Wednesday, November 23, 2016

SQL Query to get Process Instance Key of particular Resource for user in OIM

Query to get Process Instance Key:

SELECT ORC_KEY
FROM ORC,PKG,USR
WHERE ORC.PKG_KEY=PKG.PKG_KEY
AND ORC.USR_KEY=USR.USR_KEY
AND PKG_NAME='[Insert Resource Name here]'
AND USR_LOGIN='[Insert User Login here]';

Example: To get Process Instance Key of AD User resource for TESTUSER user:
SELECT ORC_KEY
FROM ORC,PKG,USR
WHERE ORC.PKG_KEY=PKG.PKG_KEY
AND ORC.USR_KEY=USR.USR_KEY
AND PKG_NAME='AD User'
AND USR_LOGIN='TESTUSER';

Sunday, November 20, 2016

SQL query to get all the accounts of user in OIM

Query to get active/enabled accounts:

SELECT OBJ.OBJ_NAME
FROM OBJ,OBI,OIU,OST,USR
WHERE OBJ.OBJ_KEY=OBI.OBJ_KEY
AND OBI.OBI_KEY=OIU.OBI_KEY
AND OIU.USR_KEY=USR.USR_KEY
AND OIU.OST_KEY=OST.OST_KEY
AND OST.OBJ_KEY=OBJ.OBJ_KEY
AND USR.USR_LOGIN='[Insert User Login here]'
AND OST.OST_STATUS IN ('Enabled','Provisioned');

Example: To get all the active/enabled accounts of user TESTUSER
SELECT OBJ.OBJ_NAME
FROM OBJ,OBI,OIU,OST,USR
WHERE OBJ.OBJ_KEY=OBI.OBJ_KEY
AND OBI.OBI_KEY=OIU.OBI_KEY
AND OIU.USR_KEY=USR.USR_KEY
AND OIU.OST_KEY=OST.OST_KEY
AND OST.OBJ_KEY=OBJ.OBJ_KEY
AND USR.USR_LOGIN='TESTUSER'
AND OST.OST_STATUS IN ('Enabled','Provisioned');


Query to get disabled accounts:

SELECT OBJ.OBJ_NAME
FROM OBJ,OBI,OIU,OST,USR
WHERE OBJ.OBJ_KEY=OBI.OBJ_KEY
AND OBI.OBI_KEY=OIU.OBI_KEY
AND OIU.USR_KEY=USR.USR_KEY
AND OIU.OST_KEY=OST.OST_KEY
AND OST.OBJ_KEY=OBJ.OBJ_KEY
AND USR.USR_LOGIN='[Insert User Login here]'
AND OST.OST_STATUS IN ('Disabled');

Example: To get all the disabled accounts of user TESTUSER
SELECT OBJ.OBJ_NAME
FROM OBJ,OBI,OIU,OST,USR
WHERE OBJ.OBJ_KEY=OBI.OBJ_KEY
AND OBI.OBI_KEY=OIU.OBI_KEY
AND OIU.USR_KEY=USR.USR_KEY
AND OIU.OST_KEY=OST.OST_KEY
AND OST.OBJ_KEY=OBJ.OBJ_KEY
AND USR.USR_LOGIN='TESTUSER'
AND OST.OST_STATUS IN ('Disabled');

Query to get revoked accounts:

SELECT OBJ.OBJ_NAME 
FROM OBJ,OBI,OIU,OST,USR
WHERE OBJ.OBJ_KEY=OBI.OBJ_KEY
AND OBI.OBI_KEY=OIU.OBI_KEY
AND OIU.USR_KEY=USR.USR_KEY
AND OIU.OST_KEY=OST.OST_KEY
AND OST.OBJ_KEY=OBJ.OBJ_KEY
AND USR.USR_LOGIN='[Insert User Login here]'
AND OST.OST_STATUS IN ('Revoked');

Example: To get all the revoked accounts of user TESTUSER
SELECT OBJ.OBJ_NAME 
FROM OBJ,OBI,OIU,OST,USR
WHERE OBJ.OBJ_KEY=OBI.OBJ_KEY
AND OBI.OBI_KEY=OIU.OBI_KEY
AND OIU.USR_KEY=USR.USR_KEY
AND OIU.OST_KEY=OST.OST_KEY
AND OST.OBJ_KEY=OBJ.OBJ_KEY
AND USR.USR_LOGIN='TESTUSER'
AND OST.OST_STATUS IN ('Revoked');

SQL query to get all the users having account on particular resource in OIM

Query to get users list having active/enabled account:

SELECT USR.USR_LOGIN
FROM OBJ,OBI,OIU,OST,USR
WHERE OBJ.OBJ_KEY=OBI.OBJ_KEY
AND OBI.OBI_KEY=OIU.OBI_KEY
AND OIU.USR_KEY=USR.USR_KEY
AND OIU.OST_KEY=OST.OST_KEY
AND OST.OBJ_KEY=OBJ.OBJ_KEY
AND OBJ.OBJ_NAME='[Insert Resource Name here]'
AND OST.OST_STATUS IN ('Enabled','Provisioned');

Example: To get the users having active/enabled account on AD User resource:
SELECT USR.USR_LOGIN
FROM OBJ,OBI,OIU,OST,USR
WHERE OBJ.OBJ_KEY=OBI.OBJ_KEY
AND OBI.OBI_KEY=OIU.OBI_KEY
AND OIU.USR_KEY=USR.USR_KEY
AND OIU.OST_KEY=OST.OST_KEY
AND OST.OBJ_KEY=OBJ.OBJ_KEY
AND OBJ.OBJ_NAME='AD User'
AND OST.OST_STATUS IN ('Enabled','Provisioned');

Query to get users list having disabled account:

SELECT USR.USR_LOGIN
FROM OBJ,OBI,OIU,OST,USR
WHERE OBJ.OBJ_KEY=OBI.OBJ_KEY
AND OBI.OBI_KEY=OIU.OBI_KEY
AND OIU.USR_KEY=USR.USR_KEY
AND OIU.OST_KEY=OST.OST_KEY
AND OST.OBJ_KEY=OBJ.OBJ_KEY
AND OBJ.OBJ_NAME='[Insert Resource Name here]'
AND OST.OST_STATUS IN ('Disabled');

Example: To get the users having disabled account on AD User resource:
SELECT USR.USR_LOGIN
FROM OBJ,OBI,OIU,OST,USR
WHERE OBJ.OBJ_KEY=OBI.OBJ_KEY
AND OBI.OBI_KEY=OIU.OBI_KEY
AND OIU.USR_KEY=USR.USR_KEY
AND OIU.OST_KEY=OST.OST_KEY
AND OST.OBJ_KEY=OBJ.OBJ_KEY
AND OBJ.OBJ_NAME='AD User'
AND OST.OST_STATUS IN ('Disabled');

Query to get users list having revoked account:

SELECT USR.USR_LOGIN
FROM OBJ,OBI,OIU,OST,USR
WHERE OBJ.OBJ_KEY=OBI.OBJ_KEY
AND OBI.OBI_KEY=OIU.OBI_KEY
AND OIU.USR_KEY=USR.USR_KEY
AND OIU.OST_KEY=OST.OST_KEY
AND OST.OBJ_KEY=OBJ.OBJ_KEY
AND OBJ.OBJ_NAME='[Insert Resource Name here]'
AND OST.OST_STATUS IN ('Revoked');

Example: To get the users having revoked account on AD User resource:
SELECT USR.USR_LOGIN
FROM OBJ,OBI,OIU,OST,USR
WHERE OBJ.OBJ_KEY=OBI.OBJ_KEY
AND OBI.OBI_KEY=OIU.OBI_KEY
AND OIU.USR_KEY=USR.USR_KEY
AND OIU.OST_KEY=OST.OST_KEY
AND OST.OBJ_KEY=OBJ.OBJ_KEY
AND OBJ.OBJ_NAME='AD User'
AND OST.OST_STATUS IN ('Revoked');
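The six status-specific queries above (three per user, three per resource) can be collapsed into a single parameterised query. The following is an added example, not a query from the original post: it lists every account a user holds with its resource name, status, status group and process instance key in one pass, followed by a per-resource status summary. It assumes the same table relationships the page uses (OBJ, OBI, OIU, OST, USR) and additionally that OIU.ORC_KEY links an account to its process instance in ORC, which the page's queries do not show; :user_login and :resource_name are bind variables in SQL*Plus/SQL Developer syntax.

```sql
-- Added example (not from the original post): all accounts of one user,
-- every status in one result set, with the process instance key alongside.
-- Assumption not shown on the page: OIU.ORC_KEY references ORC.ORC_KEY.
-- :user_login and :resource_name are bind variables; pass NULL for
-- :resource_name to return accounts on every resource.
SELECT usr.usr_login,
       obj.obj_name   AS resource_name,
       ost.ost_status AS account_status,
       oiu.orc_key    AS process_instance_key,
       CASE
         WHEN ost.ost_status IN ('Enabled', 'Provisioned') THEN 'ACTIVE'
         WHEN ost.ost_status = 'Disabled'                  THEN 'DISABLED'
         WHEN ost.ost_status = 'Revoked'                   THEN 'REVOKED'
         ELSE 'OTHER'
       END            AS status_group
FROM   usr
       JOIN oiu ON oiu.usr_key = usr.usr_key
       JOIN obi ON obi.obi_key = oiu.obi_key
       JOIN obj ON obj.obj_key = obi.obj_key
       JOIN ost ON ost.ost_key = oiu.ost_key
              AND ost.obj_key = obj.obj_key
WHERE  usr.usr_login = :user_login
AND   (:resource_name IS NULL OR obj.obj_name = :resource_name)
ORDER  BY obj.obj_name, ost.ost_status;

-- Companion summary: number of accounts per resource and status, a quick
-- sanity check during an access review (e.g. revoked accounts that are
-- still counted on a resource).
SELECT obj.obj_name   AS resource_name,
       ost.ost_status AS account_status,
       COUNT(*)       AS accounts
FROM   oiu
       JOIN obi ON obi.obi_key = oiu.obi_key
       JOIN obj ON obj.obj_key = obi.obj_key
       JOIN ost ON ost.ost_key = oiu.ost_key
              AND ost.obj_key = obj.obj_key
GROUP  BY obj.obj_name, ost.ost_status
ORDER  BY obj.obj_name, ost.ost_status;
```

Binding the login and resource name rather than splicing them into the query text matters as soon as the query is wrapped in a script or report: a login such as O'BRIEN breaks a quoted literal, and a value taken from user input would otherwise be executed as SQL. With bind variables the value is never parsed as part of the statement.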

Friday, November 18, 2016

SQL query to get all the Completed/Rejected tasks of particular resource for user in OIM

SQL Query to get Completed tasks of particular resource for User:

SELECT MIL_NAME as TASKS
FROM USR, ORC, MIL, PKG, TOS, SCH, OSI 
WHERE OSI.MIL_KEY=MIL.MIL_KEY
AND OSI.ORC_KEY=ORC.ORC_KEY
AND ORC.USR_KEY=USR.USR_KEY
AND OSI.TOS_KEY=TOS.TOS_KEY
AND OSI.PKG_KEY=PKG.PKG_KEY
AND OSI.SCH_KEY=SCH.SCH_KEY
AND PKG.PKG_NAME='[Insert Resource Name here]'
AND SCH.SCH_STATUS ='C'
AND USR.USR_LOGIN='[Insert User Login here]'
ORDER BY OSI.OSI_UPDATE;

Example: To get Completed tasks of AD User resource for TESTUSER user:
SELECT MIL_NAME as TASKS 
FROM USR, ORC, MIL, PKG, TOS, SCH, OSI 
WHERE OSI.MIL_KEY=MIL.MIL_KEY
AND OSI.ORC_KEY=ORC.ORC_KEY
AND ORC.USR_KEY=USR.USR_KEY
AND OSI.TOS_KEY=TOS.TOS_KEY
AND OSI.PKG_KEY=PKG.PKG_KEY
AND OSI.SCH_KEY=SCH.SCH_KEY
AND PKG.PKG_NAME='AD User'
AND SCH.SCH_STATUS ='C'
AND USR.USR_LOGIN='TESTUSER'
ORDER BY OSI.OSI_UPDATE;

SQL Query to get Rejected tasks of particular resource for User:

SELECT MIL_NAME as TASKS
FROM USR, ORC,MIL, PKG, TOS, SCH, OSI
WHERE OSI.MIL_KEY=MIL.MIL_KEY
AND OSI.ORC_KEY=ORC.ORC_KEY
AND ORC.USR_KEY=USR.USR_KEY
AND OSI.TOS_KEY=TOS.TOS_KEY
AND OSI.PKG_KEY=PKG.PKG_KEY
AND OSI.SCH_KEY=SCH.SCH_KEY
AND PKG.PKG_NAME='[Insert Resource Name here]'
AND SCH.SCH_STATUS ='R'
AND USR.USR_LOGIN='[Insert User Login here]'
ORDER BY OSI.OSI_UPDATE;

Example: To get Rejected tasks of AD User resource for TESTUSER user:
SELECT MIL_NAME as TASKS
FROM USR, ORC,MIL, PKG, TOS, SCH, OSI
WHERE OSI.MIL_KEY=MIL.MIL_KEY
AND OSI.ORC_KEY=ORC.ORC_KEY
AND ORC.USR_KEY=USR.USR_KEY
AND OSI.TOS_KEY=TOS.TOS_KEY
AND OSI.PKG_KEY=PKG.PKG_KEY
AND OSI.SCH_KEY=SCH.SCH_KEY
AND PKG.PKG_NAME='AD User'
AND SCH.SCH_STATUS ='R'
AND USR.USR_LOGIN='TESTUSER'
ORDER BY OSI.OSI_UPDATE;
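As an added example (not from the original post), the Completed and Rejected queries above can be merged into one parameterised query that returns the task history of a resource for a user with the SCH_STATUS code decoded, plus a second query that counts tasks per status. It uses the same tables as the page's queries except TOS, whose join the originals carry but never read; :user_login, :resource_name and :status_code are bind variables. Only the codes 'C' and 'R' are taken from the page; any other code is reported as 'Other'.

```sql
-- Added example (not from the original post): task history of one resource
-- for one user, newest first, with the SCH_STATUS code decoded. Only 'C'
-- (Completed) and 'R' (Rejected) are documented above; anything else is
-- shown as 'Other'. Pass NULL for :status_code to list all tasks.
SELECT mil.mil_name   AS task,
       sch.sch_status AS status_code,
       CASE sch.sch_status
         WHEN 'C' THEN 'Completed'
         WHEN 'R' THEN 'Rejected'
         ELSE 'Other'
       END            AS status,
       osi.osi_update AS last_update
FROM   usr
       JOIN orc ON orc.usr_key = usr.usr_key
       JOIN osi ON osi.orc_key = orc.orc_key
       JOIN pkg ON pkg.pkg_key = osi.pkg_key
       JOIN mil ON mil.mil_key = osi.mil_key
       JOIN sch ON sch.sch_key = osi.sch_key
WHERE  usr.usr_login = :user_login
AND    pkg.pkg_name  = :resource_name
AND   (:status_code IS NULL OR sch.sch_status = :status_code)
ORDER  BY osi.osi_update DESC;

-- Companion summary: how many tasks of each status the same user has on the
-- resource and when the last one was updated, a quick way to spot a pile-up
-- of rejected tasks for an account.
SELECT pkg.pkg_name        AS resource_name,
       sch.sch_status      AS status_code,
       COUNT(*)            AS tasks,
       MAX(osi.osi_update) AS latest_update
FROM   usr
       JOIN orc ON orc.usr_key = usr.usr_key
       JOIN osi ON osi.orc_key = orc.orc_key
       JOIN pkg ON pkg.pkg_key = osi.pkg_key
       JOIN sch ON sch.sch_key = osi.sch_key
WHERE  usr.usr_login = :user_login
AND    pkg.pkg_name  = :resource_name
GROUP  BY pkg.pkg_name, sch.sch_status
ORDER  BY pkg.pkg_name, sch.sch_status;
```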

Wednesday, August 3, 2016

oracle.iam.connectors.icfcommon.prov.ICProvisioningManager : createObject : Error while creating user java.lang.IllegalArgumentException: Password configuration property is empty.

This exception appears while trying to provision/create a user on the target in OIM.

<ORACLE.IAM.CONNECTORS.ICFCOMMON.PROV.ICPROVISIONINGMANAGER> <BEA-000000> <oracle.iam.connectors.icfcommon.prov.ICProvisioningManager : createObject : Error while creating user
java.lang.IllegalArgumentException: Password configuration property is empty.

Main Cause:

The password used to establish a connection to the target is blank or missing in the IT Resource.
Before performing any CRUD operation on the target, OIM reads the connection details from the IT Resource and establishes a connection. Before connecting, the connector first checks whether all the required details are present; if the password has not been provided, the exception above is thrown.


Solution:

Provide the password of the target service account that is required to establish the connection.


Hope this will help!!!

oracle.iam.connectors.icfcommon.prov.ICProvisioningManager : createObject : Error while creating user java.lang.IndexOutOfBoundsException: Invalid attribute name (PASSWORD)

This exception appears while trying to provision/create a user on the target using the Database Application Table (DBAT) connector in OIM.


<Error> <ORACLE.IAM.CONNECTORS.ICFCOMMON.PROV.ICPROVISIONINGMANAGER> <BEA-000000> <oracle.iam.connectors.icfcommon.prov.ICProvisioningManager : createObject : Error while creating user
java.lang.IndexOutOfBoundsException: Invalid attribute name (PASSWORD)

Check oim_server1-diagnostic.log under oim_server1/logs to find the cause of the create operation failure with the DBAT connector.

Main Cause:

The password flows from OIM to the DB Application Table target while provisioning/creating a user, and the passwordColumn attribute is set in the IT Resource (its value is the name of the DB application table column that holds the password).
Suppose the column holding the password in the DB Application Table is named PASSWORD; then the passwordColumn attribute value in the IT Resource would be PASSWORD, as in the screenshot below.


Solution:

There are some special attributes in the Provisioning and Reconciliation lookups of OIM ICF-based connectors which are prefixed and suffixed by __ (double underscore), such as __NAME__, __UID__ and __PASSWORD__; the ICF framework recognises them by these names only. All of these attributes hold sensitive information.

Similarly, in the DBAT connector, if the password flows from OIM to the DB Application Table and the target password column name is provided in the IT Resource, make sure that in the Provisioning and Reconciliation lookups the decode value for the password field is __PASSWORD__ instead of only PASSWORD. See the screenshot below for more details.

Hope this will help !!!

Monday, June 27, 2016

oracle.iam.connectors.icfcommon.prov.ICProvisioningManager : doUpdate : Error while updating user[[ org.identityconnectors.framework.common.exceptions.UnknownUidException: Object with Uid 'Attribute: {Name=__UID__, Value=[2D8273319FE5CAE2E050EA9D62281277]}' and ObjectClass 'ObjectClass: __ACCOUNT__' does not exist!

Issue: 

Update, enable and disable operations on the OID target fail for some users with the exception below:

[2016-03-17T03:57:29.068-07:00] [oim_server1] [ERROR] [] [ORACLE.IAM.CONNECTORS.ICFCOMMON.PROV.ICPROVISIONINGMANAGER] [tid: [ACTIVE].ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: xelsysadm] [ecid: 77bddbf65a4931ae:64858e41:1537b129d1d:-8000-000000000002311f,0] [APP: oim#11.1.2.0.0] [DSID: 0000LE46_tz7u1^Y1T2FVV1Mu3Ne000034] oracle.iam.connectors.icfcommon.prov.ICProvisioningManager : doUpdate : Error while updating user[[
org.identityconnectors.framework.common.exceptions.UnknownUidException: Object with Uid 'Attribute: {Name=__UID__, Value=[2D8273319FE5CAE2E050EA9D62281277]}' and ObjectClass 'ObjectClass: __ACCOUNT__' does not exist!
        at org.identityconnectors.framework.impl.serializer.CommonObjectHandlers$8.createException(CommonObjectHandlers.java:218)
        at org.identityconnectors.framework.impl.serializer.CommonObjectHandlers$8.createException(CommonObjectHandlers.java:215)
        at org.identityconnectors.framework.impl.serializer.CommonObjectHandlers$ThrowableHandler.deserialize(CommonObjectHandlers.java:115)
        at org.identityconnectors.framework.impl.serializer.binary.BinaryObjectDecoder$InternalDecoder.readObject(BinaryObjectDecoder.java:162)
        at org.identityconnectors.framework.impl.serializer.binary.BinaryObjectDecoder.readObject(BinaryObjectDecoder.java:313)
        at org.identityconnectors.framework.impl.serializer.binary.BinaryObjectDecoder.readObjectField(BinaryObjectDecoder.java:417)
        at org.identityconnectors.framework.impl.serializer.MessageHandlers$5.deserialize(MessageHandlers.java:155)
        at org.identityconnectors.framework.impl.serializer.binary.BinaryObjectDecoder$InternalDecoder.readObject(BinaryObjectDecoder.java:162)
        at org.identityconnectors.framework.impl.serializer.binary.BinaryObjectDecoder.readObject(BinaryObjectDecoder.java:313)
        at org.identityconnectors.framework.impl.api.remote.RemoteFrameworkConnection.readObject(RemoteFrameworkConnection.java:153)
        at org.identityconnectors.framework.impl.api.remote.RemoteOperationInvocationHandler.invoke(RemoteOperationInvocationHandler.java:101)
        at com.sun.proxy.$Proxy636.update(Unknown Source)

Debugging:

Check oim_server1-diagnostic.log under oim_server1/logs to find the cause of the update/disable/enable operation failure.

Cause:

A new objectclass, together with an attribute, was added in OID and that attribute was added to the Provisioning lookup. Existing OID users were created without the new objectclass, so updates that carry the new attribute fail for them.

Solution:

As such, there is no solution that makes a newly created objectclass applicable to all the existing OID users.

Make sure that all custom objectclasses are created in OID before the users are provisioned on the target.

Note: If you created a custom objectclass and use it while provisioning, updating, disabling and enabling users, make sure that an entry for it is added in the Configuration Lookup against the ObjectClass code.

Sunday, June 26, 2016

Connector picks the terminate/disable value for the status column at the time of create user and enable user operations in the Database Application Table (DBAT) connector.

Background:

In an enterprise setup, many applications in the organization may use relational database tables as a repository for user data. Oracle provides an OOTB connector to perform CRUD operations on such DB tables, called the Database Application Table (DBAT) connector.

Problem : 

The connector picks the terminate/disable value for the status column during create user and enable user operations in the DBAT connector.

Example: Suppose you provided E as the enable value, D as the disable value and STATUS as the status column for the target in the IT Resource configuration. While creating or enabling a user, the connector should pick E for the STATUS column, but it picks the disable value D instead.

Solution:

Remove the status column mapping from the provisioning lookup, if present, since the IT Resource already holds the enable value, the disable value and the status column name.

If a status mapping such as User Status | __Enable__ is present in the provisioning lookup, it creates an ambiguity for the connector: it receives the status column values from both the IT Resource and the process form, and as a result picks the Disabled value for the status column.




Sunday, May 8, 2016

Role Membership Rules using OIM apis

Roles are one of the important concepts in OIM. Roles are used to create and manage the records of a collection of users to whom you want to grant access to common functionality, such as access rights, roles, or permissions.

Role membership rules determine which users are assigned to or removed from a role as direct members. OIM provides functionality to create role membership rules through the UI using the Identity Self Service console. But one weakness of creating rules through the Self Service console is that only five operators are available for conditions in a role membership rule: =, !=, Starts with, Ends with, Contains and IN.

But what if the requirement is to use operators other than these five, such as DOES_NOT_CONTAIN, DOES_NOT_BEGIN_WITH, DOES_NOT_ENDS_WITH, NOT_IN, LESS_THAN, GREATER_THAN, GREATER_EQUAL, LESS_EQUAL etc.?

Yes, it is possible in OIM through the SearchRule API. The following code is an example of this.

import java.util.Hashtable;
import javax.security.auth.login.LoginException;

import oracle.iam.identity.rolemgmt.api.RoleManager;
import oracle.iam.platform.OIMClient;
import oracle.iam.platform.entitymgr.vo.SearchRule;

public class CreateMembershipRule {
    private OIMClient oimClient = null;
    private RoleManager roleManager = null;

    public static void main(String[] arg) throws Exception {
        CreateMembershipRule objCreateMembershipRule = new CreateMembershipRule();
        objCreateMembershipRule.oimClient = objCreateMembershipRule.connectToOim();
        objCreateMembershipRule.roleManager =
            objCreateMembershipRule.oimClient.getService(RoleManager.class);
        objCreateMembershipRule.createRoleMemRule();
    }

    public void createRoleMemRule() throws Exception {
        // Telephone Number does not contain "127" AND Telephone Number is not empty
        SearchRule userMembershipRule1 = new SearchRule("Telephone Number", "127", SearchRule.Operator.DOES_NOT_CONTAIN);
        SearchRule userMembershipRule2 = new SearchRule("Telephone Number", "", SearchRule.Operator.NOT_EQUAL);
        SearchRule combinedRule = new SearchRule(userMembershipRule1, userMembershipRule2, SearchRule.Operator.AND);
        // ... AND Last Name does not contain "BOR"
        SearchRule userMembershipRule3 = new SearchRule("Last Name", "BOR", SearchRule.Operator.DOES_NOT_CONTAIN);
        SearchRule mainRule = new SearchRule(combinedRule, userMembershipRule3, SearchRule.Operator.AND);

        // Attach the rule to the role; the role must already exist
        roleManager.createRoleMembershipRule(mainRule, "ROLE_NAME");
    }

    private OIMClient connectToOim() {
        String oimUserName = "xelsysadm";
        String oimPassword = "**********";
        String oimURL = "t3://<HostName>:14000";
        String oimInitialContextFactory = "weblogic.jndi.WLInitialContextFactory";
        String wlsAuthConfig = "authwl.conf";
        String oimAppSrvType = "wls";

        // Set up the JNDI environment and the system properties the OIM client expects
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(OIMClient.JAVA_NAMING_FACTORY_INITIAL, oimInitialContextFactory);
        env.put(OIMClient.JAVA_NAMING_PROVIDER_URL, oimURL);
        System.setProperty("java.security.auth.login.config", wlsAuthConfig);
        System.setProperty("OIM.AppServerType", oimAppSrvType);
        System.setProperty("APPSERVER_TYPE", oimAppSrvType);

        OIMClient oimclient = new OIMClient(env);
        try {
            oimclient.login(oimUserName, oimPassword.toCharArray());
            System.out.println("Successfully connected to OIM");
        } catch (LoginException e) {
            System.out.println("Exception in OIMClient.connectToOim()" + e.getMessage());
            e.printStackTrace();
        }
        return oimclient;
    }
}


The role membership rule will then look like this in the console: (screenshot)


orclIsEnabled attribute value remains blank when a new account is provisioned or an existing account is enabled on OID through OIM.

OID (Oracle Internet Directory) is an LDAP directory that uses an Oracle Database for storage. The information in the directory is available to different clients, such as single sign-on solutions, email clients, and database applications.
OID provides multiple out-of-the-box attributes such as cn, givenname, manager and orclIsEnabled. orclIsEnabled is the attribute for the status of the user in OID; it shows whether the user is enabled or disabled in OID.

OIM provides an out-of-the-box connector to perform CRUD operations on OID. When an account is provisioned on OID through OIM, the OID connector copies the required attribute values from OIM to OID, which includes the orclIsEnabled attribute, i.e. the status.

One source of confusion with the orclIsEnabled attribute is that when a new account is provisioned or an existing account is enabled on OID, one would expect the value of orclIsEnabled to be enabled, but the connector leaves it blank; when the account is disabled, the connector sets orclIsEnabled to disabled. In other words, a blank orclIsEnabled value means the OID account is in the enabled state.


When the OID account is Enabled: (screenshot)

When the OID account is Disabled: (screenshot)

Sunday, February 14, 2016

Oracle Internet Directory (OID) - Oracle Identity Manager (OIM) Password sync

OID provides a plugin feature through the APIs exposed in ospf.jar; a plugin is triggered on LDAP operations such as add, modify and delete, either before (pre) or after (post) the operation. Using this, we can capture the updated password in OID and set the same password in OIM through the OIM APIs (UserManager), so that the two stay in sync.


Steps to develop a Java plugin to sync passwords between OID and OIM.

1. Develop Java code that takes the password whenever anyone updates it in OID and sets that password in OIM for the corresponding user using the OIM APIs (UserManager). Compile the code and create a jar from it.
While compiling the code, make sure that ospf.jar, oimclient.jar and the other OIM jars (as required) are present in the CLASSPATH. You can get these jars from the OID and OIM machines.

Note : Make sure the method name is post_modify(), as we are going to trigger our plugin after userPassword has been modified in LDAP.
Example:

import javax.naming.directory.BasicAttribute;
import javax.naming.directory.ModificationItem;
import javax.security.auth.login.LoginException;

import oracle.iam.identity.usermgmt.api.UserManager;
import oracle.iam.identity.usermgmt.api.UserManagerConstants;
import oracle.iam.platform.OIMClient;
import oracle.ldap.ospf.LdapBaseEntry;
import oracle.ldap.ospf.LdapModification;
import oracle.ldap.ospf.ModifyLdapOperation;
import oracle.ldap.ospf.PluginDetail;
import oracle.ldap.ospf.PluginFlexfield;
import oracle.ldap.ospf.PluginResult;
import oracle.ldap.ospf.ServerLog;
import oracle.ldap.ospf.ServerPluginAdapter;


public class PasswordSyncPlugin extends ServerPluginAdapter {
    private static final String className = PasswordSyncPlugin.class.getName();
    // LDAP attribute names are case-insensitive, hence equalsIgnoreCase below
    private static final String USERPASSWORD = "userpassword";
    public OIMClient oimClient;

    // Must be named post_modify(): OID invokes it after an ldapmodify operation completes
    public PluginResult post_modify(PluginDetail pluginDetails) throws Exception {
        final String methodName = "#post_modify()";
        PluginResult pluginResult = new PluginResult();
        try {
            ServerLog.log(className + methodName + "Entering into the Password sync plugin");
            PluginFlexfield plgFlexfield = pluginDetails.getPluginFlexfield();
            ServerLog.log(className + methodName + "List of flex fields:" + plgFlexfield.getFlexfieldNames());

            // Name of the OID attribute identifying the user (e.g. uid), configured as a flex field
            String oidUniqueAttr = plgFlexfield.getFlexfield("OIDUniqueAttr");
            ServerLog.log(className + methodName + "OID Unique attribute " + oidUniqueAttr);

            LdapBaseEntry ldapBaseEntry = pluginDetails.getLdapBaseEntry();
            String uidToBeModify = ldapBaseEntry.getAttribute(oidUniqueAttr).toString();
            ServerLog.log(className + methodName + "Modify operation performed on user :[" + uidToBeModify + "]");

            // The attribute renders as "<name>: <value>"; keep only the value part
            String finalUidToModify = null;
            if (uidToBeModify != null && !uidToBeModify.equals("")) {
                String[] uid = uidToBeModify.split(":");
                if (uid.length >= 2) {
                    finalUidToModify = uid[1].trim();
                }
            }

            // Pull the new password out of the modification that triggered the plugin
            ModifyLdapOperation opObj = (ModifyLdapOperation) pluginDetails.getLdapOperation();
            LdapModification modObj = opObj.getLdapModification();
            String newPassword = null;
            if (modObj != null) {
                ModificationItem modItem = modObj.getModificationItemAt(0);
                BasicAttribute basicAttr = (BasicAttribute) modItem.getAttribute();
                if (basicAttr.getID().equalsIgnoreCase(USERPASSWORD)) {
                    newPassword = (String) basicAttr.get(0);
                    if (newPassword != null) {
                        // Log only that a password arrived, never the value itself
                        ServerLog.log(className + methodName + "Got newly updated password!!");
                    }
                }
            }

            // Update the password in OIM; skip if this modification was not a password change
            if (finalUidToModify != null && newPassword != null) {
                oimClient = this.connectToOim(plgFlexfield);
                if (oimClient != null) {
                    try {
                        UserManager userManager = oimClient.getService(UserManager.class);
                        ServerLog.log(className + methodName + "User Manager:" + userManager);
                        userManager.changePassword(UserManagerConstants.AttributeName.USER_LOGIN.getId(),
                                finalUidToModify, newPassword.toCharArray(), false);
                        ServerLog.log(className + methodName + "Password Updated Successfully in oim for user:[" + uidToBeModify + "]");
                    } finally {
                        oimClient.logout();
                    }
                }
            }
        } catch (Exception e) {
            ServerLog.log(className + methodName + "Exception occurred while syncing the password to OIM." + e.getMessage());
            e.printStackTrace();
        }
        return pluginResult;
    }

    private OIMClient connectToOim(PluginFlexfield plgFlexfield) {
        final String methodName = "#connectToOim()";
        // Connection details come from the plugin's flex fields configured in ODSM
        String oimAdminUser = plgFlexfield.getSecuredFlexfield("OIMAdminUser");
        String password = plgFlexfield.getSecuredFlexfield("Password");
        String oimT3URL = plgFlexfield.getSecuredFlexfield("OIMT3URL");
        String authwlConfPath = plgFlexfield.getFlexfield("Authwl_Conf_Path");
        String oimInitialContextFactory = "weblogic.jndi.WLInitialContextFactory";
        String oimAppSrvType = "wls";
        ServerLog.log(className + methodName + "OIM Admin User: " + oimAdminUser);
        ServerLog.log(className + methodName + "OIM t3 URL:" + oimT3URL);
        ServerLog.log(className + methodName + "OIM authwl Conf Path:" + authwlConfPath);

        // Set up the environment for making the OIM API invocation
        java.util.Hashtable<String, String> env = new java.util.Hashtable<String, String>();
        env.put(OIMClient.JAVA_NAMING_FACTORY_INITIAL, oimInitialContextFactory);
        env.put(OIMClient.JAVA_NAMING_PROVIDER_URL, oimT3URL);
        System.setProperty("java.security.auth.login.config", authwlConfPath);
        System.setProperty("OIM.AppServerType", oimAppSrvType);
        System.setProperty("APPSERVER_TYPE", oimAppSrvType);

        OIMClient oimclient = new OIMClient(env);
        try {
            oimclient.login(oimAdminUser, password.toCharArray());
            ServerLog.log(className + methodName + "Connected to OIM successfully!!!");
        } catch (LoginException e) {
            ServerLog.log(className + methodName + "Exception occurred while connecting to the OIM." + e.getMessage());
            e.printStackTrace();
            oimclient = null;
        }
        return oimclient;
    }
}

2. After creating the jar, make sure the jar file has only two entries: the class file of the above code and a META-INF folder containing the MANIFEST.MF file.
Add the class name entry (fully qualified, including the package name if present) to the MANIFEST.MF file as in the screenshot below.


3. Stop the OID instance and copy the above jar to the following path on the OID machine:
$ORACLE_HOME/ldap/server/plugin

4. OID does not have OIM's jars in its CLASSPATH. Copy the required jars to any path on the OID machine and reference that path in the following entry in the opmn.xml file, which is located at
<OIDInstance Location>/config/OPMN/opmn/opmn.xml


5. Go to the Oracle Directory Services Manager (ODSM) console, log in as the admin user and do the following configuration:
http://<host>:<port>/odsm

a. Click on "Create A New Connection".

b. Enter the details and click on Connect.

c. Once logged in, click on Advanced.

d. Click on New (highlighted in yellow).

e. Fill in the Mandatory and Optional properties with the following details and click on OK.

Note :
- Plug-in Package Name - should be the same as the jar name
- Plug-in Ldap Operation - should be ldapmodify, as we want to trigger it on the modify operation
- Plug-in Timing - should be post, as we want post modify



f. Set the flex attributes that are retrieved in the plugin code (optional, only needed if you want to pass parameters to the plugin). To set them, open the same plugin as above and select Optional properties.


6. Now start the OID instance by running the opmnctl script, which is located at
<OIDInstance Location>/bin

7. Modify the userPassword of a user in OID and check that the change is reflected in OIM.

***********************************************************************


If you want to see the log statements from the above code, you need to enable the logs in OID.

Enabling the OID logs:

1. Create a file with the ldif extension containing the following entries.
Example:
ServerLogOn.ldif

dn: cn=oid1,cn=osdldapd,cn=subconfigsubentry
changetype: modify
replace: orcldebugop
orcldebugop: 16

dn: cn=oid1,cn=osdldapd,cn=subconfigsubentry
changetype: modify
replace: orcldebugflag
orcldebugflag: 268435456

Note: The first line has cn=oid1 because that is the name of my OID instance; it may be different in your case.
You can also give different values for orcldebugop and orcldebugflag as per your requirement.
Please refer following links for the same:

2. Go to $ORACLE_HOME/bin and execute the following command:

ldapmodify -h <host> -p <port> -D "cn=orcladmin" -w <password> -f ServerLogOn.ldif

3. Verify whether logging is enabled using the following command:

ldapsearch -h <OIDHOST> -p <PORT> -D cn=orcladmin -w <PWD> -b "cn=oid1,cn=osdldapd,cn=subconfigsubentry" -s base objectclass=* orcldebugflag orcldebugop

Disabling the OID logs:

1. Create a file with the ldif extension containing the following entries.
Example:
ServerLogOff.ldif

dn: cn=oid1,cn=osdldapd,cn=subconfigsubentry
changetype: modify
replace: orcldebugop
orcldebugop: 0

dn: cn=oid1,cn=osdldapd,cn=subconfigsubentry
changetype: modify
replace: orcldebugflag
orcldebugflag: 0

2. Go to $ORACLE_HOME/bin and execute the following command:

ldapmodify -h <host> -p <port> -D "cn=orcladmin" -w <password> -f ServerLogOff.ldif