Monday, November 22, 2010

OID LDAP commands

Add users
./ldapadd -h hostname.company.com -p 389 -D cn=orcladmin -w passwd -f /home/oracle/software/New_Oid_Users.txt

Delete Users
./ldapdelete -h hostname.company.com -p 389 -D cn=orcladmin -w passwd -c -v -f /home/oracle/software/delete_users.txt

Both commands bind as the directory superuser and take its password with -w on the command line, so it ends up in the process list and in the shell history. Prefer a prompting option where the client has one (OpenLDAP's ldap tools use -W for this; check the usage text of the tool you actually run, since Oracle's ldap/bin tools assign some of the same letters differently). Also note that -c on ldapdelete makes it continue past entries that fail rather than stop at the first error.

OIM: Installing the Design Console under Linux

Follow the URL below; it's a neat solution.

http://www.idmworks.com/blog/oim-installing-the-design-console-under-linux

It does work!!

Thursday, November 18, 2010

Make OIM portal load faster

Whenever a user logs in to the OIM admin console, OIM runs additional SQL queries to count provisioning tasks, pending approvals and so on for display on the home page.
This can make the home page slow to load.

Since this information is of little use on the home page in many organizations, the extra queries can be disabled so that only a link to the same data is shown there.
To disable the counters, execute the steps below:

1) Log in to the Design Console as 'xelsysadm'

2) Go to Administration->> System Configuration

3) Search for the keyword "XL.WebAdminHome.CounterDisplay.Type"

4) Change the value from 'DayLimit' to 'CheckLink'

From now on a user who logs in to OIM sees a link instead of the counters.

For most users the home page will load noticeably faster.

Special characters not allowed in name fields - OIM

The following fields in OIM do not accept certain special characters:
  • User Login
  • Group Name
  • Organization Name
  • Resource Name
  • Process Name
  • Request Number
  • Column Label
  • Task Name
The following are the special characters that are not supported in the preceding fields:
  • Semicolon ( ; )
  • Pound ( # )
  • Forward slash ( / )
  • Percent ( % )
  • Equals sign ( = )
  • Bar ( | )
  • Plus sign ( + )
  • Comma ( , )
  • Back slash ( \ )
  • Double quotes ( " )
  • Less than ( < )
  • Greater than ( > )

If you are using your own form to create users in OIM, reject these characters in the fields above before the request is submitted.


The allowed special characters are:

! * @ $ ( ) ^ ? { } [ ] : ' ~ ` - _

Build one allowlist regular expression from this set and reuse it for all of the fields above. Note that period and space appear in neither list, so decide explicitly whether your fields need them.

OIM user email field character restriction

If you are using OIM 9.0.1, the user's email address field only accepts the characters described in this statement from the documentation:

"The local-part and domain name portions of an e-mail address are restricted to ASCII letters, numbers, underscores, hyphens, and periods. The domain identifier portion of an e-mail address is restricted to ASCII letters and numbers"
(http://download.oracle.com/docs/cd/B32479_01/doc.903/b32455/componts.htm#CIHCCEAF)

This restriction was lifted in OIM 9.0.2. The regular expression below defines the characters allowed in the email address field in 9.0.2 (the doubled backslashes are the escaped form from the Java/configuration source; the regex engine sees \w):

([\\w!#$%&'*+-/=?^_`{|}~])+[@](\\w|[-]|[.])+[.]([a-zA-Z0-9])+

Two things to be aware of: "+-/" inside the first character class is a range from '+' to '/', so it also admits ',' '-' and '.' in the local part, and the pattern carries no ^/$ anchors, so whether text before or after the address is tolerated depends on whether the caller matches the whole string.

So if you need those special characters, make sure you are on 9.0.2 and not 9.0.1.

Upgrading from 9.0.1 to 9.0.2 is a patch update, so it should not be difficult.
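Both the name-field restriction above and the two e-mail rules can be checked before a request ever reaches OIM. The following is an added example (my code, not OIM's own validation and not from the original posts): it builds a denylist from the forbidden list, an allowlist from the allowed list and the two e-mail patterns, and shows where they disagree. Beyond what the posts state it assumes that ASCII letters and digits are allowed in the name fields; the 9.0.1 pattern is my reading of the quoted documentation sentence, and the 9.0.2 pattern is the post's regex with its doubled backslashes reduced to the single backslash the engine sees.

```python
import re

# Characters OIM rejects in User Login, Group Name, Organization Name,
# Resource Name, Process Name, Request Number, Column Label and Task Name
# (the list from the post above).
FORBIDDEN = set(';#/%=|+,<>') | {'\\', '"'}

# Allowlist built from the post's list of allowed special characters.
# Assumption (not stated in the post): ASCII letters and digits are allowed
# too. Anything else, including control characters and non-ASCII, is
# rejected, which the denylist above would never catch.
ALLOWED_NAME_RE = re.compile(r"^[A-Za-z0-9!*@$()^?{}\[\]:'~`\-_]+$")


def forbidden_chars(value: str) -> list:
    """Sorted list of the disallowed characters present in value."""
    return sorted(FORBIDDEN & set(value))


def is_allowed_name(value: str) -> bool:
    """Allowlist check for the OIM name fields listed above."""
    return ALLOWED_NAME_RE.fullmatch(value) is not None


# OIM 9.0.1 rule as I read the quoted documentation sentence: local part and
# domain limited to letters, digits, underscore, hyphen and period; the last
# label limited to letters and digits.
EMAIL_901_RE = re.compile(r"^[A-Za-z0-9_.-]+@[A-Za-z0-9_.-]+\.[A-Za-z0-9]+$")

# OIM 9.0.2 pattern from the post, with the doubled backslashes of the
# Java/config literal reduced to the single backslash the regex engine sees.
# Note '+-/' inside the first class is a range from '+' to '/', so ',' '-'
# and '.' are admitted in the local part along with '+' and '/'.
EMAIL_902_RE = re.compile(
    r"([\w!#$%&'*+-/=?^_`{|}~])+[@](\w|[-]|[.])+[.]([a-zA-Z0-9])+"
)


def email_ok_901(addr: str) -> bool:
    return EMAIL_901_RE.fullmatch(addr) is not None


def email_ok_902(addr: str) -> bool:
    # The post's pattern carries no ^/$ anchors; fullmatch makes it cover the
    # whole string, otherwise junk before or after the address would slip by.
    return EMAIL_902_RE.fullmatch(addr) is not None


if __name__ == "__main__":
    for name in ("jdoe", "j.doe", "j<doe", "jdoe\x00", "Jos\u00e9"):
        print(f"{name!r:14} forbidden={forbidden_chars(name)} "
              f"allowlisted={is_allowed_name(name)}")
    for addr in ("john.doe@example.com", "john+tag@example.com",
                 "a,b@example.com", "john@example"):
        print(f"{addr:22} 9.0.1={email_ok_901(addr)} 9.0.2={email_ok_902(addr)}")
```

The allowlist is the one to put in your own form: it rejects control characters and non-ASCII that the denylist never mentions. Because period and space are in neither of the post's lists, this allowlist rejects a login such as j.doe even though the denylist passes it; add those characters deliberately if your logins or organization names need them. The '+-/' range in the 9.0.2 pattern is why a,b@example.com passes there.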

Auto Approve Self Registered Users in OIM

By default, a self-registered user has to be approved by an administrator. To approve self-registered users in OIM automatically:


1. Open the OIM_HOME/xellerate/config/FormMetadata.xml file.

2. Copy the following lines from the <form name="SelfRegistrationApprovalForm"> section into the <form name="SelfRegistrationUserForm"> section:

<attributereference editable="true" optional="true">Organizations.Organization Name</attributereference>
<attributereference editable="true" optional="false">Users.Xellerate Type</attributereference>
<attributereference editable="true" optional="true">Users.Role</attributereference>

3. Save changes and restart the OIM Server.

4. When you self-register now, you have to enter values for Organization name, User Type and Employee Role.

5. Enter End-User as the User Type.

6. Enter Full-Time as the Employee Role (Note: the value must be Full-Time, not Full-Time Employee).

7. Submit the request; it is approved automatically.

Keep in mind that from this point every self-registration becomes an account without anyone reviewing it, so make sure the self-registration page is only reachable by the people you intend to let in.

New Blog for Identity Management

I have added a new blog dedicated to Oracle Identity Management.

So if you are looking for help with identity management, please check the link below.

http://identity-corp.blogspot.com/

Delete OID users and Groups

To delete all OID users, follow the steps below.

Run ldapsearch to extract the DNs of all users (-s one returns only the direct children of cn=users).

ldapsearch -x -h oidserver.corp.company.com -p 389 -D cn=orcladmin -w passwd -L -b "cn=users,dc=corp,dc=company,dc=com" -s one "objectclass=*" dn > current_users.txt

In the generated file, remove the leading "dn: " from each line (use find and replace) and make sure every DN sits on a single line: ldapsearch writes LDIF, which folds any line longer than 76 characters onto a continuation line beginning with a space, and a DN containing non-ASCII characters comes out base64-encoded after "dn::" rather than as text. Drop the comment lines and the search/result lines at the end as well. Review the list before going on: OID keeps entries of its own under cn=Users (the realm's orcladmin, for example), and ldapdelete -c continues past failures rather than stopping.

Run ldapdelete to delete all the users listed in the file.

ldapdelete -x -h oidserver.corp.company.com -p 389 -D cn=orcladmin -w passwd -c -v -f current_users.txt

Log in to oidadmin to confirm the deletion.

Run the same steps with cn=Groups to delete all groups.

Migrate or copy users from one OID to another

When you set up a new OID environment, you usually want to copy or migrate the users from the existing environment into it.

The steps below show how to do it. (The commands are for Linux.)

On the source OID
Set $ORACLE_HOME appropriately, for example:
$export ORACLE_HOME=/oracle/db/product/oid/

Go to the $ORACLE_HOME/ldap/bin folder
$cd $ORACLE_HOME/ldap/bin

Run the following command to export the users
$ldapsearch -x -h oidserver.corp.company.com -p 389 -D cn=orcladmin -w password -L -b "cn=users,dc=oidserver,dc=corp,dc=company,dc=com" -s one "objectclass=*" dn o cn gcpcompanycode givenname mail objectclass oimuserkey preferredlanguage sn telephonenumber userpassword > oid_filteruser.txt

Run the following command to export the groups
$ldapsearch -x -h oidserver.corp.company.com -p 389 -D cn=orcladmin -w password -L -b "cn=Groups,dc=oidserver,dc=corp,dc=company,dc=com" -s one "objectclass=*" > oid_filtergroup.txt

Copy the generated files (here oid_filteruser.txt and oid_filtergroup.txt) to the destination OID. Note that oid_filteruser.txt carries the users' password hashes, so keep it readable only by you and remove it from both hosts once the import has been verified.
$scp oid_filteruser.txt oid_filtergroup.txt otherOidServer.corp.company.com:/oracle/db/oid_files/.


On the destination OID
If this is an existing environment, delete the existing users and groups before importing the new ones; see the Delete OID users and Groups post above for how to do that.

Stop OID

Set $ORACLE_HOME as follows
$export ORACLE_HOME=/oracle/db/product/oid/

Go to the $ORACLE_HOME/ldap/bin folder
$cd $ORACLE_HOME/ldap/bin

Then run the following commands one after the other. (DEVOID is the name of the OID database schema.)
./bulkload connect="DEVOID" generate=true load=true file="/oracle/db/oid_files/oid_filteruser.txt"

Enter the password when prompted. The import then completes in a few seconds.

./bulkload connect="DEVOID" generate=true load=true file="/oracle/db/oid_files/oid_filtergroup.txt"

Enter the password when prompted. The import then completes in a few seconds.

Start OID

Go to oidadmin console and verify.
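The manual find/replace in the Delete OID users and Groups post, and checking an export before bulkload in the migration steps above, both come down to reading LDIF correctly. The example below is added here and is not from the original posts or from Oracle: a small LDIF reader that unfolds continuation lines, decodes base64 ("dn::") values and skips the comment and result lines ldapsearch writes, with one function that emits one DN per line for ldapdelete -f and one that lists entries missing an attribute such as userpassword. The sample LDIF is constructed; the code assumes the input is LDIF as ldapsearch -L prints it, with the DN layout from the posts, and that attribute values are text.

```python
import base64


def ldif_entries(text: str) -> list:
    """Parse LDIF text into a list of (dn, {attr: [values]}) tuples.

    Handles what a hand edit of 'dn:' lines gets wrong: values folded at
    76 characters (continuation lines start with one space), base64 values
    written as 'attr:: ...' (used for non-ASCII DNs), and the comment and
    result lines that ldapsearch prints around the entries. Assumes text
    values; a binary attribute would need the decode() dropped.
    """
    # Unfold: a line beginning with a space continues the previous line.
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries, current = [], None
    for line in lines:
        if line.startswith("#"):
            continue
        if not line.strip():                # blank line closes an entry
            if current is not None:
                entries.append(current)
                current = None
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"not an LDIF line: {line!r}")
        if rest.startswith(":"):            # 'attr:: <base64>'
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.lstrip(" ")
        name = name.lower()
        if name == "dn":
            current = (value, {})
        elif current is None:
            # 'version: 1', 'search: 2', 'result: 0 Success' sit outside any
            # entry; they are ldapsearch bookkeeping, not attributes.
            continue
        else:
            current[1].setdefault(name, []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def dn_list(text: str) -> list:
    """DNs in file order; written one per line, this is what ldapdelete -f reads."""
    return [dn for dn, _ in ldif_entries(text)]


def entries_missing(text: str, attr: str) -> list:
    """DNs of entries without attr, e.g. 'userpassword' on an export that is
    about to be bulkloaded: such users would arrive with no password at all."""
    return [dn for dn, attrs in ldif_entries(text) if attr.lower() not in attrs]


# Constructed sample of 'ldapsearch -L ... -s one "objectclass=*" dn' output:
# a plain DN, a DN folded across two lines, and a base64 DN for a non-ASCII
# cn, wrapped in the comment and result lines the tool adds.
LONG_DN = ("cn=a.very.long.login.name.that.pushes.the.line.past.the.fold.width,"
           "cn=Users,dc=corp,dc=company,dc=com")
UTF8_DN = "cn=Jos\u00e9,cn=Users,dc=corp,dc=company,dc=com"
SAMPLE_DN_EXPORT = "\n".join([
    "# extended LDIF",
    "version: 1",
    "",
    "dn: cn=jdoe,cn=Users,dc=corp,dc=company,dc=com",
    "",
    "dn: " + LONG_DN[:70],
    " " + LONG_DN[70:],
    "",
    "dn:: " + base64.b64encode(UTF8_DN.encode("utf-8")).decode("ascii"),
    "",
    "search: 2",
    "result: 0 Success",
    "",
])

# Constructed sample of a user export like oid_filteruser.txt; the second
# entry has no userpassword. The hash value is a placeholder, not a real one.
SAMPLE_USER_EXPORT = "\n".join([
    "dn: cn=jdoe,cn=Users,dc=corp,dc=company,dc=com",
    "cn: jdoe",
    "sn: Doe",
    "objectclass: top",
    "objectclass: person",
    "userpassword:: " + base64.b64encode(b"{SHA}not-a-real-hash").decode("ascii"),
    "",
    "dn: cn=asmith,cn=Users,dc=corp,dc=company,dc=com",
    "cn: asmith",
    "sn: Smith",
    "objectclass: top",
    "objectclass: person",
    "",
])

if __name__ == "__main__":
    # Redirect this to current_users.txt for: ldapdelete -c -f current_users.txt
    print("\n".join(dn_list(SAMPLE_DN_EXPORT)))
    print("missing userpassword:", entries_missing(SAMPLE_USER_EXPORT, "userpassword"))
```

Run it against the real ldapsearch output instead of the sample and redirect the DN list to the file you hand to ldapdelete; read that list once before running the delete, for the same reason given in the delete post.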

Unlock users in OID

Users regularly need to be unlocked in OID. This can be done from the console with ldapmodify.

It is worth putting the command in a script so it can be reused.

Below are the steps.
  1. Create a file, say unlockusers.sh.
  2. Paste the content below into the file (without the indentation shown here). The username is taken as the script's first argument, so the file does not have to be edited for every user.
    #!/bin/sh
    # usage: ./unlockusers.sh <username>
    [ -n "$1" ] || { echo "usage: $0 username" >&2; exit 1; }
    ldapmodify -p 389 -h servername.corp.company.com -D cn=orcladmin -w password -x -v <<EOF
    dn: cn=$1,cn=Users,dc=corp,dc=company,dc=com
    changetype: modify
    add: orclpwdaccountunlock
    orclpwdaccountunlock: 1
    EOF
  3. Save and close the file. The bind password sits in the file and on the ldapmodify command line (visible in ps and the shell history), so treat the file as a secret.
  4. Make it executable and readable by its owner only:
    chmod 700 unlockusers.sh
  5. Run it with the login name of the user to unlock:
    ./unlockusers.sh jdoe

From then on, all you need to do is run the script with the next username; nothing in the file needs to change.