OIM AD password sync connector

OIM AD password sync connector is used to synchronize passwords between Active Directory (AD) and Oracle Identity Manager (OIM)/now Oracle Identity Governance (OIG). If you have multiple Domain controllers then install the password sync connector on each Domain controller. Here is the latest document on AD Password synchronization
Good news, there is No Dependency on the Microsoft Active Directory User Management
Connector.  In earlier releases, you had to install the Microsoft Active Directory User Management
connector before you could start using the password synchronization connector. From
this release onward (in the above URL, again here), the password synchronization connector does not use any component of the user management connector. At the same time, password propagation from Microsoft Active Directory to Oracle Identity Manager can be configured to complement the features offered by the user management connector.

What does OIM AD Password Sync Connector do?
The Oracle Identity Manager Connector for Microsoft Active Directory Password Synchronization captures passwords changed on the target system and propagates them to Oracle Identity Manager. In other words the direction of password sync is from AD >> OIM (from AD to OIM).

Download link for connector LINK



Microsoft Active Directory (AD) to Oracle Identity Manager (OIM) Password Synchronization: Things you must know : Part I

This post covers things you must know regarding Microsoft Active Directory Password Synchronization
  • For Connector basics : ResourcesReconciliation, and Provisioning click here
  • For more information on type of connectors Java vs .NET (dot net) click here
  • For OIM connectors for Microsoft (Active DirectoryExchange, andWindows) click here
  • For OIM-OID connector architecture click here
  • For OIM-Oracle eBusiness Suite connector click here
  • For latest version of MS-AD password Sync and patch click here
Things you must know for Microsoft Active Directory Password Synchronization connector
  1. For Microsoft Active Directory Password Synchronization connector , Microsoft Active Directory User Management (UM) connector is pre-requisite. (You must first install Microsoft Active Directory User Management connector)
  2. Microsoft Active Directory User Management connector’s latest version (as of Sep 2012) is 11.1.1.5 where as Microsoft Active Directory Password Synchronization connector’s latest version (as of Sep 2012) is 9.1.1.5
  3. You can configure OIM 11g with Microsoft Active Directory User Management (MS-UM) 11.1.1.5 and  Microsoft Active Directory Password Synchronization 9.1.1.5
  4. Microsoft Active Directory Password Synchronization connector must be installed on Windows Active Directory Domain Controller machine
  5. If AD domain controller is running on multiple machines (for high availability/resilience) then you must install password synchronization connector on each domain controller machine
  6. MS-AD Password Synchronization Connector configuration is stored in registry HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Control\ Lsa\ oimpwdsync
  7. For Active Directory related configuration : HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Control\ Lsa\ oimpwdsync\ ADConfig
  8. ADPersistentStore is OU in Active Directory that will store data for users whose password can’t be synced from AD to OIM for various reasons (OIM not available, user not available in OIM etc).
  9. Change value of Log from N to Y , if you wish to enable logging in password synchronization (by default logging is disabled)
  10. LogPath represents directory in which logs are enabled (to enable logging set value of field Log to Y )
  11. For OIM related configuration: HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Control\ Lsa\ oimpwdsync\ OIMConfig
  12. OIMhost is hostname where OIM managed server is running (For High Availability use load balancer name here)
  13. OIMPort is port on OIM managed server  is running (For High Availability use port number on which load balancer is configured)
  14. To disable Password Synchronization connector, set value of Disabled to 1 (0 means password synchronization is enabled)
  15. To enable logging for OIM related events set value of parameter OIMLog to Y , You will see file [TIME_STAMP]OIMMain.log
  16. AD will communicate to OIM server via SPML Web Service (WS) SOAP request over HTTP(S) like http(s)://OIMHost:OIMPort/spmlws/OIMProvisioning for OIM on WebLogic Server(Make sure to deploy SPML-DSML application on OIM Managed Server and application is in ACTIVE state)
  17. In [TIME_STAMP]OIMMain.logyou should see calls likeDebug [2/20/2002 12:54:42 AM] The SOAP start element is 
    Debug [2/20/2002 12:54:42 AM]
    Debug [2/20/2002 12:54:42 AM] The SOAP end element is 
    Debug [2/20/2002 12:54:42 AM]

