equalTo and memberOf filter does not work for groups in Active Directory (Doc ID 1938217.1)

Last updated on SEPTEMBER 19, 2016

Applies to:

Identity Manager Connector - Version 11.1.1.5.0 and later
Information in this document applies to any platform.

Symptoms

On OIM 11.1.1.5 BP10 and AD connector 11.1.1.6.0

Using the filter:
  equalTo( 'memberOf' , 'CN=ADG_IDM_LDAPFILTER,OU=IDM,DC=company,DC=com' )
to populate the groups in the lookup for AD, we see that one of the groups is not getting populated, even though it is a member of the ADG_IDM_LDAPFILTER group.

The group that is not getting populated is
  CN=ADG_IDM_Users,OU=IDM,DC=company,DC=com

If we change the filter to
  equalTo( 'distinguishedName' , 'CN=ADG_IDM_Users,OU=IDM,DC=company,DC=com' )
then the group gets reconciled fine.

If a particular group is a member of more than 2 groups in AD, then the following filter doesn't work:

equalTo( 'memberOf' , '<distinguished name of the parent group>' )

From the logs we clearly see that the group ADG_IDM_Users is a memberOf two groups, ADG_IDM_LDAPFILTER and oimusers, and that this is the reason why it did not get populated in the group lookup.

Log file extract :

2014-10-17 08:42:30 : Class-> CustomAttributeHandlers, Method -> GetCaFromDe_Att_Generic, Message -> Exiting the method. Returning attribute(Name = memberOf, value = [CN=ADG_IDM_Users,OU=IDM,DC=company,DC=com], [CN=oimusers,OU=IDM,DC=company,DC=com]).
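The behaviour in the log follows from how ICF filters treat multi-valued attributes: EqualsFilter compares the object's whole value set with the filter value, while ContainsAllValuesFilter (exposed in OIM's filter syntax as containsAllValues) only requires the given values to be present. The Python model below is an added example, not the connector's own Java code; the group entries are constructed from the DNs quoted in this note, and the second group (ADG_IDM_Other) is invented for contrast.

```python
# Added example: a small Python model of the ICF filter semantics used by the
# OIM AD connector (illustrative code, not the connector's own implementation).

def equal_to(attr, value):
    """ICF EqualsFilter: the object's complete value set must equal the filter's."""
    def accept(obj):
        values = obj.get(attr)
        return values is not None and set(values) == {value}
    return accept

def contains_all_values(attr, *wanted):
    """ICF ContainsAllValuesFilter: every wanted value is present; extra values are allowed."""
    def accept(obj):
        values = obj.get(attr)
        return values is not None and set(wanted) <= set(values)
    return accept

FILTER_GROUP = "CN=ADG_IDM_LDAPFILTER,OU=IDM,DC=company,DC=com"
USERS_GROUP = "CN=ADG_IDM_Users,OU=IDM,DC=company,DC=com"
OTHER_GROUP = "CN=ADG_IDM_Other,OU=IDM,DC=company,DC=com"   # constructed, not from the note

# Constructed AD group entries: ADG_IDM_Users carries two memberOf values, as in the log.
GROUPS = [
    {"distinguishedName": [USERS_GROUP],
     "memberOf": [FILTER_GROUP, "CN=oimusers,OU=IDM,DC=company,DC=com"]},
    {"distinguishedName": [OTHER_GROUP],
     "memberOf": [FILTER_GROUP]},
]

def lookup(filter_fn, groups=GROUPS):
    """Return the DNs of the groups that a reconciliation filter would populate."""
    return [g["distinguishedName"][0] for g in groups if filter_fn(g)]

if __name__ == "__main__":
    # Single-DN equalTo on memberOf misses the group that has two memberOf values.
    print(lookup(equal_to("memberOf", FILTER_GROUP)))
    # equalTo on the single-valued distinguishedName matches it, as the note describes.
    print(lookup(equal_to("distinguishedName", USERS_GROUP)))
    # containsAllValues returns every group that has the parent DN among its values.
    print(lookup(contains_all_values("memberOf", FILTER_GROUP)))
```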

Cause
