Integrating Oracle Identity Manager with Microsoft Active Directory: Performing Reconciliation and Trusted Reconciliation

Purpose

This OBE tutorial describes and shows you how to perform reconciliation and trusted reconciliation with the Active Directory Adapter.

Time to Complete

Approximately 1½ hours

Topics

This OBE tutorial covers the following topics:

 Overview
 Scenario
 Configuring Resource Objects and the Reconciliation Rule
 Configuring Scheduled Tasks
 Monitoring Reconciliation
 Testing Reconciliation
 Backing Up the Oracle Identity Manager Server Database
 Changing to Untrusted Reconciliation
 Backing Up the Oracle Identity Manager Server Database
 Summary
 Related Information

Overview

All components that are used by Oracle Identity Manager to communicate with a particular resource, for the purposes of performing either provisioning or reconciliation with that resource, are placed into a container. This container is known as an Oracle Identity Manager Connector. Provisioning or reconciliation occurs as a result of the components of this connector working with one another. The Active Directory connector can be used in the following ways:

Scenario

Linda works as a network administrator for Mydo Main Corporation. In Mydo Main, Linda is responsible for managing the access privileges for various user groups to various resources within the organization. In addition to performing provisioning, she needs to do reconciliation and trusted reconciliation tasks. One of her tasks is to perform reconciliation and trusted reconciliation for users, organizations, groups, and group memberships to an Active Directory instance that needs to be connected to the Oracle Identity Manager Server.

Configuring Resource Objects and the Reconciliation Rule

You need to define reconciliation fields to determine the reconciliation data that needs to be taken from Active Directory and how that information is used in Oracle Identity Manager. You need to define basic fields that are used to map the Oracle Identity Manager User Resource object to the Active Directory data and also the rule used to associate an Active Directory user record with an Oracle Identity Manager user record. To define the basic fields, perform the following steps:

1. Navigate to E:\oracle\oim_designConsole\xlclient and double-click the xlclient.cmd file. This launches the Oracle Identity Manager Design Console.

Note: Ensure that the Oracle database and the JBoss application server are already running.

2. Log in with the user ID xelsysadm and password abcd1234.

3. You will change the values for the AD Server IT Resource. To perform this task, in the left pane, click Resource Management and then double-click IT Resources.

4. Click the search icon to retrieve the record for the AD Server IT Resource. For this AD Server IT Resource, modify the Root Context value to CN=Users,dc=mydomain,dc=com and then click the Save icon.

Note: The remaining parameter values for the AD Server IT Resource should not be modified.

5. After you have updated the Root Context, in the left pane, double-click Resource Objects.

6. Click the search icon and then click the next arrow icon to load the Xellerate User resource object. Then click the Object Reconciliation tab.

7. Under the Reconciliation Fields section, click Add Field.

8. In the Add Reconciliation Field window, enter the field names and field types from the following table:

Field Name          Field Type
sAMAccountName      String
sn                  String
givenName           String
Xellerate Type      String
Role                String
Organization Name   String

Note: Save each field as you create it. Click the X icon in the Reconciliation Data Field window to view all the added fields.

9. Notice that all the fields have been added to the Xellerate User resource object. Next, click the Reconciliation Action Rules tab.

10. To create a rule condition and its corresponding action, click Add.

11. Create two rules with the following conditions and actions:

Rule Condition            Rule Action
No Matches Found          Create User
One Entity Match Found    Establish Link

Note: Click the Save icon to store each rule as you create it.

12. Click the Resource Object tab and then click the next record icon to retrieve the AD User resource object.

13. Click the Object Reconciliation tab and then click the Reconciliation Fields tab to view the list of attributes that will be reconciled from the AD User.

14. Click the Reconciliation Action Rules tab.

15. Remove the two default rules listed in the Reconciliation Action Rules section: click Delete twice to remove both entries, and then add the following reconciliation rules:

Rule Condition             Rule Action
One Process Match Found    Establish Link
One Entity Match Found     Establish Link

16. Click the Save icon to store the AD User resource object.

17. In the left pane, click Process Management and then double-click Process Definition.

18. Click the search icon and then the next arrow icon to load the Xellerate User process definition. Then click the Reconciliation Field Mappings tab.

19. Click Add Field Map to link the reconciliation field names to the user attributes.

20. Create the reconciliation field mappings according to the following table:

Field Name          User Attribute
sAMAccountName      User Login
sn                  Last Name
givenName           First Name
Xellerate Type      Xellerate Type
Role                Role
Organization Name   Organization Name

Note: Click the Save icon to store each of these field mappings.

21. Click the Save icon to store the Xellerate User process definition.

22. Next, you will create the rule that matches Active Directory records to Oracle Identity Manager users. In the left pane, click Development Tools and then double-click Reconciliation Rules to open a new Reconciliation Rule Builder form.

23. Enter OIM User Recon in the Name field and OIM/XL User Reconciliation in the Description field.

24. Double-click the Object field to open the lookup, and then select Xellerate User.

25. Click the Save icon to store the rule. A new rule definition, Rule: OIM User Recon, is created.

26. Click Add Rule Element, and then create a new rule element with User Profile Data set to User Login, Operator set to Equals, and Attribute set to sAMAccountName.

27. Click the Save icon to store the reconciliation rule and then select the Active option. The Active option enables the newly created rule.

28. Click the Save icon again to store the activated reconciliation rule.

Configuring Scheduled Tasks

After you have configured the resource objects, process definitions, and reconciliation rules used during reconciliation, you will configure the task scheduler to define when to perform the reconciliation and on which IT resources this reconciliation will be implemented. To configure the task scheduler, perform the following steps:

1. In the left pane, click Xellerate Administration and then double-click Task Scheduler to open a blank Task Definition form.

2. The Active Directory task definition must now be configured. Click the Search icon to load the ActiveDirectoryReconTask scheduled task and change the following attribute values:

Attribute Name       Attribute Value
Server               AD Server
Use Field Mapping    false

Note: Click the Save icon to store the values.

3. In the Interval section, select Once.

4. Use the Delete key to clear the value of the Start time field.

Note: If the existing date is not removed, the field retains the old date even when you choose a new one.

5. Double-click the Start time field to open the Date & Time scheduler window.

6. Click OK to select the current date and time as the start of the task.

7. Select the Disabled option to enable the task definition.

8. Click the Save icon to store the task definition.

Monitoring Reconciliation

After activating the reconciliation for a one-time event, you can monitor the reconciliation process. To monitor this task, perform the following steps:

1. In the left pane, click User Management and then click Reconciliation Manager.

2. Click the Search icon to open the Reconciliation Manager Table tab.

3. The list of your reconciliation events will differ from what is displayed in the screenshot. You can refresh the list by clicking the Refresh (circling arrows) icon.

Note: This task may take several minutes to complete.

Testing Reconciliation

To search for the users created in the reconciliation process, perform the following steps:

1. Open a browser window and enter the URL of the Oracle Identity Manager Admin Console in the following format:

http://<hostname>.<domainname>:<port>/xlWebApp

Note: Ensure that the Oracle database and the JBoss application server are already running.

2. Log in with the user ID xelsysadm and password abcd1234.

3. In the Oracle Identity Manager Administrative Console, click Users and then click Manage.

4. Click Search User. You can view the new records that have been created in Oracle Identity Manager by trusted reconciliation with Active Directory.

Backing Up the Oracle Identity Manager Server Database

After configuring the resource parameters, you need to back up the Oracle Identity Manager Server database. To run this backup, perform the following steps:

1. At the command prompt, enter the following command:

exp system/abcd1234 file=E:\OimDB_backups\Lab09_3_AD_TrustedRecon_Completed.dmp owner=oimuser

Press the Enter key to confirm the database backup.

Note: You can watch the progress of the database export. This backup may take a few minutes to run. Note the completion message of the database export.

Changing to Untrusted Reconciliation

You have now completed configuring the system for trusted reconciliation, which has created linked copies of the Active Directory user records in Oracle Identity Manager. Trusted reconciliation does not assign to each user an IT Resource representing the system from which the users were reconciled. You can switch from trusted reconciliation to untrusted reconciliation (also simply called reconciliation) and run a reconciliation event for Active Directory again so that every reconciled user is assigned the AD Server IT resource.

To alter the reconciliation configuration for performing untrusted reconciliation and initiate a reconciliation in order to assign an AD Server IT resource to each reconciled user record, perform the following tasks:

1. In the Oracle Identity Manager Design Console window, navigate to Resource Management and then double-click IT Resources.

2. Click the Search icon to load the AD Server IT resource and change the following parameters:

Name                              Value
Last Modified Time Stamp          0
Last Modified Time Stamp Group    0
Root Context                      dc=mydomain,dc=com

3. Click the Save icon to store the attribute values.

4. Navigate to Xellerate Administration and then double-click Task Scheduler.

5. Click the Search icon to load the ActiveDirectoryReconTask task definition and make the following changes:

Attribute Name      Attribute Value
XellerateObject     false
UseFieldMapping     false

Note: By default, the UseFieldMapping attribute might already be set to false.

6. Click the Save icon to store the changes.

7. Use the Delete key to clear the value of the Start time field.

8. Double-click the Start time field to open the Date & Time scheduler window and then click OK to select the current date and time.

Note: You can then monitor the reconciliation again as before (this may take several minutes).
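
The following Python script is an added illustration, not code from this tutorial or from Oracle Identity Manager. It models how the two configurations built above resolve a reconciliation event: the trusted run against the Xellerate User object (rule "User Login Equals sAMAccountName" from the Configuring Resource Objects section, with the action rules No Matches Found -> Create User and One Entity Match Found -> Establish Link), and the untrusted run against the AD User resource object (One Process Match Found / One Entity Match Found -> Establish Link, no Create User rule), which attaches the account to an existing user as an AD Server resource. The field mappings are the ones from step 20. The treatment of a "process match" (the user already holds this account on the resource) is a simplification, the records are constructed sample data, and the handling of several matches goes beyond the tutorial's two rules: OIM's actual engine is not reproduced here.

```python
"""Toy model of how OIM reconciliation events are resolved, added as an
illustration for the trusted and untrusted configurations built in this
tutorial. It is not Oracle Identity Manager code; the matching and action
logic is a simplification, and all records are constructed sample data."""
from dataclasses import dataclass, field

# Step 20: reconciliation field mappings (AD reconciliation field -> OIM user attribute)
FIELD_MAPPINGS = {
    "sAMAccountName": "User Login",
    "sn": "Last Name",
    "givenName": "First Name",
    "Xellerate Type": "Xellerate Type",
    "Role": "Role",
    "Organization Name": "Organization Name",
}


@dataclass
class OimUser:
    attributes: dict
    resources: list = field(default_factory=list)  # provisioned resource instances


def map_fields(ad_record):
    """Translate a reconciled AD record into OIM user attributes; unmapped keys are dropped."""
    return {FIELD_MAPPINGS[k]: v for k, v in ad_record.items() if k in FIELD_MAPPINGS}


def match_users(users, ad_record):
    """Reconciliation rule 'OIM User Recon': User Login Equals sAMAccountName."""
    login = ad_record.get("sAMAccountName")
    return [u for u in users if u.attributes.get("User Login") == login]


def trusted_recon(users, ad_records):
    """Trusted reconciliation against the Xellerate User object (steps 10-11):
    No Matches Found -> Create User, One Entity Match Found -> Establish Link.
    Several matches have no rule here, so the event is left for manual review."""
    outcomes = {}
    for rec in ad_records:
        login = rec["sAMAccountName"]
        matches = match_users(users, rec)
        if not matches:
            users.append(OimUser(attributes=map_fields(rec)))
            outcomes[login] = "Create User"
        elif len(matches) == 1:
            matches[0].attributes.update(map_fields(rec))  # linked user takes the AD values
            outcomes[login] = "Establish Link"
        else:
            outcomes[login] = "Multiple Matches Found"
    return outcomes


def untrusted_recon(users, ad_records, resource="AD Server"):
    """Untrusted reconciliation against the AD User resource object (step 15):
    One Process Match Found -> Establish Link, One Entity Match Found -> Establish Link.
    There is no Create User rule, so an account with no matching user stays unmatched;
    a matched account is attached to the user as an instance of the AD Server resource."""
    outcomes = {}
    for rec in ad_records:
        login = rec["sAMAccountName"]
        matches = match_users(users, rec)
        if len(matches) != 1:
            outcomes[login] = "No Match" if not matches else "Multiple Matches Found"
            continue
        user = matches[0]
        # Simplified process match: the user already holds this account on this resource.
        held = [r for r in user.resources if r["resource"] == resource and r["account"] == login]
        if held:
            outcomes[login] = "Establish Link (process match)"
        else:
            user.resources.append({"resource": resource, "account": login})
            outcomes[login] = "Establish Link (entity match)"
    return outcomes


# Constructed sample records, standing in for entries under CN=Users,dc=mydomain,dc=com.
SAMPLE_AD_RECORDS = [
    {"sAMAccountName": "jdoe", "sn": "Doe", "givenName": "Jane", "Xellerate Type": "End-User",
     "Role": "Full-Time", "Organization Name": "Xellerate Users"},
    {"sAMAccountName": "linda", "sn": "Smith", "givenName": "Linda", "Xellerate Type": "End-User",
     "Role": "Full-Time", "Organization Name": "Xellerate Users"},
]


def run_demo():
    """Play the tutorial's sequence: trusted run first, then the untrusted run over the same data."""
    # One user already exists in OIM before reconciliation (constructed).
    users = [OimUser(attributes={"User Login": "linda", "Last Name": "Jones", "First Name": "Linda"})]
    trusted = trusted_recon(users, SAMPLE_AD_RECORDS)
    untrusted = untrusted_recon(users, SAMPLE_AD_RECORDS)
    return users, trusted, untrusted


if __name__ == "__main__":
    users, trusted, untrusted = run_demo()
    for login in trusted:
        print(f"{login}: trusted={trusted[login]}, untrusted={untrusted[login]}")
    for u in users:
        print(u.attributes["User Login"], u.attributes.get("Last Name"), u.resources)
```

Running the script shows why the tutorial performs the two passes in this order: the trusted pass creates jdoe and updates the already existing linda from the directory values, while the untrusted pass creates nobody and only attaches the AD Server resource to users that the rule can match. An account whose login matches no OIM user is left unmatched in the untrusted pass, which is the situation the Root Context change to dc=mydomain,dc=com and the reset Last Modified Time Stamp values are meant to avoid by re-reading all accounts.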

Backing Up the Oracle Identity Manager Server Database

After configuring the resource parameters, you need to back up the Oracle Identity Manager Server database. To run this backup, perform the following steps:

1. At the command prompt, enter the following command:

exp system/abcd1234 file=E:\OimDB_backups\Lab09_4_AD_Resource_Recon_Completed.dmp owner=oimuser

Press the Enter key to confirm the database backup.

Note: You can watch the progress of the database export. This backup may take a few minutes to run. Note the completion message of the database export.

Summary

In this lesson, you learned how to:

 Configure resource objects and the reconciliation rule
 Configure scheduled tasks
 Monitor reconciliation
 Test reconciliation
 Back up the Oracle Identity Manager Server database
 Change to untrusted reconciliation
 Back up the Oracle Identity Manager Server database

Related Information

 To ask a question about this OBE tutorial, post a query on the OBE Discussion Forum.
