equalTo and memberOf filter does not work for groups in Active Directory
Last updated on SEPTEMBER 19, 2016
Applies to: Identity Manager Connector - Version 22.214.171.124.0 and later
Information in this document applies to any platform.
On OIM 126.96.36.199 BP10 and AD connector 188.8.131.52.0
Using the filter:
equalTo( 'memberOf' , 'CN=ADG_IDM_LDAPFILTER,OU=IDM,DC=company,DC=com' )
to populate the groups in the lookup for AD, one of the groups is not getting populated, even though it is a member of the ADG_IDM_LDAPFILTER group.
The group that is not getting populated is
If we instead use the filter
equalTo( 'distinguishedName' , 'CN=ADG_IDM_Users,OU=IDM,DC=company,DC=com' )
then the group gets reconciled fine.
If a particular group is a member of more than 2 groups in AD, then the following filter doesn't work:
equalTo('memberOf', '<distinguished name of the group>')
From the logs we clearly see that the group ADG_IDM_USERS is a memberOf two groups, ADG_IDM_LDAPFILTER and oimusers, and that this is why it did not get populated in the group lookup.
Log file extract:
2014-10-17 08:42:30 : Class-> CustomAttributeHandlers, Method -> GetCaFromDe_Att_Generic, Message -> Exiting the method. Returning attribute(Name = memberOf, value = [CN=ADG_IDM_Users,OU=IDM,DC=company,DC=com], [CN=oimusers,OU=IDM,DC=company,DC=com]).
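To make the symptom concrete, here is an added Python model (not the connector's code; the group data is constructed to mirror the scenario above) of two ways a filter can compare a multi-valued memberOf attribute against one DN: equality against the attribute as a whole, which only a single-valued attribute can satisfy, versus LDAP-style matching where any value may equal the target. DNs are normalized because AD compares them case-insensitively.

```python
# Constructed sample data modelled on the article's scenario (not from a live directory).
FILTER_GROUP = "CN=ADG_IDM_LDAPFILTER,OU=IDM,DC=company,DC=com"
GROUPS = {
    # group DN -> the memberOf values AD would return for it
    "CN=ADG_IDM_Users,OU=IDM,DC=company,DC=com": [
        "CN=ADG_IDM_LDAPFILTER,OU=IDM,DC=company,DC=com",
        "CN=oimusers,OU=IDM,DC=company,DC=com",
    ],
    # hypothetical group that belongs to the filter group only
    "CN=ADG_IDM_Single,OU=IDM,DC=company,DC=com": [
        "CN=ADG_IDM_LDAPFILTER,OU=IDM,DC=company,DC=com",
    ],
}


def normalize_dn(dn):
    """AD matches DNs case-insensitively and ignores whitespace around RDN separators."""
    return ",".join(part.strip() for part in dn.split(",")).casefold()


def equal_to_whole_value(values, target):
    """Compare the whole attribute to one DN: a multi-valued attribute can never match."""
    return len(values) == 1 and normalize_dn(values[0]) == normalize_dn(target)


def equal_to_any_value(values, target):
    """LDAP semantics for (memberOf=DN): match if any value of the attribute equals the DN."""
    norm_target = normalize_dn(target)
    return any(normalize_dn(v) == norm_target for v in values)


def lookup_population(groups, target, matcher):
    """Return the sorted DNs of the groups the lookup would be populated with."""
    return sorted(dn for dn, member_of in groups.items() if matcher(member_of, target))


if __name__ == "__main__":
    # Whole-value comparison drops ADG_IDM_Users (two memberOf values); any-value keeps it.
    print(lookup_population(GROUPS, FILTER_GROUP, equal_to_whole_value))
    print(lookup_population(GROUPS, FILTER_GROUP, equal_to_any_value))
```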