Sunday 2 October 2016

OID - EBS Registration issue as part of User Provisioning

Background: While registering Oracle E-Business Suite (EBS) with Oracle Internet Directory (OID), we ran the command below to register the EBS instance with the OID component.

$FND_TOP/bin/txkrun.pl -script=SetSSOReg -registeroid=yes

The command completed successfully, the logs reported that the registration had succeeded, and on the OID side (DIP component) the provisioning profile had been created with synchronization enabled.

However, the DIP profile (OID - EBS) showed a status of "Not Available" instead of "Scheduled".

To correct this, we followed the approach below.

1. De-registered the EBS instance.

     $FND_TOP/bin/txkrun.pl -script=SetSSOReg -deregisteroid=yes

2. Removed the references at EBS end.

     $FND_TOP/bin/txkrun.pl -script=SetSSOReg -removereferences=yes

3. Register EBS with OID again, passing the additional parameters appname and svcname.

     $FND_TOP/bin/txkrun.pl -script=SetSSOReg -registeroid=yes -appname=EBSNEW -svcname=EBSTESTNEW

     Note: In this step we used names for appname and svcname that differ from the EBS instance's application name; these two arguments only identify the registration at the DIP level.

After these steps, the DIP profile (OID - EBS) showed the status "Scheduled" and user provisioning worked as expected: records created in OID appeared on the EBS side in the FND_USER table.

 

Thursday 31 March 2016

OID - Attribute "uid" contains the domain suffix when user data is populated from Microsoft AD


When a DIP profile is configured to import user records from Microsoft AD, the uid attribute is mapped from the AD attribute userPrincipalName, so the domain suffix is carried into OID.

Example: for a given user the userPrincipalName field in AD is testuser@companydomain.com, and uid in OID ends up as testuser@companydomain.com as well.

We can verify the profile from the command line or from the GUI.

Command line:
./ldapsearch -h oidHost.com -p 3060 -D "cn=orcladmin" -w welcome1  -b "cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory"  -s sub "objectclass=*" 

GUI level:
Connect to Enterprise Manager (EM), go to the DIP profiles section and check the mapping under Domain Attributes.

The entry for uid looks like this; the last colon-separated field is the mapping rule, which here copies userPrincipalName unchanged.
 userprincipalname:: :user:uid: :inetorgperson:userPrincipalName 

Change it as shown below. The trunc rule cuts userPrincipalName at the "@", so the domain suffix is dropped before the value is written to uid.

userprincipalname:: :user:uid: :inetorgperson:userPrincipalName:trunc(userPrincipalName,'@') 

Then test the change by creating a new user in Microsoft AD and checking the uid attribute of the synchronized entry in OID.

This is one way of making the change, i.e. keeping uid mapped from userPrincipalName. Alternatively, map uid to sAMAccountName; in that case no truncation is needed and the value can be used directly. Note that truncating userPrincipalName only yields unique uids if every synchronized user has a distinct local part: if users from more than one UPN suffix or domain are imported, two different userPrincipalName values can collapse onto the same uid after truncation, so check for such duplicates before enabling the profile.
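The following is an added example, not code from the original post or from Oracle DIP: it models the three uid mapping choices discussed above (copy userPrincipalName, trunc(userPrincipalName,'@'), map sAMAccountName) over a handful of constructed AD records and flags the uid collisions that truncation can produce. The AD records, the sAMAccountName rule line and the toy rule evaluator are assumptions for illustration; the evaluator only understands the two rule shapes the post shows.

```python
"""Added example, not part of the original post: simulate the uid mapping choices
(copy userPrincipalName, trunc(userPrincipalName,'@'), or sAMAccountName) over
constructed AD records and flag uid collisions.

Assumptions: the AD records are made up; the evaluator understands only the two
rule shapes the post shows (a bare attribute name and trunc(attr,'c')), so it is
a model of the mapping, not Oracle DIP's own rule engine.
"""
import re
from collections import defaultdict

# Constructed sample AD entries (not real data). The third entry shares its
# local part with the second but lives under another UPN suffix; the fourth has
# no UPN at all, which is common for service accounts.
AD_USERS = [
    {"sAMAccountName": "testuser", "userPrincipalName": "testuser@companydomain.com"},
    {"sAMAccountName": "jdoe",     "userPrincipalName": "jdoe@companydomain.com"},
    {"sAMAccountName": "jdoe2",    "userPrincipalName": "jdoe@sub.companydomain.com"},
    {"sAMAccountName": "svc_sync", "userPrincipalName": ""},
]

# Rule lines in the format the post shows; the mapping expression is the last
# colon-separated field. RULE_SAM is an assumed analogue for sAMAccountName.
RULE_COPY  = "userprincipalname:: :user:uid: :inetorgperson:userPrincipalName"
RULE_TRUNC = "userprincipalname:: :user:uid: :inetorgperson:userPrincipalName:trunc(userPrincipalName,'@')"
RULE_SAM   = "samaccountname:: :user:uid: :inetorgperson:sAMAccountName"

_TRUNC_RE = re.compile(r"^trunc\((\w+),'(.)'\)$")


def mapping_expr(rule):
    """Return the mapping expression, i.e. the text after the last ':'."""
    return rule.rsplit(":", 1)[1].strip()


def evaluate(expr, entry):
    """Evaluate one mapping expression against one AD entry.

    A bare name copies that attribute; trunc(attr,'c') keeps the part of attr
    before the first 'c'. Empty or missing source values map to None.
    """
    m = _TRUNC_RE.match(expr)
    if m:
        attr, sep = m.groups()
        value = entry.get(attr)
        return value.split(sep, 1)[0] if value else None
    return entry.get(expr) or None


def map_uids(rule, entries):
    """Compute the uid each entry would receive under the given rule."""
    expr = mapping_expr(rule)
    return [evaluate(expr, e) for e in entries]


def find_collisions(uids):
    """Map each duplicated uid to the indexes of the entries that produce it."""
    seen = defaultdict(list)
    for i, uid in enumerate(uids):
        if uid is not None:
            seen[uid].append(i)
    return {uid: idx for uid, idx in seen.items() if len(idx) > 1}


if __name__ == "__main__":
    for name, rule in (("copy", RULE_COPY), ("trunc", RULE_TRUNC), ("sAMAccountName", RULE_SAM)):
        uids = map_uids(rule, AD_USERS)
        print(f"{name:15} {uids}  collisions={find_collisions(uids)}")
```

Running it shows the copy rule carrying the domain into uid, the trunc rule producing "jdoe" twice for the two UPN suffixes, and the sAMAccountName rule giving a distinct uid for every entry, including the service account that has no UPN.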

OID - LDAP Search queries

Below are LDAP queries for common OID tasks.

Before running any of the ldap commands, export the variables below, adjusted to your installation paths. The examples use the default orcladmin account with a literal password (-w welcome1) only for brevity; substitute your own credentials, and avoid putting the bind password on the command line, where it ends up in shell history and process listings.

export ORACLE_HOME=/u01/app/oracle/fmw/Oracle_IDM1
export ORACLE_INSTANCE=/u01/app/oracle/fmw/oid_inst1
export PATH=$ORACLE_HOME/bin:$ORACLE_HOME/ldap/bin:$ORACLE_INSTANCE/bin:$PATH


1. To list the attributes of a specific user.

./ldapsearch -h oidHost.com -p 3060 -D "cn=orcladmin" -w welcome1 -s sub -b "cn=testuser,cn=users,dc=oracle,dc=com" "objectclass=*"

2. To list all users.

./ldapsearch -h oidHost.com -p 3060 -D "cn=orcladmin" -w welcome1 -s one -b "cn=users,dc=oracle,dc=com" "(&(objectclass=orcluserv2)(cn=*))"

ldapsearch takes exactly one filter; anything after it is treated as the list of attributes to return, so the two conditions are combined with "&" into a single filter rather than passed as separate arguments. With "-s one" this returns only the entries directly under the given container. To include entries in sub-containers as well, use "-s sub" instead of "-s one":

./ldapsearch -h oidHost.com -p 3060 -D "cn=orcladmin" -w welcome1 -s sub -b "cn=users,dc=oracle,dc=com" "(&(objectclass=orcluserv2)(cn=*))"

3. To delete a set of users, put one DN per line in a text file and pass it to ldapdelete.

In this case the file "users-oid.txt" contains the sample records below, and ldapdelete is then run with -f.

<<
cn=weblogic1,cn=Users,dc=oracle,dc=com
cn=idmtest,cn=Users,dc=oracle,dc=com
>>

./ldapdelete -h oidHost.com -p 3060 -D "cn=orcladmin" -w welcome1 -c -v -f users-oid.txt

Here -c continues past entries that fail to delete and -v prints each DN as it is processed. This is a bulk, irreversible operation, so review the DN list first (for example, confirm each DN resolves with an ldapsearch using -s base) before running it.
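The following is an added example, not code from the original post or an Oracle tool: it parses the LDIF that ldapsearch prints (the output of query 2 above) into entries and builds the one-DN-per-line file that ldapdelete -f reads, keeping only the entries with the object class we intend to remove and skipping a protected list. The sample LDIF and the protected DN set are constructed for illustration; the parser handles the two LDIF features that break naive line splitting, base64 values marked with "::" and long values folded onto continuation lines.

```python
"""Added example, not part of the original post: turn ldapsearch LDIF output into
the one-DN-per-line file that `ldapdelete -f` expects, keeping only the entries
matching the object class we intend to delete and skipping protected DNs.

Assumptions: SAMPLE_LDIF is constructed, not captured from a real OID; the
protected DN set is an illustration. The parser handles base64 values ('::')
and folded continuation lines (leading single space) as RFC 2849 describes.
"""
import base64

# Constructed sample ldapsearch output (not real directory data). The first
# description is non-ASCII, so ldapsearch would base64-encode it; the second
# is folded across two lines.
SAMPLE_LDIF = """\
dn: cn=weblogic1,cn=Users,dc=oracle,dc=com
cn: weblogic1
objectclass: top
objectclass: person
objectclass: orcluserv2
description:: R3LDvMOfZQ==

dn: cn=idmtest,cn=Users,dc=oracle,dc=com
cn: idmtest
objectclass: top
objectclass: orcluserv2
description: a value that ldapsearch wrapped ont
 o a second line

dn: cn=orcladmin,cn=Users,dc=oracle,dc=com
cn: orcladmin
objectclass: top
objectclass: orcluserv2
description: directory superuser
"""

# Illustrative guard list: DNs that must never end up in a bulk delete file.
PROTECTED_DNS = {"cn=orcladmin,cn=users,dc=oracle,dc=com"}


def unfold(text):
    """Join LDIF continuation lines (leading single space) onto the line before."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of (dn, {attribute_lowercase: [values]}) entries."""
    entries, current = [], None
    for line in unfold(text):
        if not line.strip():          # blank line ends an entry
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):      # comment line
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):      # 'attr:: <base64>'
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if name.lower() == "dn":
            current = (value, {})
        elif current is not None:
            current[1].setdefault(name.lower(), []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def select_for_delete(entries, objectclass="orcluserv2", protected=PROTECTED_DNS):
    """DNs of entries carrying the object class, minus the protected ones."""
    wanted = objectclass.lower()
    return [
        dn for dn, attrs in entries
        if dn.lower() not in protected
        and wanted in (v.lower() for v in attrs.get("objectclass", []))
    ]


def render_delete_file(dns):
    """Body of the file passed to ldapdelete -f: one DN per line."""
    return "".join(dn + "\n" for dn in dns)


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    dns = select_for_delete(entries)
    with open("users-oid.txt", "w", encoding="utf-8") as fh:
        fh.write(render_delete_file(dns))
    print(f"{len(dns)} of {len(entries)} entries written to users-oid.txt")
```

In practice you would feed the real ldapsearch output to parse_ldif instead of SAMPLE_LDIF, inspect the rendered list, and only then hand the file to ldapdelete; the protected set is the place to pin down accounts such as the directory superuser that a filter on object class alone would not exclude.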