Debug [2/20/2002 12:54:42 AM] The path is 
Debug [2/20/2002 12:54:42 AM] /spmlws/OIMProvisioning
Debug [2/20/2002 4:54:53 PM]


  • For connector installer related configuration HKEY_LOCAL_MACHINE\SYSTEM\ CurrentControlSet\ Control\ Lsa\ oimpwdsync\ Install


  • More on Microsoft Active Directory (AD) to Oracle Identity Manager (OIM) Password Synchronization: Things you must know in Part II

    • For latest version of MS-AD password Sync and patch click here
    Share any tips/key point related to OIM’s Microsoft Active Directory Password  Synchronization by leaving comment

    About the Author Atul Kumar

    Oracle ACE, Author, Speaker and Founder of K21 Technologies & K21 Academy : Oracle Gold Partner specialising in Design, Implement, and Trainings.
    follow me on:



    Leave a Comment:


    33 comments
    Mann saysJuly 10, 2013
    Can we achieve the same thing wihtout synch
    password synch connector?
    Like using OIM with OAM/ESSO/OID?
    Thanks,
    Mann
    Reply
      Atul Kumar saysJuly 10, 2013
      Password change from AD to OIM can be achieved only via password sync connector.
      Other option for password sync could be AD -> OID -> OIM (where password sync from AD to OID using AD-OID integration and then from OID to OIM using LDAPSync) – This will be less preferred route .
      Password Sync is better way as this is immediate , why don’t you want to use password sync ?
      Reply
    Mann saysJuly 11, 2013
    Atul Thanks for your reply.
    It really helps as always 
    Actually our Active Directory team is not happy with internal architecture of ‘password synch connector’. During password change it put internal lock which is not considered good here.
    One last suggestion.
    I was thinking in below direction but do not have experience on any other product other than OIM.
    Like I integrate anyone componenet of eSSO with AD so that esSSO password and AD password get in synch. Then integrating OIM with eSSO.
    Process might be password from AD >> eSSO>>OIM.
    Kindly ignore my ignorance and suggest.
    Thanks Again!
    Reply
    Don saysJuly 17, 2013
    Atul,
    How about the other way around? OIM to AD sync. Our set up is as follows.
    Our college maintains an Oracle ID for every past, current of course future students, faculty, staff, etc.
    Our department is currently managing authentication to our department lab systems in AD. This involves importing users each session into AD and setting a temp passwords with a require password change first log in.
    This works great except the user accounts are based on the college’s eID. Meaning the samaccountname is the same as the name in the college’s ID management system.
    This actually causes a lot of confusion since everyone typically chooses two different passwords for the same user name.
    So I was wondering if it is possible to set up a one way password sync from the Oracle IDM to AD.
    Seeing as our department only has a small subset of the overall users this makes even more sense to me.
    This is how I am hoping it would work. I get registration data for our department. I import new users based on their eID, set a default password for each new user, set user account control not to require password change, never expire. Then behind the scenes the through the connector server on the DC each users password is updated with the password stored in OIM.
    That way users can authenticate to our lab systems using the same password they use for everything else throughout the college.
    I have seen many examples of syncing like you initially show but none so far the way I am hoping to get things to work.
    Is this possible?
    Thanks,
    Don
    Reply
      Atul Kumar saysJuly 17, 2013
      @ Don,
      From your comment it is not clear which product with in IDM stack do you use to sync data from Oracle to AD. There are two things I can think of OID & OIM and both support password sync from OID/OIM to AD .
      Tell me which Oracle Product you use for authentication (where username/password is store) so I can tell you how to sync password from that source to AD or vice versa.
      Reply
    Don saysJuly 17, 2013
    Atul,
