Thursday, December 10, 2009

OIM - Add approval process for disabling a resource

These steps show how to add an approval workflow that must complete before a resource is disabled.
Create a rule
-------------
Log in to the Design Console and open Rule Designer.

Create a rule with
Type > Process Determination,
Sub-Type > Approval
Rule element >
Request Object Action == "Disable"

Then open the resource object (Resource Management > Resource Objects), go to its Process Determination Rules tab and map this rule to the approval process that should run. A rule that is not mapped to a process on the resource object is never evaluated, and Disable requests keep going through without approval.

Monday, November 23, 2009

Modify Active Directory cn attribute

You can rename an object in a context by using Context.rename(). Both arguments are names relative to the context (here the entry's parent container), so only the RDN is given. Renaming changes the entry's RDN and therefore its DN; AD does not let you change cn with a plain attribute modify, so rename is the supported way. Any character in the new value that is special in a DN (comma, plus, backslash, quotes, a leading # or space) must be escaped, otherwise the rename targets the wrong name or fails.
// Rename from Dilip Nimse to Dilip N
ctx.rename("cn=Dilip Nimse", "cn=Dilip N");
This example renames the object that was bound to "cn=Dilip Nimse" to "cn=Dilip N".
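The following is an added Python example, not code from the original post, and it does not talk to a directory. It shows what the one-liner above hides: how the two relative names for ctx.rename() are formed, how a cn value containing RFC 4514 special characters (for example the "Nimse, Dilip" case, or a cn taken from user input) must be escaped before it becomes part of a name, and what the entry's full DN is afterwards. All DNs used are constructed sample values; the function names are my own.

```python
"""Forming the names for a JNDI-style rename (ctx.rename(oldName, newName))."""

# Characters that must be backslash-escaped anywhere inside an RDN value (RFC 4514 2.4).
_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value):
    """Escape an attribute value for use inside an RDN."""
    if not value:
        raise ValueError("RDN value must not be empty")
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif (i == 0 and ch in "# ") or (i == last and ch == " "):
            # a leading '#' or space and a trailing space are only special at the edges
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def rename_args(old_cn, new_cn):
    """The (oldName, newName) pair for ctx.rename() when ctx is the parent container."""
    return ("cn=" + escape_rdn_value(old_cn), "cn=" + escape_rdn_value(new_cn))


def split_first_rdn(dn):
    """Split a DN at its first unescaped comma -> (rdn, parent_dn)."""
    i = 0
    while i < len(dn):
        if dn[i] == "\\":
            i += 2  # skip the escaped character
            continue
        if dn[i] == ",":
            return dn[:i], dn[i + 1:]
        i += 1
    return dn, ""


def renamed_dn(old_dn, new_cn):
    """DN the entry will have after the rename: new RDN, same parent."""
    _, parent = split_first_rdn(old_dn)
    new_rdn = "cn=" + escape_rdn_value(new_cn)
    return new_rdn if not parent else new_rdn + "," + parent


if __name__ == "__main__":
    print(rename_args("Dilip Nimse", "Dilip N"))
    print(renamed_dn("cn=Dilip Nimse,ou=users,dc=example,dc=com", "Dilip N"))
    # a comma in the new cn must be escaped or it would become a second RDN
    print(renamed_dn("cn=Dilip Nimse,ou=users,dc=example,dc=com", "Nimse, Dilip"))
```

If the new cn comes from a request form, run it through the escaping first; otherwise a value such as "x,ou=admins" changes which container the rename lands in.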

Monday, November 2, 2009

OIM Audit Module installation

http://download-east.oracle.com/docs/cd/B32386_01/generic.902/b32137/useraudit.htm

Metalink document ID
Doc ID: 369831.1

OIM Data Dictionary

Metalink document ID - 377992.1

1. Log in to https://metalink.oracle.com
2. Search for the keyword 377992.1 in the Knowledge Browser search.
3. Download the zip file containing the data dictionary.

Monday, September 21, 2009

OIM - Oracle SQL to find all the users and their resource status

The query below lists every user that has at least one resource instance, with the resource name and the status of that instance. OIU ties a user to an object instance, OBI ties the instance to its resource object (OBJ), and OST holds the status string (Provisioned, Enabled, Disabled, Revoked, ...). Because these are all inner joins, users with no resource at all do not appear; use an outer join from USR if you need them too.

SELECT usr.usr_login, usr.usr_first_name, usr.usr_last_name,
obj.obj_key, obj.obj_name, oiu.oiu_create, ost.ost_status, orc.orc_tos_instance_key
FROM orc, usr, obj, oiu, ost, obi
WHERE orc.orc_key = oiu.orc_key AND
oiu.usr_key = usr.usr_key AND
oiu.ost_key = ost.ost_key AND
oiu.obi_key = obi.obi_key AND
obi.obj_key = obj.obj_key


The query below returns users who were disabled/terminated more than 50 days ago but whose Active Directory resource has still not been revoked, i.e. orphaned AD accounts that de-provisioning missed. 'AD User' is the resource object name in this environment; change it to match yours, and adjust the 50-day window to whatever your policy allows between termination and revocation.

SELECT usr.usr_login,
usr.usr_first_name,
usr.usr_last_name,
usr.usr_end_Date,
usr.usr_status "User Status",
ost.ost_status "AD Status",
sysdate - 50 "date comparison"
FROM orc,
usr,
obj,
oiu,
ost,
obi
WHERE orc.orc_key = oiu.orc_key AND
oiu.usr_key = usr.usr_key AND
oiu.ost_key = ost.ost_key AND
oiu.obi_key = obi.obi_key AND
obi.obj_key = obj.obj_key AND
obj.obj_name = 'AD User' AND
ost.ost_status != 'Revoked' AND
usr.usr_disabled = 1 AND
usr.usr_end_date < sysdate - 50

Monday, August 10, 2009

Convert Date in to Active Directory (AD) date / datetime format

Converting dates to the Active Directory date format has always bugged me. Java's long date is not the same as AD's: Date.getTime() counts milliseconds since 1970-01-01 00:00 UTC, while AD attributes such as accountExpires, pwdLastSet and lastLogonTimestamp count 100-nanosecond intervals since 1601-01-01 00:00 UTC (the Windows FILETIME format), so both the epoch and the unit differ.

Here is some sample code I have been using for a long time now.

import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.TimeZone;
import junit.framework.TestCase;


/**
 * Converts between java.util.Date and the Active Directory large-integer
 * date format (Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC).
 *
 * @author Dilip Nimse
 */
public class ADDateFunctions extends TestCase {
    // Milliseconds between 1601-01-01 and 1970-01-01 (134,774 days).
    // The earlier version of this snippet used the literal 0xa9735dcc400L,
    // which is 11,644,560,000,000 ms: exactly one day (86,400,000 ms) too
    // large, so every value it wrote to AD was shifted by a day. The
    // round-trip test never caught it because both directions used the
    // same wrong constant.
    private static final long _TIME_DIFFERENCE = 11644473600000L;
    // AD counts 100-ns ticks; there are 10,000 of them in a millisecond.
    private static final long _NANO_SECONDSPER_MILLI = 10000L;
    // AD treats both 0 and Long.MAX_VALUE in accountExpires as "never expires".
    private static final long _NEVER_EXPIRES = 0x7fffffffffffffffL;

    public ADDateFunctions(String name) {
        super(name);
    }

    protected void setUp() throws Exception {
        super.setUp();
    }

    protected void tearDown() throws Exception {
        super.tearDown();
    }

    private long convertDateToLong(Date date) {
        long millisSince1601 = date.getTime() + _TIME_DIFFERENCE;
        return millisSince1601 * _NANO_SECONDSPER_MILLI;
    }

    private Date convertLongToDate(long longDate) {
        long millisSince1601 = longDate / _NANO_SECONDSPER_MILLI;
        return new Date(millisSince1601 - _TIME_DIFFERENCE);
    }

    // True when the input means "no expiry": null, blank, or the literal 0.
    private boolean isNoExpireDS(String s) {
        if (s == null) {
            return true;
        }
        s = s.trim();
        if (s.length() == 0) {
            return true;
        }
        try {
            return Long.decode(s).longValue() == 0L;
        } catch (NumberFormatException e) {
            return false; // not a number, so treat it as a real date string
        }
    }

    // FILETIME is defined in UTC. With the default (JVM local zone) the value
    // written to AD would depend on the time zone of the machine running the
    // connector, which is how "4 AM CST" and "11 PM GMT" readings of the same
    // attribute come about.
    private SimpleDateFormat utcFormat(String dateFormat) {
        SimpleDateFormat f = new SimpleDateFormat(dateFormat);
        f.setTimeZone(TimeZone.getTimeZone("UTC"));
        f.setLenient(false);
        return f;
    }

    public String datetoAD(String s, String dateFormat) {
        if (isNoExpireDS(s)) {
            return Long.toString(_NEVER_EXPIRES);
        }
        try {
            Date date = utcFormat(dateFormat).parse(s);
            return Long.toString(convertDateToLong(date));
        } catch (ParseException e) {
            // The earlier version swallowed this and returned "0", which AD
            // also reads as "never expires": a typo in the date silently
            // produced a non-expiring account. Fail loudly instead.
            throw new IllegalArgumentException(
                    "Cannot parse date '" + s + "' with format " + dateFormat, e);
        }
    }

    public String adDatetoDate(String s, String dateFormat) {
        long l = Long.parseLong(s.trim());
        if (l == 0L || l == _NEVER_EXPIRES) {
            return "never";
        }
        return utcFormat(dateFormat).format(convertLongToDate(l));
    }

    public void testGetADDate() {
        System.out.println("Lets test the AD Date Conversions");
        String s = "05/15/2009";
        String s1 = datetoAD(s, "MM/dd/yyyy");
        System.out.println("Active Directory Date Format for " + s + " is : " + s1);
        // 2009-05-15T00:00Z is 1,242,345,600 s after 1970 and
        // 12,886,819,200 s after 1601; times 10^7 ticks per second:
        assertEquals("128868192000000000", s1);
        System.out.println("Active Directory Date " + s1
                + " converted back to Calendar date is : " + adDatetoDate(s1, "MM/dd/yyyy"));
        assertEquals(s, adDatetoDate(s1, "MM/dd/yyyy"));
        assertEquals("never", adDatetoDate("9223372036854775807", "MM/dd/yyyy"));
    }

}

Friday, July 17, 2009

tcReconciliationOperationsBean.processReconDataField

When you create a reconciliation event in OIM you may see the error below:

ERROR [org.jboss.ejb.plugins.LogInterceptor] RuntimeException in method: public abstract long com.thortech.xl.ejb.interfaces.tcReconciliationOperations.createReconciliationEvent(java.lang.String,java.util.Map,boolean) throws Thor.API.Exceptions.tcAPIException,Thor.API.Exceptions.tcObjectNotFoundException,java.rmi.RemoteException:
java.lang.NullPointerException
at com.thortech.xl.ejb.beansimpl.tcReconciliationOperationsBean.processReconDataField(Unknown Source)
at com.thortech.xl.ejb.beansimpl.tcReconciliationOperationsBean.createReconciliationEvent(Unknown Source) at com.thortech.xl.ejb.beansimpl.tcReconciliationOperationsBean.createReconciliationEvent


Solution
---------------
When this error occurs the reconciliation event is not created at all, so it is hard to see what is going on, and the OIM log does not say which field it is failing on.

So: list every field that is part of the reconciliation map, then check the value being passed for each one.

If any value is null, pass an empty String instead, or leave that field out of the reconciliation Map entirely; a null value in the map is what produces the NullPointerException in processReconDataField.

Wednesday, June 3, 2009

OIM - Exchange connector creating multiple mail stores

You may be surprised to see the Exchange connector sometimes create more than one mailbox for the same user. It took me a long time to figure out why.

It is one of Exchange 2003's quirks.

If the welcome/initial e-mail is sent from a non-conditional task such as the Create Mailbox task, that is the culprit.

Never create a mailbox and send an e-mail to it in the same step (if you are doing this through code). Instead, write a scheduled task that sends the welcome e-mail, and have that task first check whether the Exchange resource is already Provisioned; only then send.

You have to do this because Exchange takes its own sweet time to create a mailbox. So be careful when you see weird behaviour from Exchange while using the Exchange connector with Oracle Identity Manager.

com.thortech.xl.dataobj.util.tcAttributeSource.getAttrColumnName

Value: java.lang.NullPointerException
at com.thortech.xl.dataobj.util.tcAttributeSource.getAttrColumnName(Unknown Source)


There are many reasons you can get this error during a trusted reconciliation, and the log gives little to tell you which one it is.

One cause: when you change a field label on the user profile, you must also go into every process definition that maps that field and re-map the attribute.

Example: say you have a field called UD_USR_PHONE with the label "Phone", and this field is mapped in your reconciliation.

Now the client says "I don't like this label, I want a new label, 'Full Phone', instead of just 'Phone'."

You then have to go into every process definition where Phone was mapped and re-map it to Full Phone. If you skip that exercise, you get the error above.

Wednesday, April 22, 2009

OIM - System Administrator initial login time is greater than usual

When the System Administrator logs in to OIM, the home page runs three queries to display the counts of pending approvals, open tasks, etc. To avoid this you can do the following:

From the Design Console go to System Configuration,
search for "XL.WebAdminHome.CounterDisplay.Type",
and change the value from "DayLimit" to "CheckLink".

If this property is not available in the Design Console, do the following.

See Oracle Metalink Doc 741590.1 for all the details; in short:

Edit WEB-INF/classes/xlWebAdmin.properties,
change webadminhome.message.skipPendingApprovalsOpenTasksCounter to true, and then run the patch_websphere.sh script to rebuild and redeploy the WAR.

AD Date Issue

When you are calling that attribute ADSI is grabbing the value of “accountExpires” and casting the number of 100-nanosecond intervals since Jan 1, 1601 to an understandable datetime.

So far when I look at the “accountExpires” date in Softerra (doing a literal lookup on the date value and converting), or looking in my C# code—I get back the 4/21/2009 4:00:00 AM CST or equivalent 4/20/2009 11:00:00 PM GMT dates.

The really odd thing is that basically ADSI’s internal conversion routine is not following whatever accepted conversions are for .NET or Java.

Here is my C# code:

using System;
using System.DirectoryServices;
using System.Web.UI;

// Not shown in the original snippet: the bind credentials and authentication
// type it relied on. They are assumed to be set elsewhere in the page class.
private string username;
private string password;
private AuthenticationTypes bindingAuth = AuthenticationTypes.Secure;

protected void Page_Load(object sender, EventArgs e)
{
    Int64 raw = GetInt64(@"cn=wertman\, pam,ou=users,ou=cnc,OU=AIT,DC=us,DC=aegon,DC=com", "accountExpires");

    if (raw < 0)
    {
        Response.Write("accountExpires not found");
        return;
    }
    // AD uses both 0 and Int64.MaxValue for "never expires". FromFileTime throws
    // ArgumentOutOfRangeException on Int64.MaxValue, so handle the sentinels first.
    if (raw == 0 || raw == Int64.MaxValue)
    {
        Response.Write("never expires");
        return;
    }

    // FromFileTime converts to the web server's local time zone;
    // FromFileTimeUtc gives the instant as AD stores it.
    DateTime expiresLocal = DateTime.FromFileTime(raw);
    DateTime expiresUtc = DateTime.FromFileTimeUtc(raw);
    Response.Write(expiresLocal + " (local) / " + expiresUtc + " (UTC)");
}

private Int64 GetInt64(string userDN, string attr)
{
    using (DirectoryEntry root = new DirectoryEntry(
        @"LDAP://crdcusdc01.us.aegon.com:389/" + userDN,
        username,
        password,
        bindingAuth))
    using (DirectorySearcher ds = new DirectorySearcher(
        root,
        String.Format("({0}=*)", attr),
        new string[] { attr },
        SearchScope.Base))
    {
        SearchResult sr = ds.FindOne();

        // DirectorySearcher returns large-integer attributes as Int64, so the cast
        // is safe here (DirectoryEntry.Properties would hand back a COM
        // IADsLargeInteger instead).
        if (sr != null && sr.Properties.Contains(attr))
        {
            return (Int64)sr.Properties[attr][0];
        }
        return -1;
    }
}

C# code is courtesy of one of my colleagues, Mark Morrison.
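Both the Java post above ("Convert Date in to Active Directory (AD) date / datetime format") and this C# section do the same conversion, so here is one added example, in Python, that is not the post's Java or the colleague's C#. It derives the 1601-to-1970 offset from the two epochs instead of hard-coding it (the hex literal 0xa9735dcc400 used in the Java, 11,644,560,000,000 ms, is one day larger than the real gap of 11,644,473,600,000 ms), refuses naive datetimes so the local-versus-UTC confusion described above cannot creep in, and maps the two "never expires" sentinels to None instead of a year-30828 date. Function names and the sample values are my own.

```python
"""Active Directory large-integer date <-> datetime, round-trip safe.

AD stores accountExpires, pwdLastSet, lastLogonTimestamp and badPasswordTime
as a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00 UTC.
"""
from datetime import datetime, timedelta, timezone

WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000  # FILETIME resolution is 100 ns
# 134,774 days = 11,644,473,600 s; derived, not typed in by hand
EPOCH_GAP_SECONDS = int((UNIX_EPOCH - WINDOWS_EPOCH).total_seconds())

# accountExpires has two "never expires" encodings; the second is what the
# Users and Computers snap-in writes and what overflows naive conversions.
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}


def datetime_to_filetime(dt):
    """Aware datetime -> FILETIME ticks. Naive datetimes are rejected because
    interpreting them in the machine's local zone is how the same attribute
    shows up as 4 AM in one tool and 11 PM in another."""
    if dt.tzinfo is None:
        raise ValueError("datetime must be timezone-aware")
    delta = dt.astimezone(timezone.utc) - WINDOWS_EPOCH
    # integer arithmetic: total_seconds() is a float and loses the last ticks
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def filetime_to_datetime(ticks):
    """Inverse of datetime_to_filetime. Returns None for the two sentinels."""
    if ticks in NEVER_EXPIRES:
        return None
    if ticks < 0:
        raise ValueError("FILETIME cannot be negative")
    seconds, rem = divmod(ticks, TICKS_PER_SECOND)
    return WINDOWS_EPOCH + timedelta(seconds=seconds, microseconds=rem // 10)


def date_string_to_filetime(s, fmt="%m/%d/%Y"):
    """What a connector writes for a date string: midnight UTC of that day.
    None, blank and "0" mean "never expires"; anything unparsable raises,
    instead of silently becoming 0 (which AD also reads as never expires)."""
    if s is None or s.strip() in ("", "0"):
        return str(0x7FFFFFFFFFFFFFFF)
    dt = datetime.strptime(s.strip(), fmt).replace(tzinfo=timezone.utc)
    return str(datetime_to_filetime(dt))


def filetime_string_to_date(s, fmt="%m/%d/%Y"):
    """Reverse of date_string_to_filetime, as a connector would display it."""
    dt = filetime_to_datetime(int(s.strip()))
    return "never" if dt is None else dt.strftime(fmt)


if __name__ == "__main__":
    ad = date_string_to_filetime("05/15/2009")
    print("05/15/2009 ->", ad, "->", filetime_string_to_date(ad))
    print("Unix epoch as FILETIME:", datetime_to_filetime(UNIX_EPOCH))
    print("0x7FFFFFFFFFFFFFFF ->", filetime_string_to_date("9223372036854775807"))
```

The value for 05/15/2009 is 128868192000000000, which is what a correctly written accountExpires looks like for that day; the Java snippet above with its original constant would have produced a value for 05/16/2009 instead.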

WebSphere JMSManagedQueueSessionFactory in OIM

Actually, this is a known idiot light thrown by IBM:
http://download-west.oracle.com/docs/cd/B32479_01/doc.903/b32458/toc.htm#CHDEIIBG
"3.2.2 Benign Exception Warning Message Appears in WebSphere Log After Installing Release 9.0.3 and Starting the Application Server (Bug 5607996)
After installing Release 9.0.3 on WebSphere 5.1.1.12 and starting the application server, a benign exception warning message appears in the WebSphere log regarding the following:
J2CA0007W: An exception occurred while invoking method setsetMcfPassword on com.ibm.ejs.jms.JMSManagedQueueSessionFactory

This is a known WebSphere exception warning message and can safely be ignored. Refer to IBM's WebSphere Application Server support Web site for more information."
Here is the full mea culpa from IBM:
http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg1PK32670
Best fix is to migrate all servers to WAS 6.1/OIM 9.1 combo.

Remedy

From the Remedy docs : “Because Java handles the deallocation of memory automatically (using garbage collection), another key difference between the C API and the AR System Java API is that when references to an object no longer exist, that object is assumed to no longer be needed, and then the memory occupied by that object is reclaimed. So, freeing allocated memory and shutdown/cleanup of the general structure of a C API program do not have a counterpart in an AR System Java API program. However, in an AR System Java API program, you must use the clear method to release context (user and server) information as well as other methods of the classes you use, and to use the releaseInstance method of the factory object to reclaim memory that has been allocated to a factory object. The underlying resources are not touched by garbage collection. They must be released.”


However, to the relevant point of connection pooling: I do not see the clear() method ever called. In your disconnect() helper methods I see you setting the context to null; what you want instead is to call arServer.clear() rather than setting arServer = null.

http://spider.kineticdata.com/arApi63/com/remedy/arsys/api/ARServerUser.html#clear()

Creating Javadocs using ANT

Here is potentially a very easy way :
http://www.geocities.com/richard_hoefter/eclipse2ant/

Monday, April 20, 2009

Active Directory , userAccountControl Values

When you are writing AD connectors the following values help a lot. All of them are values of the attribute "userAccountControl", which is a bitmask: each number below is a sum of flags (512 = NORMAL_ACCOUNT, 2 = ACCOUNTDISABLE, 32 = PASSWD_NOTREQD, 65536 = DONT_EXPIRE_PASSWORD), so read or set individual bits rather than comparing or overwriting the whole number, or you clear flags the account already had.

512 - Enabled user account (NORMAL_ACCOUNT)
514 - Disabled user account (512 + 2)
544 - Enabled, password not required (512 + 32, PASSWD_NOTREQD). This is not "user must change password at first logon": it allows the account to have an empty password and should never be set by a connector. To force a password change at next logon, set pwdLastSet to 0 instead.
66048 - Enabled, password never expires (512 + 65536)
66050 - Disabled, password never expires (514 + 65536)
8388608 - Password is expired (PASSWORD_EXPIRED). On Windows Server 2003 and later this bit is computed by the domain controller and is read from msDS-User-Account-Control-Computed; writing it to userAccountControl has no effect.

For all the values refer to
http://support.microsoft.com/kb/305144

For more information on userAccountControl refer to
http://technet.microsoft.com/en-us/library/cc709691.aspx
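Added example, not from the post: the bit-level handling a connector needs for userAccountControl, in Python. It decodes a value into flag names (flag values from KB 305144), disables or enables an account by touching only the ACCOUNTDISABLE bit so 66048 becomes 66050 and back, masks out the computed-only bits before a write, and runs a small audit for weakening flags over a constructed list of accounts. The account list and function names are mine, not real directory data.

```python
"""userAccountControl: decode, audit, and update without clobbering other bits."""

UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x4000000: "PARTIAL_SECRETS_ACCOUNT",
}

ACCOUNTDISABLE = 0x0002

# Since Windows Server 2003 the DC computes these and exposes them in
# msDS-User-Account-Control-Computed; they are not writable through userAccountControl.
COMPUTED_ONLY = 0x0010 | 0x800000  # LOCKOUT | PASSWORD_EXPIRED

# Flags that weaken authentication for the account; each is a finding in an AD review.
RISKY = {
    0x0020: "empty password allowed (PASSWD_NOTREQD)",
    0x0080: "password stored with reversible encryption",
    0x80000: "unconstrained delegation",
    0x200000: "DES-only Kerberos keys",
    0x400000: "Kerberos pre-authentication not required",
}


def decode(uac):
    """Flag names set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if uac & bit]


def set_disabled(uac, disabled):
    """Flip only ACCOUNTDISABLE; every other flag the account had is kept."""
    return (uac | ACCOUNTDISABLE) if disabled else (uac & ~ACCOUNTDISABLE)


def writable(uac):
    """Value safe to write back: computed-only bits removed."""
    return uac & ~COMPUTED_ONLY


def audit(accounts):
    """accounts: iterable of (sAMAccountName, userAccountControl).
    Returns {name: [finding, ...]} for enabled accounts carrying a RISKY flag."""
    findings = {}
    for name, uac in accounts:
        if uac & ACCOUNTDISABLE:
            continue  # a disabled account cannot be logged on to; skip
        hits = [desc for bit, desc in sorted(RISKY.items()) if uac & bit]
        if hits:
            findings[name] = hits
    return findings


# Constructed sample, not real directory data.
SAMPLE_ACCOUNTS = [
    ("jdoe", 512),            # plain enabled user
    ("svc_backup", 66048),    # enabled, password never expires
    ("temp01", 544),          # enabled + PASSWD_NOTREQD (the "544" from the list above)
    ("old_user", 514),        # disabled
    ("legacy_app", 4194816),  # 512 | 0x400000: no Kerberos pre-authentication
]

if __name__ == "__main__":
    for name, uac in SAMPLE_ACCOUNTS:
        print(name, uac, decode(uac))
    print("disable svc_backup ->", set_disabled(66048, True))
    print("findings:", audit(SAMPLE_ACCOUNTS))
```

The audit loop is the same check you would run over an LDAP export (sAMAccountName, userAccountControl) of the whole domain; 544-style accounts are the ones worth chasing first because the empty-password allowance survives any password policy.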



Convert Date to AD Format(Long)