User Entry Changes in AD Of Types: Delete, Moddn (User Moves Location/Container in AD), Modrdn (Username Changes in AD), Are Not Getting Updated In OID Groups / Propagated To The Groups (Doc ID 397078.1)

Last updated on FEBRUARY 15, 2019

Applies to:

Goal

OID (Oracle Internet Directory) 10g 10.1.4.

Either via OID ldap tools (ldapdelete, ldapmoddn) or via DIP synchronization with 3rd party directory such as Active Directory (AD), if the user is a member of one or more groups, the groups are not being updated with the changes to the user DN (user moves container/location in AD) or username (username changes in AD). If there is a subsequent change to the group (i.e., another member added), then the group is synchronized properly.

Likewise, if a user is deleted in AD, the user is subsequently deleted in OID. However, the user is still a member of all groups. Again, when the group is updated and resynchronized, the membership is then updated correctly.  (Note: Unless the usnchanged is actually updated in the AD group itself when the deletion happens, then DIP cannot know about the change, thus nothing will happen with the synched group in OID.)

So there is a period of time where the group memberships are not correct, and currently having to manually update the group in AD to address this issue.

Is this the expected behavior?

Solution

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.