In a previous post, I uncovered how OIM talks with Active Directory based on objectGUID values rather than samAccountName, or whatever else you may have set up in the Reconciliation Rules. This posed a problem for me, as I had 40K users with objectGUIDs from Production AD in a test environment. So obviously, none of the accounts were in sync between the two systems. Now, for the fix:

1. Rerun the Active Directory Target Reconciliation

This will resync them all for you. If the objectGUID is not an attribute that is on your recon list, make sure you add it. Also, you may need to clear out the lastReconTimestamp field on the AD IT Resource to make sure that you run the recon against all the users. This is the easiest way. Unfortunately for me, whoever installed this environment did not install / carry over the AD recon scheduled tasks. So this isn’t an option for me… What next?

2. Dump out a CSV of objectGUIDs and samAccountNames from AD, convert the objectGUIDs into a format that OIM recognizes, update the OIM database with the new objectGUIDs.

Lucky for me, I got to figure this one out on my own. =). Here’s how I did it:

First you need to dump out a CSV of all the users in Active Directory that you want OIM to be syncing up with (in my case, the test AD environment). There’s a tool that comes with AD called “csvde” that will handle this for you quite easily. If you’re using an LDAP browser and looking at a user record, the objectGUID will look something like this:

{FD3B2D30-0428-5348-941B-C405CC0341C2}

When you export the users into a CSV file, the objectGUIDs will look like this:

X'fd3b2d3004285348941bc405cc0341c2'

For my next trick, I needed to convert these into the format that OIM stores them in. If I look at this user’s objectGUID in the UD_ADUSER table, it will be this:

302d3bfd28044853941bc405cc0341c2

If you want to know how I did this, please read to the bottom. I’m going to skip over that part for now. For everyone else, I’ve made a simple command line utility called ADguid2OIM that will read in a CSV file of 2 columns (username, objectGUID) and output a new CSV file with the OIM-formatted GUIDs. Woo hoo for you =). You can download ADguid2OIM here. I’m also making the source available (since it’s not the greatest, and you may want to customize it) at the bottom of this post too.

Now that you have the usernames and properly formatted objectGUIDs, you just have to update the OIM database repository with the new values. The table is UD_ADUSER and the field is US_ADUSER_OBJECTGUID. Just make sure that you have a backup of the database in case you mess it all up =).

Now with the correct GUIDs in place, all of your existing OIM users that are supposed to be already provisioned to AD will work correctly for updates! Yay!

I hope this helps someone else out, as I spent a good couple days figuring this all out and hitting my head against a wall a couple times =)

Take care!

.: Adam

For the techies…

Here’s how OIM is storing the AD objectGUIDs in its database:

AD objectGUID example: {FD3B2D30-0428-5348-941B-C405CC0341C2}

OIM stored version: 302d3bfd28044853941bc405cc0341c2

The first thing that I noticed is that the last half is the same (the last two chunks in the AD version: 941B-C405CC0341C2).

So that left us with just the first half. When you line them up and add the dashes to the OIM one, you may see what I saw:

AD:   FD3B2D30-0428-5348
OIM: 302d3bfd-2804-4853

You’ll notice that the three sets essentially stay the same, but the hex pairs are written in reverse order. Take a look at the last set: 5348 and 4853. Split this into the two hex pairs, 53 and 48, then swap them, and you get 4853. You do the same with the second chunk: 0428 becomes 2804. The first set follows the same pattern, it’s just that there are now four hex pairs all in reverse: FD 3B 2D 30 becomes 30 2D 3B FD. String these all together and you get the OIM version of the AD objectGUID: 302d3bfd28044853941bc405cc0341c2. Why Oracle is messing with the value and scrambling it all up, I have no idea.
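The swap worked out above is the standard GUID byte layout: the leading 4-byte, 2-byte and 2-byte fields of a GUID are stored little-endian in the raw objectGUID bytes, while the braced display string shows those same fields as big-endian integers, so the value in UD_ADUSER is simply the raw bytes written as hex. The Python converter below is an added example for this post, not the ADguid2OIM tool and not code from OIM or the AD connector. It accepts both spellings shown above (treating the csvde X'...' form as having the same digit order as the braced form, as observed earlier in the post), produces the OIM form two ways so they can be cross-checked, inverts the mapping so an existing column value can be read back, and processes a two-column username,objectGUID CSV. The function names and the second sample account in SAMPLE_CSV are this example's own.

```python
"""Convert Active Directory objectGUID spellings to the form OIM stores.

Added example for the post; not the ADguid2OIM tool. The post's sample GUID
is embedded below as constructed test data; all function names are ours.
"""
import csv
import io
import re
import uuid
from typing import List, Tuple

# csvde writes binary attributes as X'<hex>' with straight apostrophes.
_CSVDE_RE = re.compile(r"^X'([0-9a-fA-F]{32})'$")
# LDAP-browser display form, braces optional: 8-4-4-4-12 hex groups.
_BRACED_RE = re.compile(r"^\{?([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})\}?$")


def parse_ad_guid(value: str) -> uuid.UUID:
    """Parse the braced display form or the csvde X'...' form.

    Both are taken to spell the GUID in display order (leading fields as
    big-endian integers). A bare 32-hex string, i.e. a value that is already
    in OIM's stored order, is deliberately rejected so it cannot be swapped
    a second time by accident.
    """
    value = value.strip()
    m = _CSVDE_RE.match(value)
    if m:
        return uuid.UUID(hex=m.group(1))
    m = _BRACED_RE.match(value)
    if m:
        return uuid.UUID(m.group(1))
    raise ValueError(f"unrecognised objectGUID format (already converted?): {value!r}")


def oim_guid(value: str) -> str:
    """Return the 32 lowercase hex characters OIM keeps for this GUID.

    uuid.UUID.bytes_le gives the raw byte order: the 4-byte, 2-byte and
    2-byte leading fields little-endian, the trailing 8 bytes untouched.
    """
    return parse_ad_guid(value).bytes_le.hex()


def oim_guid_manual(value: str) -> str:
    """The post's pairwise swap written out explicitly, for cross-checking."""
    h = parse_ad_guid(value).hex  # 32 hex chars in display order

    def rev_pairs(chunk: str) -> str:
        # Reverse the order of the 2-character hex pairs within a chunk.
        return "".join(chunk[i:i + 2] for i in range(len(chunk) - 2, -1, -2))

    return rev_pairs(h[0:8]) + rev_pairs(h[8:12]) + rev_pairs(h[12:16]) + h[16:]


def from_oim_guid(stored: str) -> str:
    """Inverse mapping: an OIM column value back to the braced display form."""
    return "{" + str(uuid.UUID(bytes_le=bytes.fromhex(stored))).upper() + "}"


def convert_csv(text: str) -> List[Tuple[str, str]]:
    """Read 'samAccountName,objectGUID' rows; return (samAccountName, OIM guid)."""
    rows = []
    for row in csv.reader(io.StringIO(text)):
        if not row or not row[0].strip():
            continue  # skip blank lines
        if len(row) < 2:
            raise ValueError(f"row has no objectGUID column: {row!r}")
        rows.append((row[0].strip(), oim_guid(row[1])))
    return rows


# Constructed sample input: the post's GUID in the csvde spelling, plus a
# made-up second account so the CSV path exercises more than one row.
SAMPLE_CSV = (
    "jdoe,X'fd3b2d3004285348941bc405cc0341c2'\n"
    "asmith,{12345678-9ABC-DEF0-1234-56789ABCDEF0}\n"
)

if __name__ == "__main__":
    for user, guid in convert_csv(SAMPLE_CSV):
        print(f"{user},{guid}")
```

The uuid module's bytes_le performs exactly the transform described above, so oim_guid_manual exists only to show the swap step by step; if the two ever disagree on a value, the input was not in display order. Before running the UPDATE against UD_ADUSER, it is worth converting a few existing US_ADUSER_OBJECTGUID values back with from_oim_guid and comparing them with what the LDAP browser shows for the same accounts, which confirms the direction of the swap on your own data.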

The little .NET command line app I wrote is pretty straightforward and could probably be coded better by someone who codes for a living, so I’m putting the source up here in case someone wants to improve on it:

Source Code for ADguid2OIM:

Imports System.IO

Module ADguid2OIM

    ' Reads input.txt, one "samAccountName,objectGUID" pair per line with the
    ' objectGUID in the csvde X'...' form, and writes output.txt with the same
    ' usernames and the GUIDs rewritten into the byte order OIM stores.
    Sub Main()
        Dim strOriginal As String = ""
        Dim strUsername As String = ""
        Dim strNew As String = ""
        Dim arrChunks(3) As String
        Dim arrPieces(3) As String
        Dim strLine As String = ""

        Dim oRead As StreamReader
        Dim oWrite As StreamWriter

        oRead = File.OpenText("input.txt")
        oWrite = File.CreateText("output.txt")

        oWrite.AutoFlush = True

        strLine = Trim(oRead.ReadLine())

        ' Stop at end of file or at the first blank line
        Do While Not strLine Is Nothing And strLine <> ""
            Dim arrItems(1) As String

            arrItems = Split(strLine, ",")
            strUsername = arrItems(0)
            strOriginal = arrItems(1)

            ' Strip out the extraneous characters: dashes and the csvde X'...' wrapper
            strOriginal = LCase(Replace(strOriginal, "-", "", 1, -1, 1))
            strOriginal = Replace(strOriginal, "X'", "", 1, -1, 1)
            strOriginal = Replace(strOriginal, "'", "", 1, -1, 1)

            ' Split the 32 hex characters into the four GUID chunks (8, 4, 4, 16)
            arrChunks(0) = Left(strOriginal, 8)
            arrChunks(1) = Mid(strOriginal, 9, 4)
            arrChunks(2) = Mid(strOriginal, 13, 4)
            arrChunks(3) = Right(strOriginal, 16)

            ' First chunk: reverse the order of its four hex pairs
            arrPieces(0) = Left(arrChunks(0), 2)
            arrPieces(1) = Mid(arrChunks(0), 3, 2)
            arrPieces(2) = Mid(arrChunks(0), 5, 2)
            arrPieces(3) = Right(arrChunks(0), 2)
            arrChunks(0) = arrPieces(3) & arrPieces(2) & arrPieces(1) & arrPieces(0)

            ' Second chunk: swap its two hex pairs
            arrPieces(0) = Left(arrChunks(1), 2)
            arrPieces(1) = Right(arrChunks(1), 2)
            arrChunks(1) = arrPieces(1) & arrPieces(0)

            ' Third chunk: swap its two hex pairs
            arrPieces(0) = Left(arrChunks(2), 2)
            arrPieces(1) = Right(arrChunks(2), 2)
            arrChunks(2) = arrPieces(1) & arrPieces(0)

            ' Last chunk is left untouched
            strNew = arrChunks(0) & arrChunks(1) & arrChunks(2) & arrChunks(3)

            oWrite.WriteLine(strUsername & "," & strNew)

            strLine = Trim(oRead.ReadLine())
        Loop
        oRead.Close()
        oWrite.Close()

    End Sub

End Module