After completing the Active Directory Connector installation on Oracle Identity Manager (OIM), running the “Active Directory Group Lookup Recon” or the “Active Directory Org Lookup Recon” scheduled job may fail. Depending on the configuration, one of the following scenarios could be encountered:
1. Active Directory Connector Server not installed
Error message: (org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnectors) not found
When you’re first installing the OIM AD connector, this is often the first error you’ll see after installation. Administrators might have missed the step of installing the connector server on the AD host machine, or missed unpacking the AD Connector locale bundle under the connector server home directory. If either step is skipped and the scheduled job for Group Lookup Recon or Org Lookup Recon is executed, the error listed above appears.
2. AD Connector Configuration using the wrong Connector Server Name
Error message: oracle.iam.connectors.icfcommon.exceptions.OIMException: oracle.iam.connectors.icfcommon.exceptions.OIMException: Invalid IT Resource Name [Connector]
The AD Connector Server IT Resource is configured in OIM under IT Resources, and the exact name given there must be entered in the Connector Server Name parameter of the AD IT Resource. If the two names do not match, the error listed above appears when the Lookup scheduled jobs run.
3. AD Connector configuration set with Incorrect Connector Server password
Error message: Remote Framework key is invalid
After the connector server is installed on the AD host machine, it needs to be set up with a key that the connector uses to communicate with it. If the key entered on the Connector configuration page does not match the one configured on the connector server, the scheduled job execution shows this error.
How to solve this issue:
- Verify that the password (key) set in the connector configuration matches the one set on the connector server.
- After setting the password on the connector server, restart it.
4. AD Connector configuration set with AD user in wrong format
Error message: Unable to get Directory Entry
The connector configuration on OIM needs the AD administrative user credential in order to look up the designated roles and organizations when the respective scheduled jobs are executed. The AD user must be given in the format <domain>/<Administrator user>, for example: oim/Administrator
A common mistake is to provide the user in the same form used for the administrator user of the WLS security realm, namely a DN such as: cn=Administrator,dc=domain,dc=com
When the AD user name is provided in this incorrect format, the error message listed above is seen while executing the Active Directory scheduled jobs.
These are some of the most common issues encountered while setting up the AD connector in Oracle Identity Manager. The solutions provided in this blog will help fix these issues and set up a working OIM environment with AD as the target.
If you’d like more help with your OIM environment, or if you’d like help upgrading your Oracle Identity Management environment from 11g to 12c before the December Premier Support deadline, we’re here to help. Contact us at Inspired ECM to let our experienced consultants get your environments running efficiently and successfully today.