Tuesday, April 1, 2014

OID Connector

I installed the OID Connector and configured an OID resource for it.  I tried to run the OU Lookup Reconciliation job but it always ended with an error "Failed: Error message can not be retrieved."  It was not immediately obvious what the problem was but upon reviewing the log files an error was noted.  The error is

[LDAP: error code 32 - No Such Object]; remaining name 'dc=companydc=com'
The problem is immediately obvious from the error.  There is no comma between the dc=company and dc=com parts of the base context. The comma is however, present in the resource configuration.

The Oracle OID Connector documentation specifies the following.


The example of single base context contains double quotes.  But the note for a multilevel base context says that each base context must be specified within double quotes.  This sentence implies that a single base context does not require double quotes when (sigh) indeed it does.




Monday, March 31, 2014

Set pre-defined Challenge Questions for use with Lost Password Management

In COREid, when configuring an attribute with the Semantic Type of Challenge, the only option for Display Type is Single-line Text. In order to set pre-defined challenge questions:


  1. Change the Semantic Type back to None

  2. Set the Display Type to Selection Menu, and add an option for each of the pre-defined questions

  3. Through an LDAP browser or LDAP import tool, locate the attribute definition (obattr=[attribute name],obclass=[user object class],o=Oblix,[COREid Configuration Container]) and add the value ObSChallenge for the attribute obsemantictype

  4. Restart the Identity Server

Pre-defining challenge questions can increase security by forcing users to answer only approved questions (as opposed to creating their own in free-form text). This allows administrators to select questions that the answers can not be easily obtained through social engineering or questions with common answers. Since the user's password can be reset by correctly answering to a displayed question, a weak challenge response is more of a security risk than a weak password.

IdXml SOAP Envelope Parsing Dot NET

More on Dot NET parsing for IdXml. It finally occurred to me that I could add namespace definitions to my hearts content to parse any doc (with multiple namespaces defined).



XmlDocument xml = new XmlDocument();
xml.LoadXml(someXmlString);
XmlNamespaceManager ns = new XmlNamespaceManager(xml.NameTable);
ns.AddNamespace("default", "http://www.oblix.com/");
attrNodes=xml.SelectNodes("/default:ObEventParams/default:ObParamList[@name='WfAttribute']/default:ObParam", ns);

OAM Identity and AJAX - A 'Light Services' Approach

You just can't turn around without hitting your head on some 'AJAX' these days. And, as it turns out, there are some pretty good reasons (here and here) for it. Assuming that you agree that there are real benefits associated with this new web tactic, lets take some time to look at what we can achieve by applying it to the OAM Identity System.

At Nulli, we've said it before and we'll say it again: There was some seriously good thinking going on at Oblix back in the day. While Microsoft was inventing the XMLHTTPRequest, the folks at Oblix we discussing the bold option of using (the very new) XSLT 1.0 to deliver an HTML user interface derived from the XML output of the Identity Server; a way to bring the directory service to the web in two short hops.

Now, chances are, if you are an Oblix / OAM customer that has made good use of the Identity System, you grimaced as you read 'XSLT'. And, in all fairness, it is true to say that the architectural decisions that Oblix made did have the result of pushing customers into technologies (namely XSL development) that they may not have chosen for themselves.

OIM Pre-populate Not Working

My colleague added a GTC resource to a user today but none of the pre-populate values got set.  Clicking the pre-populate button did not set the values either. Upon further inspection there were no pre-populate definitions set for the form.

We reverted to an older project and imported only the form definitions.  Once this was successful we tried adding the GTC resource to another user.  It still did not auto pre-populate the values but the pre-populate button itself worked.

We fired up the design console and went to Process Management > Process Definition and searched for the form. Checked the Auto Pre-populate check box on the process definition and saved it.  When we retested adding the GTC resource to another user it worked this time.

OIM Server in Admin Mode

Starting the OIM server goes to Running mode, it only starts in Admin mode.  The logs contain an error indicating there was a problem creating a connection pool.

<Dec 31, 2012 11:00:14 AM MDT> <Warning> <JDBC> <BEA-001129> <Received exception while creating connection for pool "xxxxxxxxx": ORA-01034: ORACLE not availableORA-27101: shared memory realm does not exist

The xxxxxxxxx in the error matches the name of one of the data sources exactly.  Upon  closer inspection the Data Source did not belong.  It applied to the OIM cluster and that is why OIM started in admin mode.  Removing the offending Data Source from Weblogic and restarting the OIM managed service rectified the problem.

The origin of the Data Source is unknown; it was likely created erroneously.