    Sorry for the delayed response. I was waiting to hear back what product we are running from our service center. I though we had moved up to Oracle but we still are currently on Sun Identity manager 5.2 patch 4.
    Don
    Reply
    praveen saysAugust 26, 2013
    Can any one help me in installing AD PASSWORD Sync for 11gR2.
    Reply
    praveen saysSeptember 17, 2013
    Thanks Atul its working fine…
    Reply
    chinna saysSeptember 19, 2013
    What about part 2???
    Reply
    pranav saysOctober 10, 2013
    I’m looking for part 2 as well. Do you have a link for it? I can’t find it when i do a web search.
    Thanks.
    Reply
    anonymous saysOctober 10, 2013
    What type of privileges/role should the OIM service account have to allow password change? Can it be part of the Administrators?
    Reply
      Atul Kumar saysOctober 10, 2013
      To add/delete account in AD. Yes it can be part of Administrators (but neeed to be – Just create/delete/modify)
      Reply
        V saysOctober 21, 2016
        I assume this is OIM administrators group but what would be the minimum Active Directory rights required for this account to synchronize the passwords between AD to OIM and vice versa?
        Reply
    » Help Me : Microsoft Active Directory Password Sync version and latest patch for Oracle Identity Manager 9.1.1.5.7 Online Apps DBA: One Stop Shop for Apps DBA’ssaysOctober 31, 2013
    […] Microsoft Windows, Microsoft Exchange, and Password Synchronization), I also posted about  Password Synchronization for Active Directory that must be installed on all Microsoft Active Directory Domain Controllers, and is used to sync […]
    Reply
    Ravi saysNovember 5, 2013
    Atul,
    Can you please suggest how to configure Password Sync connector on a clustered environment, we have more then 2 OIM servers configured. Can we configure OHS server for Password Sycn.
    Kindly suggest or provide any link to understand the configuration before implementing it.
    Reply
      Atul Kumar saysNovember 5, 2013
      @ Ravi,
      If you have more than one OIM managed server then either configure OHS server (mod_wl_ohs) or load balancer in front of OIM managed servers and ensure that you can access
      http(s)://OHS_or_LBR:ohs_or_lbr_listen_port/spmlws/OIMProvisioning
      During password sync connector install on domain controllers (you must install PWD sync on all DCs) when prompted for OIM Host and Port, use OHS or LBR listen host and list port number
      Rest all is same as single node OIM password sync
      Reply
    anonymous saysJanuary 6, 2014
    Could you please provide instructions to use SSL for password sync where OIM is in a clustered environment front ended by a LB?
    Reply
    mathmut saysMarch 27, 2014
    Hi Atul,
    We have an environment with OIM-AD pass sync installed on it and working fine. Users are allowed to change their passwords from both OIM and AD. But we sometimes get an error in OIM logs like “Error occurred while setting user password.” and when we check AD pass sync logs we saw that error is about password history. I have an opinion but not sure. When we change password from OIM we send it to AD by change user password task and when AD password is changed OIM-AD pass sync catches the process and sends new password back to OIM and this time OIM rejects the newly changed password with error “IAM-3030006:The following password policy rules were not met:Password must not be one of 4 previous passwords.”. Is there any solution to ignore this error which is actually not an error ?
    Reply
      Atul Kumar saysMarch 27, 2014
      @ mathmut,
      Change password policy in OIM that it allows previous passwords .
      —–
      Regards
      Atul Kumar
      Contact Us for Consulting Services
      Reply
    mathmut saysMarch 27, 2014
    Atul,
    Thanks but users are allowed to change passwords from both OIM and AD. If we allow previous passwords from OIM then we cannot control password history if user changes password from OIM self service.
    Reply
    Nirav saysApril 1, 2014
    Hi atul,
    I am using OIM 9i and am using custom built connector for AD and not the OOTB from oracle.But can i use the AD password sync connector provided by oracle along with my custom AD connector?
    As i saw a note by you that MIcrosoft AD connector is a pre-requisite for AD passwrd sync connctor.
    Reply
