ldap sync vs OID connector

OID LDAP sync vs OID connector in OIM 11g:

Update for the 12c version: LDAP sync is not supported in the 12c release; you need to use the LDAP connector instead. For details, see here.
Here is the download link for the LDAP connector for 12c (scroll down to the OID connector under OIM 12c connectors).



I am writing this article to make the differences clear, so that you can decide which option is the best one to follow in your solution:

1) LDAP sync is a new feature that synchronizes users and roles between OIM and OID. Because it does not go through a connector, you will not see all the usual connector tables populated in the OIM schema, but some of them, such as the Recon Events and Recon Errors tables, are still populated and can be followed.
For example:

•select A.RE_KEY, C.USR_LOGIN, C.USR_EMAIL, C.USR_FIRST_NAME, C.USR_LAST_NAME,
       B.USR_KEY, B.UGP_KEY, B.RE_ENTITY_TYPE, B.RE_CHANGE_TYPE, B.RE_LINK_SOURCE, B.RE_NOTE, B.RE_REASON,
       to_char(B.RE_CREATE, 'DD/MM/YYYY HH24:MI:SS') RE_CREATE,
       to_char(B.RE_MODIFY, 'DD/MM/YYYY HH24:MI:SS') RE_MODIFY,
       B.RE_KEYFIELD,
       A.RECON_ACT_KEY, A.RECON_USR_EMAIL, A.RECON_ORG_NAME, A.RECON_USR_TYPE, A.RECON_USR_EMP_TYPE,
       A.RECON_USR_PASSWORD, A.RECON_ORCLGUID, A.RECON_GIVENNAME, A.RECON_SN, A.RECON_DESCRIPTION,
       A.RECON_CN, A.RECON_DN, A.RECON_CHGLOGATTR_IDXLST,
       D.RJ_NAME, D.RJ_JOB_STATUS,
       to_char(D.RJ_END_TIME, 'DD/MM/YYYY HH24:MI:SS') END_TIME,
       to_char(D.RJ_START_TIME, 'DD/MM/YYYY HH24:MI:SS') START_TIME,
       D.RJ_TOTAL_TIME
from OIM.RA_LDAPUSER A, OIM.RECON_EVENTS B, OIM.USR C, OIM.RECON_JOBS D
where A.RE_KEY = B.RE_KEY
and B.USR_KEY = C.USR_KEY
and C.USR_EMAIL = 'Thiago.leoncio@server.com'
and B.RJ_KEY = D.RJ_KEY
-- order by the DATE column, not the formatted string alias, so newest events come first
order by B.RE_MODIFY desc


2) LDAP sync is now a mandatory element of the OIM 11g to OAM 11g integration. In the integrated scenario LDAP sync provides complete password lifecycle management. Only users and roles (role details, role hierarchy and role membership) are synchronized; LDAP sync does not synchronize organizations.


3) You can keep using the OIM audit features, but only those backed by the UPA_* tables.
For example:
•select b.usr_login,a.field_name,a.field_old_value,a.field_new_value,a.create_date,a.update_date 
from OIM.usr b, OIM.upa_usr c, OIM.upa_fields a 
where 1=1
and c.usr_key=b.usr_key
and a.upa_usr_key = c.upa_usr_key
and upper(b.usr_email) like upper('%thiago.leoncio%') and upper(b.usr_login) like upper('%thiago.leoncio%')
order by a.upa_fields_key desc


4) With OID LDAP sync you do not need to worry about policies (e.g. access policies); the sync is a very straightforward process. For example, from OID to OIM, the LDAP User, Role, Hierarchy and Membership reconciliation jobs do the work that keeps this sync process simple. From OIM to OID, a set of related event handlers sends the changes to OID to update it. From the reconciliation perspective, full reconciliation works as its name suggests: it performs a full update of OIM. Incremental reconciliation works from the last change recorded in the OID changelog; for example, a simple ldapmodify against any user in OID adds an entry to the changelog there.
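The Recon Events table from item 1 and the reconciliation flow from item 4 can be checked together with a health-check query like the one below, which is an added example and not part of the original post. It assumes the OIM schema owner is OIM (as in the post's queries) and that the LDAP sync scheduled jobs are named with an 'LDAP' prefix (e.g. LDAP User Create and Update Reconciliation), and it uses the RE_STATUS column of RECON_EVENTS, which the post's query does not select.

```sql
-- Added example (not from the original post). Assumptions: schema owner OIM,
-- LDAP sync job names start with 'LDAP'; adjust the LIKE pattern if yours differ.

-- 1) Events per LDAP sync job, entity, change type and status over the last 7 days.
--    A growing count of unlinked events (no OIM user or role matched) or of
--    non-succeeded statuses is the first sign that the sync is drifting.
select d.rj_name,
       b.re_entity_type,
       b.re_change_type,
       b.re_status,
       count(*)                                                     as events,
       sum(case when b.usr_key is null and b.ugp_key is null
                then 1 else 0 end)                                  as unlinked_events,
       to_char(max(b.re_modify), 'DD/MM/YYYY HH24:MI:SS')           as last_event
  from oim.recon_events b
  join oim.recon_jobs d on d.rj_key = b.rj_key
 where d.rj_name like 'LDAP%'
   and b.re_create >= sysdate - 7
 group by d.rj_name, b.re_entity_type, b.re_change_type, b.re_status
 order by d.rj_name, events desc;

-- 2) Drill into user events that did not link to any OIM user, showing the
--    OID GUID and DN that LDAP sync staged in RA_LDAPUSER, so the entry can be
--    located in OID and the reason (RE_NOTE / RE_REASON) reviewed.
select b.re_key,
       b.re_status,
       b.re_note,
       b.re_reason,
       a.recon_orclguid,
       a.recon_dn,
       a.recon_cn,
       to_char(b.re_create, 'DD/MM/YYYY HH24:MI:SS') as re_create
  from oim.recon_events b
  join oim.ra_ldapuser a on a.re_key = b.re_key
 where b.usr_key is null
   and b.re_create >= sysdate - 7
 order by b.re_create desc;
```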

5) The OID connector adds the LDAP instance as a resource (target system) in OIM. There are a number of actions you can attach around your target systems, such as workflows, provisioning operations, approvals, requests, etc.

6) OID LDAP sync can be set up during the installation of Oracle Identity Manager or, if you prefer, later.

I hope this helps,
Thiago Leoncio.