OIM R2 LDAPSync Concepts and Troubleshooting
(Doc ID 2286608.1)
Last updated on FEBRUARY 14, 2019
Applies to: Identity Manager - Version 220.127.116.11.0 to 18.104.22.168.170418 [Release 11g]
Information in this document applies to any platform.
The purpose of this note is to explain what LDAPSync is, the scope of its functions, how its configuration is structured, and the best approach to troubleshooting it.
LDAPSync is the process of automatically maintaining OIM users and roles in an LDAP identity store such as OID, OUD, AD, ODSEE (iPlanet).
The updates do not require additional provisioning actions or access policies.
User creations and modifications in OIM are automatically pushed to the LDAP using EventHandlers.
Getting updates from LDAP is accomplished via the LDAP User Create and Modify Recon job.
OIM uses libOVD or OVD server as the interface to the LDAP server.
- This allows OIM code to make the same calls when an update is made and lets OVD/libOVD make the adjustments for each LDAP Server process.
In general, OIM will be the main administrator of users that will be maintained in LDAPSync.
New users are created in OIM and pushed to LDAP. Password changes are made in OIM and then also pushed to LDAP.
New users created in LDAP are pulled using the Recon jobs and are put into a default OIM Organization (Create Actions cause this), and with most LDAPs the initial password is passed.
Any changes in LDAP except for updated passwords are sent to OIM.
1.1.3 About LDAP Synchronization in Oracle Identity Manager
OIM needs to use a Proxy Admin user to update the LDAP. This is required since there is a filter on the incremental recon that ignores changes made by that proxy.
- If the default Admin user is used, then nothing is returned by the incremental recon. Only Full recon will see users.