This article is intended for Fusion Apps customers who are either starting out on their implementation or facing Lightweight Directory Access Protocol (LDAP) reconciliation issues. The content of this article relates to Release 5 (11.1.5) and later versions of Fusion Apps.
Although it focuses on the reconciliation of the LDAP (Oracle Internet Directory) store with Oracle Identity Manager (OIM), this entry also touches on other LDAP reconciliation processes. For wider reading on the topic of Identity Management in Fusion Apps, please refer to Fusion 11g Release 7 (184.108.40.206.0) TOI: IDM in Oracle Cloud and Fusion Applications (Fusion Learning Centre > Release 7 > Technology Management > All Products), or, for user creation and employee data flows, refer to this broader article.
Oracle Fusion Applications rely on Oracle Identity Management products to manage users, roles and permissions. Application users are created by using the Hire Employee task within the Fusion HCM Core application. The Hire Employee task creates user and role entries in the underlying identity store through Oracle Identity Manager (OIM). The identity store may be Active Directory (AD), Oracle Internet Directory (OID) or a combination of the two.
Although users can be managed inside the Fusion HCM application, it is worthwhile understanding how HCM, the LDAP store and the user and role entries within OIM are kept synchronized, in order to support environment setup and validation.
User creation in Fusion Apps is a business process that spans across both Core HCM and OIM. The creation of users happens slightly differently depending on whether the person is uploaded via File Based Loader (FBL) or manually entered in the UI.
The area of LDAP synchronization can be broken down into two parts: the flows between Fusion HCM and OIM, and the reconciliation processes between OIM and LDAP.
Let us first take the flows between Fusion HCM and OIM:
The section ‘Define Synchronization of Users and Roles from LDAP’ of the Oracle® Fusion Applications Common Implementation Guide explains that OIM maintains LDAP user accounts for users of Oracle Fusion Applications. Amongst other things, OIM also stores the definitions of abstract, job, and data roles and holds information about roles provisioned to users.
During an implementation, any existing information about users, roles, and roles provisioned to users must be copied from the LDAP directory to the Oracle Fusion Applications tables. Once the Oracle Fusion Applications tables are initialized with this information, it is maintained automatically.
To perform the initialization, the Fusion Apps installation super user should run the process ‘Retrieve Latest LDAP Changes’ (available via the ‘Run User and Roles Synchronization Process’ task, once an offering has been configured and a setup task list has been created). Once the ‘Retrieve Latest LDAP Changes’ process has been run, users can then be provisioned with roles through HCM. The process appears under the name SyncRolesJob, which was the process name for ‘Retrieve Latest LDAP Changes’ in Fusion Apps 11.1.2 and earlier versions.
For further details on how these two processes work, and when to schedule them, please see http://docs.oracle.com/cloud/farel8/common/OCHUS/F1210304AN1EB1F.htm.
Secondly, let’s look at the reconciliation processes between OIM and LDAP. These jobs can be broken down into:
a) full reconciliation processes:
b) incremental reconciliation processes:
The incremental LDAP jobs are not enabled by default, as some prerequisite steps are needed to point these to OID. Note that the actual configuration of integration between Oracle Identity Manager and LDAP is performed while installing Oracle Identity Manager. For further information on how to configure the integration of OIM with LDAP please refer to Configuring the Integration with LDAP in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
My Oracle Support Doc ID 1377101.1 describes how to identify which jobs are currently enabled or disabled in your environment. It also reminds the reader that, as part of the installation and configuration of OIM, the LDAP jobs should be run in a particular order.
The full reconciliation jobs, as opposed to the incremental jobs, put a significant load on the OIM CPU (about 40% CPU usage). Hence it is advisable to run them when the system is not being actively used. Please refer to My Oracle Support Troubleshooting: OIM Out of Sync with LDAP (Doc ID 1467067.1) for guidance and further troubleshooting.
To view all OIM/LDAP reconciliation jobs directly in your system, log in to OIM as follows:
In general terms, these jobs ensure that HCM/OIM, and OIM and LDAP are in sync with each other. Without being synchronized, users may not be able to log into Fusion Applications because they are not in the identity store, so credentials cannot be verified. Data roles will not be visible in OIM after generating from the data role template until LDAP reconciliation has taken place.
The system roll-back feature ensures that if OIM cannot make changes correctly, then LDAP will roll back to reflect the same position as OIM. For further details please refer to Provisioning Data From Oracle Identity Manager to LDAP Identity Store.
The ‘LDAP Scheduled Tasks’ link in the Oracle Fusion Middleware Administrator’s Guide for OIM provides a specific description of each LDAP/OIM reconciliation job. For example, the LDAP User Create and Update Reconciliation job reconciles user updates based on the change log from LDAP; the incremental reconciliation jobs all work from change logs. Compare these with the full reconciliation jobs, such as the LDAP User Create and Update Full Reconciliation job, which read every user under the search base (defined in the Directory Server IT resource) in order to reconcile with LDAP.
The Retrieve Latest LDAP Changes process is always the first implementation task, but it can also be run periodically, say daily[1], to keep the tables synchronized with subsequent updates to LDAP. For example, if you know that a failure has occurred between OIM and Oracle Fusion HCM, then you can run Retrieve Latest LDAP Changes to ensure that user and role information is synchronized.
It is recommended to run the Send Pending LDAP Requests process at least daily, for example on a daily schedule, to ensure that future-dated changes are identified and processed as soon as they take effect.
For the LDAP/OIM reconciliation, it is generally recommended to run the full reconciliation (Job Name: LDAP Role Create and Update Full Reconciliation) periodically, e.g. monthly, but to run the incremental reconciliation (Job Name: LDAP Role Create and Update Reconciliation) more frequently in between full reconciliation runs, e.g. daily or hourly.
Indeed, My Oracle Support Doc ID 1507370.1 recommends setting the incremental LDAP/OIM reconciliation jobs to run every 5 minutes or even more frequently, depending on your business needs, to avoid issues with asynchronous data from LDAP to OIM.
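To make the difference between the change-log driven incremental jobs and the search-base driven full jobs concrete, and to show why a full reconciliation is still needed alongside frequent incremental runs, here is a small model of the two reconciliation styles. It is an added illustration, not Oracle code or the behaviour of any specific OIM scheduled task: the directory store, its change log, the OIM user table and the retention purge are all constructed for the example, and the user names, roles and search base are invented. The point it demonstrates is the failure mode that the My Oracle Support notes above warn about: if the incremental job is disabled or falls behind and change-log records are lost, it can no longer catch up, and only a full pass over the search base brings OIM back in line.

```python
"""Model of OIM/LDAP user reconciliation: incremental (change-log driven)
versus full (search-base driven). Added illustration only; not Oracle code.
All data structures and sample values here are constructed for the example."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class User:
    uid: str
    cn: str
    roles: Set[str] = field(default_factory=set)


@dataclass
class ChangeLogEntry:
    """Simplified mirror of a directory change-log record (constructed)."""
    change_number: int
    op: str                     # "add", "modify" or "delete"
    uid: str
    cn: Optional[str] = None
    roles: Optional[Set[str]] = None


@dataclass
class DirectoryStore:
    """The LDAP identity store: entries under one search base plus its change log."""
    search_base: str
    entries: Dict[str, User] = field(default_factory=dict)
    changelog: List[ChangeLogEntry] = field(default_factory=list)
    next_change: int = 1

    def apply(self, op: str, uid: str, cn: Optional[str] = None,
              roles: Optional[Set[str]] = None) -> int:
        """Apply a change to the store and record it in the change log."""
        if op == "add":
            self.entries[uid] = User(uid, cn or uid, set(roles or ()))
        elif op == "modify":
            user = self.entries[uid]
            if cn is not None:
                user.cn = cn
            if roles is not None:
                user.roles = set(roles)
        elif op == "delete":
            self.entries.pop(uid)
        else:
            raise ValueError(f"unknown op {op!r}")
        entry = ChangeLogEntry(self.next_change, op, uid, cn,
                               None if roles is None else set(roles))
        self.changelog.append(entry)
        self.next_change += 1
        return entry.change_number

    def purge_changelog(self, keep_after: int) -> None:
        """Simulate change-log retention: records numbered keep_after or lower are discarded."""
        self.changelog = [e for e in self.changelog if e.change_number > keep_after]


@dataclass
class OimUserTable:
    """OIM's copy of the users, plus the last change number it has consumed."""
    users: Dict[str, User] = field(default_factory=dict)
    last_change: int = 0


def incremental_reconcile(oim: OimUserTable, store: DirectoryStore) -> int:
    """Replay change-log records newer than the last one OIM processed.
    Returns the number of records applied. Raises on a gap in the log, which is
    exactly the situation only a full reconciliation can recover from."""
    pending = sorted((e for e in store.changelog if e.change_number > oim.last_change),
                     key=lambda e: e.change_number)
    if pending and pending[0].change_number != oim.last_change + 1:
        raise RuntimeError(f"change log gap: OIM is at {oim.last_change}, "
                           f"oldest available record is {pending[0].change_number}")
    for e in pending:
        if e.op == "add":
            oim.users[e.uid] = User(e.uid, e.cn or e.uid, set(e.roles or ()))
        elif e.op == "modify":
            user = oim.users[e.uid]
            if e.cn is not None:
                user.cn = e.cn
            if e.roles is not None:
                user.roles = set(e.roles)
        elif e.op == "delete":
            oim.users.pop(e.uid, None)
        oim.last_change = e.change_number
    return len(pending)


def drift_report(oim: OimUserTable, store: DirectoryStore) -> Dict[str, List[str]]:
    """Detection check: compare every entry under the search base with OIM's copy."""
    return {
        "missing_in_oim": sorted(u for u in store.entries if u not in oim.users),
        "stale_in_oim": sorted(u for u in oim.users if u not in store.entries),
        "out_of_date": sorted(u for u, e in store.entries.items()
                              if u in oim.users and oim.users[u] != e),
    }


def full_reconcile(oim: OimUserTable, store: DirectoryStore) -> List[str]:
    """Walk the whole search base and make OIM match it; returns the uids corrected.
    Also advances OIM's change-number cursor so incremental runs can resume."""
    report = drift_report(oim, store)
    corrected = sorted(set(report["missing_in_oim"] + report["stale_in_oim"] + report["out_of_date"]))
    for uid in report["stale_in_oim"]:
        del oim.users[uid]
    for uid in report["missing_in_oim"] + report["out_of_date"]:
        src = store.entries[uid]
        oim.users[uid] = User(src.uid, src.cn, set(src.roles))   # copy, never alias
    oim.last_change = store.next_change - 1
    return corrected


if __name__ == "__main__":
    store = DirectoryStore("cn=Users,dc=example,dc=com")            # constructed base
    store.apply("add", "alice", cn="Alice", roles={"EMPLOYEE"})
    oim = OimUserTable()
    print("initial full run corrected:", full_reconcile(oim, store))
    store.apply("add", "bob", cn="Bob")
    print("incremental applied:", incremental_reconcile(oim, store))
    store.apply("delete", "bob")
    store.purge_changelog(keep_after=store.next_change - 1)         # records lost
    print("drift while incremental cannot catch up:", drift_report(oim, store))
    print("full run corrected:", full_reconcile(oim, store))
```

Running it prints the drift that opens up once change-log records are gone and then the repair performed by the full pass. The equivalent operational check in a real environment is to compare the OIM user list against the users under the search base after the incremental job has been running for a while: any entries reported as missing or stale indicate that the incremental job is disabled, has failed, or has fallen behind the change log, which is when the full reconciliation job needs to be run.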
There are a number of articles on My Oracle Support that provide guidance on LDAP issues. Generally speaking, these issues are caused by the LDAP reconciliation jobs not having been run, or not having been run in the correct order. Below are a few sample issues reported, included here as pointers for those who may be struggling to resolve an issue:
Once you’re up and running and happily synchronizing, please do give a thought to tuning your LDAP synchronization jobs. Review the My Oracle Support articles Performance Tuning Guidelines and Diagnostics Collection for Oracle Identity Manager (OIM) (Doc ID 1539554.1) and Tuning Settings For LDAP Reconciliation Between OID And OIM 11g (Doc ID 1534049.1) for more information.
[1] Overview chapter of the Oracle® Fusion Applications Coexistence for HCM Implementation Guide, 11g Release 6 (11.1.6), Part Number E20378-04.