    </attribute-map>

                    TO:

                    <attribute-map>
                    <entity-attribute>User Login</entity-attribute>
                    <target-field>cn</target-field>
                    </attribute-map>

                    For Reconciliation: /db/LDAPUser

                    <targetAttribute mls="false" required="false" encrypted="false" keyField="false" type="String" name="uid">
                    <stagingField length="256" type="String" name="RECON_USR_LOGIN"/>
                    <oimAttribute fieldName="USR_LOGIN" fieldType="String" type="String" name="User Login"/>
                    </targetAttribute>
                    <targetAttribute mls="false" required="false" encrypted="false" keyField="false" type="String" name="cn">
                    <stagingField length="240" type="String" name="RECON_CN"/>
                    <oimAttribute fieldName="USR_COMMON_NAME" fieldType="String" type="String" name="Common Name"/>
                    </targetAttribute>

                    What do I change in the LDAPUser for reconciliation? I believe I don't need to change anything on this side. Would you agree?

                    Thanks

                    Khanh
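As an added example, not part of the thread or of OIM, the following parses the two mapping fragments quoted in the post above and reports, for each LDAP attribute, which OIM attribute provisions it and which OIM attribute reconciliation writes it back into. Only the quoted elements are on the page, so they are wrapped in a synthetic `<root>` element here (an assumption; the real files carry more structure around these elements). The report lists attributes whose provisioning source and reconciliation destination differ, which is what the edit to the provisioning side produces for `cn`. Whether that difference affects matching depends on the reconciliation matching rule, which is configured separately and is not shown in the thread.

```python
# Added example (not from OIM): parse the provisioning <attribute-map> and the
# reconciliation <targetAttribute> fragments and compare the round trip per
# LDAP attribute. Inputs are the fragments quoted in the thread, wrapped in a
# synthetic <root> so they parse as complete documents.
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# Provisioning fragment (/metadata/iam-features-ldap-sync/LDAPUser.xml)
# before and after the change described in the post.
PROVISIONING_BEFORE = """<root>
<attribute-map>
<entity-attribute>Common Name</entity-attribute>
<target-field>cn</target-field>
</attribute-map>
</root>"""

PROVISIONING_AFTER = """<root>
<attribute-map>
<entity-attribute>User Login</entity-attribute>
<target-field>cn</target-field>
</attribute-map>
</root>"""

# Reconciliation fragment (/db/LDAPUser), unchanged.
RECONCILIATION = """<root>
<targetAttribute mls="false" required="false" encrypted="false" keyField="false" type="String" name="uid">
<stagingField length="256" type="String" name="RECON_USR_LOGIN"/>
<oimAttribute fieldName="USR_LOGIN" fieldType="String" type="String" name="User Login"/>
</targetAttribute>
<targetAttribute mls="false" required="false" encrypted="false" keyField="false" type="String" name="cn">
<stagingField length="240" type="String" name="RECON_CN"/>
<oimAttribute fieldName="USR_COMMON_NAME" fieldType="String" type="String" name="Common Name"/>
</targetAttribute>
</root>"""


def _local(tag: str) -> str:
    """Strip an XML namespace prefix so lookups work with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def parse_provisioning_map(xml_text: str) -> Dict[str, str]:
    """Return {ldap target-field: OIM entity-attribute} from <attribute-map> elements."""
    result: Dict[str, str] = {}
    for elem in ET.fromstring(xml_text).iter():
        if _local(elem.tag) != "attribute-map":
            continue
        src = dst = None
        for child in elem:
            if _local(child.tag) == "entity-attribute":
                src = (child.text or "").strip()
            elif _local(child.tag) == "target-field":
                dst = (child.text or "").strip()
        if src and dst:
            result[dst] = src
    return result


def parse_reconciliation_map(xml_text: str) -> Dict[str, str]:
    """Return {ldap targetAttribute name: OIM attribute name} from <targetAttribute> elements."""
    result: Dict[str, str] = {}
    for elem in ET.fromstring(xml_text).iter():
        if _local(elem.tag) != "targetAttribute":
            continue
        ldap_attr = elem.get("name")
        if not ldap_attr:
            continue
        for child in elem:
            if _local(child.tag) == "oimAttribute":
                result[ldap_attr] = child.get("name", "")
    return result


def round_trip(prov: Dict[str, str], recon: Dict[str, str]) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Per LDAP attribute: (OIM attribute it is provisioned from, OIM attribute recon writes it to)."""
    return {a: (prov.get(a), recon.get(a)) for a in sorted(set(prov) | set(recon))}


def mismatched_attributes(prov: Dict[str, str], recon: Dict[str, str]) -> List[str]:
    """LDAP attributes present on both sides whose source and destination OIM attributes differ."""
    return [a for a, (src, dst) in round_trip(prov, recon).items() if src and dst and src != dst]


if __name__ == "__main__":
    recon = parse_reconciliation_map(RECONCILIATION)
    for label, prov_xml in (("before", PROVISIONING_BEFORE), ("after", PROVISIONING_AFTER)):
        prov = parse_provisioning_map(prov_xml)
        print(f"{label}: {round_trip(prov, recon)}")
        print(f"{label}: mismatched = {mismatched_attributes(prov, recon)}")
```

To run the same comparison against a deployment's real files, read each file's text and pass it to the parser in place of the embedded fragments; the namespace-stripping lookup keeps the element search working if the files declare an `xmlns`.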

                    • 7. Re: how to change LDAP sync Username?
                      Abhishek Singh 'J_IDM'

                      You don't need to change anything for reconciliation.

                      Can you test it and confirm?

                      ~J

                      • 8. Re: how to change LDAP sync Username?
                        user12049102

                        When I tried to change the LDAPUser.xml for provisioning, I received an error on the OIM Admin Console:

                        IAM-3010183: An error occurred while checking if a user already exists with the Common Name generated.

                        The log showed:

                        [2014-02-03T14:10:27.470-07:00] [oim_server1] [WARNING] [] [oracle.adf.controller.faces.lifecycle.Utils] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: xelsysadm] [ecid: 11ef0582403e758b:1916e216:143f95f0be2:-8000-000000000000014a,0] [APP: oracle.iam.console.identity.self-service.ear#V2.0] ADF: Adding the following JSF error message: IAM-3010191 : An error occured while verifying if Common Name is unique.[[
                        oracle.iam.ui.platform.exception.OIMRuntimeException: IAM-3010191 : An error occured while verifying if Common Name is unique.
                                at oracle.iam.ui.platform.exception.OIMErrorHandler.reportServiceException(OIMErrorHandler.java:170)
                                at oracle.iam.ui.platform.exception.OIMErrorHandler.reportException(OIMErrorHandler.java:65)
                                at oracle.adf.model.binding.DCDataControl.reportException(DCDataControl.java:411)
                                at oracle.adf.model.binding.DCBindingContainer.reportException(DCBindingContainer.java:416)
                                at oracle.adf.model.binding.DCBindingContainer.reportException(DCBindingContainer.java:471)
                                at oracle.adf.model.binding.DCControlBinding.reportException(DCControlBinding.java:201)
                                at oracle.jbo.uicli.binding.JUCtrlActionBinding.reportException(JUCtrlActionBinding.java:2016)

                        When I created the user, I left the Common Name blank (the same way I did before I modified the LDAPUser.xml).

                        So, I don't think the mapping of User Login to cn works.

                        Khanh

                        • 9. Re: how to change LDAP sync Username?
                          Abhishek Singh 'J_IDM'

                          Hi,

                          Looks like your user ID already exists in the target OID.

                          You can clear all your OID entries, because going forward all OID accounts should get created via OIM.

                          ~J