OIM 11g LDAP Sync of Group Changes Done in LDAP

(Doc ID 1437922.1)

Last updated on SEPTEMBER 26, 2016

Applies to:

Identity Manager - Version 11.1.1.5.0 and later
Information in this document applies to any platform.
**Checked for Relevance on 02-Dec-2013**

Symptoms


Problem
=======
OIM with LDAP Sync:

1) Suppose there is a role in OIM, with the corresponding OID group created through LDAP Sync.
2) Two users, user1 and user2, are added to the role in OIM and synced to be members of the group in OID.
3) A new user (user3) is added to the same group directly in LDAP. This generates an OID changelog record that replaces the existing uniquemember attribute of the group with the full member list: user1, user2 and user3.
4) The LDAP sync scheduled job for LDAP Role Membership update runs in OIM. From this single changelog entry, 5 reconciliation events are raised:
i) Delete of the role membership for user1
ii) Delete of the role membership for user2
iii) "Single Role Grant Match Found" for user1
iv) "Single Role Grant Match Found" for user2
v) Create of the role membership for user3.

The result of the above in OIM is that the user added to the group in LDAP (user3) is shown as a member of the OIM role, but the other two users (user1 and user2) have lost their role in OIM. This is not correct, as user1 and user2 should still be members of the role. OIM and OID are now also out of sync: in OID all three users are shown as members of the group, but in OIM only user3 is.

Workarounds: It is possible to correct the issue by going to the two "Single Role Grant Match Found" events and re-evaluating them; they are then re-evaluated as creates and the OIM role memberships are restored. This should not be required, since these users have not had their membership changed and should not lose it in the first place. If, for example, a group/role had many members and a single change were made in LDAP, it would be very troublesome to find all the related events and manually re-evaluate them.


In short, users can lose their privileges in OIM whenever a change is made to group membership in LDAP, and restoring them is a lot of work.
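To make the failure mode concrete, the following is an added model of the reconciliation step, not Oracle's code or anything from the OIM product: it parses a constructed OID changelog entry of the kind described in step 3 (changetype: modify with a replace of uniquemember), turns it into role-membership events under two strategies (the delete/match/create stream the note reports, and a plain set-difference that raises events only for members that actually changed), applies them to a constructed OIM role state, and reports the OID-versus-OIM drift a periodic consistency check would flag. The group DN, user DNs and all function names are assumptions made for the example.

```python
# Constructed model (not Oracle's code) of how an OID changelog entry that
# replaces a group's uniquemember attribute becomes OIM role-membership events.

# Constructed sample: the changelog record generated when user3 is added to
# the group directly in LDAP. The whole attribute is replaced, not appended.
CHANGELOG_ENTRY = """\
dn: cn=AppAdmins,cn=Groups,dc=example,dc=com
changetype: modify
replace: uniquemember
uniquemember: cn=user1,cn=Users,dc=example,dc=com
uniquemember: cn=user2,cn=Users,dc=example,dc=com
uniquemember: cn=user3,cn=Users,dc=example,dc=com
-
"""

# Constructed current state in OIM: user1 and user2 already hold the role.
OIM_ROLE_MEMBERS = {
    "cn=user1,cn=Users,dc=example,dc=com",
    "cn=user2,cn=Users,dc=example,dc=com",
}


def parse_replace_entry(ldif: str):
    """Return (group_dn, attribute, set_of_values) for a changelog entry that
    replaces one multi-valued attribute. Anything else is rejected."""
    dn = changetype = attr = None
    values = set()
    for raw in ldif.splitlines():
        line = raw.strip()
        if not line or line == "-":          # blank line or end of modify block
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "dn":
            dn = value
        elif key == "changetype":
            changetype = value.lower()
        elif key == "replace":
            attr = value.lower()
        elif attr is not None and key == attr:
            values.add(value)
    if dn is None or changetype != "modify" or attr is None:
        raise ValueError("only 'changetype: modify' with a 'replace:' block is modelled")
    return dn, attr, values


def events_as_observed(current: set, replaced: set):
    """Event stream the note describes: every existing member is deleted, each
    existing member then gets a 'match found' event, and only truly new members
    get a create event. Order follows the note: deletes, matches, creates."""
    events = [("delete", m) for m in sorted(current)]
    events += [("match_found", m) for m in sorted(replaced & current)]
    events += [("create", m) for m in sorted(replaced - current)]
    return events


def events_by_delta(current: set, replaced: set):
    """Set-difference reconciliation: events only for real membership changes."""
    events = [("delete", m) for m in sorted(current - replaced)]
    events += [("create", m) for m in sorted(replaced - current)]
    return events


def apply_events(current: set, events):
    """Apply events to the OIM role. A 'match_found' event is left pending, which
    changes nothing until an operator re-evaluates it (the behaviour reported)."""
    members = set(current)
    for kind, member in events:
        if kind == "delete":
            members.discard(member)
        elif kind == "create":
            members.add(member)
    return members


def reconcile(ldif: str, current: set, strategy=events_by_delta):
    """Run one changelog entry through the chosen strategy; return (events, new OIM state)."""
    group_dn, attr, replaced = parse_replace_entry(ldif)
    if attr != "uniquemember":
        raise ValueError(f"unexpected attribute {attr!r} on {group_dn}")
    events = strategy(current, replaced)
    return events, apply_events(current, events)


def drift(ldap_members: set, oim_members: set):
    """(missing in OIM, extra in OIM): what an OID-vs-OIM consistency check reports."""
    return sorted(ldap_members - oim_members), sorted(oim_members - ldap_members)


if __name__ == "__main__":
    _, _, ldap_members = parse_replace_entry(CHANGELOG_ENTRY)
    for name, strat in (("as observed", events_as_observed), ("by delta", events_by_delta)):
        events, result = reconcile(CHANGELOG_ENTRY, OIM_ROLE_MEMBERS, strat)
        print(f"{name}: {len(events)} events; OIM role now {sorted(result)}")
        print("  drift (missing in OIM, extra in OIM):", drift(ldap_members, result))
```

Under the observed strategy the single changelog entry yields the five events listed in step 4 and leaves only user3 in the OIM role, and the drift check reports user1 and user2 as present in OID but missing from OIM; the set-difference strategy yields one create event for user3 and no drift. The drift function is the check worth scheduling against the real directory and OIM role tables, since it surfaces lost memberships without relying on the reconciliation event history.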

Cause