      Atul Kumar saysApril 1, 2014
      Nirav, I don’t see any problem with that as long as users are synced between AD and OiM. I am sending you message directly on your mail or contact me via contact us.
      Are you hitting any issue with password sync ?
      Reply
    Nirav saysApril 1, 2014
    hi Atul,
    I have mailed u ..
    Yes user password is not getting synced.
    “Unable to sync OIM user password.Run configparameter.exe is the status when i view in the event logs.
    Regards,
    Nirav
    Reply
    mathmut saysJune 20, 2014
    Hi Atul,
    oim ad password sync logs are enabled for our system. But it causes a problem about disk space. Is there a log appender config for this or do we have to disable logging?
    Regards,
    Mahmut
    Reply
    Jatin saysSeptember 17, 2014
    Hi Atul,
    As far as I have understood the requirement of AD Password Sync Connector, it is to sync the password changes from AD to OIM.
    But in my environment when i change the password of a user account in AD, it immediately changes the password of the OIM user.
    There is no Password Sync installed on the AD as far as i know. Even in the registry the folders that you showed in the screenshots are not present.
    Have i not understood the purpose of the connector or is there something else i need to check in AD to make sure that the password sync connector is not installed?
    Reply
    Salman Hamid saysNovember 25, 2014
    Hi Atul,
    How can we sync passwords from AD to OIM for all existing users in AD. So they can access the self service portal using their AD credentials.
    Best regards,
    Salman
    Reply
    Ashwin saysAugust 28, 2015
    Hi Atul,
    We imported the AD certificate recently in OIM and connected to AD via 636 port and we are not able to sync the users(data) from AD to OIM now both through 636 and 389 port but we are able to reset the password through 636. Can you tell me y the data is not syncing.
    Recently AD has been migrated to 2008. OIm version is 9.1.0
    Reply
      Atul Kumar saysSeptember 1, 2015
      In what Mode AD is configured ? Trust Source or something else
      For trusted source check scheduled job to pull users in running and there are no errors . Check OIM server log file to see sync is not happening . Create a user in OIM, assign AD account to this resource and check OIM logs .
      Reply
    newToOim saysOctober 2, 2015
    Hi,
    I am facing the same problem as Mathmut where a password change in AD gets pushed back into OIM and creates a cycle. Password can be changed through both OIM and AD.
    Anyone has any pointers on how to solve that problem?
    Thanks
    Reply
    Brian saysApril 21, 2016
    Hi Everyone,
    Can someone please provide suggestions on how to sync oracle E-Business Suite password with active directory? Thanks

    Comments

    1. do yuo know, if is it possible to configure AD password sync module to propagate the change password to 2 OIM enviroments (like one 11g and 12c in a migration scenario)
      thanks,

      ReplyDelete
    2. The OIM related configuration is set in this Registry Key: HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Control\ Lsa\ oimpwdsync\ OIMConfig
      You may set the OIMhost which is hostname where OIM managed server is running - use a Load Balancer here, which directs traffic to both, your 11g and 12c OIM Hosts. Make sure you are using the same OIMPort for both OIM managed servers (11g and 12c). Of course you have to make sure all settings/configurations for both OIM Managed servers (11g, 12c) are same/identical. And OIMPort is port on OIM managed server is running- has to be same for both OIM/11g/12c managed servers.
      I would open a SR with Oracle also to make sure this setting is ok. The only catch here is to make sure both your 11g and 12c configuration for Managed servers are identical. FYI, the OIM AD password sync connector is available for 11g version only so you are using that version.

      ReplyDelete
    3. Thanks again for the article post.Really thank you! Fantastic.
      web methods training

      ReplyDelete

    Post a Comment

    Popular posts from this blog

    VMware fix for Invalid manifest and ova file import failed errors

    Session Timeout in Oracle Access Manager

    SOAPUI - import certificate