OIM does not provision on Active Directory

Hello everyone,

I am encountering a problem in One Identity Manager (OIM) 9.3.1 in the production environment: on rare occasions, OIM creates the identity in the Person table and creates the row in the LDAPAccount table, but does not provision the account or group to Active Directory (detail: we are using the LDAP connector to connect to Active Directory, not the AD connector).

Specifically, the current structure requires end users to assign business roles, which are associated with one (or more) system roles, which in turn are associated with an AD group. Therefore:

business role <--> (one or more) system roles <--> AD group

Example:

business_role_1 <> system_role_1 <> group_1

business_role_2 <> system_role_2 <> group_2

business_role_3 <> system_role_3 <> group_3

In addition to this, we have the dynamic role associated with account creation: that is, when an identity is created, the dynamic role that creates the account on AD is assigned immediately afterwards.

End users perform user creation and role assignment operations via the OIM API. API calls can include a single call to create the user and, a few moments later (literally moments, since everything has been automated), the assignment of the role to the newly created user. Alternatively, within a minute, there may be a dozen API calls for user creation and as many for assigning roles to newly created users.

On rare occasions, we have encountered an anomaly: OIM creates the account on AD, but does not assign the groups on AD to the newly created account, even though neither process (ldp_account_insert and ldp_group_provision) has failed. Furthermore, the logs from the Synchronization Editor are empty (in the second image, they are regular logs):

https://imgur.com/a/bb8UjB8

https://imgur.com/a/MFXAK31

(sorry for uploading to Imgur, but OIM Forum gives me an error if I upload images directly above)

Furthermore, on one occasion, in addition to not adding the groups to the AD account, OIM did not even create the account on AD, even though the ldp_account_insert process did not fail. Again, the logs from the Synchronization Editor are empty.

What can I do to identify the causes of this problem? How can I fix it?

I hope you can help me, any help is valuable.

  • Hello,

    From what you described, it seems that your implementation contains a significant amount of custom logic and deviates quite heavily from the One Identity Manager standard.

    If I understood your setup and the issue correctly, the root cause could be one of the following:

    1. The synchronization project detects the insert of objects but does not generate the corresponding process.
      This may happen when synchronization rules or provisioning workflows are incomplete or incorrectly configured.

    2. A process is generated, but the target object cannot be found in Active Directory.
      For example, the system tries to add groups to an account, but the account does not yet exist in the target system at that moment.

    In our projects, we increasingly implement time-controlled mechanisms, especially regular RECON operations, to catch exactly these types of inconsistencies between OIM and the target system.
    A concrete recommendation would be:

    Set up a daily synchronization cycle via the sync project that mirrors the entire OIM dataset to the target system.
    This ensures that missing objects are created afterward and manually modified objects in AD are brought back in line.

    Important:
    Do not run such a RECON blindly. Depending on your customizations, a full reconciliation may trigger many unexpected changes in the target system, which you may not want.

    One more question:
    Why are you not using the standard AD connector? Are there specific problems or limitations you encountered?

    I hope this helps. Feel free to reach out if you need further assistance.

    Cheers
    Marco
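
The reconciliation Marco describes can be reasoned about as a diff between what OIM intends (accounts and their group memberships) and a snapshot of what AD actually holds, reported first and applied only after review rather than blindly. The following is an added example, not One Identity Manager code and not from either poster: the account names, group DNs and the LDAP search result are constructed, and `reconcile` / `plan_ldif` are hypothetical helpers. It covers both failure modes from the thread, an account that never reached AD and an account that exists but is missing a group.

```python
"""Report-only reconciliation between an identity manager's intended state and an
AD/LDAP snapshot.  Added example with constructed data; not OIM's own code."""
from dataclasses import dataclass, field

# Constructed sample: what OIM believes should exist (sAMAccountName -> intended group DNs).
INTENDED = {
    "jdoe":   {"CN=group_1,OU=Groups,DC=corp,DC=example"},
    "asmith": {"CN=group_2,OU=Groups,DC=corp,DC=example",
               "CN=group_3,OU=Groups,DC=corp,DC=example"},
    "bnew":   {"CN=group_1,OU=Groups,DC=corp,DC=example"},   # row in OIM, never provisioned
}

# Constructed sample: what an LDAP search over the user OU returned from AD.
AD_SNAPSHOT = [
    {"sAMAccountName": "jdoe",
     "distinguishedName": "CN=jdoe,OU=Users,DC=corp,DC=example",
     "memberOf": ["cn=group_1,ou=groups,dc=corp,dc=example"]},   # DN casing differs
    {"sAMAccountName": "asmith",
     "distinguishedName": "CN=asmith,OU=Users,DC=corp,DC=example",
     "memberOf": ["CN=group_2,OU=Groups,DC=corp,DC=example"]},    # group_3 never added
    {"sAMAccountName": "legacy",
     "distinguishedName": "CN=legacy,OU=Users,DC=corp,DC=example",
     "memberOf": ["CN=group_1,OU=Groups,DC=corp,DC=example"]},    # exists only in AD
]


def norm(dn):
    """AD DNs are case-insensitive and tolerate spaces after commas; compare normalised."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


@dataclass
class ReconReport:
    missing_accounts: list = field(default_factory=list)      # in OIM, absent from AD
    missing_memberships: dict = field(default_factory=dict)   # account -> groups to add
    extra_memberships: dict = field(default_factory=dict)     # account -> groups not intended
    unmanaged_accounts: list = field(default_factory=list)    # in AD, unknown to OIM

    def is_clean(self):
        return not (self.missing_accounts or self.missing_memberships
                    or self.extra_memberships or self.unmanaged_accounts)


def reconcile(intended, snapshot):
    """Diff intended state against the snapshot; detects but never changes anything."""
    report = ReconReport()
    by_sam = {e["sAMAccountName"].lower(): e for e in snapshot}
    managed = {sam.lower() for sam in intended}
    for sam, wanted in intended.items():
        entry = by_sam.get(sam.lower())
        if entry is None:
            report.missing_accounts.append(sam)   # account insert never reached the target
            continue
        have = {norm(g) for g in entry.get("memberOf", [])}
        want = {norm(g) for g in wanted}
        missing = sorted(g for g in wanted if norm(g) not in have)
        extra = sorted(g for g in entry.get("memberOf", []) if norm(g) not in want)
        if missing:
            report.missing_memberships[sam] = missing
        if extra:
            report.extra_memberships[sam] = extra
    for sam, entry in by_sam.items():
        if sam not in managed:
            report.unmanaged_accounts.append(entry["sAMAccountName"])
    return report


def plan_ldif(report, snapshot):
    """Render corrective membership adds as LDIF for human review; nothing is applied."""
    dn_of = {e["sAMAccountName"]: e["distinguishedName"] for e in snapshot}
    lines = []
    for sam, groups in report.missing_memberships.items():
        for group in groups:
            lines += [f"dn: {group}", "changetype: modify", "add: member",
                      f"member: {dn_of[sam]}", "-", ""]
    return "\n".join(lines)


if __name__ == "__main__":
    rep = reconcile(INTENDED, AD_SNAPSHOT)
    print("missing accounts:   ", rep.missing_accounts)
    print("missing memberships:", rep.missing_memberships)
    print("extra memberships:  ", rep.extra_memberships)
    print("unmanaged accounts: ", rep.unmanaged_accounts)
    print(plan_ldif(rep, AD_SNAPSHOT))
```

Accounts that are missing entirely get no LDIF here on purpose: creating them is a separate provisioning step, and the unmanaged and extra-membership lists are exactly the changes Marco warns a blind RECON would push into the target without anyone looking.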

  • Hello Marco,

    Thank you for your reply.

    You're right, we have some custom logic, but not to an extreme degree.

    However, when we installed and configured One Identity, I noticed the dynamic role scheduler: OOTB, the DR scheduler runs every hour, but due to customer requirements, we set it to 1 minute.

    While troubleshooting, I tried changing the scheduler to 30 minutes, and indeed, in the last 7 days, the anomaly described above has never occurred (previously it occurred a couple of times a day).

    Finally, we did not use the Active Directory connector to connect to AD because I had not correctly communicated to the customer which firewall ports needed to be opened to connect to AD. Since we did not have time to wait for the ports to be opened (bureaucratic process), we had to use the LDAP connector.

    Thank you for everything

    Andrea

  • Are you referring to this schedule: Dynamic roles check?

  • Yes. After initial configuration I set the Dynamic roles check to:

    Occurs: Every minute

    Repeat every: 1 minute

    And 10 days ago I edited the Dynamic roles check to:

    Occurs: Every minute

    Repeat every: 30 minutes

  • I do not recommend that. If you have a large number of dynamic roles, especially ones with complicated queries, they can take a while to run, and one minute is not enough execution time. This also relies heavily on tempdb for dynamic roles.