Tuesday, August 31, 2010

LDAP Sync Config Gotcha

Ran into a small gotcha while configuring LDAP Sync for OIM. In step 13.7 of the Enterprise Deployment guide you set the LDAPSync parameters while running the OIM configuration utility. The docs seem to indicate that you enter only a relative DN for the users and roles containers, and that the rest of the DN root is defined elsewhere. After configuring it this way we were getting errors creating new users, and we realized it must not be building the full, correct DN for new users.

To repair, export /db/LDAPContainerRules.xml from the metadata repository and change the containers from just 'cn=Users' to the full DN root 'cn=Users,dc=company,dc=com', and likewise for the Roles container. Reimport and you should be all set.

4 comments:

Unknown said...

Can you tell me how to import and export metadata elements from the db folder in OIM? I see the file exists, but it shows XML entries as $DefaultUserContainer$.

Thanks for your help.

Eric Fisher said...

You'll use the MDS command line utilities to export and import the files.

1) Look for the weblogic.properties file in the ORACLE_HOME/server/bin directory. Edit this file and set a path for the metadata_to_loc where you want the exported files to end up. You can set the from_loc at the same time.
A bit further down you will see the metadata_files= tag. To get the LDAP Sync-related files, add:
/db/LDAPUser,/db/RA_LDAPUSER.xml,/metadata/iam-features-ldap-sync/LDAPUser.xml,/db/LDAPContainerRules.xml

2) Add the setWLSEnv.sh to your environment; this is located in wlserver_10.3/server/bin.

3) Run the ORACLE_HOME/iam/server/bin/weblogicExportMetadata.sh file. It will prompt you for weblogic admin username and password and management URL. This will write those files out to the directory you specified.

4) Edit the files as needed. Then run the weblogicImportMetadata.sh script. This will take all the files located under the directory specified in the metadata_from_loc and import them into MDS.
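Between the export and import steps above, and before reimporting the edited /db/LDAPContainerRules.xml from the post, it is worth checking that every container value is a full DN rooted at the directory's base. The following is an added example, not part of the post or of OIM: the element layout in SAMPLE is constructed (the real file's schema is not shown here), BASE_DN is the post's example root, and the checker treats any element text of the form attr=value as a DN.

```python
"""Audit exported LDAP Sync container DNs and report any that are not rooted at the base DN."""
import re
import xml.etree.ElementTree as ET

BASE_DN = "dc=company,dc=com"  # the DN root used in the post's example
DN_LIKE = re.compile(r"^[A-Za-z][\w-]*=")  # element text that looks like 'attr=value'

def split_dn(dn):
    """Split a DN into RDNs on unescaped commas (backslash escapes per RFC 4514 stay intact)."""
    rdns, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):  # keep the escape and the escaped char together
            cur += dn[i:i + 2]
            i += 2
            continue
        if dn[i] == ",":
            rdns.append(cur.strip())
            cur = ""
        else:
            cur += dn[i]
        i += 1
    rdns.append(cur.strip())
    return [r for r in rdns if r]

def normalize(rdn):
    """Lower-case attribute type and value so 'CN=Users' and 'cn=users' compare equal."""
    attr, _, val = rdn.partition("=")
    return attr.strip().lower() + "=" + val.strip().lower()

def is_rooted(dn, base_dn=BASE_DN):
    """True when the DN ends with the base DN, i.e. it is a fully qualified container."""
    d = [normalize(r) for r in split_dn(dn)]
    b = [normalize(r) for r in split_dn(base_dn)]
    return len(d) >= len(b) and d[-len(b):] == b

def qualify(dn, base_dn=BASE_DN):
    """Return the full DN the post's fix calls for, appending the base DN when it is missing."""
    return dn if is_rooted(dn, base_dn) else f"{dn},{base_dn}"

def audit_containers(xml_text, base_dn=BASE_DN):
    """Map each problem value to its fix: relative DNs get qualified, unresolved
    '$...$' placeholders (as seen in the comment above) are flagged since they cannot be."""
    findings = {}
    for el in ET.fromstring(xml_text).iter():
        text = (el.text or "").strip()
        if len(text) > 2 and text.startswith("$") and text.endswith("$"):
            findings[text] = "unresolved placeholder"
        elif DN_LIKE.match(text) and not is_rooted(text, base_dn):
            findings[text] = qualify(text, base_dn)
    return findings

# Constructed sample; the real LDAPContainerRules.xml layout is not shown in the post.
SAMPLE = """<containers>
  <users>cn=Users</users>
  <roles>cn=Groups,dc=company,dc=com</roles>
  <other>$DefaultUserContainer$</other>
</containers>"""
```

Run `audit_containers` on the exported file's text and apply the reported fixes before running weblogicImportMetadata.sh; an empty result means every container is already rooted at BASE_DN.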

Mahendra said...

Hello,

If you use the LDAP sync option in OIM, you will not be able to use password features such as reset password at first logon, challenge questions and answers, account lockout, etc.?
So how would you handle this situation then? I could see LDAP sync as a very good option; however, OIM is used for identity management purposes from 11g, and how are password features handled?

-Mahendra.

Eric Fisher said...

Mahendra,

We are using OAM as the front-end access manager to OIM. This is integrated with OID and is able to properly handle force password changes, account lockouts, etc. OIM sets appropriate flags in OID that signal to OAM how to handle the login. If you aren't using OAM, you would likely need to modify your login code to handle the various modes. So if, for example, you reset a password in OIM, it will also set the force password change flag, and it will then prompt the person to reset their password at next login.


Eric